
Multimatch rule hits have msg and data fields empty in audit logs #2573

Closed
Sachin-M-Desai opened this issue May 27, 2021 · 6 comments · Fixed by #2673
Labels
3.x Related to ModSecurity version 3.x

Comments

@Sachin-M-Desai

Describe the bug

For rules that have been tagged with "multimatch", the audit logs are incomplete. Example below of rule 942130; the msg and data fields are empty. The issue is generic to all the rules tagged with "multimatch".

ModSecurity: Warning. Matched "Operator Rx' with parameter (?i:[\s'"()]*?\b([\d\w]+)\b[\s'\"()]?(?:<(?:=(?:[\s'"()]*?(?!\b\1\b)[\d\w]+|>[\s'\"()]?(?:\b\1\b))|>?[\s'"()]*?(?!\b\1\b)[\d\w]+)|(?:not\s+(?:regexp|like)|is\s+not|>=?|!=|\^)[\s'\"()]*?(?!\ (78 characters omitted)' against variable ARGS:json.comment' (Value: The taste of the juice is not good. {{js-email}} ' ) [file "/usr/local/appsentinels-onprem/config/policies/shop1/waf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "621"] [id "942130"] [rev ""] [msg ""] [data ""] [severity "0"]
[ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [hostname "172.20.0.5"] [uri "/api/Feedbacks/8"] [unique_id "1622108344"] [ref "o17,18o18,5v13,50"]

The issue is not seen if the multimatch field is taken off the rule. All is well then.

Logs and dumps

Output of:

  1. DebugLogs (level 9): modsec_debug.log
  2. AuditLogs: modsec_audit.log
  3. Error logs
  4. If there is a crash, the core dump file.

To Reproduce

Steps to reproduce the behavior:
Configure in DetectionOnly mode and run the sample curl command below:

curl -i -X POST -H 'Content-type: application/json' http://XXXXXXXX:XXXX/api/Feedbacks/8 -d '{"captcha":"14","rating":3,"captchaId":0,"comment":" The taste of the juice is not good. {{js-email}} ","UserId":39}'

Expected behavior
The msg field should have been populated with "SQL Injection Attack: SQL Tautology Detected".

Server (please complete the following information):

  • ModSecurity v3.0.1
  • WebServer: Using libmodsecurity integrated with our application
  • OS (and distro): Linux

Rule Set (please complete the following information):

  • Running any public or commercial rule set? CRS rule set
  • What is the version number? checked out at 2020-15-12
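Added example (not code from the issue or the ModSecurity project): a small parser over constructed error-log lines in the format quoted above, which flags rule hits whose msg attribute is empty. Since every CRS rule sets a msg, an empty one on a CRS rule id is how a defender can spot this regression in their own libmodsecurity error logs; the healthy second line (its data text and severity are assumed values) shows what a correct hit of the same rule looks like.

```python
import re
from typing import Dict, List

# libmodsecurity appends rule metadata to each hit as a run of [key "value"] pairs.
ATTR_RE = re.compile(r'\[([a-z_]+) "([^"]*)"\]')

# Constructed sample lines in the format quoted in the issue (regex parameter shortened,
# rule file path assumed). Line 0 reproduces the multimatch symptom: msg and data are
# present but empty. Line 1 is a constructed healthy hit of the same CRS rule.
SAMPLE_LOG: List[str] = [
    r"""ModSecurity: Warning. Matched "Operator Rx' with parameter (?i:[\s'"()]*?\b([\d\w]+)\b)' against variable ARGS:json.comment' (Value: The taste of the juice is not good. ) [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "621"] [id "942130"] [rev ""] [msg ""] [data ""] [severity "0"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [hostname "172.20.0.5"] [uri "/api/Feedbacks/8"] [unique_id "1622108344"] [ref "o17,18o18,5v13,50"]""",
    r"""ModSecurity: Warning. Matched "Operator Rx' with parameter (?i:[\s'"()]*?\b([\d\w]+)\b)' against variable ARGS:json.comment' (Value: The taste of the juice is not good. ) [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "621"] [id "942130"] [rev ""] [msg "SQL Injection Attack: SQL Tautology Detected"] [data "Matched Data: good found within ARGS:json.comment: The taste of the juice is not good."] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [hostname "172.20.0.5"] [uri "/api/Feedbacks/8"] [unique_id "1622108345"] [ref "o17,18o18,5v13,50"]""",
]


def parse_modsec_entry(line: str) -> Dict[str, str]:
    """Extract the [key "value"] attributes of one ModSecurity error-log line."""
    return dict(ATTR_RE.findall(line))


def find_empty_msg_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return CRS rule hits whose msg attribute is empty.

    Every CRS rule sets msg, so an empty msg on a hit whose ver starts with
    OWASP_CRS is the symptom described in the issue, not a rule without metadata.
    """
    suspicious = []
    for line in lines:
        entry = parse_modsec_entry(line)
        if not entry.get("id") or not entry.get("ver", "").startswith("OWASP_CRS"):
            continue
        if entry.get("msg", "") == "":
            suspicious.append({
                "id": entry["id"],
                "uri": entry.get("uri", ""),
                "unique_id": entry.get("unique_id", ""),
            })
    return suspicious


if __name__ == "__main__":
    for hit in find_empty_msg_hits(SAMPLE_LOG):
        print(f"rule {hit['id']} on {hit['uri']} (unique_id {hit['unique_id']}) logged with empty msg")
```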
@martinhsv martinhsv self-assigned this May 31, 2021
@martinhsv (Contributor) commented May 31, 2021

Hi @Sachin-M-Desai ,

Thank you for the report. I am able to reproduce that effect in both v3.0.4 and current v3/master.

It looks like there is a fix for this in the (in-progress) 3.1 branch.

@Sachin-M-Desai (Author)

Thank you so much for looking into it. Could you help us know when the fix or a potential fix might be available?

@martinhsv (Contributor)

The timing on that being available in v3/master is uncertain.

@Sachin-M-Desai (Author)

> The timing on that being available in v3/master is uncertain.

Don't mind helping out to test any patch either if available early. Thanks again.

@martinhsv (Contributor)

This functionality became broken as a side effect of:
1b7aa42

@martinhsv (Contributor)

A fix for this is available in the related pull request for either use or testing.

Since some of the audit logging logic has proven to be fragile, I will hold off on merging it for at least a week or two to allow more time for verification.
