

version 1.3.2 build 4 2007/01/17

Fixed apache 2.4 dummy requests exclusion
Added persistent PDF UXSS detection rule 


Vervion 1.3.2 build 3 2007/01/10

Fixed regular expresion in rule 960010 (file #30) to allow mulipart-data content


Version 1.3.2 - 2006/12/27 

New events:
- 960037  Directory is restricted by policy
- 960038  HTTP header is restricted by policy

Regular expressions fixes:
- Regular expressions with @ at end of beginning (for example "@import)
- Regular expressions with un-escaped "."
- Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail)
- The command injection wget is not searched in the UA header as it has different meaning there.
- LDAP Fixed to reduce FPs:
	+ More accurate regular expressions
	+ high bit characters not accpeted between signature tokens.
- Do not detect <?xml as a PHP tag in both PHP injection and PHP source leakage
- Removed Java from automation UA
- When validating encoding, added regexp based chained rule that accepts both %xx and %uxxxxx encoding bypassing a limitation of "@validateUrlEncoding"

Additional rules logic:
- Checks for empty headers in addition to missing ones  (Host, Accept and User-Agent)
- OPTIONS method does not require an accept header.
- Apache keep alive request exception.
- PROPFIND and OPTIONS can be used without content-encoding (like HEAD and GET)
- Validate byte range checks by default only that no NULL char exists.
- Added CSS to allowed extensions in strict rule sets.
- Changed default action in file #50 to pass instead of deny.
- Moved IP host header from protocol violations to protocol anomalies.

Modified descriptions: 
- 950107: URL Encoding Abuse Attack Attempt
- 950801: UTF8 Encoding Abuse Attack Attempt
- Added matched pattern in many events using capture and %{TX.0}
- Added ctl:auditLogParts=+E for outbound events and attacks to collect response.

--
Version 1.2 - 2006/11/19

Changes:
+ Move all events to the range of events allocated to Thinking Stone, now Breach
by prefixing all event IDs with "9".
+ Reverse severities to follow the Syslog format used by ModSecurity, now 1 is 
the highest and 5 the lowest.   

Bug fixes:
+ Removed quotes from list of mime types inspected on exit (directive 
SecResponseBodyMimeType)
+ Corrected "cd .." signature. Now the periods are escaped.
+ Too many FPs with events 950903 & 950905. Commented them out until fixed.

--
Version 1.1 - 2006/10/18

Initial version 
