Log message should indicate if operator is negative

[meirdev]

The rule:

SecRule ARGS:var "!@streq hello" "id:100,phase:1,deny,log"

Example of denied request:

curl http://localhost:8080/?var=hi

Log message:

Access denied with code 403 (phase 1). Matched "Operator `StrEq' with parameter `hello' against variable `ARGS:var' (Value: `hi' )

Reading the log message alone is confusing, why does @StrEq hello have a match for hi?

---

Also, I think the use of backticks (`) and single quotes (') in the log message should be fixed.

[airween]

SecRule ARGS:var "!@streq hello" "id:100,phase:1,deny,log"

Example of denied request:

curl http://localhost:8080/?var=hi

Log message:

Access denied with code 403 (phase 1). Matched "Operator `StrEq' with parameter `hello' against variable `ARGS:var' (Value: `hi' )

Reading the log message alone is confusing, why does @StrEq hello have a match for hi?

indeed the rule matches because the operator has a ! prefix, and hello != hi - but you're partially right, reading this in a log is a bit weird.

Would you mind to send a PR to fix this?

Please note that we have to check this in v2 too - if the situation is the same, then we must fix there too.

Also, I think the use of backticks (`) and single quotes (') in the log message should be fixed.

That's a bit harder issue, because I assume many user made their own logparser, and if we change the syntax, then all parser will be broken.

If we want to change that, we should discuss that with the community.