Nightly releases are snapshots of the development activity on the Core Rule Set project that may include new features and bug fixes scheduled for upcoming releases. These releases are made available to make it easier for users to test their existing configurations against the Core Rule Set code base for potential issues or to experiment with new features, with a chance to provide feedback on ways to improve the changes before being released.

As these releases are snapshots of the latest code, you may encounter an issue compared to the latest stable release so users are encouraged to run nightly releases in a non production environment. If you encounter an issue, please check our issue tracker to see if the issue has already been reported; if a report hasn't been made, please report it so we can review the issue and make any needed fixes.

What's Changed

• fix: 9EA-241022 v3 by @RedXanadu in #3906

Full Changelog: v3.3.6...v3.3.7

What's Changed

⭐ Important changes

• fix: 9EA-241022 v4 by @RedXanadu in #3905

🆕 New features and detections 🎉

• chore: set up nginx tests by @theseion in #3856

🧰 Other Changes

• fix: remove unnecessary capture groups by @TimDiam0nd in #3849
• fix(942120): update operators by @Xhoenix in #3841
• fix(933120): do not match on base64 encoded strings by @fzipi in #3863
• fix(refactor): 942130 and 942131 regex-assembly by @Xhoenix in #3862
• fix(942520): SQL operators can be one or more characters by @Xhoenix in #3845
• chore: remove verify id-range by @fzipi in #3885
• chore: remove find-max-datalen-in-tests by @fzipi in #3891
• chore: remove honeypot sensor by @fzipi in #3883
• chore: remove browser tools by @fzipi in #3887
• chore: remove send-payload-pls by @fzipi in #3879
• chore: remove geo-location by @fzipi in #3875
• chore: remove crs2 renumbering by @fzipi in #3873
• chore: remove change-version script by @fzipi in #3869
• chore: remove join multiline rules by @fzipi in #3877
• chore: remove av-scanning by @fzipi in #3871
• chore: remove util virtual patching by @fzipi in #3889
• fix: include v3.3.6 release notes in latest by @fzipi in #3867
• chore: remove fp-finder by @fzipi in #3893

New Contributors

• @evidencebp made their first contribution in #3837
• @mtaket made their first contribution in #3855

Full Changelog: v4.7.0...v4.8.0

What's Changed

🆕 New features and detections 🎉

• feat: added sendgrid.env into restricted files by @azurit in #3823

🧰 Other Changes

• fix: Changed regex (920470) to match multiple whitespaces after Content-Type parameters to avoid false-positives by @lostmann-owl-it in #3818
• fix: fp with user-agent containing ; pg (932239 PL2) by @franbuehler in #3727
• fix: update xss detection with onwebkitplaybacktargetavailabilitychanged event by @fzipi in #3822
• feat: refactoring (944110 PL1) by @azurit in #3715

New Contributors

• @lostmann-owl-it made their first contribution in #3818

Full Changelog: v4.6.0...v4.7.0

What's Changed

⭐ Important changes

• fix: prevent using backslash in file names by @fzipi in #3799
• feat: add new rule to catch invalid character in multipart headers by @airween, @theseion, @fzipi in #3796

Big thanks tu @luelueking for reporting us these two ☝️ .

🧰 Other Changes

• feat: rule to detect bash tilde expansion by @Xhoenix in #3765
• fix: Update 932270's ver by @airween in #3786
• perf: remove unnecessary chain rule and capture (921180 PL3) by @EsadCetiner in #3787
• fix: add pem to restricted file extensions by @EsadCetiner in #3789
• fix(942160): check REQUEST_FILENAME by @mat1010 in #3782

New Contributors

• @mat1010 made their first contribution in #3782

Full Changelog: v4.5.0...v4.6.0

What's Changed

⭐ Important changes

• fix: prevent using backslash in file names (v3) by @fzipi in #3800
• feat: add new rule to catch invalid character in multipart headers (v3) by @airween (ported by @fzipi) in #3797

Big thanks tu @luelueking for reporting us these two ☝️ .

Full Changelog: v3.3.5...v3.3.6

What's Changed

🆕 New features and detections 🎉

• feat: added arithmetic expansion payload by @Xhoenix in #3756

🧰 Other Changes

• fix(security): alias false negative by @Xhoenix in #3740
• feat: add test overrides for nginx by @theseion in #3369
• fix: use proper capture for log output of 932300 by @theseion in #3763
• chore: use lowercase character class for 932320 by @theseion in #3772
• fix: remove nonnecessary variable (932260 PL1) by @dune73 in #3773

New Contributors

• @aryehb made their first contribution in #3755

Full Changelog: v4.4.0...v4.5.0

What's Changed

🆕 New features and detections 🎉

• feat: skip response rules if data are compressed by @azurit in #3742, #3712

🧰 Other Changes

• fix(934140): update regex by @fzipi in #3731
• fix: replacing t:UrlDecode with t:UrlDecodeUni (921240 PL1, 932170 PL1, 932171 PL1, 932190 PL3, 932190 PL1, 933211 PL3, 941310 PL1, 941350 PL1) by @azurit in #3713

Full Changelog: v4.3.0...v4.4.0

What's Changed

🆕 New features and detections 🎉

• feat: catch Java PostgreSQL errors (951240 PL1) by @azurit in #3686
• feat: block The Mysterious Mozlila User Agent bot (913100 PL1) by @brentclark in #3646

🧰 Other Changes

• fix: Oracle SQL database data leakage FP (951120 PL1) by @azurit in #3685
• fix: typos in 920330 and 942280 tests by @TimDiam0nd in #3688
• test: change pl-1 to pl1 to be inline with others by @TimDiam0nd in #3690
• feat: use renovate to update docker-compose by @theseion in #3697
• fix: FP for sched (932235 PL1, 932236 PL2, 932237 PL3, 932239 PL2, … by @theseion in #3701
• fix: collections not being initialized without User-Agent header by @azurit in #3645
• feat: refactoring of rule 941310 (PL1 941310) by @azurit in #3700
• fix: resolving more FPs with Oracle error messages (951120 PL1) by @azurit in #3703
• fix: removing double t:urlDecodeUni (920221 PL1, 920440 PL1, 932200 PL2, 932205 PL2, 932206 PL2) by @azurit in #3699
• fix: false positives from PHP config directives and functions (933120 PL1, 933151 PL2) by @ssigwart in #3638
• feat: prevent detection of web shells rules as malware by Windows Defender (955260 PL1) by @azurit in #3687
• fix: fp with name axel by removing it from rce rule (932260 PL1) by @franbuehler in #3705

New Contributors

• @TimDiam0nd made their first contribution in #3688
• @brentclark made their first contribution in #3646

Full Changelog: v4.2.0...v4.3.0

Version 4.2.0 - 2024-04-23

Changes with direct rule impact (sorted by lowest rule ID per change where available):

• fix: increase length of Accept-Encoding header from 50 to 100 (920520 PL1) (Franziska Bühler) [#3661]
• fix: add missing roundcube files (930120 PL1, 930121 PL2, 930130 PL1, 932180 PL1) (Esad Cetiner) [#3635]
• fix: add visudo and cscli to unix-shell.data (932160 PL1, 932161 PL2) (Esad Cetiner) [#3663]
• feat: block crowdsec cscli and visudo commands (932235 PL1, 932236 PL2, 932237 PL3, 932239 PL2, 932260 PL1) (Esad Cetiner) [#3649]
• fix: add detection for php evasion attempt (933100 PL1) (Franziska Bühler) [#3667]

Changes without direct rule impact:

• feat: disassemble php rule (933100 PL1) (Franziska Bühler) [#3662]
• chore: remove references to nonexistant 942110 rule (Esad Cetiner) [#3648]

Full Changelog: v4.1.0...v4.2.0