--------------------------
Version 1.6.1 - 2008/04/22
--------------------------

- Fixed a bug where phases and transformations where not specified explicitly
    in rules. The issue affected a significant number of rules, and we strongly
		recommend to upgrade.

--------------------------
Version 1.6.0 - 2008/02/19
--------------------------

New Rulesets & Features:
- 42 - Tight Security
    This ruleset contains currently 2 rules which are considered highly prone
    to FPs. They take care of Path Traversal attacks, and RFI attacks. This
    ruleset is included in the optional_rulesets dir
- 42 - Comment Spam
    Comment Spam is used by the spammers to increase their rating in search
    engines by posting links to their site in other sites that allow posting
    of comments and messages. The rules in this ruleset will work against that.
    (Requires ModSecurity 2.5)
- Tags
    A single type of attack is often detected by multiple rules. The new alert
    classification tags solve this issue by providing an alternative alert type
    indication and can serve for filtering and analysis of audit logs.
    The classification tags are hierarchical with slashes separating levels.
    Usually there are two levels with the top level describing the alert group
    and the lower level denoting the alert type itself, for example:
    WEB_ATTACK/SQL_INJECTION.

False Positives Fixes:
- Rule 960903 - Moved to phase 4 instead of 5 to avoid FPs
- Rule 950107 - Will look for invalid url decoding in variables that are not
                automatically url decoded

Additional rules logic:
- Using the new "logdata" action for logging the matched signature in rules
- When logging an event once, init the collection only if the alert needs to log
- Using the new operator @pm as a qualifier before large rules to enhance
    performance (Requires ModSecurity 2.5)
- SQL injection - A smarter regexp is used to detect 1=1,2=2,etc.. and not
    only 1=1. (Thanks to Marc Stern for the idea) 
- New XSS signatures - iframe & flash XSS


-------------------------
Version 1.5.1 - 2007/12/6
-------------------------

False Positives Fixes:
- Protocol Anomalies (file 21) - exception for Apache SSL pinger (Request: GET /)

New Events:
- 960019 - Detect HTTP/0.9 Requests
  HTTP/0.9 request are not common these days. This rule will log by default,
  and block in the blocking version of file 21
  
Other Fixes:
- File 40, Rules 950004,950005 - Repaired the correction for the double
  url decoding problem
- File 55 contained empty regular expressions. Fixed.             

------------------------
Version 1.5 - 2007/11/23
------------------------

New Rulesets:
- 23 - Request Limits
    "Judging by appearances". This rulesets contains rules blocking based on
    the size of the request, for example, a request with too many arguments
    will be denied.

Default policy changes:
- XML protection off by default
- BLOCKING dir renamed to optional_rules
- Ruleset 55 (marketing) is now optional (added to the optional_rules dir)
- Ruleset 21 - The exception for apache internal monitor will not log anymore

New Events:
- 960912 - Invalid request body
  Malformed content will not be parsed by modsecurity, but still there might
  be applications that will parse it, ignoring the errors.
- 960913 - Invalid Request
  Will trigger a security event when request was rejected by apache with
  code 400, without going through ModSecurity rules.

Additional rules logic:
- 950001 - New signature: delete from
- 950007 - New signature: waitfor delay

False Positives Fixes:
- 950006 - Will not be looking for /cc pattern in User-Agent header
- 950002 - "Internet Explorer" signature removed
- Double decoding bug used to cause FPs. Some of the parameters are already
  url-decoded by apache. This caused FPs when the rule performed another
  url-decoding transformation. The rules have been split so that parameters
  already decoded by apache will not be decoded by the rules anymore.
- 960911 - Expression is much more permissive now
- 950801 - Commented out entirely. NOTE: If your system uses UTF8 encoding,
           then you should uncomment this rule (in file 20)

--------------------------
version 1.4.3 - 2007/07/21
--------------------------

New Events:
- 950012 - HTTP Request Smuggling
  For more info on this attack:
  http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
- 960912 - Invalid request body
  Malformed content will not be parsed by modsecurity, but still there might
  be applications that will parse it, ignoring the errors.
- 960913 - Invalid Request
  Will trigger a security event when request was rejected by apache with
  code 400, without going through ModSecurity rules.

False Positives Fixes:
- 950107 - Will allow a % sign in the middle of a string as well
- 960911 - A more accurate expression based on the rfc:
            http://www.ietf.org/rfc/rfc2396.txt
- 950015 - Will not look for http/ pattern in the request headers

Additional rules logic:
- Since Apache applies scope directives only after ModSecurity phase 1
  this directives cannot be used to exclude phase 1 rules. Therefore
  we moved all inspection rules to phase 2.


--------------------------------
version 1.4 build 2 - 2007/05/17
--------------------------------

New Feature:
- Search for signatures in XML content
    XML Content will be parsed and ispected for signatures

New Events:
- 950116 - Unicode Full/Half Width Abuse Attack Attempt
    Full-width unicode can by used to bypass content inspection. Such encoding will be forbidden
    http://www.kb.cert.org/vuls/id/739224
- 960911 - Invalid HTTP request line
    Enforce request line to be valid, i.e.: <METHOD> <path> <HTTP version>
- 960904 - Request Missing Content-Type (when there is content)
    When a request contains content, the content-type must be specified. If not, the content will not be inspected
- 970018 - IIS installed in default location (any drive)
    Log once if IIS in installed in the /Inetpub directory (on any drive, not only C)
- 950019 - Email Injection
    Web forms used for sending mail (such as "tell a friend") are often manipulated by spammers for sending anonymous emails

Regular expressions fixes:
- Further optimization of some regular expressions (using the non-greediness operator)
    The non-greediness operator, <?>, prevents excessive backtracking

FP fixes:
- Rule 950107 - Will allow a parameter to end in a % sign from now on

------------------------
version 1.4 - 2007/05/02
------------------------

New Events:
- 970021 - WebLogic information disclosure
    Matching of "<title>JSP compile error</title>" in the response body, will trigger this rule, with severity 4 (Warning)
- 950015,950910,950911 - HTTP Response Splitting
    Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent white paper:
    http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
ModSecurity does not support compressed content at the moment. Thus, the following rules have been added:
- 960902 - Content-Encoding in request not supported
    Any incoming compressed request will be denied
- 960903 - Content-Encoding in response not suppoted
    An outgoing compressed response will be logged to alert, but ONLY ONCE.

False Positives Fixes:
- Removed <.exe>,<.shtml> from restricted extensions
- Will not be looking for SQL Injection signatures <root@>,<coalesce> in the Via request header
- Excluded Referer header from SQL injection, XSS and command injection rules
- Excluded X-OS-Prefs header from command injection rule
- Will be looking for command injection signatures in
  REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie.
- Allowing charset specification in the <application/x-www-form-urlencoded> Content-Type

Additional rules logic:
- Corrected match of OPTIONS method in event 960015
- Changed location for event 960014 (proxy access) to REQUEST_URI_RAW
- Moved all rules apart from method inspection from phase 1 to phase 2 -
    This will enable viewing content if such a rule triggers as well as setting
    exceptions using Apache scope tags.
- Added match for double quote in addition to single quote for <or x=x> signature (SQL Injection)
- Added 1=1 signature (SQL Injection)

--------------------------------
version 1.3.2 build 4 2007/01/17
--------------------------------

Fixed apache 2.4 dummy requests exclusion
Added persistent PDF UXSS detection rule

--------------------------------
Version 1.3.2 build 3 2007/01/10
--------------------------------

Fixed regular expression in rule 960010 (file #30) to allow multipart form data
content

--------------------------
Version 1.3.2 - 2006/12/27
--------------------------

New events:
- 960037  Directory is restricted by policy
- 960038  HTTP header is restricted by policy

Regular expressions fixes:
- Regular expressions with @ at end of beginning (for example "@import)
- Regular expressions with un-escaped "."
- Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail)
- The command injection wget is not searched in the UA header as it has different meaning there.
- LDAP Fixed to reduce FPs:
  + More accurate regular expressions
  + high bit characters not accpeted between signature tokens.
- Do not detect <?xml as a PHP tag in both PHP injection and PHP source leakage
- Removed Java from automation UA
- When validating encoding, added regexp based chained rule that accepts both %xx and %uxxxxx encoding bypassing a limitation of "@validateUrlEncoding"

Additional rules logic:
- Checks for empty headers in addition to missing ones  (Host, Accept and User-Agent)
- OPTIONS method does not require an accept header.
- Apache keep alive request exception.
- PROPFIND and OPTIONS can be used without content-encoding (like HEAD and GET)
- Validate byte range checks by default only that no NULL char exists.
- Added CSS to allowed extensions in strict rule sets.
- Changed default action in file #50 to pass instead of deny.
- Moved IP host header from protocol violations to protocol anomalies.

Modified descriptions:
- 950107: URL Encoding Abuse Attack Attempt
- 950801: UTF8 Encoding Abuse Attack Attempt
- Added matched pattern in many events using capture and %{TX.0}
- Added ctl:auditLogParts=+E for outbound events and attacks to collect response.

------------------------
Version 1.2 - 2006/11/19
------------------------

Changes:
+ Move all events to the range of events allocated to Thinking Stone, now Breach
by prefixing all event IDs with "9".
+ Reverse severities to follow the Syslog format used by ModSecurity, now 1 is
the highest and 5 the lowest.

Bug fixes:
+ Removed quotes from list of mime types inspected on exit (directive
SecResponseBodyMimeType)
+ Corrected "cd .." signature. Now the periods are escaped.
+ Too many FPs with events 950903 & 950905. Commented them out until fixed.

------------------------
Version 1.1 - 2006/10/18
------------------------

Initial version
