Update number of 'before' and 'after' bytes

pedrosousa · pedrosousa · commit c104b457587c · 2025-05-06T11:23:58.000+01:00
diff --git a/src/content/docs/waf/managed-rules/payload-logging/decrypt-in-logs.mdx b/src/content/docs/waf/managed-rules/payload-logging/decrypt-in-logs.mdx
@@ -27,7 +27,7 @@ Matched payload information includes the specific string that triggered a rule,
 
 Once you decrypt its value, the `encrypted_matched_data` property of the `Metadata` field in Logpush has a structure similar to the following:
 
-```jsonc
+```json
 {
 	// for fields with only one match (such as URI or user agent fields):
 	"<match_location>": {
@@ -37,13 +37,21 @@ Once you decrypt its value, the `encrypted_matched_data` property of the `Metada
 	},
 	// for fields with possible multiple matches (such as form, header, or body fields):
 	"<match_location>": [
-			{ "before": "<text_before_match_1>", "content": "<matched_text_1>", "after": "<text_after_match_1>" },
-			{ "before": "<text_before_match_2>", "content": "<matched_text_2>", "after": "<text_after_match_2>" }
+		{
+			"before": "<text_before_match_1>",
+			"content": "<matched_text_1>",
+			"after": "<text_after_match_1>"
+		},
+		{
+			"before": "<text_before_match_2>",
+			"content": "<matched_text_2>",
+			"after": "<text_after_match_2>"
+		}
 	]
 }
 ```
 
-The `before` and `after` properties are optional (there may be no content before/after the matched text) and will contain at most 25 bytes of content appearing before and after the match.
+The `before` and `after` properties are optional (there may be no content before/after the matched text) and will contain at most 15 bytes of content appearing before and after the match.
 
 Below are a few examples of payload matches:
 
@@ -52,15 +60,15 @@ Below are a few examples of payload matches:
 	"http.request.uri": {
 		"before": "/admin",
 		"content": "/.git/",
-		"after": "config",
+		"after": "config"
 	}
 }
 ```
 
 ```json title="Header value match"
 {
 	"http.request.headers.values[3]": [
-		{ "content": "phar://", "after": "example" },
+		{ "content": "phar://", "after": "example" }
 	]
 }
 ```
@@ -70,7 +78,7 @@ Below are a few examples of payload matches:
 	"http.request.body.raw": {
 		"before": "NY>",
 		"content": "<!ENTITY xxe SYSTEM \"file:///dev/random\">] > ",
-		"after": "<foo>&xxe;</foo>",
+		"after": "<foo>&xxe;</foo>"
 	}
 }
 ```

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ Matched payload information includes the specific string that triggered a rule,`
`27`	`27`
`28`	`28`	Once you decrypt its value, the `encrypted_matched_data` property of the `Metadata` field in Logpush has a structure similar to the following:
`29`	`29`
`30`		-```jsonc
	`30`	+```json
`31`	`31`	`{`
`32`	`32`	`// for fields with only one match (such as URI or user agent fields):`
`33`	`33`	`"<match_location>": {`
@@ -37,13 +37,21 @@ Once you decrypt its value, the `encrypted_matched_data` property of the `Metada
`37`	`37`	`},`
`38`	`38`	`// for fields with possible multiple matches (such as form, header, or body fields):`
`39`	`39`	`"<match_location>": [`
`40`		`- { "before": "<text_before_match_1>", "content": "<matched_text_1>", "after": "<text_after_match_1>" },`
`41`		`- { "before": "<text_before_match_2>", "content": "<matched_text_2>", "after": "<text_after_match_2>" }`
	`40`	`+ {`
	`41`	`+ "before": "<text_before_match_1>",`
	`42`	`+ "content": "<matched_text_1>",`
	`43`	`+ "after": "<text_after_match_1>"`
	`44`	`+ },`
	`45`	`+ {`
	`46`	`+ "before": "<text_before_match_2>",`
	`47`	`+ "content": "<matched_text_2>",`
	`48`	`+ "after": "<text_after_match_2>"`
	`49`	`+ }`
`42`	`50`	`]`
`43`	`51`	`}`
`44`	`52`	```
`45`	`53`
`46`		-The `before` and `after` properties are optional (there may be no content before/after the matched text) and will contain at most 25 bytes of content appearing before and after the match.
	`54`	+The `before` and `after` properties are optional (there may be no content before/after the matched text) and will contain at most 15 bytes of content appearing before and after the match.
`47`	`55`
`48`	`56`	`Below are a few examples of payload matches:`
`49`	`57`
`@@ -52,15 +60,15 @@ Below are a few examples of payload matches:`
`52`	`60`	`"http.request.uri": {`
`53`	`61`	`"before": "/admin",`
`54`	`62`	`"content": "/.git/",`
`55`		`- "after": "config",`
	`63`	`+ "after": "config"`
`56`	`64`	`}`
`57`	`65`	`}`
`58`	`66`	```
`59`	`67`
`60`	`68`	```json title="Header value match"
`61`	`69`	`{`
`62`	`70`	`"http.request.headers.values[3]": [`
`63`		`- { "content": "phar://", "after": "example" },`
	`71`	`+ { "content": "phar://", "after": "example" }`
`64`	`72`	`]`
`65`	`73`	`}`
`66`	`74`	```
`@@ -70,7 +78,7 @@ Below are a few examples of payload matches:`
`70`	`78`	`"http.request.body.raw": {`
`71`	`79`	`"before": "NY>",`
`72`	`80`	`"content": "<!ENTITY xxe SYSTEM \"file:///dev/random\">] > ",`
`73`		`- "after": "<foo>&xxe;</foo>",`
	`81`	`+ "after": "<foo>&xxe;</foo>"`
`74`	`82`	`}`
`75`	`83`	`}`
`76`	`84`	```