Meta-actions are not applied if multiMatch is enabled in the chain starter rule #2867

Closed
mlevogiannis opened this issue Jan 20, 2023 · 0 comments · Fixed by #2868

Describe the bug

If the chain starter rule in a rule chain has multiMatch enabled, meta-actions (severity, data, msg, tag) are not applied and their respective fields are not populated in the audit log.

This issue is related to issues #2573 and #2754. PR #2673 fixed the former (and PR #2866 fixes the latter); however, it explicitly excluded rule chains:

if (m_containsMultiMatchAction && !m_isChained) {

Logs and dumps

See regression test below:

---GrOr1Hxd---A--
[20/Jan/2023:13:58:23 +0000] 167422310350.316461 200.249.12.31 2313 200.249.12.31 80
---GrOr1Hxd---B--
GET /test.pl?param1=test&param2=tEst2 HTTP/1.1

---GrOr1Hxd---F--
HTTP/1.1 403

---GrOr1Hxd---H--
ModSecurity: Warning. Matched "Operator `Contains' with parameter `test2' against variable `ARGS:param2' (Value: `tEst2' ) [file "auditlog.json"] [line "3"] [id "1557"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "200.249.12.31"] [uri "/test.pl"] [unique_id "167422310350.316461"] [ref "o0,5v32,5t:lowercase"]

---GrOr1Hxd---Z--

To Reproduce

The following regression test reproduces the problem (adapted from the regression tests in the aforementioned PR):

  {
    "enabled": 1,
    "version_min": 300000,
    "version_max": 0,
    "title": "auditlog : rule chain, multiMatch data",
    "client": {
      "ip": "200.249.12.31",
      "port": 2313
    },
    "server": {
      "ip": "200.249.12.31",
      "port": 80
    },
    "request": {
      "headers": {
      },
      "uri": "\/test.pl?param1=test&param2=tEst2",
      "method": "GET",
      "http_version": 1.1,
      "body": ""
    },
    "expected": {
      "audit_log": "\\[msg \"testmsg\"\\]",
      "error_log": "",
      "http_code": 403
    },
    "rules": [
      "SecRuleEngine On",
      "SecDefaultAction \"phase:1,nolog,auditlog,deny,status:403\"",
      "SecRule ARGS \"@contains test2\" \"id:1557,phase:1,multiMatch,block,log,t:none,t:urlDecode,t:lowercase,msg:'testmsg',chain\" SecRule REQUEST_METHOD \"@streq GET\" \"t:none\"",
      "SecAuditEngine RelevantOnly",
      "SecAuditLogParts ABCFHZ",
      "SecAuditLog /tmp/test/modsec_audit_multimatch_5.log",
      "SecAuditLogDirMode 0766",
      "SecAuditLogFileMode 0666",
      "SecAuditLogType Serial",
      "SecAuditLogRelevantStatus \"^(?:5|4(?!04))\""
    ]
  }

Expected behavior

Meta-actions, which can only be used in the chain starter rule of a rule chain, should be applied when multiMatch is enabled in that rule.

Additional context

None.
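
A log-side check for the symptom reported above, as an added example that is not part of the original issue or of the ModSecurity code base: it walks a Serial-format audit log, parses the `[key "value"]` fields of each part H message, and lists rule ids whose `msg` and `data` are empty with `severity` at `"0"`. The function names are hypothetical, and the sample input is the audit log entry quoted in this issue.

```python
import re

# Sample input: the audit log entry from this issue (Serial format, parts A B F H Z).
SAMPLE_LOG = r'''---GrOr1Hxd---A--
[20/Jan/2023:13:58:23 +0000] 167422310350.316461 200.249.12.31 2313 200.249.12.31 80
---GrOr1Hxd---B--
GET /test.pl?param1=test&param2=tEst2 HTTP/1.1

---GrOr1Hxd---F--
HTTP/1.1 403

---GrOr1Hxd---H--
ModSecurity: Warning. Matched "Operator `Contains' with parameter `test2' against variable `ARGS:param2' (Value: `tEst2' ) [file "auditlog.json"] [line "3"] [id "1557"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "200.249.12.31"] [uri "/test.pl"] [unique_id "167422310350.316461"] [ref "o0,5v32,5t:lowercase"]

---GrOr1Hxd---Z--
'''

# Part boundary line, e.g. "---GrOr1Hxd---H--": capture the part letter.
BOUNDARY = re.compile(r'^---(\w+)---([A-Z])--$')
# One metadata field, e.g. [msg "testmsg"]; tolerates backslash-escaped quotes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def h_messages(log_text):
    """Yield a dict of the [key "value"] fields for each message line in part H."""
    part = None
    for line in log_text.splitlines():
        boundary = BOUNDARY.match(line)
        if boundary:
            part = boundary.group(2)
        elif part == "H" and line.startswith("ModSecurity:"):
            yield dict(FIELD.findall(line))


def missing_metadata(log_text):
    """Return (rule id, unique_id) pairs whose msg and data are empty and severity is "0".

    Heuristic only: a rule may legitimately set no msg or data, and severity 0
    is also the EMERGENCY level, so each hit is a candidate for review against
    the rule definition, not proof that metadata was dropped.
    """
    hits = []
    for fields in h_messages(log_text):
        if fields.get("msg") == "" and fields.get("data") == "" and fields.get("severity") == "0":
            hits.append((fields.get("id"), fields.get("unique_id")))
    return hits
```

Comparing the reported ids with the rule files shows which of them are chain starters that combine `multiMatch` with meta-actions, which is the case this issue describes.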

mlevogiannis added a commit to grnet/ModSecurity that referenced this issue Jan 20, 2023
mlevogiannis added a commit to grnet/ModSecurity that referenced this issue Apr 25, 2023
mlevogiannis added a commit to grnet/ModSecurity that referenced this issue Apr 27, 2023
…ain starter rule

Meta-actions can only be used in non-chained rules or in the chain starter
rule of a rule chain. The m_chainedRuleParent member of the RuleWithActions
class is NULL only if the rule is not chained or if it is the chain starter
rule of a rule chain.

Fixes owasp-modsecurity#2867.