Closed
Description
Describe the bug
It appears that the rule 200005 is missing the log action, which is present for the other rules of the ModSecurity Recommended Rules.
This applies to the version
- v3.0.13: https://github.com/owasp-modsecurity/ModSecurity/blob/v3.0.13/modsecurity.conf-recommended#L158-L159, as well as
- v2.9.8: https://github.com/owasp-modsecurity/ModSecurity/blob/v2.9.8/modsecurity.conf-recommended#L111-L112.
The other rules with a deny action all have the log action:
v3.0.13:
$ grep -E ",(log|deny)" modsecurity.conf-recommended
"id:'200007', phase:2,t:none,log,deny,status:400,msg:'Failed to fully parse request body due to large argument count',severity:2"
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
"id:'200003',phase:2,t:none,log,deny,status:400, \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
"id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
v2.9.8:
$ grep -E ",(log|deny)" modsecurity.conf-recommended
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
"id:'200003',phase:2,t:none,log,deny,status:400, \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
"id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
Logs and dumps
Not applicable.
To Reproduce
Not applicable.
Expected behavior
I would expect the rule 200005 to explicitly use the log action like the other rules.
Server (please complete the following information):
- ModSecurity version (and connector): v3.0.13 and v2.9.8
- WebServer: Not applicable.
- OS (and distro): Not applicable.
Rule Set (please complete the following information):
- Running any public or commercial rule set? ModSecurity Recommended Rules
- What is the version number? Not applicable.
Additional context
--