From 872cadbbcffd1b4643c31414d1406f488a2abc99 Mon Sep 17 00:00:00 2001 From: Max Leske <250711+theseion@users.noreply.github.com> Date: Sun, 7 Jul 2024 16:30:23 +0200 Subject: [PATCH] fix: use proper capture for log output of 932300 932300 should have the `capture` action since `TX.0` is used in `logdata`. Currently, `TX.0` will simply contain the last value assigned to it by any previously run rule. Fixes #3761 --- rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf | 1 + .../932300.yaml | 27 ++++++++++++++++++- 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf index bf505c425..c96d912b4 100644 --- a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf +++ b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf @@ -1232,6 +1232,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME "id:932300,\ phase:2,\ block,\ + capture,\ t:none,t:escapeSeqDecode,\ msg:'Remote Command Execution: SMTP Command Execution',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932300.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932300.yaml index d7c20aa4a..129d4aeae 100644 --- a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932300.yaml +++ b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932300.yaml @@ -1,6 +1,6 @@ --- meta: - author: "fzipi, azurit" + author: "fzipi, azurit, Max Leske" description: "Remote Command Execution: SMTP Command Injection test cases" rule_id: 932300 tests: @@ -156,3 +156,28 @@ tests: output: log: no_expect_ids: [932300] + - test_id: 10 + desc: | + Make sure that log contains matched payload. + Without the `capture` action, the log data would include the last + value of `TX.0`. While writing this test, the previous value of `TX.0` + was always `user-agent` (set by rule 920451). + Note that the previous value of `TX.0` depends on the payload of this test. + stages: + - input: + dest_addr: 127.0.0.1 + headers: + Accept: "*/*" + Host: "localhost" + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: "/post" + data: |- + textarea=%0D%0AMAIL%20FROM%3A%3CSmith%40bar.com%3E + version: HTTP/1.1 + output: + log: + expect_ids: [932300] + match_regex: |- + Matched Data:.*MAIL FROM: found within ARGS:textarea:.*MAIL FROM: