ModSecurity: Execution phases can only be specified by chain starter rules


Problem description


In the ModSecurity default script:

base_rules/modsecurity_crs_20_protocol_violations.conf

there is a rule, 960011:

SecRule REQUEST_METHOD "^(?:GET|HEAD)$" \
  "msg:'GET or HEAD Request with Body Content.',\
  severity:'2',\
  id:'960011',\
  ver:'OWASP_CRS/2.2.9',\
  rev:'1',\
  maturity:'9',\
  accuracy:'9',\
  phase:1,\
  block,\
  logdata:'%{matched_var}',\
  t:none,\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
  tag:'CAPEC-272',\
  chain"
    SecRule REQUEST_HEADERS:Content-Length "!^0?$"\
      "t:none,\
      setvar:'tx.msg=%{rule.msg}',\
      setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
      setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"

I only want to disable logging for this rule (it gives too many false positives), and therefore add my own script

base_rules/z99_logging_suppress.conf

to remove the default-rule and create a new identical rule -- only without logging:

SecRuleRemoveById 960011

SecRule REQUEST_METHOD "^(?:GET|HEAD)$" \
  "msg:'GET or HEAD Request with Body Content.',\
  severity:'2',\
  id:'9960011',\
  ver:'OWASP_CRS/2.2.9',\
  rev:'1',\
  maturity:'9',\
  accuracy:'9',\
  phase:1,\
  block,nolog,\
  logdata:'%{matched_var}',\
  t:none,\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
  tag:'CAPEC-272',\
  chain"
    SecRule REQUEST_HEADERS:Content-Length "!^0?$"\
      "t:none,\
      setvar:'tx.msg=%{rule.msg}',\
      setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
      setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"

The only differences from the original rule are the new id 9960011 and the nolog addition:

  ...
  id:'9960011',\
  ...
  block,nolog,\
  ...

But when I restart httpd with this additional rule, I get an error:

AH00526: Syntax error on line 18 of /path/base_rules/z99_logging_suppress.conf:
ModSecurity: Execution phases can only be specified by chain starter rules.

The same strategy (SecRuleRemoveById, then re-create it with a new id) works for all other default rules I tried, but not for this one.

Can anyone tell me why that is?

Solution

It basically says that the phase command can only be in the first rule in a chain and not in a subsequent rule which forms part of the chain.

There is nothing wrong with the rule as you have written it; phase is only specified in the first SecRule. In fact I've tried it on my instance and it works. So one of two things has gone wrong:

  1. You have copied and pasted it incorrectly into this question.
  2. The rule above where you have defined this has chain in it and so has left an open chain, which your rule 9960011 is then effectively trying to continue on from.

Or something else weird is happening! But I'm going with 1 or 2 for now :-)
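A small checker, added here and not part of the original post or of ModSecurity itself, that walks a rules file in load order and applies the same constraint the error states (only the chain starter may carry phase), so case 2 above can be confirmed from the config text without restarting httpd. It assumes CRS-style directives whose action list is the last double-quoted argument; the preceding rule id 9900001 in the sample is hypothetical.

```python
import re
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one double-quoted SecRule argument

def _directives(text):
    """Yield (line_no, directive); trailing-backslash continuations joined, comments skipped."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        start = start if buf else n
        cont = line.endswith("\\")
        buf.append(line[:-1].strip() if cont else line)
        if not cont:
            yield start, " ".join(buf)
            buf = []

def _actions(directive):
    """Split the action list (assumed to be the last quoted argument) on commas outside quotes."""
    quoted = _QUOTED.findall(directive)
    out, cur, inq = [], "", False
    for ch in quoted[-1] if len(quoted) >= 2 else "":
        inq ^= ch == "'"
        if ch == "," and not inq:
            out.append(cur.strip()); cur = ""
        else:
            cur += ch
    return [a for a in out + [cur.strip()] if a]

def lint_chains(text):
    """Mimic ModSecurity's rule: only a chain starter may carry 'phase'. Returns [(line, msg)]."""
    problems, in_chain, starter = [], False, ("?", 0)
    for line_no, directive in _directives(text):
        if not directive.startswith("SecRule "):
            continue                          # SecRuleRemoveById etc. are not chain links
        acts = _actions(directive)
        names = {a.split(":", 1)[0] for a in acts}
        rid = next((a.split(":", 1)[1].strip("'") for a in acts if a.startswith("id:")), "?")
        if in_chain and "phase" in names:
            problems.append((line_no, f"rule {rid}: phase on a chained rule (chain opened by rule {starter[0]}, line {starter[1]})"))
        if not in_chain:
            starter = (rid, line_no)           # remember the starter for the diagnostic
        in_chain = "chain" in names            # a rule ending in 'chain' makes the next one a link
    return problems

# Constructed sample of case 2: hypothetical rule 9900001 ends in 'chain' with no continuation.
BROKEN = '''SecRule REQUEST_HEADERS:User-Agent "^$" "id:'9900001',phase:1,deny,chain"
SecRule REQUEST_METHOD "^(?:GET|HEAD)$" \\
  "msg:'GET or HEAD Request with Body Content.',id:'9960011',phase:1,block,nolog,chain"
    SecRule REQUEST_HEADERS:Content-Length "!^0?$" "t:none,setvar:'tx.msg=%{rule.msg}'"'''
```

Point it at z99_logging_suppress.conf first; if that file is clean, check the rules loaded just before it.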
