Multimatch rule hits have msg and data fields empty in audit logs · Issue #2573 · owasp-modsecurity/ModSecurity

Describe the bug

For rules that have been tagged with "multimatch", the audit logs are incomplete. In the example below for rule 942130, the msg and data fields are empty. The issue is generic to all the rules tagged with "multimatch".

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:[\s'"()]*?\b([\d\w]+)\b[\s'\"()]*?(?:<(?:=(?:[\s'"()]*?(?!\b\1\b)[\d\w]+|>[\s'\"()]*?(?:\b\1\b))|>?[\s'"()]*?(?!\b\1\b)[\d\w]+)|(?:not\s+(?:regexp|like)|is\s+not|>=?|!=|\^)[\s'\"()]*?(?!\ (78 characters omitted)' against variable `ARGS:json.comment' (Value: ` The taste of the juice is not good. {{js-email}} ' ) [file "/usr/local/appsentinels-onprem/config/policies/shop1/waf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "621"] [id "942130"] [rev ""] [msg ""] [data ""] [severity "0"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [hostname "172.20.0.5"] [uri "/api/Feedbacks/8"] [unique_id "1622108344"] [ref "o17,18o18,5v13,50"]

The issue is not seen if the multimatch field is taken off the rule. All is well then.

Logs and dumps

Output of:

  1. DebugLogs (level 9): modsec_debug.log
  2. AuditLogs: modsec_audit.log
  3. Error logs
  4. If there is a crash, the core dump file.

To Reproduce

Steps to reproduce the behavior:
Configure in DetectionOnly mode and run the sample curl command below:

curl -i -X POST -H 'Content-type: application/json' http://XXXXXXXX:XXXX/api/Feedbacks/8 -d '{"captcha":"14","rating":3,"captchaId":0,"comment":" The taste of the juice is not good. {{js-email}} ","UserId":39}'

Expected behavior
The msg field should have been populated with "SQL Injection Attack: SQL Tautology Detected".

Server (please complete the following information):

Rule Set (please complete the following information):
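To check how widespread the symptom described in this report is in a log, the following added example (not part of the report or of ModSecurity itself) parses the bracketed `[key "value"]` fields of ModSecurity error-log lines and lists rule hits whose msg and data are both empty. The sample lines are constructed from the report, with the operator parameter shortened to "..."; the escaping of embedded quotes as `\"` is an assumption about the log format.

```python
import re

# One `[key "value"]` field; a value may contain \" escapes (assumption about
# how ModSecurity v3 writes embedded quotes in the error log).
FIELD_RE = re.compile(r'\[([A-Za-z_]+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample lines: the first mirrors the multimatch hit from the
# report (msg/data empty); the second shows the same rule with the expected
# msg populated. Operator parameters are shortened to "...".
SAMPLE_LINES = [
    'ModSecurity: Warning. Matched "Operator `Rx\' with parameter `...\' '
    'against variable `ARGS:json.comment\' (Value: ` {{js-email}} \' ) '
    '[file "/usr/local/appsentinels-onprem/config/policies/shop1/waf/rules/'
    'REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "621"] [id "942130"] '
    '[rev ""] [msg ""] [data ""] [severity "0"] [ver "OWASP_CRS/3.2.0"] '
    '[uri "/api/Feedbacks/8"] [unique_id "1622108344"]',
    'ModSecurity: Warning. Matched "Operator `Rx\' with parameter `...\' '
    'against variable `ARGS:json.comment\' (Value: `1\' or \'1\'=\'1 \' ) '
    '[file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "621"] '
    '[id "942130"] [msg "SQL Injection Attack: SQL Tautology Detected"] '
    '[data "Matched Data: 1 found within ARGS:json.comment: 1\\" or ..."] '
    '[severity "2"] [uri "/api/Feedbacks/8"] [unique_id "1622108345"]',
]


def parse_fields(line):
    """Return the bracketed fields of one ModSecurity log line as a dict."""
    return {k: v.replace('\\"', '"') for k, v in FIELD_RE.findall(line)}


def empty_msg_hits(lines):
    """Return (id, line, uri) for rule hits whose msg and data are both empty."""
    hits = []
    for line in lines:
        if "ModSecurity:" not in line:
            continue
        f = parse_fields(line)
        if "id" in f and f.get("msg", "") == "" and f.get("data", "") == "":
            hits.append((f["id"], f.get("line", ""), f.get("uri", "")))
    return hits


if __name__ == "__main__":
    for rule_id, rule_line, uri in empty_msg_hits(SAMPLE_LINES):
        print(f"rule {rule_id} (line {rule_line}) hit {uri} with empty msg/data")
```

Run it over a real modsec_audit.log or error log (one line per entry) to list every rule id that fired without msg/data, which is the symptom to expect from multimatch rules until the bug is fixed.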