Add logdata to some rules (#980)

fzipi · web-flow · commit cf4d2f19cb88 · 2017-12-15T11:25:25.000-03:00
* Add logdata the rules proposed.
diff --git a/rules/REQUEST-910-IP-REPUTATION.conf b/rules/REQUEST-910-IP-REPUTATION.conf
@@ -63,6 +63,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
     block,\
     t:none,\
     msg:'Client IP is from a HIGH Risk Country Location.',\
+    logdata:'%{MATCHED_VAR}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -423,6 +423,7 @@ SecRule REQUEST_URI "@rx \%(?:(?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
     block,\
     t:none,\
     msg:'URL Encoding Abuse Attack Attempt',\
+    logdata:'%{matched_var}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
@@ -443,6 +444,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?:application\/x-www-form-urlencoded
     block,\
     t:none,\
     msg:'URL Encoding Abuse Attack Attempt',\
+    logdata:'%{matched_var}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
@@ -475,6 +477,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
     block,\
     t:none,\
     msg:'UTF8 Encoding Abuse Attack Attempt',\
+    logdata:'%{matched_var}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
@@ -513,6 +516,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" \
     block,\
     t:none,\
     msg:'Unicode Full/Half Width Abuse Attack Attempt',\
+    logdata:'%{matched_var_name}=%{matched_var}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-iis',\
@@ -567,6 +571,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
     block,\
     t:none,t:urlDecodeUni,\
     msg:'Invalid character in request (null character)',\
+    logdata:'%{matched_var_name}=%{matched_var}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
@@ -821,6 +826,7 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
     block,\
     t:none,\
     msg:'Too many arguments in request',\
+    logdata:'%{matched_var_name}=%{matched_var}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
@@ -846,6 +852,7 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
     block,\
     t:none,\
     msg:'Argument name too long',\
+    logdata:'%{matched_var_name}=%{matched_var}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
@@ -870,6 +877,7 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
     block,\
     t:none,\
     msg:'Argument value too long',\
+    logdata:'%{matched_var_name}=%{matched_var}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
@@ -894,6 +902,7 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
     block,\
     t:none,\
     msg:'Total arguments size exceeded',\
+    logdata:'%{matched_var_name}=%{matched_var}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
@@ -946,6 +955,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
     block,\
     t:none,\
     msg:'Total uploaded files size too large',\
+    logdata:'%{matched_var_name}=%{matched_var}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
@@ -1189,6 +1199,7 @@ SecRule ARGS "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
     block,\
     t:none,\
     msg:'Multiple URL Encoding Detected',\
+    logdata:'%{matched_var}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
@@ -1245,6 +1256,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
     block,\
     t:none,t:urlDecodeUni,\
     msg:'Invalid character in request (non printable characters)',\
+    logdata:'%{matched_var_name}=%{matched_var}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
@@ -1330,6 +1342,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
     block,\
     t:none,t:urlDecodeUni,\
     msg:'Invalid character in request (outside of printable chars below ascii 127)',\
+    logdata:'%{matched_var_name}=%{matched_var}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
@@ -1385,8 +1398,9 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
     "id:920273,\
     phase:2,\
     block,\
-    msg:'Invalid character in request (outside of very strict set)',\
     t:none,t:urlDecodeUni,\
+    msg:'Invalid character in request (outside of very strict set)',\
+    logdata:'%{matched_var_name}=%{matched_var}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
@@ -1409,6 +1423,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
     block,\
     t:none,t:urlDecodeUni,\
     msg:'Invalid character in request headers (outside of very strict set)',\
+    logdata:'%{matched_var_name}=%{matched_var}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
