Skip to content

Rule 200005 missing log action? #3260

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
studersi opened this issue Sep 25, 2024 · 3 comments
Closed

Rule 200005 missing log action? #3260

studersi opened this issue Sep 25, 2024 · 3 comments
Labels
2.x Related to ModSecurity version 2.x 3.x Related to ModSecurity version 3.x config Related to default config

Comments

@studersi
Copy link

Describe the bug

It appears that the rule 200005 is missing the log action, which is present for the other rules of the ModSecurity Recommended Rules.
This applies to the version

The other rules with a deny action all have the log action:

v3.0.13:

$ grep -E ",(log|deny)" modsecurity.conf-recommended 
"id:'200007', phase:2,t:none,log,deny,status:400,msg:'Failed to fully parse request body due to large argument count',severity:2"
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
"id:'200003',phase:2,t:none,log,deny,status:400, \
    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
        "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

v2.9.8:

$ grep -E ",(log|deny)" modsecurity.conf-recommended 
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
"id:'200003',phase:2,t:none,log,deny,status:400, \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
        "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

Logs and dumps

Not applicable.

To Reproduce

Not applicable.

Expected behavior

I would expect the rule 200005 to explicitly use the log action like the other rules.

Server (please complete the following information):

  • ModSecurity version (and connector): v3.0.13 and v2.9.8
  • WebServer: Not applicable.
  • OS (and distro): Not applicable.

Rule Set (please complete the following information):

  • Running any public or commercial rule set? ModSecurity Recommended Rules
  • What is the version number? Not applicable.

Additional context

--
@studersi studersi added the 2.x Related to ModSecurity version 2.x label Sep 25, 2024
@airween
Copy link
Member

airween commented Sep 26, 2024

Hi @studersi,

thanks for reporting this - yes, you are right, that's the expected form for that rule (in both cases: v2 and v3).

Would you mind to send PR's (for both versions)?

This was referenced Oct 2, 2024
Merged
Merged
@airween airween added the 3.x Related to ModSecurity version 3.x label Oct 2, 2024
@airween
Copy link
Member

airween commented Oct 2, 2024

See PR's #3266 and #3267 - those solve this issue in both versions.

Feel free to close this if there is no other question.

@marcstern marcstern added the config Related to default config label Oct 3, 2024
@studersi
Copy link
Author

studersi commented Oct 7, 2024

See PR's #3266 and #3267 - those solve this issue in both versions.

Feel free to close this if there is no other question.

Perfect, thanks @airween!

@studersi studersi closed this as completed Oct 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2.x Related to ModSecurity version 2.x 3.x Related to ModSecurity version 3.x config Related to default config
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@airween @marcstern @studersi