Closed
Description
The following rule:
```apache
SecRule ARGS:test "." "id:1006,phase:2,pass,log,msg:'HIT: %{MATCHED_VAR}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
```
Results in the following audit log block:
```json
...
{
  "chain": false,
  "rules": [
    {
      "actionset": {
        "id": "1006",
        "is_chained": false,
        "logdata": "Matched Data: /etc/passwd found within REMOTE_ADDR: 127.0.0.1",
        "msg": "HIT: 127.0.0.1",
        "phase": 2
      },
      "config": {
        "filename": "/apache/conf/httpd.conf_pod_2016-06-28_06:13",
        "line_num": 233
      },
      "is_matched": true,
      "operator": {
        "negated": false,
        "operator": "rx",
        "operator_param": ".",
        "target": "ARGS:test"
      },
      "unparsed": "SecRule \"ARGS:test\" \"@rx .\" \"phase:2,id:1006,pass,log,msg:'HIT: %{MATCHED_VAR}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'\""
    }
  ]
},
...
```
`msg` and `logdata` are obviously wrong.
If you look at the native alert, it is perfectly ok:
```
[2016-06-28 06:19:00.628478] [-:error] 127.0.0.1:59413 V3H6tH8AAQEAADNUhysAAAAA [client 127.0.0.1] ModSecurity: Warning. Pattern match "." at ARGS:test. [file "/apache/conf/httpd.conf_pod_2016-06-28_06:13"] [line "233"] [id "1006"] [msg "HIT: /etc/passwd"] [data "Matched Data: found within ARGS:test: /etc/passwd"] [hostname "localhost"] [uri "/index.html"] [unique_id "V3H6tH8AAQEAADNUhysAAAAA"]
```
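A small consistency check for JSON audit-log entries, added here as an example (not ModSecurity's own code): it flags matched rules whose expanded `logdata` names a variable outside the rule's own target, which is exactly the mismatch shown above (`ARGS:test` vs `REMOTE_ADDR`). It assumes the rule's `logdata` uses the `found within %{MATCHED_VAR_NAME}:` template from the report, and that targets are plain `COLLECTION[:key]` names, optionally `|`-separated; the sample entry is constructed from the fragment above.

```python
import json
import re

# Constructed sample, modelled on the JSON audit-log fragment in the report
# (only the fields the check needs are kept).
SAMPLE_AUDIT_JSON = """
{
  "rules": [
    {
      "actionset": {
        "id": "1006",
        "logdata": "Matched Data: /etc/passwd found within REMOTE_ADDR: 127.0.0.1",
        "msg": "HIT: 127.0.0.1"
      },
      "is_matched": true,
      "operator": {"operator": "rx", "operator_param": ".", "target": "ARGS:test"}
    }
  ]
}
"""

# Picks out the expanded %{MATCHED_VAR_NAME} from the logdata template used in the rule.
FOUND_WITHIN = re.compile(r"found within (\S+):")


def logged_var_name(logdata):
    """Return the variable name the expanded logdata claims the match was in, or None."""
    m = FOUND_WITHIN.search(logdata or "")
    return m.group(1) if m else None


def name_fits_target(var_name, target):
    """True if var_name belongs to one of the |-separated targets.
    'ARGS:test' must expand to exactly 'ARGS:test'; a bare collection such as
    'ARGS' accepts any 'ARGS:<key>'. Assumption: no '!', '&' or regex keys."""
    for single in target.split("|"):
        collection, _, key = single.partition(":")
        if (var_name == single) if key else (var_name.partition(":")[0] == collection):
            return True
    return False


def find_inconsistent_rules(audit_json):
    """Return (rule_id, target, logged_name) for every matched rule whose
    expanded logdata names a variable that is not part of the rule's target."""
    bad = []
    for rule in json.loads(audit_json).get("rules", []):
        if not rule.get("is_matched"):
            continue
        target = rule["operator"]["target"]
        logged = logged_var_name(rule["actionset"].get("logdata"))
        if logged is not None and not name_fits_target(logged, target):
            bad.append((rule["actionset"]["id"], target, logged))
    return bad
```

Running `find_inconsistent_rules(SAMPLE_AUDIT_JSON)` on the sample reports rule `1006` with target `ARGS:test` but logged name `REMOTE_ADDR`; a correctly expanded entry produces an empty list.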