Description
Hi,
I wrote a simple program to detect potential attacks, and I find that the rule message (or log data) I get from the callback differs.
```
[log:ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:^([\d.]+|[[\da-f:]+]|[\da-f:]+)(:[\d]+)?$)' against variable `REQUEST_HEADERS:Host' (Value: `192.168.2.230' ) [file "/root/cleanset/z01_waf_jc/rules/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "743"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "192.168.2.230"] [severity "4"] [ver "OWASP_CRS/3.4.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "127.0.0.1"] [uri "/"] [unique_id "1653876579"] [ref "o0,13o0,13v38,13"]]
[log:ModSecurity: Warning. detected SQLi using libinjection. [file "/root/cleanset/z01_waf_jc/rules/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1&1 found within ARGS:id: 1 AND 1=1"] [severity "2"] [ver "OWASP_CRS/3.4.0-dev"] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/"] [unique_id "1653876579"] [ref "v9,9"]]
[log:ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `8' ) [file "/root/cleanset/z01_waf_jc/rules/crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "139"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.4.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "127.0.0.1"] [uri "/"] [unique_id "1653876579"] [ref ""]]
```
These logs came from an attack pcap. The one that triggered SQLi does not contain any tags, but looking up rule 942100 shows it does have tags. Does anyone have any idea how this happened? Thanks in advance.