复杂SecRule匹配不止一件事 [英] Complex SecRule that matches more than one thing

问题描述

我使用mod_security2一个新手。我只用它约3周之中。

I'm a newbie using mod_security2. I have only being using it for about 3 weeks.

希望有人能告诉我如何完成以下。
我正在寻找一种方法来创建一个规则：

Hope someone can tell me how to accomplish the following. I'm looking for a way to create a rule that:

1. 如果该URL，域名开始后 / SOMETHING


2. 和参数名称（包括任何地方日期或时间戳）或（恰好是 lastLogon ）


3. 和参数值相匹配的正则表达式 ^ [0-9] {4} - [0-9] {2} - [0-9] {2} T [0-9] { 2}：[0-9] {2}。？[0-9] {2} \\ [0-9] {3} [ - +] [0-9] {4} $


4. 或参数的名字正是过滤器（不管它有什么价值）


5. 然后做CTL：ruleRemoveTargetById = 981173

1. If the url, after the domain name begins with /SOMETHING
2. And the argument name (contains anywhere date or timestamp) or (is exactly lastLogon)
3. And the argument value matches the regex ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}[-+]?[0-9]{4}$
4. Or the argument name is exactly "filters" (no matter what value it has)
5. Then do ctl:ruleRemoveTargetById=981173

我想什么参考手册的缺失，是一个解释复杂的例子的SecRule。也许我只是找不到它，在这种情况下，请你原谅我，请点我在正确的方向。

What I think the Reference Manual is missing, is an explained complex example of SecRule. Maybe I just couldn't find it, in which case, please forgive me and please point me in the right direction.

我使用的是版本2.9.0

I'm using version 2.9.0

也许使用链或类似的东西？无法使它工作（因为需要布尔或）。我不知道。

Maybe using chain or something like that?. Couldn't make it work (because of the needed boolean or). I don't know.

既然我已经写求救这个要求，也许有捷径这将是很方便的知道：我有很多规则来写，如果域名之后的URL以 /开始申请SOMETHING ，有没有一种简单的方法来处理它们？

Since I'm already writing this request for help, maybe there is a shortcut it would be handy to know: I have many rules to write that apply if the url after the domain name begins with /SOMETHING, Is there an easy way to handle them?

先谢谢了。

推荐答案

工作规则是：

SecRule REQUEST_FILENAME "@beginsWith /SOMETHING" \
        "phase:1,t:none,nolog,pass,ctl:ruleRemoveTargetById=981173;ARGS:filters,id:'10000'"

SecRule ARGS:/(?i)^.*date.*$/|ARGS:/(?i)^.*timestamp.*$/|ARGS:/(?i)^lastLogin$/ \
        "@rx ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}[-+]?[0-9]{4}$" \
        "phase:2,chain,t:none,nolog,pass,id:'10010'"
    SecRule REQUEST_FILENAME "@beginsWith /SOMETING" "ctl:ruleRemoveById=981173"

我面对现在的问题是，第2阶段之一，我的 modsecurity_crs_15_customrules.conf 配置文件不执行，如果它被放置在只被执行 modsecurity.conf 。

The problem i'm facing now is that the phase 2 one is not executed in my modsecurity_crs_15_customrules.conf configuration file, it only gets executed if it is placed in modsecurity.conf.

我仍在寻找这个新问题的最终解决方案。 （参见：这个其他问题）

I'm still looking for a definitive solution for this new problem. (see: this other question)

这篇关于复杂SecRule匹配不止一件事的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！