rules with multiMatch may omit 'tag' information in audit log output #2754


Closed
chenjinlei opened this issue Jun 1, 2022 · 2 comments · Fixed by #2866

Comments

@chenjinlei

chenjinlei commented Jun 1, 2022

Hi,

I wrote a simple program to detect potential attacks, and I find that the rule message (or log data) I get from the callback differs.

[log:ModSecurity: Warning. Matched "Operator Rx' with parameter (?:^([\d.]+|[[\da-f:]+]|[\da-f:]+)(:[\d]+)?$)' against variable REQUEST_HEADERS:Host' (Value: 192.168.2.230' ) [file "/root/cleanset/z01_waf_jc/rules/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "743"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "192.168.2.230"] [severity "4"] [ver "OWASP_CRS/3.4.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "127.0.0.1"] [uri "/"] [unique_id "1653876579"] [ref "o0,13o0,13v38,13"]]
[log:ModSecurity: Warning. detected SQLi using libinjection. [file "/root/cleanset/z01_waf_jc/rules/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1&1 found within ARGS:id: 1 AND 1=1"] [severity "2"] [ver "OWASP_CRS/3.4.0-dev"] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/"] [unique_id "1653876579"] [ref "v9,9"]]
[log:ModSecurity: Warning. Matched "Operator Ge' with parameter 5' against variable TX:ANOMALY_SCORE' (Value: 8' ) [file "/root/cleanset/z01_waf_jc/rules/crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "139"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.4.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "127.0.0.1"] [uri "/"] [unique_id "1653876579"] [ref ""]]

These logs came from an attack pcap. The one that triggered the SQLi rule does not contain any TAGs, although looking up rule 942100 shows that it does have TAGs. Does anyone have any idea how this happened? Thanks in advance.

@martinhsv
Contributor

Hello @chenjinlei ,

First, just to be precise, although you refer to 'rule message or log data', the rule 942100 log line does include expected information for both 'msg' and 'data'.

You have correctly noted that the expected 'tag' information is not present for 942100 (although it is present for the other two rules).

What is causing that effect with rule 942100 is the 'multiMatch' action. If you were to remove that action, then the 'tag' information would appear whenever there is a detection, along with the rest of the audit log information. (Of course, that doesn't mean it would be advisable to remove it; presumably it has been assessed by the rule writers as desirable to include multiMatch for that rule).

This is not intentional behaviour and it can appropriately be classified as a bug. It does, however, appear to be a longstanding bug in ModSecurity and not new to any recent release.

@martinhsv martinhsv changed the title rule message or log data retrieved from callback differs rules with multiMatch may omit 'tag' information in audit log output Jun 1, 2022
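As an added example (not code from the issue or from ModSecurity), the following Python check parses log lines of the kind posted above and reports every entry that carries a rule id but no `tag` field. Fed the three lines from the report, it flags only 942100, which is the symptom martinhsv attributes to multiMatch. The field regex and the helper names are assumptions for this illustration; the sample lines are copied from the post.

```python
import re

# Sample input: the three log lines posted in the issue above, as emitted by
# ModSecurity's log callback (copied from the report, not generated here).
SAMPLE_LOG = r'''
[log:ModSecurity: Warning. Matched "Operator Rx' with parameter (?:^([\d.]+|[[\da-f:]+]|[\da-f:]+)(:[\d]+)?$)' against variable REQUEST_HEADERS:Host' (Value: 192.168.2.230' ) [file "/root/cleanset/z01_waf_jc/rules/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "743"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "192.168.2.230"] [severity "4"] [ver "OWASP_CRS/3.4.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "127.0.0.1"] [uri "/"] [unique_id "1653876579"] [ref "o0,13o0,13v38,13"]]
[log:ModSecurity: Warning. detected SQLi using libinjection. [file "/root/cleanset/z01_waf_jc/rules/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1&1 found within ARGS:id: 1 AND 1=1"] [severity "2"] [ver "OWASP_CRS/3.4.0-dev"] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/"] [unique_id "1653876579"] [ref "v9,9"]]
[log:ModSecurity: Warning. Matched "Operator Ge' with parameter 5' against variable TX:ANOMALY_SCORE' (Value: 8' ) [file "/root/cleanset/z01_waf_jc/rules/crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "139"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.4.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "127.0.0.1"] [uri "/"] [unique_id "1653876579"] [ref ""]]
'''

# One bracketed field of the form [key "value"]; values may contain escaped quotes.
# (Assumed format for this example, derived from the lines above.)
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_entry(line):
    """Parse one ModSecurity log line into a dict.

    Repeated 'tag' fields are collected into the list under 'tags'; every other
    field keeps the last value seen for that key.
    """
    fields = {"tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            fields["tags"].append(value)
        else:
            fields[key] = value
    return fields


def entries_missing_tags(log_text):
    """Return (id, msg) for every entry that has a rule id but no tag field.

    Every CRS rule carries tags, so an untagged CRS entry in the log is worth
    flagging; for rules using multiMatch it is the symptom described in this issue.
    """
    missing = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        entry = parse_entry(line)
        if "id" in entry and not entry["tags"]:
            missing.append((entry["id"], entry.get("msg", "")))
    return missing


if __name__ == "__main__":
    for rule_id, msg in entries_missing_tags(SAMPLE_LOG):
        print(f"rule {rule_id} logged without tags: {msg}")
```

Running the script against the posted lines prints a single line for rule 942100; the two rules without multiMatch keep their full tag lists.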
@chenjinlei
Author

Oh, thanks, @martinhsv !

And yes, it would be insecure to remove the 'multiMatch' action for this rule:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@detectSQLi"
"id:942100,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,\
msg:'SQL Injection Attack Detected via libinjection',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.4.0-dev',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"

I think the target needs to be checked before and after "t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls", this transformation chain...

Do you have any idea when this would be fixed? Or is it easy to fix? Maybe I can help with some of the work...
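As an added illustration of what multiMatch changes about rule evaluation (example code written for this page, not ModSecurity's engine or CRS code), the model below runs a stand-in operator once on the fully transformed value (no multiMatch) or on the raw value and after each transformation that changes it (multiMatch), following the reference manual's description of the action as checking before and after every transformation. The transformations are simplified approximations of t:utf8toUnicode, t:urlDecodeUni and t:removeNulls, the operator is a small regex standing in for @detectSQLi (libinjection's real decision logic differs), and the payloads are constructed; all of these are assumptions for the illustration only.

```python
import re
import urllib.parse

# Stand-in transformations approximating the CRS chain
# t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls. These are NOT
# ModSecurity's implementations (assumption for illustration only).
def t_none(value):
    return value


def t_utf8toUnicode(value):
    # The real transform rewrites UTF-8 sequences as %uXXXX; ASCII is unchanged.
    return "".join(c if ord(c) < 128 else "%%u%04X" % ord(c) for c in value)


def t_urlDecodeUni(value):
    # Decode %uXXXX first, then ordinary %XX escapes (including %00 -> NUL).
    value = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
    return urllib.parse.unquote(value)


def t_removeNulls(value):
    return value.replace("\x00", "")


CHAIN = [t_none, t_utf8toUnicode, t_urlDecodeUni, t_removeNulls]

# Stand-in for @detectSQLi: a deliberately tiny regex operator (assumption;
# libinjection's real decision logic is different).
SQLI_RE = re.compile(r"\b(?:OR|AND)\b\W*\d+=\d+", re.IGNORECASE)


def op_detect_sqli(value):
    return SQLI_RE.search(value) is not None


def run_rule(value, multi_match, chain=CHAIN, operator=op_detect_sqli):
    """Simplified model of operator evaluation with and without multiMatch.

    Without multiMatch the operator runs once, on the fully transformed value.
    With multiMatch it runs on the raw value (t:none) and again after every
    transformation that changes the value. Returns the labels of the stages at
    which the operator matched.
    """
    current = value
    if not multi_match:
        for t in chain:
            current = t(current)
        return ["final"] if operator(current) else []
    hits = []
    for t in chain:
        transformed = t(current)
        if t is t_none or transformed != current:
            current = transformed
            if operator(current):
                hits.append("t:" + t.__name__[2:])
    return hits


if __name__ == "__main__":
    # Constructed payloads: plain, single-URL-encoded, and one that only looks
    # like the pattern until the NUL byte is stripped.
    for payload in ["1 AND 1=1", "1%20AND%201%3D1", "1 OR%001=1"]:
        print(repr(payload),
              "multiMatch:", run_rule(payload, True),
              "single:", run_rule(payload, False))
```

For `1 OR%001=1` the multiMatch path matches on the raw value and again after URL decoding, but the final value `1 OR1=1` no longer matches, so the single-evaluation path reports nothing. That is the kind of case chenjinlei has in mind when calling the removal of multiMatch insecure; the price, per martinhsv's comment, is the missing tag information in the log.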

Labels
None yet
Projects
None yet

2 participants