Closed shaghayegh9574 closed 3 years ago
Hi @shaghayegh9574 ,
It sounds like this is a duplicate of the open issue https://github.com/SpiderLabs/ModSecurity/issues/2573.
Feel free to correct me if I am mistaken.
Hello @martinhsv, you are right, thank you.
Closing as duplicate.
Describe the bug
When a rule contains multimatch, ModSecurity created logs with an empty message.
Expected behavior
For example, for the rule below, the ModSecurity message should be "Possible remote command execution", but it is empty.
Server:
Rule Set:
SecRule REQUEST_URI|ARGS|!ARGS:/msg/|!ARGS:post|!ARGS:/sql/|!ARGS:prefix|!ARGS:/body/|!ARGS:/search/|!ARGS:/message/|!ARGS:/text/|!ARGS:templatecode|!ARGS:areas|!ARGS:/illegalusernames/|!ARGS:/image/|!ARGS:resolution|!ARGS:depth|!ARGS:/email/|!ARGS:/comment/|!ARGS:mailbox|!ARGS:/descr/|!ARGS:/resolution/|!ARGS:/solution/|!ARGS:/txt/|!ARGS:body|!ARGS:/message/|!ARGS:/content/|!ARGS:/password/|!ARGS:FoxyData|!ARGS:/jform/|!ARGS:areas|!ARGS:templatecode|!ARGS:site_first|!ARGS:sendDescription|!ARGS:templatecode|!ARGS:areas|!ARGS:wpSummary|!ARGS:/keyword/ "(?:\b(?:cd|perl|killall|traceroute|python|r(?:pm|sync)|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(?:download|request|mirror|rget)|id|uname|cvs|svn|(?:s|r)(?:cp|sh)|n(?:et(?:stat|cat)|asm)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|whoami)\b |\brm\b \-[a-z] |\bcat\b /)" \
    "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:cmdline,multimatch,capture,id:340023,rev:4,severity:2,msg:'Possible remote command execution',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
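
To see which rules in a rule set combine multimatch with msg, and so are candidates for the empty-message symptom reported here, a rule file can be scanned as in the following added example, which is not part of the original issue or of ModSecurity. The sample rules are constructed (the first is abridged from the rule in the report) and the function names are hypothetical.

```python
import re

# Constructed sample rule file. The first rule is an abridged copy of the rule
# in the report (same id, msg and multimatch action, shortened variable list
# and regex); the second is a made-up rule without multimatch.
SAMPLE_RULES = r'''
SecRule REQUEST_URI|ARGS|!ARGS:/msg/ "(?:\b(?:wget|curl|whoami)\b |\bcat\b /)" \
    "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:cmdline,multimatch,capture,id:340023,rev:4,severity:2,msg:'Possible remote command execution',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecRule ARGS "@contains demo, value" \
    "phase:2,pass,t:none,id:900001,msg:'Constructed rule, no multimatch'"
'''

# A double-quoted token, allowing backslash escapes such as \b inside it.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def split_actions(actions):
    """Split an action list on commas that are outside single-quoted values."""
    parts, buf, in_quote, prev = [], [], False, ""
    for ch in actions:
        if ch == "'" and prev != "\\":
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        prev = ch
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def multimatch_rules_with_msg(text):
    """Return (id, msg) for every SecRule that sets both multimatch and msg."""
    joined = re.sub(r"\\\r?\n\s*", "", text)      # undo line continuations
    hits = []
    for line in joined.splitlines():
        line = line.strip()
        quoted = QUOTED.findall(line)
        if not line.startswith("SecRule") or len(quoted) < 2:
            continue                               # no action list present
        actions = {}
        for item in split_actions(quoted[-1]):
            name, _, value = item.partition(":")
            actions.setdefault(name.strip().lower(), value.strip().strip("'"))
        if "multimatch" in actions and "msg" in actions:
            hits.append((actions.get("id"), actions["msg"]))
    return hits
```

Each returned pair gives the rule id and the message that should appear in the log for that rule, which can then be compared against what the audit log actually recorded.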