
Multimatch rule hits have msg and data fields empty in audit logs #2573

Closed
@Sachin-M-Desai


Describe the bug

For rules that have been tagged with "multimatch", the audit logs are incomplete. In the example below for rule 942130, the msg and data fields are empty. The issue is generic to all the rules tagged with "multimatch".

ModSecurity: Warning. Matched "Operator Rx' with parameter (?i:[\s'"()]*?\b([\d\w]+)\b[\s'\"()]?(?:<(?:=(?:[\s'"()]*?(?!\b\1\b)[\d\w]+|>[\s'\"()]?(?:\b\1\b))|>?[\s'"()]*?(?!\b\1\b)[\d\w]+)|(?:not\s+(?:regexp|like)|is\s+not|>=?|!=|\^)[\s'\"()]*?(?!\ (78 characters omitted)' against variable ARGS:json.comment' (Value: The taste of the juice is not good. {{js-email}} ' ) [file "/usr/local/appsentinels-onprem/config/policies/shop1/waf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "621"] [id "942130"] [rev ""] [msg ""] [data ""] [severity "0"]
[ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [hostname "172.20.0.5"] [uri "/api/Feedbacks/8"] [unique_id "1622108344"] [ref "o17,18o18,5v13,50"]

The issue is not seen if the multimatch field is taken off the rule. All is well then.

Logs and dumps

Output of:

  1. DebugLogs (level 9): modsec_debug.log
  2. AuditLogs: modsec_audit.log
  3. Error logs
  4. If there is a crash, the core dump file.

To Reproduce

Steps to reproduce the behavior:
Configure in DetectionOnly mode and run the sample curl command below:

curl -i -X POST -H 'Content-type: application/json' http://XXXXXXXX:XXXX/api/Feedbacks/8 -d '{"captcha":"14","rating":3,"captchaId":0,"comment":" The taste of the juice is not good. {{js-email}} ","UserId":39}'

Expected behavior
msg field should have been populated with "SQL Injection Attack: SQL Tautology Detected"

Server (please complete the following information):

  • ModSecurity v3.0.1
  • WebServer: Using libmodsecurity integrated with our application
  • OS (and distro): Linux

Rule Set (please complete the following information):

  • Running any public or commercial rule set? CRS rule set
  • What is the version number? checked out at 2020-15-12
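To catch entries like the ones above, where a rule id is logged but msg and data are empty, here is an added Python check for ModSecurity v3 log lines; it is not part of this issue or of the ModSecurity project. The two sample lines are constructed (one abridged from the report, one with the metadata the reporter expected), and the "Matched Data" value in the second line is assumed.

```python
import re
from collections import Counter
from typing import Dict, List

# libmodsecurity appends metadata as bracketed pairs: [key "value"]
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample log lines (not the reporter's verbatim output).
SAMPLE_LOG = [
    # Abridged from the report: multimatch hit with empty msg/data.
    'ModSecurity: Warning. Matched "Operator Rx\' with parameter (?i:...)\' '
    'against variable ARGS:json.comment\' (Value: The taste of the juice is not '
    'good. {{js-email}} ) [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
    '[line "621"] [id "942130"] [rev ""] [msg ""] [data ""] [severity "0"] '
    '[ver "OWASP_CRS/3.2.0"] [uri "/api/Feedbacks/8"] [unique_id "1622108344"]',
    # The same rule with the metadata the reporter expected (data value assumed).
    'ModSecurity: Warning. Matched "Operator Rx\' with parameter (?i:...)\' '
    'against variable ARGS:json.comment\' (Value: x ) '
    '[file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "621"] [id "942130"] '
    '[rev ""] [msg "SQL Injection Attack: SQL Tautology Detected"] '
    '[data "Matched Data: 1=1 found within ARGS:json.comment"] [severity "2"] '
    '[ver "OWASP_CRS/3.2.0"] [uri "/api/Feedbacks/8"] [unique_id "1622108345"]',
]


def parse_modsec_fields(line: str) -> Dict[str, str]:
    """Return the [key "value"] pairs found on one ModSecurity log line."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def find_context_gaps(lines: List[str], required=("msg", "data")) -> List[Dict[str, str]]:
    """Flag rule hits whose required context fields are missing or empty.

    Alerting and triage usually key on msg/data, so a hit that carries only an
    id (as with the multimatch rules in this issue) is silently less useful.
    """
    gaps = []
    for line in lines:
        fields = parse_modsec_fields(line)
        if "ModSecurity:" not in line or "id" not in fields:
            continue  # not a rule hit
        missing = [name for name in required if not fields.get(name)]
        if missing:
            gaps.append({"id": fields["id"], "file": fields.get("file", ""),
                         "line": fields.get("line", ""),
                         "unique_id": fields.get("unique_id", ""),
                         "missing": ",".join(missing)})
    return gaps


def gaps_by_rule(lines: List[str]) -> Dict[str, int]:
    """Count degraded hits per rule id, to see which rules need attention."""
    return dict(Counter(gap["id"] for gap in find_context_gaps(lines)))
```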
