Merge pull request #1233 from fzipi/v3.1/dev-1229-backported

Backport 1187 - renaming matched_var/s

rules/REQUEST-901-INITIALIZATION.conf

@@ -270,7 +270,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
     pass,\
     t:none,t:sha1,t:hexEncode,\
     nolog,\
-    setvar:'tx.ua_hash=%{matched_var}'"
+    setvar:'tx.ua_hash=%{MATCHED_VAR}'"
 
 SecAction \
     "id:901321,\

rules/REQUEST-910-IP-REPUTATION.conf

@@ -45,7 +45,7 @@ SecRule TX:DO_REPUT_BLOCK "@eq 1" \
     skipAfter:BEGIN-REQUEST-BLOCKING-EVAL"
     SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
         "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}'"
+        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
 
 
 #
@@ -75,7 +75,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
         SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
             "setvar:'tx.msg=%{rule.msg}',\
             setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-            setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\
+            setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
             setvar:'ip.reput_block_flag=1',\
             setvar:'ip.reput_block_reason=%{rule.msg}',\
             expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
@@ -103,7 +103,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
 #    severity:'CRITICAL',\
 #    setvar:'tx.msg=%{rule.msg}',\
 #    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-#    setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\
+#    setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
 #    setvar:'ip.reput_block_flag=1',\
 #    setvar:'ip.reput_block_reason=%{rule.msg}',\
 #    expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
@@ -187,7 +187,7 @@ SecRule TX:block_search_ip "@eq 1" \
     SecRule TX:httpbl_msg "@rx Search Engine" \
         "setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\
+        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
         setvar:'ip.reput_block_flag=1',\
         setvar:'ip.reput_block_reason=%{rule.msg}',\
         setvar:'ip.previous_rbl_check=1',\
@@ -210,7 +210,7 @@ SecRule TX:block_spammer_ip "@eq 1" \
     SecRule TX:httpbl_msg "@rx (?i)^.*? spammer .*?$" \
         "setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\
+        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
         setvar:'ip.reput_block_flag=1',\
         setvar:'ip.reput_block_reason=%{rule.msg}',\
         setvar:'ip.previous_rbl_check=1',\
@@ -233,7 +233,7 @@ SecRule TX:block_suspicious_ip "@eq 1" \
     SecRule TX:httpbl_msg "@rx (?i)^.*? suspicious .*?$" \
         "setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\
+        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
         setvar:'ip.reput_block_flag=1',\
         setvar:'ip.reput_block_reason=%{rule.msg}',\
         setvar:'ip.previous_rbl_check=1',\
@@ -256,7 +256,7 @@ SecRule TX:block_harvester_ip "@eq 1" \
     SecRule TX:httpbl_msg "@rx (?i)^.*? harvester .*?$" \
         "setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\
+        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
         setvar:'ip.reput_block_flag=1',\
         setvar:'ip.reput_block_reason=%{rule.msg}',\
         setvar:'ip.previous_rbl_check=1',\

rules/REQUEST-911-METHOD-ENFORCEMENT.conf

@@ -29,7 +29,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
     phase:2,\
     block,\
     msg:'Method is not allowed by policy',\
-    logdata:'%{matched_var}',\
+    logdata:'%{MATCHED_VAR}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
@@ -43,7 +43,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
     ver:'OWASP_CRS/3.1.0',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}'"
+    setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
 
 
 

rules/REQUEST-913-SCANNER-DETECTION.conf

@@ -50,7 +50,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}',\
+    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
     setvar:'ip.reput_block_flag=1',\
     setvar:'ip.reput_block_reason=%{rule.msg}',\
     expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
@@ -75,7 +75,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}',\
+    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
     setvar:'ip.reput_block_flag=1',\
     setvar:'ip.reput_block_reason=%{rule.msg}',\
     expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
@@ -102,7 +102,7 @@ SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}',\
+    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
     setvar:'ip.reput_block_flag=1',\
     setvar:'ip.reput_block_reason=%{rule.msg}',\
     expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
@@ -145,7 +145,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SCRIPTING-%{matched_var_name}=%{matched_var}',\
+    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SCRIPTING-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
     setvar:'ip.reput_block_flag=1',\
     setvar:'ip.reput_block_reason=%{rule.msg}',\
     expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
@@ -182,7 +182,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/CRAWLER-%{matched_var_name}=%{matched_var}',\
+    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/CRAWLER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
     setvar:'ip.reput_block_flag=1',\
     setvar:'ip.reput_block_reason=%{rule.msg}',\
     expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"