Releases: coreruleset/coreruleset
v4.14.0
What's Changed
🆕 New features and detections 🎉
- feat: detect ASP web shells by @Xhoenix in #4063
- feat: detect compressed database dumps by @EsadCetiner in #4082
- feat: detect javascript methods import, fetch, console.log, console.dir by @EsadCetiner in #4076
🧰 Other Changes
- fix: fixing FPs related to rule 951220 by @azurit in #4079
- fix: don't block ttf font files by @EsadCetiner in #4081
- fix: 932270 FP by @Xhoenix in #3917
- fix(954100): detect forward slash in path by @Xhoenix in #4094
- fix: remove .application from restricted extensions by @EsadCetiner in #4103
- fix: 44J-250329 by @EsadCetiner in #4107
Full Changelog: v4.13.0...v4.14.0
v4.13.0
What's Changed
⭐ Important changes
🆕 New features and detections 🎉
- feat: block header related to CVE-2025-29927 (Next.js) by @azurit in #4053
- feat: added new XSS payloads by @Xhoenix in #4055
- feat: add potential malicious file extensions into tx.restricted_extensions by @Xhoenix in #4068
- feat: add additional files commonly accessed by bots by @EsadCetiner in #4069
- feat: adding .dist and .dpkg-dist into tx.restricted_extensions by @azurit in #4057
- feat: add more default session cookie names by @Xhoenix in #4062
🪦 Rule removals
🧰 Other Changes
- fix(934130): extend prototype pollution payload by @Xhoenix in #4036
- fix: rule 930110 is not supposed to match bare '..' without (back)slashes by @azurit in #4050
- fix: use boundary to fix false positive with email firstname.dockery@host.tld by @EsadCetiner in #4045
- feat: refresh restricted-upload.data by @S0obi in #4046
- fix: tag inconsistency per file by @Xhoenix in #4031
- fix: added pre-check of unset TX variable by @airween in #4066
- fix: false positive found in quantitative testing round 2 for unix rce rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932231 PL-2, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932232 PL-3, 932238 PL-3) by @EsadCetiner in #4019
New Contributors
Full Changelog: v4.12.0...v4.13.0
v4.12.0
What's Changed
🆕 New features and detections 🎉
- feat: prevent V1 cookie format use by @fzipi in #4006
- feat: added new restricted files for openstack and docker compose by @azurit in #4021
🧰 Other Changes
- fix: multipart header tag consistency by @Xhoenix in #3992
- fix: prevent invalid commands matches on 5 characters or less (932220 PL-2, 932230 PL-1, 932232 PL-3, 932235 PL-1, 932236 PL-2, 932237 PL-3, 932238 PL-3, 932239 PL-2, 932250 PL-1, 932260 PL-1) by @EsadCetiner in #3735
- docs: add warning about default charsets modification by @fzipi in #4003
- fix: response splitting rules and tests by @theseion in #4009
- fix(933160): use better regex by @fzipi in #4010
- fix: move fopen to 933160 to resolve fp with RootAndLeafOpenCamera.jpg (933150 PL-1, 933160 PL-1) by @EsadCetiner in #4016
- fix(941210): update log message to reflect rule javascript word detection by @fzipi in #4023
- fix: remove .env from lfi-os-files.data by @theseion in #4024
New Contributors
Full Changelog: v4.11.0...v4.12.0
v4.11.0
What's Changed
🪦 Rule removals
🧰 Other Changes
- fix: remove aliases man, mi, si and resolve positives (932125 PL1) by @franbuehler in #3971
- fix: remove where, if, for and vol and resolve false positives (932380 PL1) by @franbuehler in #3972
- fix: make 932300 actually case-insensitive by @theseion in #3977
- fix: remove sql function names to resolve false positives (942151 PL1) by @franbuehler in #3973
- fix: issue 3809 by @Xhoenix in #3983
Full Changelog: v4.10.0...v4.11.0
v4.10.0
What's Changed
🆕 New features and detections 🎉
- feat: block CVE-2023-5003 by @azurit in #3955
- feat: prevent accessing PHP variables by @azurit in #3965
🧰 Other Changes
Full Changelog: v4.9.0...v4.10.0
v4.9.0
What's Changed
⭐ Important changes
🆕 New features and detections 🎉
- feat: add fish shell files to restricted-files.data by @OhMyVolk in #3915
- feat: add quantitative testing to Git workflow by @airween in #3924
🧰 Other Changes
- feat: added support for new web shells by @azurit in #3898
- fix(security): remove double URL decode (921151 PL2, 932190 PL3, 942441 PL2, 942442 PL2, 942460 PL3) by @azurit in #3741
- docs: extended rule documentation (900200) by @dune73 in #3934
New Contributors
Full Changelog: v4.8.0...v4.9.0
v3.3.7
v4.8.0
What's Changed
⭐ Important changes
- fix: 9EA-241022 v4 by @RedXanadu in #3905
🆕 New features and detections 🎉
🧰 Other Changes
- fix: remove unnecessary capture groups by @TimDiam0nd in #3849
- fix(942120): update operators by @Xhoenix in #3841
- fix(933120): do not match on base64 encoded strings by @fzipi in #3863
- fix(refactor): 942130 and 942131 regex-assembly by @Xhoenix in #3862
- fix(942520): SQL operators can be one or more characters by @Xhoenix in #3845
- chore: remove verify id-range by @fzipi in #3885
- chore: remove find-max-datalen-in-tests by @fzipi in #3891
- chore: remove honeypot sensor by @fzipi in #3883
- chore: remove browser tools by @fzipi in #3887
- chore: remove send-payload-pls by @fzipi in #3879
- chore: remove geo-location by @fzipi in #3875
- chore: remove crs2 renumbering by @fzipi in #3873
- chore: remove change-version script by @fzipi in #3869
- chore: remove join multiline rules by @fzipi in #3877
- chore: remove av-scanning by @fzipi in #3871
- chore: remove util virtual patching by @fzipi in #3889
- fix: include v3.3.6 release notes in latest by @fzipi in #3867
- chore: remove fp-finder by @fzipi in #3893
New Contributors
- @evidencebp made their first contribution in #3837
- @mtaket made their first contribution in #3855
Full Changelog: v4.7.0...v4.8.0
v4.7.0
What's Changed
🆕 New features and detections 🎉
🧰 Other Changes
- fix: Changed regex (920470) to match multiple whitespaces after Content-Type parameters to avoid false-positives by @lostmann-owl-it in #3818
- fix: fp with user-agent containing ; pg (932239 PL2) by @franbuehler in #3727
- fix: update xss detection with onwebkitplaybacktargetavailabilitychanged event by @fzipi in #3822
- feat: refactoring (944110 PL1) by @azurit in #3715
New Contributors
- @lostmann-owl-it made their first contribution in #3818
Full Changelog: v4.6.0...v4.7.0
v4.6.0
What's Changed
⭐ Important changes
- fix: prevent using backslash in file names by @fzipi in #3799
- feat: add new rule to catch invalid character in multipart headers by @airween, @theseion, @fzipi in #3796
Big thanks to @luelueking for reporting these two to us ☝️.
🧰 Other Changes
- feat: rule to detect bash tilde expansion by @Xhoenix in #3765
- fix: Update 932270's ver by @airween in #3786
- perf: remove unnecessary chain rule and capture (921180 PL3) by @EsadCetiner in #3787
- fix: add pem to restricted file extensions by @EsadCetiner in #3789
- fix(942160): check REQUEST_FILENAME by @mat1010 in #3782
New Contributors
Full Changelog: v4.5.0...v4.6.0