-
-
Notifications
You must be signed in to change notification settings - Fork 201
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Coraza isn't matching a single rule multiple times like modsecurity does #760
Comments
Hi, thanks for the report. I will take a closer look as soon as possible. I'm wondering: is the anomaly score lower than the one computed by modsec? Could it be a matter of printed data rather than missing multiple matches? |
I tried to reproduce it, and I'm experiencing a different behavior (more like the opposite of this report).
All the Coraza:
Apache w/ModSecurity:
Coraza logs a total of I feel that also the overall anomaly score is consistent. Looking at the the total inbound score printed by
The discrepancy should indeed come from these 4 extra matches against So, I actually see extra matches rather than missing ones 🤔 Looking at your Coraza playground screenshots, seems like that the total score is 75, consistent with a CRS running in PL1 (see previous |
Any feedback @soujanyanmbri? |
Any movement here @soujanyanmbri @jptosso ? |
This issue has been open 30 days waiting for feedback. Remove the stale label or comment, or this will be closed in 14 days. |
This issue was closed because it has been inactive for 14 days since being marked as stale. |
Is this fixed ? |
Description
Modsec gives multiple matches of the same rule, while coraza doesn't.
Steps to reproduce
Run the test number: 930120-1 against modsec and coraza and check the matches with Rule: 930110
Expected Result:
Modsec matches:
id: 930110, rule_msg: Path Traversal Attack (/../) (110), match_msg: Matched Data: ../ found within ARGS:op: ../../../../../boot.ini
id: 930110, rule_msg: Path Traversal Attack (/../) (110), match_msg: Matched Data: /../ found within REQUEST_URI: /index.php?file=News&op=../../../../../boot.ini
id: 930110, rule_msg: Path Traversal Attack (/../) (110), match_msg: Matched Data: /../ found within REQUEST_URI: /index.php?file=news&op=../../../../../boot.ini
Actual result
Coraza matches:
id: 930110, rule_msg: Path Traversal Attack (/../) (110), match_msg: Matched Data: /../ found within REQUEST_URI: /index.php?file=News&op=../../../../../boot.ini%00, match_attr: http.url
The text was updated successfully, but these errors were encountered: