One violation in logs when two triggers sent #1089

Open
lyona-lyo opened this issue Nov 24, 2022 · 3 comments
Labels
bug Something isn't working

Comments

lyona-lyo commented Nov 24, 2022

In the system just the first trigger/violation is registered and just the first violation is counted on proxy.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'Content Filter Profiles'
  2. Create New Content Filter Profile: fill Name and Tags, uncheck "Ignore Alphanumeric Input" and "Ignore Body"
  3. Set for Headers Max Length 50
  4. Save the Profile
  5. Go to Security Policy
  6. Open settings for default security policy
  7. Change settings of Content Filter for default Match: / . Choose the Content Filter Profile which was created while steps 2 - 4 were performed and check Active Mode
  8. Save Security Policy
  9. Publish changes
  10. Send the following curl:
    curl -vv http://rbzdevelen001-prod-alb-514441289.eu-central-1.elb.amazonaws.com/home -H "host:default.site" -H "test:vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv" -d "b=c&d=<select>"

2 violations should be registered:

  • header length in the Content Filter Profiles (50B)
  • SQL injection

In this situation just the first one (header length) was registered and counted. Please, look at the "trigger_counters" and "content_filter_triggers" sections:

{"timestamp":"2022-11-24T12:16:31.580666001Z","@timestamp":"2022-11-24T12:16:31.580666001Z","curiesession":"691290c667b410237d81ada6414b1ed4f3b8b038939807664edcf3f9","curiesession_ids":[{"name":"sessionid","value":"691290c667b410237d81ada6414b1ed4f3b8b038939807664edcf3f9"}],"request_id":"921fcb9752a310de7b30435a83dacd7b","arguments":[{"name":"b","value":"c"},{"name":"d","value":"<select>"}],"path":"/home","path_parts":[{"name":"path","value":"/home"},{"name":"part1","value":"home"}],"authority":"default.site","cookies":[],"headers":[{"name":"content-length","value":"14"},{"name":"test","value":"vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv"},{"name":"content-type","value":"application/x-www-form-urlencoded"},{"name":"x-forwarded-port","value":"80"},{"name":"host","value":"default.site"},{"name":"x-amzn-trace-id","value":"Root=1-637f609f-01799a363ac683103e513ba3"},{"name":"x-forwarded-for","value":"199.203.196.185"},{"name":"x-forwarded-proto","value":"http"},{"name":"accept","value":"*/*"},{"name":"user-agent","value":"curl/7.79.1"}],"uri":"/home","ip":"199.203.196.185","method":"POST","response_code":473,"logs":["D 14µs Loading configuration from /cf-config/current/config","D 1882145µs Loaded profile e102e2d40c50 with 189 rules","D 3322479µs Loaded profile __defaultcontentfilter__ with 189 rules"],"processing_stage":6,"acl_triggers":[],"rate_limit_triggers":[],"global_filter_triggers":[{"id":"rbz-api-discovery","name":"API Discovery","active":false}],"content_filter_triggers":[{"type":"entry_too_large","actual":74,"expected":50,"name":"test","section":"headers","active":true}],"reason":"blocking - too large, size=74 threshold=50 - [header test]","tags":["args:2","geo-subregion:nil","geo-continent-name:asia","geo-continent-code:as","contentfiltername:cfp-test","contentfilterid:e102e2d40c50","action:content-filter-block","geo-asn:1680","api","aclname:acl-default","geo-region:haifa","ip:199-203-196-185","network:199-203-196-0-24","geo-country:israel","securitypolicy-entry:--default--","securitypolicy:default-security-policy","acl-def","aclid:--acldefault--","host:default-site","action:monitor","cfp-test-json","cookies:0","all","geo-city:or-akiva","tg-mpost","bot","headers:10","geo-org:cellcom-fixed-line-communication-l-p","status:473","status-class:4xx"],"proxy":[{"name":"request_id","value":"921fcb9752a310de7b30435a83dacd7b"},{"name":"bytes_sent","value":"189"},{"name":"realip","value":"199.203.196.185"},{"name":"request_time","value":"0.002"},{"name":"request_length","value":"386"},{"name":"status","value":"473"},{"name":"geo_long","value":32.5061},{"name":"geo_lat","value":34.9243},{"name":"container","value":"curieproxy-prod-78dd566c7d-vmnp2"}],"security_config":{"revision":"a7a81a5545cf92760be7d7153db93aff7ba39e9e","acl_active":true,"cf_active":true,"cf_rules":0,"rate_limit_rules":4,"global_filters_active":19},"trigger_counters":{"acl":0,"acl_active":0,"global_filters":1,"global_filters_active":0,"rate_limit":1,"rate_limit_active":0,"content_filters":1,"content_filters_active":1}}
bartavelle (Collaborator) commented:

This is the expected behavior: the first "block" stops the filtering. This is especially important for violations that could lead to denial of service of the filter, such as maximum size violations.

There are cases when you can see evidence of multiple violations, such as with multiple matching content filter rules. The reason is that all the content filter rules are matched at once, so there is no downside to reporting them all as this does not create extra work.

tamarareblaze (Contributor) commented:

@bartavelle
So, if I understand correctly, if we have more than one section we will not see it?
I mean, if one contentfilterid has section: header and another one has section: args, will we see only one?

And as max we will have content_filters_active: 1 ?

bartavelle (Collaborator) commented:

Not exactly: things that are about the arguments will block at once, but things that are about signatures will all be applied at the same time and you'll get all the info.
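To make the two evaluation orders discussed in bartavelle's replies concrete, here is a toy model (an added example, not curiefense's own code): per-entry size checks stop at the first violation, while signature rules all run in one pass and every hit is reported. The rule ids, patterns and the sample request are constructed for illustration; only the header limit of 50 and the `entry_too_large` trigger shape come from the report.

```python
import re

# Constructed signature rules: (id, description, compiled pattern).
SIGNATURE_RULES = [
    ("sig-sql-select", "SQL keyword in value", re.compile(r"\bselect\b", re.I)),
    ("sig-html-tag", "HTML tag in value", re.compile(r"<[a-z]+>", re.I)),
]


def evaluate(request, max_entry_len):
    """request: {"headers": {name: value}, "args": {name: value}}.
    max_entry_len: per-section length limit (the report sets Headers Max Length 50).
    Returns (triggers, reason), shaped like content_filter_triggers / reason in the log."""
    # Stage 1: size limits. The first oversized entry blocks immediately and no
    # further rule runs, which is why the reported log shows one entry_too_large
    # trigger and content_filters: 1 although the body also looks suspicious.
    for section, entries in request.items():
        limit = max_entry_len.get(section)
        if limit is None:
            continue
        for name, value in entries.items():
            if len(value) > limit:
                trigger = {"type": "entry_too_large", "actual": len(value),
                           "expected": limit, "name": name, "section": section}
                return [trigger], (f"blocking - too large, size={len(value)} "
                                   f"threshold={limit} - [{section} {name}]")
    # Stage 2: signature rules. Every rule is matched against every entry in one
    # pass, so reporting all hits costs nothing extra and all of them are kept.
    triggers = []
    for section, entries in request.items():
        for name, value in entries.items():
            for rule_id, desc, pattern in SIGNATURE_RULES:
                if pattern.search(value):
                    triggers.append({"type": "signature", "id": rule_id,
                                     "name": name, "section": section})
    reason = f"blocking - {len(triggers)} signature match(es)" if triggers else "pass"
    return triggers, reason


# Constructed request modelled on the curl in the report: an oversized header
# plus an argument that would match the signature rules above.
REPORT_REQUEST = {
    "headers": {"host": "default.site", "test": "v" * 74},
    "args": {"b": "c", "d": "<select>"},
}
REPORT_LIMITS = {"headers": 50}
```

Running `evaluate(REPORT_REQUEST, REPORT_LIMITS)` yields a single `entry_too_large` trigger; shrinking the header below 50 lets stage 2 run and both signature hits on `d` are reported together.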

@tzuryby tzuryby closed this as completed Dec 5, 2022
@tzuryby tzuryby reopened this Dec 15, 2022