From 274128197715fc375ef2b7a09c208c2d00a44a8d Mon Sep 17 00:00:00 2001
From: "Federico G. Schwindt"
Date: Thu, 31 May 2018 14:52:04 +0100
Subject: [PATCH] Add or remove capture as appropriate
---
 rules/REQUEST-913-SCANNER-DETECTION.conf | 2 ++
 rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf | 3 ---
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/rules/REQUEST-913-SCANNER-DETECTION.conf b/rules/REQUEST-913-SCANNER-DETECTION.conf
index ec6f9f960..11fd9de7d 100644
--- a/rules/REQUEST-913-SCANNER-DETECTION.conf
+++ b/rules/REQUEST-913-SCANNER-DETECTION.conf
@@ -60,6 +60,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \
 "id:913110,\
 phase:2,\
 block,\
+ capture,\
 t:none,t:lowercase,\
 msg:'Found request header associated with security scanner',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
@@ -87,6 +88,7 @@ SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \
 "id:913120,\
 phase:2,\
 block,\
+ capture,\
 t:none,t:lowercase,\
 msg:'Found request filename/argument associated with security scanner',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 886e91786..3f0b77f37 100644
--- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -1146,7 +1146,6 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
 "id:920200,\
 phase:2,\
 block,\
- capture,\
 t:none,\
 msg:'Range: Too many fields (6 or more)',\
 logdata:'%{matched_var}',\
@@ -1173,7 +1172,6 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
 "id:920201,\
 phase:2,\
 block,\
- capture,\
 t:none,\
 msg:'Range: Too many fields for pdf request (63 or more)',\
 logdata:'%{matched_var}',\
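Review bot: Rules 913110 and 913120 now depend on `capture` for the `%{TX.0}` in their `logdata`, but nothing next to the rules records that dependency, so a later cleanup could strip the action again just as this commit strips it from the 920 rules. I would add a comment above each `SecRule`, e.g. `# capture is required: logdata expands %{TX.0}, which the phrase match only populates when capture is set`. Without the action the "Matched Data" field can come out empty or carry a capture left over from an earlier rule in the same transaction, which misleads whoever triages the alert. A lint step that flags any rule expanding `%{TX.N}` without `capture` would stop this from regressing; both action lists continue past the hunk, so other uses of `TX.0` are not visible here.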
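Review bot: Dropping `capture` from 920200, 920201 and 920202 is only safe if nothing later in each rule reads `TX.0`–`TX.9`, and all three hunks stop at `logdata`, before the remaining actions and any chained rule. The visible `logdata:'%{matched_var}'` needs no capture, so the removal is consistent with what is shown. Before merging I would search the full bodies of these three rules and their chained rules for numeric `%{tx.N}` references, since a leftover one would likely expand to an empty or stale value in the log rather than fail loudly.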
@@ -1371,7 +1369,6 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
 "id:920202,\
 phase:2,\
 block,\
- capture,\
 t:none,\
 msg:'Range: Too many fields for pdf request (6 or more)',\
 logdata:'%{matched_var}',\