diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 5897ba5..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,11 +0,0 @@
-/modsecurity-crs_2.2.4.tar.gz
-/modsecurity-crs_2.2.5.tar.gz
-/SpiderLabs-owasp-modsecurity-crs-21197fc.tar.gz
-/SpiderLabs-owasp-modsecurity-crs-v2.2.6-0-g3f85c76.tar.gz
-/owasp-modsecurity-crs-2.2.8.tar.gz
-/SpiderLabs-owasp-modsecurity-crs-2.2.9-19-ga57031b.tar.gz
-/owasp-modsecurity-crs-f16e0b1.tar.gz
-/owasp-modsecurity-crs-3.0.0.tar.gz
-/owasp-modsecurity-crs-3.2.0.tar.gz
-/v3.3.0.tar.gz
-/v3.3.4.tar.gz
diff --git a/dead.package b/dead.package
new file mode 100644
index 0000000..893c76f
--- /dev/null
+++ b/dead.package
@@ -0,0 +1 @@
+mod_security_crs was removed due to minimization efforts prior to public launch
diff --git a/mod_security_crs-early-blocking.patch b/mod_security_crs-early-blocking.patch
deleted file mode 100644
index 2d2dbb3..0000000
--- a/mod_security_crs-early-blocking.patch
+++ /dev/null
@@ -1,280 +0,0 @@ -diff --git a/crs-setup.conf.example b/crs-setup.conf.example -index b443e77..0fdd5cb 100644 ---- a/crs-setup.conf.example -+++ b/crs-setup.conf.example -@@ -234,7 +234,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" - - - # --# -- [[ Anomaly Mode Severity Levels ]] ---------------------------------------- -+# -- [[ Anomaly Scoring Mode Severity Levels ]] -------------------------------- - # - # Each rule in the CRS has an associated severity level. - # These are the default scoring points for each severity level. -@@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" - - - # --# -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------ -+# -- [[ Anomaly Scoring Mode Blocking Threshold Levels ]] ---------------------- - # - # Here, you can specify at which cumulative anomaly score an inbound request, - # or outbound response, gets blocked. -@@ -319,6 +319,35 @@ SecDefaultAction "phase:2,log,auditlog,pass" - # setvar:tx.outbound_anomaly_score_threshold=4" - - # -+# -- [[ Early Anomaly Scoring Mode Blocking ]] ------------------------------ -+# -+# The anomaly scores for the request and the responses are generally summed up -+# and evaluated at the end of phase:2 and at the end of phase:4 respectively. -+# However, it is possible to enable an early evaluation of these anomaly scores -+# at the end of phase:1 and at the end of phase:3. -+# -+# If a request (or a response) hits the anomaly threshold in this early -+# evaluation, then blocking happens immediately (if blocking is enabled) and -+# the phase 2 (and phase 4 respectively) will no longer be executed. -+# -+# Enable the rule 900120 that sets the variable tx.blocking_early to 1 in order -+# to enable early blocking. The variable tx.blocking_early is set to 0 by -+# default. Early blocking is thus disabled by default. -+# -+# Please note that blocking early will hide potential alerts from you. 
This -+# means that a payload that would appear in an alert in phase 2 (or phase 4) -+# does not get evaluated if the request is being blocked early. So when you -+# disabled blocking early again at some point in the future, then new alerts -+# from phase 2 might pop up. -+#SecAction \ -+# "id:900120,\ -+# phase:1,\ -+# nolog,\ -+# pass,\ -+# t:none,\ -+# setvar:tx.blocking_early=1" -+ -+ - # -- [[ Application Specific Rule Exclusions ]] ---------------------------------------- - # - # Some well-known applications may undertake actions that appear to be -diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf -index 5044abd..06a1bb3 100644 ---- a/rules/REQUEST-901-INITIALIZATION.conf -+++ b/rules/REQUEST-901-INITIALIZATION.conf -@@ -89,6 +89,15 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \ - ver:'OWASP_CRS/3.3.4',\ - setvar:'tx.outbound_anomaly_score_threshold=4'" - -+# Default Blocking Early (rule 900120 in setup.conf) -+SecRule &TX:blocking_early "@eq 0" \ -+ "id:901115,\ -+ phase:1,\ -+ pass,\ -+ nolog,\ -+ ver:'OWASP_CRS/3.3.0',\ -+ setvar:'tx.blocking_early=0'" -+ - # Default Paranoia Level (rule 900000 in setup.conf) - SecRule &TX:paranoia_level "@eq 0" \ - "id:901120,\ -diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf -index 050eb04..755315f 100644 ---- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf -+++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf -@@ -12,7 +12,66 @@ - # -= Paranoia Level 0 (empty) =- (apply unconditionally) - # - --# Summing up the anomaly score. 
-+# Skipping early blocking -+ -+SecRule TX:BLOCKING_EARLY "!@eq 1" \ -+ "id:949050,\ -+ phase:1,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ skipAfter:BLOCKING_EARLY_ANOMALY_SCORING" -+ -+SecRule TX:BLOCKING_EARLY "!@eq 1" \ -+ "id:949051,\ -+ phase:2,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ skipAfter:BLOCKING_EARLY_ANOMALY_SCORING" -+ -+# Summing up the anomaly score for early blocking -+ -+SecRule TX:PARANOIA_LEVEL "@ge 1" \ -+ "id:949052,\ -+ phase:1,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl1}'" -+ -+SecRule TX:PARANOIA_LEVEL "@ge 2" \ -+ "id:949053,\ -+ phase:1,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl2}'" -+ -+SecRule TX:PARANOIA_LEVEL "@ge 3" \ -+ "id:949054,\ -+ phase:1,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl3}'" -+ -+SecRule TX:PARANOIA_LEVEL "@ge 4" \ -+ "id:949055,\ -+ phase:1,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl4}'" -+ -+SecAction "id:949059,\ -+ phase:2,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ setvar:'tx.anomaly_score=0'" -+ -+SecMarker BLOCKING_EARLY_ANOMALY_SCORING - - # NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs. - # So we add to it. 
-@@ -93,6 +152,21 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \ - severity:'CRITICAL',\ - setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'" - -+SecRule TX:BLOCKING_EARLY "@eq 1" \ -+ "id:949111,\ -+ phase:1,\ -+ deny,\ -+ t:none,\ -+ msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.ANOMALY_SCORE})',\ -+ tag:'application-multi',\ -+ tag:'language-multi',\ -+ tag:'platform-multi',\ -+ tag:'attack-generic',\ -+ ver:'OWASP_CRS/3.3.0',\ -+ severity:'CRITICAL',\ -+ chain" -+ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \ -+ "setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'" - - - SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" -diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf -index 13013de..bf9b03d 100644 ---- a/rules/RESPONSE-950-DATA-LEAKAGES.conf -+++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf -@@ -96,7 +96,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAf - # - SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \ - "id:950100,\ -- phase:4,\ -+ phase:3,\ - block,\ - capture,\ - t:none,\ -diff --git a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf -index 24130eb..549c07c 100644 ---- a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf -+++ b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf -@@ -22,7 +22,67 @@ - # -= Paranoia Level 0 (empty) =- (apply unconditionally) - # - --# Summing up the anomaly score. 
-+ -+# Skipping early blocking -+ -+SecRule TX:BLOCKING_EARLY "!@eq 1" \ -+ "id:959050,\ -+ phase:3,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ skipAfter:BLOCKING_EARLY_ANOMALY_SCORING" -+ -+SecRule TX:BLOCKING_EARLY "!@eq 1" \ -+ "id:959051,\ -+ phase:4,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ skipAfter:BLOCKING_EARLY_ANOMALY_SCORING" -+ -+# Summing up the anomaly score for early blocking -+ -+SecRule TX:PARANOIA_LEVEL "@ge 1" \ -+ "id:959052,\ -+ phase:3,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl1}'" -+ -+SecRule TX:PARANOIA_LEVEL "@ge 2" \ -+ "id:959053,\ -+ phase:3,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl2}'" -+ -+SecRule TX:PARANOIA_LEVEL "@ge 3" \ -+ "id:959054,\ -+ phase:3,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl3}'" -+ -+SecRule TX:PARANOIA_LEVEL "@ge 4" \ -+ "id:959055,\ -+ phase:3,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl4}'" -+ -+SecAction "id:959059,\ -+ phase:4,\ -+ pass,\ -+ t:none,\ -+ nolog,\ -+ setvar:'tx.outbound_anomaly_score=0'" -+ -+SecMarker BLOCKING_EARLY_ANOMALY_SCORING - - # NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs. - # So we add to it. 
-@@ -76,6 +136,21 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \ - ver:'OWASP_CRS/3.3.4',\ - setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'" - -+SecRule TX:BLOCKING_EARLY "@eq 1" \ -+ "id:959101,\ -+ phase:3,\ -+ deny,\ -+ t:none,\ -+ msg:'Outbound Anomaly Score Exceeded in phase 3 (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\ -+ tag:'application-multi',\ -+ tag:'language-multi',\ -+ tag:'platform-multi',\ -+ tag:'attack-generic',\ -+ ver:'OWASP_CRS/3.3.0',\ -+ severity:'CRITICAL',\ -+ chain" -+ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \ -+ "setvar:'tx.anomaly_score=%{tx.outbound_anomaly_score}'" - - - SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" diff --git a/mod_security_crs.spec b/mod_security_crs.spec deleted file mode 100644 index d2cd427..0000000 --- a/mod_security_crs.spec +++ /dev/null 
@@ -1,196 +0,0 @@ -Summary: ModSecurity Rules -Name: mod_security_crs -Version: 3.3.4 -Release: 6%{?dist} -License: Apache-2.0 -URL: https://coreruleset.org/ -Source: https://github.com/coreruleset/coreruleset/archive/refs/tags/v%{version}.tar.gz -BuildArch: noarch -Requires: mod_security >= 2.9.6 -Obsoletes: mod_security_crs-extras < 3.0.0 - -Patch0: mod_security_crs-early-blocking.patch - -%description -This package provides the base rules for mod_security. - -%prep -%setup -q -n coreruleset-%{version} -%patch0 -p1 -b.early_blocking - -%build - -%install - -install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/ -install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules -install -d %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules - -# To exclude rules (pre/post) -mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf -mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf - -install -m0644 rules/*.conf %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/ -install -m0644 rules/*.data %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/ -mv crs-setup.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf - -# activate base_rules -for f in `ls %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/` ; do - ln -s %{_datarootdir}/mod_modsecurity_crs/rules/$f %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/$f; -done - - -%files -%license LICENSE -%doc CHANGES README.md -%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/activated_rules/* -%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf -%{_datarootdir}/mod_modsecurity_crs - -%changelog -* Thu Jul 20 2023 Fedora Release Engineering - 3.3.4-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* 
Tue Jun 06 2023 Luboš Uhliarik - 3.3.4-5 -- SPDX migration - -* Mon Mar 20 2023 Mikel Olasagasti Uranga - 3.3.4-4 -- Change URL to new official homepage - -* Thu Jan 19 2023 Fedora Release Engineering - 3.3.4-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Mon Dec 05 2022 Luboš Uhliarik - 3.3.4-2 -- Add Early blocking feature patch again - -* Fri Sep 30 2022 Luboš Uhliarik - 3.3.4-1 -- new version 3.3.4 - -* Wed Sep 07 2022 Luboš Uhliarik - 3.3.0-6 -- Fix application of early blocking patch - -* Wed Aug 31 2022 Luboš Uhliarik - 3.3.0-5 -- Backport early blocking feature - -* Thu Jul 21 2022 Fedora Release Engineering - 3.3.0-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Thu Jan 20 2022 Fedora Release Engineering - 3.3.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Thu Jul 22 2021 Fedora Release Engineering - 3.3.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Fri Mar 05 2021 Lubos Uhliarik - 3.2.0-1 -- new version 3.2.0 - -* Tue Jan 26 2021 Fedora Release Engineering - 3.0.0-12 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Tue Jul 28 2020 Fedora Release Engineering - 3.0.0-11 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Wed Jan 29 2020 Fedora Release Engineering - 3.0.0-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Thu Jul 25 2019 Fedora Release Engineering - 3.0.0-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Fri Feb 01 2019 Fedora Release Engineering - 3.0.0-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Fri Jul 13 2018 Fedora Release Engineering - 3.0.0-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Thu Feb 08 2018 Fedora Release Engineering - 3.0.0-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Wed Jul 26 2017 Fedora Release Engineering - 
3.0.0-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Sat Apr 22 2017 Athmane Madjoudj - 3.0.0-4 -- Exclude rule files should not be symlink - -* Sat Apr 22 2017 Athmane Madjoudj - 3.0.0-3 -- Use versioned obsoletes -- Move away from /lib since rules are data - -* Sat Apr 22 2017 Athmane Madjoudj - 3.0.0-2 -- Fix the install part since extra and experimental rules are not longer included in 3.x -- Remove EL5 bits since EL5/EPEL5 are OEL-ed -- Bump reqs - -* Sat Apr 22 2017 Athmane Madjoudj - 3.0.0-1 -- Update to 3.0.0 -- Clean up the spec - -* Fri Feb 10 2017 Fedora Release Engineering - 2.2.9.20160414git-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Fri Apr 29 2016 Athmane Madjoudj 2.2.9.20160414git-1 -- Update to 2.9.20160414git - -* Tue Mar 08 2016 Athmane Madjoudj 2.2.9.20160219git-1 -- Update to 2.2.9 -- Minor spec cleanup - -* Thu Feb 04 2016 Fedora Release Engineering - 2.2.8-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Wed Jun 17 2015 Fedora Release Engineering - 2.2.8-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Sat Jun 07 2014 Fedora Release Engineering - 2.2.8-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Sat Aug 03 2013 Fedora Release Engineering - 2.2.8-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Tue Jul 02 2013 Athmane Madjoudj 2.2.8-1 -- Update to 2.2.8 -- Adapt the spec file to new github tarball schema. -- Correct bugus date in the spec file. 
- -* Thu Feb 14 2013 Fedora Release Engineering - 2.2.6-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Mon Nov 19 2012 Peter Vrabec 2.2.6-4 -- "extras" subpackage is not provided on RHEL7 - -* Wed Oct 17 2012 Athmane Madjoudj 2.2.6-3 -- Remove the patch since we're requiring mod_security >= 2.7.0 -- Require mod_security >= 2.7.0 - -* Mon Oct 01 2012 Athmane Madjoudj 2.2.6-2 -- Add a patch to fix incompatible rules. -- Update to new git release - -* Sat Sep 15 2012 Athmane Madjoudj 2.2.6-1 -- Update to 2.2.6 -- Update spec file since upstream moved to Github. - -* Thu Sep 13 2012 Athmane Madjoudj 2.2.5-5 -- Enable extra rules sub-package for EPEL. - -* Tue Aug 28 2012 Athmane Madjoudj 2.2.5-4 -- Fix spec for el5 - -* Tue Aug 28 2012 Athmane Madjoudj 2.2.5-3 -- Add BuildRoot def for el5 compatibility - -* Fri Jul 20 2012 Fedora Release Engineering - 2.2.5-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Fri Jun 22 2012 Peter Vrabec 2.2.5-1 -- upgrade - -* Wed Jun 20 2012 Peter Vrabec 2.2.4-3 -- "extras" subpackage is not provided on RHEL - -* Thu May 03 2012 Peter Vrabec 2.2.4-2 -- fix fedora-review issues (#816975) - -* Thu Apr 19 2012 Peter Vrabec 2.2.4-1 -- initial package - - diff --git a/sources b/sources deleted file mode 100644 index 4d22b93..0000000 --- a/sources +++ /dev/null @@ -1 +0,0 @@ -SHA512 (v3.3.4.tar.gz) = a8b8b210054a9a4e3f8e45a5a9428110bb4075e40430e3fc16f4717e363af141265b1fb5c173ff96abeff0ac61ef5eef667a4b9cb703f8edc15e48deb3342827