search

owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0
8.25k stars 1.61k forks source link

Rule 200005 missing log action? #3260

Closed studersi closed 1 month ago

studersi commented 1 month ago

Describe the bug

It appears that the rule 200005 is missing the log action, which is present for the other rules of the ModSecurity Recommended Rules. This applies to the version

The other rules with a deny action all have the log action:

v3.0.13:

$ grep -E ",(log|deny)" modsecurity.conf-recommended 
"id:'200007', phase:2,t:none,log,deny,status:400,msg:'Failed to fully parse request body due to large argument count',severity:2"
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
"id:'200003',phase:2,t:none,log,deny,status:400, \
    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
        "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

v2.9.8:

$ grep -E ",(log|deny)" modsecurity.conf-recommended 
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
"id:'200003',phase:2,t:none,log,deny,status:400, \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
        "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

Logs and dumps

Not applicable.

To Reproduce

Not applicable.

Expected behavior

I would expect the rule 200005 to explicitly use the log action like the other rules.

Server (please complete the following information):

Rule Set (please complete the following information):

Additional context

--

airween commented 1 month ago

Hi @studersi,

thanks for reporting this - yes, you are right, that's the expected form for that rule (in both cases: v2 and v3).

Would you mind to send PR's (for both versions)?

airween commented 1 month ago

See PR's #3266 and #3267 - those solve this issue in both versions.

Feel free to close this if there is no other question.

studersi commented 1 month ago

See PR's #3266 and #3267 - those solve this issue in both versions.

Feel free to close this if there is no other question.

Perfect, thanks @airween!