wiki strmatch not correct. #2747

Closed
877509395 opened this issue May 27, 2022 · 2 comments
877509395 commented May 27, 2022

Describe the bug

This "Note : Starting on ModSecurity v2.6.0 this operator supports a snort/suricata content style. ie: "@strmatch A|42|C|44|F"." is not correct; the snort format "A|42|C|44|F" seems not to be supported.

Because string.find only matches a string, not the snort format.

```cpp
bool StrMatch::evaluate(Transaction *transaction, const std::string &input) {
    std::string p(m_string->evaluate(transaction));
    bool ret = input.find(p) != std::string::npos;

    return ret;
}
```

Logs and dumps

```
[1653639854] [/?AAA=aaaaaaaaaa] [4] (Rule: 2800008) Executing operator "StrMatch" with param "aa|aa|aaa|aa" against ARGS:AAA.
[1653639854] [/?AAA=aaaaaaaaaa] [9] Target value: "aaaaaaaaaa" (Variable: ARGS:AAA)
[1653639854] [/?AAA=aaaaaaaaaa] [4] Rule returned 0.
```

Output of:

Notice: Be careful not to leak any confidential information.

To Reproduce

Steps to reproduce the behavior:

curl cmd:
curl http://www.xxx.x?AAA=aaaaaaaaaa

Expected behavior
The wiki should be fixed. Remove "Note : Starting on ModSecurity v2.6.0 this operator supports a snort/suricata content style. ie: "@strmatch A|42|C|44|F"."; it is not correct, the snort format "A|42|C|44|F"

Server (please complete the following information):

Rule Set (please complete the following information):
rule:
secRule ARGS.AAA "@strmatch aa|aa|aaa|aa" "id:2800008,phase:2,nolog"

Additional context

Add any other context about the problem here.
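The difference between the literal search in the snippet quoted above and a snort/suricata content-style match, as an added example that is not part of the original issue and is not ModSecurity's code. `decode_content_pattern`, `match_literal` and `match_content_style` are hypothetical names; the decoder assumes bytes between a pair of `|` are hex, optionally space-separated, and it does not handle backslash escapes.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical helper (not ModSecurity code): decode a content-style pattern
// in which the text between a pair of '|' is a run of hex bytes.
// Returns false on malformed input: unterminated '|', an odd number of hex
// digits, or a non-hex character inside a hex section.
bool decode_content_pattern(const std::string &pat, std::string &out) {
    out.clear();
    bool in_hex = false;
    int hi = -1;  // pending high nibble, -1 when none
    for (unsigned char c : pat) {
        if (c == '|') {
            if (in_hex && hi != -1) return false;  // half a byte before '|'
            in_hex = !in_hex;
        } else if (!in_hex) {
            out.push_back(static_cast<char>(c));   // literal character
        } else if (std::isspace(c)) {
            if (hi != -1) return false;            // space splits a byte
        } else if (std::isxdigit(c)) {
            int v = std::isdigit(c) ? c - '0' : std::tolower(c) - 'a' + 10;
            if (hi == -1) { hi = v; }
            else { out.push_back(static_cast<char>(hi * 16 + v)); hi = -1; }
        } else {
            return false;                          // not a hex digit
        }
    }
    return !in_hex;  // a hex section left open is malformed
}

// Plain substring search: the pattern is compared byte for byte, pipes included.
bool match_literal(const std::string &input, const std::string &pat) {
    return input.find(pat) != std::string::npos;
}

// Substring search on the decoded pattern. Malformed and empty patterns never
// match; an empty needle would otherwise match every input.
bool match_content_style(const std::string &input, const std::string &pat) {
    std::string needle;
    if (!decode_content_pattern(pat, needle) || needle.empty()) return false;
    return input.find(needle) != std::string::npos;
}

int main() {
    const std::string input = "xxABCDFxx";  // constructed sample input
    const std::string pat = "A|42|C|44|F";  // pattern from the wiki note
    std::cout << "literal: " << match_literal(input, pat)
              << " content-style: " << match_content_style(input, pat) << "\n";
}
```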

@martinhsv
Contributor

Hello @877509395 ,

You appear to be citing source code for ModSecurity v3. Note that the usable Reference Manual from which you quote is for v2.9.x only. (There is a comparable Reference Manual gradually being worked on, but for now it is referenced as DRAFT and "Do not rely on what you see here.")

I believe the functionality works as advertised in v2.

In v3, there is an existing open issue for this functionality in a set of operators (not just strmatch). See #682.

I'll go ahead and close this as a duplicate.

@877509395
Author

got it
