@abtnode/router-provider 1.16.46-beta-20250703-024219-4029ee97 → 1.16.46-beta-20250704-234926-09d872ad

package/lib/nginx/includes/security/crs4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf

@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.9.0
+# OWASP CRS ver.4.16.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -23,8 +23,8 @@
 #
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -63,8 +63,9 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\x0b#]*)?(?:#[^\s\x0b]*)
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 
@@ -118,8 +119,9 @@ SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[a
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -147,8 +149,9 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -181,8 +184,9 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
@@ -206,8 +210,9 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     chain"
     SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
@@ -246,8 +251,9 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_METHOD "@streq POST" \
@@ -276,8 +282,9 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'WARNING',\
     chain"
     SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
@@ -314,8 +321,9 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'WARNING',\
     chain"
     SecRule TX:2 "@lt %{tx.1}" \
@@ -346,89 +354,12 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 
-#
-# Check URL encodings
-#
-# -=[ Rule Logic ]=-
-# There are two different chained rules.    We need to separate them as we are inspecting two
-# different variables - REQUEST_URI_RAW and REQUEST_BODY.   For REQUEST_BODY, we only want to
-# run the @validateUrlEncoding operator if the content-type is application/x-www-form-urlencoding.
-#
-# We exclude the last path segment from validation because it could be a file name, which could
-# easily contain a '%' character that is not part of a URI encoded sequence.
-#
-# -=[ References ]=-
-# http://www.ietf.org/rfc/rfc1738.txt
-#
-# -=[ Example payload ]=-
-# http://localhost/?s=a%20b%20c%'/
-# reason: %'/ is not a valid url encoding
-#
-# Regular expression generated from regex-assembly/920220-chain1.ra.
-# To update the regular expression run the following shell script
-# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
-#   crs-toolchain regex update 920220-chain1
-#
-SecRule REQUEST_URI_RAW "@rx \x25" \
-    "id:920220,\
-    phase:1,\
-    block,\
-    t:none,t:urlDecodeUni,\
-    msg:'URL Encoding Abuse Attack Attempt',\
-    logdata:'%{REQUEST_URI_RAW}',\
-    tag:'application-multi',\
-    tag:'language-multi',\
-    tag:'platform-multi',\
-    tag:'attack-protocol',\
-    tag:'paranoia-level/1',\
-    tag:'OWASP_CRS',\
-    tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.9.0',\
-    severity:'CRITICAL',\
-    chain"
-    SecRule REQUEST_URI_RAW "@rx ^(.*)/(?:[^\?]+)?(\?.*)?$" \
-        "capture,\
-        chain"
-        SecRule TX:1|TX:2 "@validateUrlEncoding" \
-            "t:none,t:urlDecodeUni,\
-            setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-
-# Validate URI encoding of the last path segment, only if it does not look like a file name.
-# A file name could easily contain a '%' character that is not part of a URI encoded sequence.
-#
-# Regular expression generated from regex-assembly/920221.ra.
-# To update the regular expression run the following shell script
-# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
-#   crs-toolchain regex update 920221
-#
-SecRule REQUEST_BASENAME "!@rx ^.*%.*\.[^\s\x0b\.]+$" \
-    "id:920221,\
-    phase:1,\
-    block,\
-    capture,\
-    t:none,t:urlDecodeUni,\
-    msg:'URL Encoding Abuse Attack Attempt',\
-    logdata:'%{REQUEST_BASENAME}',\
-    tag:'application-multi',\
-    tag:'language-multi',\
-    tag:'platform-multi',\
-    tag:'attack-protocol',\
-    tag:'paranoia-level/1',\
-    tag:'OWASP_CRS',\
-    tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.9.0',\
-    severity:'CRITICAL',\
-    chain"
-    SecRule TX:0 "@validateUrlEncoding" \
-        "t:none,t:urlDecodeUni,\
-        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
 
 #
 # Check UTF encoding
@@ -452,8 +383,9 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153/267',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
@@ -496,8 +428,9 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx (?i)%uff[0-9a-f]{2}" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 
@@ -539,7 +472,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx (?i)%uff[0-9a-f]{2}" \
 # 920274 generally has few positives. However, it would detect rare attacks
 # on Accept request headers and friends.
 
-SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
+SecRule REQUEST_URI_RAW|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
     "id:920270,\
     phase:2,\
     block,\
@@ -552,8 +485,9 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -583,9 +517,10 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
     skipAfter:END-HOST-CHECK"
@@ -603,8 +538,9 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -643,8 +579,9 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'NOTICE',\
     chain"
     SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@@ -668,8 +605,9 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'NOTICE',\
     chain"
     SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@@ -701,8 +639,9 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'NOTICE',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
 
@@ -738,8 +677,9 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'NOTICE',\
     chain"
     SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@@ -782,9 +722,10 @@ SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 
@@ -815,8 +756,9 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     chain"
     SecRule &ARGS "@gt %{tx.max_num_args}" \
@@ -840,8 +782,9 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
@@ -867,8 +810,9 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS "@gt %{tx.arg_length}" \
@@ -891,8 +835,9 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
@@ -916,8 +861,9 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
@@ -942,8 +888,9 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     chain"
     SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
@@ -981,9 +928,10 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s*(?:action|bounda
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1004,9 +952,10 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.content_type=|%{tx.0}|',\
     chain"
@@ -1032,9 +981,10 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.content_type_charset=|%{tx.1}|',\
     chain"
@@ -1059,9 +1009,10 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1081,9 +1032,10 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1104,9 +1056,10 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.extension=.%{tx.1}/',\
     chain"
@@ -1131,9 +1084,10 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1185,9 +1139,10 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.header_name_920450_%{tx.0}=/%{tx.0}/',\
     chain"
@@ -1219,9 +1174,10 @@ SecRule REQUEST_HEADERS:Accept-Encoding "@gt 100" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1253,7 +1209,8 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.9.0',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1275,8 +1232,9 @@ SecRule REQBODY_PROCESSOR "!@streq JSON" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" \
@@ -1300,7 +1258,8 @@ SecRule REQUEST_URI_RAW "@contains #" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.9.0',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1332,13 +1291,14 @@ SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.9.0',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -1376,8 +1336,9 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_BASENAME "!@endsWith .pdf" \
@@ -1400,8 +1361,9 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
@@ -1421,8 +1383,9 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153/267/120',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
 
@@ -1430,7 +1393,7 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
 #
 # PL2: This is a stricter sibling of 920270.
 #
-SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,32-126,128-255" \
+SecRule REQUEST_URI_RAW|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,32-126,128-255" \
     "id:920271,\
     phase:2,\
     block,\
@@ -1443,8 +1406,9 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
@@ -1469,9 +1433,10 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'NOTICE',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
 
@@ -1492,8 +1457,9 @@ SecRule FILES_NAMES|FILES "@rx ['\";=\x5c]" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
@@ -1517,8 +1483,9 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     chain"
     SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@@ -1543,9 +1510,10 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.header_name_920451_%{tx.0}=/%{tx.0}/',\
     chain"
@@ -1571,8 +1539,9 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_BODY "@rx \x25" \
@@ -1580,8 +1549,8 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
         SecRule REQUEST_BODY "@validateUrlEncoding" \
             "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
@@ -1592,7 +1561,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'O
 # This rule is also triggered by the following exploit(s):
 # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
 #
-SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 32-36,38-126" \
+SecRule REQUEST_URI_RAW|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 32-36,38-126" \
     "id:920272,\
     phase:2,\
     block,\
@@ -1605,8 +1574,9 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
@@ -1638,9 +1608,10 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'NOTICE',\
     chain"
     SecRule REQUEST_METHOD "!@rx ^(?:OPTIONS|CONNECT)$" \
@@ -1672,8 +1643,9 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
@@ -1725,8 +1697,9 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
     tag:'header-allowlist',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" \
@@ -1755,14 +1728,15 @@ SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?g
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
@@ -1784,8 +1758,9 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
@@ -1811,8 +1786,9 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 
@@ -1832,8 +1808,9 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 
@@ -1858,8 +1835,9 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 
@@ -1902,8 +1880,9 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdegh
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/153/267',\
-    ver:'OWASP_CRS/4.9.0',\
+    ver:'OWASP_CRS/4.16.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"