owasp-modsecurity · Sebitosh · May 18, 2025 · May 25, 2025
diff --git a/README.md b/README.md
@@ -620,6 +620,16 @@ To combine the default check on the current rule id with additional checks, the
 
 This way, the status check will be used in addition to the default rule id check.
 
+For writing negative tests, you can also use the `no_expect_ids` test in the same way: 
+
+```yaml
+          output:
+            log:
+                no_expect_ids: []
+``` 
+
+This way, the current rule id will be appended and the check verifies it does not show up in logs.
+
 Exact properties, syntax, available checks and parameters are dependent on the used version of `go-ftw`. The generator will simply replace what is defined under the `output` field in the corresponding field of the generated test case.
 
  As described for `go-ftw`,  [if any of the checks fail the test will fail](https://github.com/coreruleset/go-ftw?tab=readme-ov-file#how-log-parsing-works).

diff --git a/config_tests/CONF_000_GLOBAL.yaml b/config_tests/CONF_000_GLOBAL.yaml
@@ -13,6 +13,15 @@ global:
           log,\
           msg:'%{MATCHED_VAR_NAME} was caught in phase:${PHASE}$',\
           ver:'${VERSION}$'"
+  - name: "Non-disruptive SecRule for TARGETS"
+    template: |
+      SecRule ${TARGET}$ "${OPERATOR}$ ${OPARG}$" \
+          "id:${CURRID}$,\
+          phase:${PHASE}$,\
+          t:none,\
+          log,\
+          msg:'%{MATCHED_VAR_NAME} was caught in phase:${PHASE}$',\
+          ver:'${VERSION}$'"
   default_tests_phase_methods:
   - 1: get
   - 2: post

diff --git a/config_tests/CONF_026_TARGET_MATCHED_VARS_NAMES-NEG.yaml b/config_tests/CONF_026_TARGET_MATCHED_VARS_NAMES-NEG.yaml
@@ -0,0 +1,37 @@
+target: MATCHED_VARS_NAMES
+rulefile: MRTS_026_MATCHED_VARS_NAMES-NEG.conf
+testfile: MRTS_026_MATCHED_VARS_NAMES-NEG.yaml
+templates:
+- Non-disruptive SecRule for TARGETS
+colkey:
+- - ''
+operator:
+- '@contains'
+oparg:
+- ARGS:matched_vars_names_negative_test
+generation:
+  before_each: |
+    SecRule ARGS "@rx matched_vars_names_negative_test" "id:${CURRID}$, phase:${PHASE}$, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+    SecRule ARGS "@rx matched_vars_names_test" "id:${CURRID}$, phase:${PHASE}$, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+phase:
+- 1
+- 2
+- 3
+- 4
+- 5
+testdata:
+  phase_methods:
+    1: get
+    2: post
+    3: post
+    4: post
+    5: post
+  targets:
+    - target: ''
+      test:
+        data:
+          matched_vars_names_test: matched_vars_names_test
+          matched_vars_names_negative_test: matched_vars_names_negative_test
+        output:
+          log:
+            no_expect_ids: []
diff --git a/config_tests/CONF_026_TARGET_MATCHED_VARS_NAMES.yaml b/config_tests/CONF_026_TARGET_MATCHED_VARS_NAMES.yaml
@@ -0,0 +1,38 @@
+target: MATCHED_VARS_NAMES
+rulefile: MRTS_026_MATCHED_VARS_NAMES.conf
+testfile: MRTS_026_MATCHED_VARS_NAMES.yaml
+templates:
+- Non-disruptive SecRule for TARGETS
+colkey:
+- - ''
+operator:
+- '@contains'
+oparg:
+- ARGS:matched_vars_names_test
+- ARGS_NAMES:matched_vars_names_test
+- REQUEST_COOKIES:matched_vars_names_test
+generation:
+  before_each: |
+    SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx matched_vars_names_test" "id:${CURRID}$, phase:${PHASE}$, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+phase:
+- 1
+- 2
+- 3
+- 4
+- 5
+testdata:
+  phase_methods:
+    1: get
+    2: post
+    3: post
+    4: post
+    5: post
+  targets:
+    - target: ''
+      test:
+        data:
+          matched_vars_names_test: matched_vars_names_test
+        input:
+          headers:
+            - name: Cookie
+              value: matched_vars_names_test=matched_vars_names_test
diff --git a/generated/rules/MRTS_026_MATCHED_VARS_NAMES-NEG.conf b/generated/rules/MRTS_026_MATCHED_VARS_NAMES-NEG.conf
@@ -0,0 +1,55 @@
+SecRule ARGS "@rx matched_vars_names_negative_test" "id:100092, phase:1, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+SecRule ARGS "@rx matched_vars_names_test" "id:100093, phase:1, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains ARGS:matched_vars_names_negative_test" \
+    "id:100094,\
+    phase:1,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:1',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS "@rx matched_vars_names_negative_test" "id:100095, phase:2, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+SecRule ARGS "@rx matched_vars_names_test" "id:100096, phase:2, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains ARGS:matched_vars_names_negative_test" \
+    "id:100097,\
+    phase:2,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:2',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS "@rx matched_vars_names_negative_test" "id:100098, phase:3, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+SecRule ARGS "@rx matched_vars_names_test" "id:100099, phase:3, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains ARGS:matched_vars_names_negative_test" \
+    "id:100100,\
+    phase:3,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:3',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS "@rx matched_vars_names_negative_test" "id:100101, phase:4, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+SecRule ARGS "@rx matched_vars_names_test" "id:100102, phase:4, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains ARGS:matched_vars_names_negative_test" \
+    "id:100103,\
+    phase:4,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:4',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS "@rx matched_vars_names_negative_test" "id:100104, phase:5, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+SecRule ARGS "@rx matched_vars_names_test" "id:100105, phase:5, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains ARGS:matched_vars_names_negative_test" \
+    "id:100106,\
+    phase:5,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:5',\
+    ver:'MRTS/0.1'"
+
diff --git a/generated/rules/MRTS_026_MATCHED_VARS_NAMES.conf b/generated/rules/MRTS_026_MATCHED_VARS_NAMES.conf
@@ -0,0 +1,150 @@
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx matched_vars_names_test" "id:100107, phase:1, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains ARGS:matched_vars_names_test" \
+    "id:100108,\
+    phase:1,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:1',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx matched_vars_names_test" "id:100109, phase:2, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains ARGS:matched_vars_names_test" \
+    "id:100110,\
+    phase:2,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:2',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx matched_vars_names_test" "id:100111, phase:3, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains ARGS:matched_vars_names_test" \
+    "id:100112,\
+    phase:3,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:3',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx matched_vars_names_test" "id:100113, phase:4, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains ARGS:matched_vars_names_test" \
+    "id:100114,\
+    phase:4,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:4',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx matched_vars_names_test" "id:100115, phase:5, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains ARGS:matched_vars_names_test" \
+    "id:100116,\
+    phase:5,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:5',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx matched_vars_names_test" "id:100117, phase:1, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains ARGS_NAMES:matched_vars_names_test" \
+    "id:100118,\
+    phase:1,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:1',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx matched_vars_names_test" "id:100119, phase:2, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains ARGS_NAMES:matched_vars_names_test" \
+    "id:100120,\
+    phase:2,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:2',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx matched_vars_names_test" "id:100121, phase:3, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains ARGS_NAMES:matched_vars_names_test" \
+    "id:100122,\
+    phase:3,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:3',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx matched_vars_names_test" "id:100123, phase:4, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains ARGS_NAMES:matched_vars_names_test" \
+    "id:100124,\
+    phase:4,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:4',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx matched_vars_names_test" "id:100125, phase:5, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains ARGS_NAMES:matched_vars_names_test" \
+    "id:100126,\
+    phase:5,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:5',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx matched_vars_names_test" "id:100127, phase:1, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains REQUEST_COOKIES:matched_vars_names_test" \
+    "id:100128,\
+    phase:1,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:1',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx matched_vars_names_test" "id:100129, phase:2, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains REQUEST_COOKIES:matched_vars_names_test" \
+    "id:100130,\
+    phase:2,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:2',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx matched_vars_names_test" "id:100131, phase:3, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains REQUEST_COOKIES:matched_vars_names_test" \
+    "id:100132,\
+    phase:3,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:3',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx matched_vars_names_test" "id:100133, phase:4, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains REQUEST_COOKIES:matched_vars_names_test" \
+    "id:100134,\
+    phase:4,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:4',\
+    ver:'MRTS/0.1'"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx matched_vars_names_test" "id:100135, phase:5, pass, log, msg:'matched vars is: %{MATCHED_VARS_NAMES}'"
+
+SecRule MATCHED_VARS_NAMES "@contains REQUEST_COOKIES:matched_vars_names_test" \
+    "id:100136,\
+    phase:5,\
+    t:none,\
+    log,\
+    msg:'%{MATCHED_VAR_NAME} was caught in phase:5',\
+    ver:'MRTS/0.1'"
+
diff --git a/generated/rules/MRTS_110_XML.conf b/generated/rules/MRTS_110_XML.conf
@@ -1,5 +1,5 @@
 SecRule XML:/* "@beginsWith foo" \
-    "id:100092,\
+    "id:100137,\
     phase:2,\
     deny,\
     t:none,\
@@ -8,7 +8,7 @@ SecRule XML:/* "@beginsWith foo" \
     ver:'MRTS/0.1'"
 
 SecRule XML:/* "@beginsWith foo" \
-    "id:100093,\
+    "id:100138,\
     phase:3,\
     deny,\
     t:none,\
@@ -17,7 +17,7 @@ SecRule XML:/* "@beginsWith foo" \
     ver:'MRTS/0.1'"
 
 SecRule XML:/* "@beginsWith foo" \
-    "id:100094,\
+    "id:100139,\
     phase:4,\
     deny,\
     t:none,\

diff --git a/generated/tests/regression/tests/100094_MRTS_026_MATCHED_VARS_NAMES-NEG.yaml b/generated/tests/regression/tests/100094_MRTS_026_MATCHED_VARS_NAMES-NEG.yaml
@@ -0,0 +1,28 @@
+---
+meta:
+  author: MRTS generate-rules.py
+  enabled: true
+  name: MRTS_026_MATCHED_VARS_NAMES-NEG.yaml
+  description: Desc
+tests:
+- test_title: 100094-1
+  ruleid: 100094
+  test_id: 1
+  desc: 'Test case for rule 100094, #1'
+  stages:
+  - description: Send request
+    input:
+      dest_addr: 127.0.0.1
+      port: 80
+      protocol: http
+      method: GET
+      headers:
+        User-Agent: OWASP MRTS test agent
+        Host: localhost
+        Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+      uri: /?matched_vars_names_test=matched_vars_names_test&matched_vars_names_negative_test=matched_vars_names_negative_test
+      version: HTTP/1.1
+    output:
+      log:
+        no_expect_ids:
+        - 100094