Merge pull request coreruleset#3567 from fzipi/release-v4
chore: release v4
fzipi authored Feb 14, 2024
2 parents 8f96954 + f1b9ac3 commit 1d95422
Showing 36 changed files with 469 additions and 469 deletions.
2 changes: 1 addition & 1 deletion CHANGES.md
@@ -1,4 +1,4 @@
# OWASP ModSecurity Core Rule Set (CRS) CHANGES
# OWASP CRS CHANGES

## Report Bugs/Issues to GitHub Issues Tracker or the mailinglist
* https://github.com/coreruleset/coreruleset/issues
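Review bot: the unchanged context line `## Report Bugs/Issues to GitHub Issues Tracker or the mailinglist` runs `mailinglist` together; the usual spelling is `mailing list`, and since this heading is being touched for the rename it could be corrected in the same housekeeping commit.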
10 changes: 5 additions & 5 deletions CONTRIBUTING.md
Expand Up @@ -37,7 +37,7 @@
* Adhere to an 80 character line length limit where possible.
* Add comments where possible and clearly explain any new rules.
* Comments must not appear between chained rules and should instead be placed before the start of a rule chain.
* All [chained rules](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#chain) should be indented like so, for readability:
* All [chained rules](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#chain) should be indented like so, for readability:
```
SecRule .. .. \
"..."
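Review bot: the updated link target in `* All [chained rules](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#chain) should be indented like so, for readability:` keeps raw parentheses inside the URL, whereas the PL 2 hunk further down in this file writes the same wiki address percent-encoded as `Reference-Manual-%28v2.x%29#chain`. Since the line is being rewritten anyway, use the encoded form here too, so both links to the same page are spelled the same way and do not depend on how a Markdown processor balances parentheses in link destinations.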
Expand Down Expand Up @@ -129,7 +129,7 @@ If testing a CRS regular expression using a third party tool, it may be useful t

### When and Why to Anchor Regular Expressions

Engines running the OWASP Core Rule Set will use regular expressions to _search_ the input string, i.e., the regular expression engine is asked to find the first match in the input string. If an expression needs to match the entire input then the expression must be anchored appropriately.
Engines running the OWASP CRS will use regular expressions to _search_ the input string, i.e., the regular expression engine is asked to find the first match in the input string. If an expression needs to match the entire input then the expression must be anchored appropriately.

#### Beginning of String Anchor (^)

Expand Down Expand Up @@ -183,7 +183,7 @@ It is sometimes necessary to match the entire input string to ensure that it _ex

Other anchors apart from `^` caret and `$` dollar exist, such as `\A`, `\G`, and `\Z` in PCRE. CRS **strongly discourages** the use of other anchors for the following reasons:

- Not all regular expression engines support all anchors and the OWASP Core Rule Set should be compatible with as many regular expression engines as possible.
- Not all regular expression engines support all anchors and the OWASP CRS should be compatible with as many regular expression engines as possible.
- Their function is sometimes not trivial.
- They aren't well known and would require additional documentation.
- In most cases that would justify their use the regular expression can be transformed into a form that doesn't require them, or the rule can be transformed (e.g., with an additional chain rule).
Expand Down Expand Up @@ -238,7 +238,7 @@ Possessive quantifiers (e.g., `x++`) and atomic groups (e.g., `(?>x)`) are tools

Traditional regular expression engines use backtracking to solve some additional problems, such as finding a string that is preceded or followed by another string. While this functionality can certainly come in handy and has its place in certain applications, it can also lead to performance issues and, in uncontrolled environments, open up possibilities for attacks (the term "[ReDoS](https://en.wikipedia.org/wiki/ReDoS)" is often used to describe an attack that exhausts process or system resources due to excessive backtracking).

The OWASP Core Rule Set tries to be compatible with non-backtracking regular expression engines, such as RE2, because:
The OWASP CRS tries to be compatible with non-backtracking regular expression engines, such as RE2, because:

- Non-backtracking engines are less vulnerable to ReDoS attacks.
- Non-backtracking engines can often outperform backtracking engines.
Expand Down Expand Up @@ -303,7 +303,7 @@ The types of rules that are allowed at each paranoia level are as follows:

**PL 2:**

* [Chain](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#chain) usage is allowed
* [Chain](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#chain) usage is allowed
* Confirmed matches use score critical
* Matches that cause false positives are limited to using scores notice or warning
* Low false positive rates
4 changes: 2 additions & 2 deletions INSTALL.md
Expand Up @@ -4,7 +4,7 @@ This guide aims to get a CRS installation up and running. This guide assumes tha

## Downloading the Rule Set

The first step is to download the Core Rule Set itself. The CRS project strongly recommends using a [supported version](https://github.com/coreruleset/coreruleset/security/policy).
The first step is to download the CRS itself. The CRS project strongly recommends using a [supported version](https://github.com/coreruleset/coreruleset/security/policy).

Official CRS releases can be found at the following URL: https://github.com/coreruleset/coreruleset/releases.

Expand Down Expand Up @@ -81,7 +81,7 @@ Now all the CRS files will be located below the `/etc/crs4` directory.

### Setting Up the Main Configuration File

After extracting the rule set files, the next step is to set up the main OWASP Core Rule Set configuration file. An example configuration file is provided as part of the release package, located in the main directory: `crs-setup.conf.example`.
After extracting the rule set files, the next step is to set up the main OWASP CRS configuration file. An example configuration file is provided as part of the release package, located in the main directory: `crs-setup.conf.example`.

{{% notice note %}}
Other aspects of ModSecurity, particularly engine-specific parameters, are controlled by the ModSecurity "recommended" configuration rules, `modsecurity.conf-recommended`. This file comes packaged with ModSecurity itself.
2 changes: 1 addition & 1 deletion KNOWN_BUGS.md
Expand Up @@ -39,7 +39,7 @@ or the CRS Google Group at
type by default, as specified in RFC 3902. OF IMPORTANCE, application/soap+xml is
indicative that XML will be provided. In accordance with this, ModSecurity's XML
Request Body Processor should also be configured to support this MIME type. Within
the ModSecurity project, [commit 5e4e2af](https://github.com/SpiderLabs/ModSecurity/commit/5e4e2af7a6f07854fee6ed36ef4a381d4e03960e)
the ModSecurity project, [commit 5e4e2af](https://github.com/owasp-modsecurity/ModSecurity/commit/5e4e2af7a6f07854fee6ed36ef4a381d4e03960e)
has been merged to support this endeavour. However, if you are running a modified or
preexisting version of the modsecurity.conf provided by this repository, you may
wish to upgrade rule '200000' accordingly. The rule now appears as follows:
2 changes: 1 addition & 1 deletion LICENSE
Expand Up @@ -186,7 +186,7 @@
same "printed page" as the copyright notice for easier
identification within third-party archives.

Copyright 2022 Core Rule Set project
Copyright 2024 OWASP CRS project

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
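Review bot: the new holder name in `Copyright 2024 OWASP CRS project` does not match the `CRS project` wording that the same commit introduces in README.md (`Copyright (c) 2021-2024 CRS project. All rights reserved.`), in crs-setup.conf.example and in the rules file header. A copyright holder should be named identically everywhere in the repository; pick one form (the fuller `OWASP CRS project` used in the license text itself is the natural candidate) and apply it to the other files in this commit.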
10 changes: 5 additions & 5 deletions README.md
Expand Up @@ -7,13 +7,13 @@



# OWASP ModSecurity Core Rule Set (CRS)
# OWASP CRS

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
The OWASP CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.

## CRS Resources

Please see the [OWASP ModSecurity Core Rule Set page](https://coreruleset.org/) to get introduced to the CRS and view resources on installation, configuration, and working with the CRS.
Please see the [OWASP CRS page](https://coreruleset.org/) to get introduced to the CRS and view resources on installation, configuration, and working with the CRS.

## Contributing to the CRS

Expand All @@ -28,6 +28,6 @@ We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beg
## License

Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.</br>
Copyright (c) 2021-2024 Core Rule Set project. All rights reserved.
Copyright (c) 2021-2024 CRS project. All rights reserved.

The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.
The OWASP CRS is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.
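Review bot: the rename is incomplete in this file: the unchanged context quoted in the hunk header, `We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beg`, still carries the old name, while the identical sentence in SECURITY.md is changed to `OWASP CRS` in this same commit; update README line 28 as well. Minor, on the context line `Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.</br>`: `</br>` is a closing tag with no opening tag; the line break element is `<br>` (or `<br/>`).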
4 changes: 2 additions & 2 deletions SECURITY.md
Expand Up @@ -68,7 +68,7 @@ gpg: Good signature from "OWASP Core Rule Set <[email protected]>" [ultim

## Reporting a Vulnerability

We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users.
We strive to make the OWASP CRS accessible to a wide audience of beginner and experienced users.
We welcome bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.
Submit these types of non-vulnerability related issues via Github.
Please include your installed version and the relevant portions of your audit log.
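Review bot: the unchanged context line `Submit these types of non-vulnerability related issues via Github.` misspells the site name; it should read `GitHub`, and could be fixed while this paragraph is being edited. Note also that the sample verification output in the hunk header, `gpg: Good signature from "OWASP Core Rule Set`, rightly keeps the old name: it is the UID of the release signing key, which a documentation rename does not change, so that line must not be rewritten unless the key is re-issued with a new UID.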
Expand All @@ -87,4 +87,4 @@ We are happy to work with the community to provide CVE identifiers for any disco

If in doubt, feel free to reach out to us!

The OWASP ModSecurity CRS Team.
The OWASP CRS Team.
10 changes: 5 additions & 5 deletions crs-setup.conf.example
@@ -1,9 +1,9 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
# OWASP CRS ver.4.0.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
Expand All @@ -12,7 +12,7 @@
#
# -- [[ Introduction ]] --------------------------------------------------------
#
# The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack
# The OWASP CRS is a set of generic attack
# detection rules that provide a base level of protection for any web
# application. They are written for the open source, cross-platform
# ModSecurity Web Application Firewall.
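Review bot: shortening `# The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack` to `# The OWASP CRS is a set of generic attack` leaves a short first line in front of three full-width lines of the same wrapped paragraph; reflow the comment block (for example `# The OWASP CRS is a set of generic attack detection rules that provide` followed by the remaining text re-wrapped) so the introduction stays evenly wrapped.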
Expand Down Expand Up @@ -694,7 +694,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
#
# -- [[ Easing In / Sampling Percentage ]] -------------------------------------
#
# Adding the Core Rule Set to an existing productive site can lead to false
# Adding the CRS to an existing productive site can lead to false
# positives, unexpected performance issues and other undesired side effects.
#
# It can be beneficial to test the water first by enabling the CRS for a
6 changes: 3 additions & 3 deletions rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
@@ -1,9 +1,9 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
# OWASP CRS ver.4.0.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------