
Meta-actions are not applied if multiMatch is enabled in the chain starter rule #2867

Closed
@mlevogiannis


Describe the bug

If the chain starter rule in a rule chain has multiMatch enabled, meta-actions (severity, data, msg, tag) are not applied and their respective fields are not populated in the audit log.

This issue is related to issues #2573 and #2754. PR #2673 fixed the former (and PR #2866 fixes the latter); however, it explicitly excluded rule chains:

```cpp
if (m_containsMultiMatchAction && !m_isChained) {
```

Logs and dumps

See regression test below:

```
---GrOr1Hxd---A--
[20/Jan/2023:13:58:23 +0000] 167422310350.316461 200.249.12.31 2313 200.249.12.31 80
---GrOr1Hxd---B--
GET /test.pl?param1=test&param2=tEst2 HTTP/1.1

---GrOr1Hxd---F--
HTTP/1.1 403

---GrOr1Hxd---H--
ModSecurity: Warning. Matched "Operator `Contains' with parameter `test2' against variable `ARGS:param2' (Value: `tEst2' ) [file "auditlog.json"] [line "3"] [id "1557"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "200.249.12.31"] [uri "/test.pl"] [unique_id "167422310350.316461"] [ref "o0,5v32,5t:lowercase"]

---GrOr1Hxd---Z--
```

To Reproduce

The following regression test reproduces the problem (adapted from the regression tests in the aforementioned PR):

```json
{
  "enabled": 1,
  "version_min": 300000,
  "version_max": 0,
  "title": "auditlog : rule chain, multiMatch data",
  "client": {
    "ip": "200.249.12.31",
    "port": 2313
  },
  "server": {
    "ip": "200.249.12.31",
    "port": 80
  },
  "request": {
    "headers": {
    },
    "uri": "\/test.pl?param1=test&param2=tEst2",
    "method": "GET",
    "http_version": 1.1,
    "body": ""
  },
  "expected": {
    "audit_log": "\\[msg \"testmsg\"\\]",
    "error_log": "",
    "http_code": 403
  },
  "rules": [
    "SecRuleEngine On",
    "SecDefaultAction \"phase:1,nolog,auditlog,deny,status:403\"",
    "SecRule ARGS \"@contains test2\" \"id:1557,phase:1,multiMatch,block,log,t:none,t:urlDecode,t:lowercase,msg:'testmsg',chain\" SecRule REQUEST_METHOD \"@streq GET\" \"t:none\"",
    "SecAuditEngine RelevantOnly",
    "SecAuditLogParts ABCFHZ",
    "SecAuditLog /tmp/test/modsec_audit_multimatch_5.log",
    "SecAuditLogDirMode 0766",
    "SecAuditLogFileMode 0666",
    "SecAuditLogType Serial",
    "SecAuditLogRelevantStatus \"^(?:5|4(?!04))\""
  ]
}
```

Expected behavior

Meta-actions, which can only be used in the chain starter rule of a rule chain, should be applied when multiMatch is enabled in that rule.

Additional context

None.
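An added example, not part of the original issue or of ModSecurity's own code: a small checker that reads part H of a Serial audit log and reports messages whose logged meta-action fields differ from what the rule declares, which is the symptom described above. The names `h_messages`, `missing_meta` and `EXPECTED`, and the second sample transaction, are assumptions made for illustration.

```python
import re

BOUNDARY = re.compile(r"^---(\w+)---([A-Z])--$")   # e.g. ---GrOr1Hxd---H--
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # e.g. [msg "testmsg"]

# Sample input: the part-H line quoted in the issue, followed by a constructed
# second transaction (boundary Ab12Cd34) where the rule's msg was logged.
SAMPLE_LOG = r'''---GrOr1Hxd---H--
ModSecurity: Warning. Matched "Operator `Contains' with parameter `test2' against variable `ARGS:param2' (Value: `tEst2' ) [file "auditlog.json"] [line "3"] [id "1557"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "200.249.12.31"] [uri "/test.pl"] [unique_id "167422310350.316461"] [ref "o0,5v32,5t:lowercase"]
---GrOr1Hxd---Z--
---Ab12Cd34---H--
ModSecurity: Warning. Matched "Operator `Contains' with parameter `test2' against variable `ARGS:param2' (Value: `test2' ) [file "auditlog.json"] [line "3"] [id "1557"] [rev ""] [msg "testmsg"] [data ""] [severity "0"]
---Ab12Cd34---Z--
'''

# Meta-actions each rule declares, keyed by rule id (taken from the rule
# in the regression test: id 1557 sets msg:'testmsg').
EXPECTED = {"1557": {"msg": "testmsg"}}

def h_messages(log_text):
    """Yield (boundary, {field: value}) for every message line in a part H."""
    boundary, part = None, None
    for line in log_text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            boundary, part = m.groups()
        elif part == "H" and line.startswith("ModSecurity:"):
            # Single-valued fields only; repeated fields keep the last value.
            yield boundary, dict(FIELD.findall(line))

def missing_meta(log_text, expected):
    """Return (boundary, rule id, field, logged value) for each mismatch."""
    findings = []
    for boundary, fields in h_messages(log_text):
        for name, want in expected.get(fields.get("id"), {}).items():
            got = fields.get(name)
            if got != want:
                findings.append((boundary, fields["id"], name, got))
    return findings

if __name__ == "__main__":
    for finding in missing_meta(SAMPLE_LOG, EXPECTED):
        print("meta-action not applied:", finding)
```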
