modsecurity create rule disable GET request


Problem description

I want to create a mod security2x rule that will block the GET request to a specific URL.

for example I want to block the URL with the GET in the header: 'www.test.com'

I've never made a rule within modsecurity, and not sure this will work with anomaly detection mode.

This would be an example of the GET request: GET/secure/bla/test/etc/

This is what I have so far: SecRule ARGS "www.test.com" phase:2,log,deny,id:'1234',msg:'403 Access Denied'

Recommended answer

You want something like this:

SecRule REQUEST_URI "@streq /secure/bla/test/etc/" \
    "phase:1,id:1234,t:none,t:urlDecode,t:lowercase,t:normalizePath,deny,status:403,msg:'403 Access Denied',chain"
    SecRule REQUEST_METHOD "@streq get" "t:none,t:lowercase"

You need to chain two rules together as you want to check two conditions (path is /secure/bla/test/etc/ and method is GET).

If you want to add a third rule to check the host (e.g. if you have multiple virtual hosts and this URL is valid for GET requests on some of them), then you can:

SecRule REQUEST_URI "@streq /secure/bla/test/etc/" \
    "phase:1,id:1234,t:none,t:urlDecode,t:lowercase,t:normalizePath,deny,status:403,msg:'403 Access Denied',chain"
    SecRule REQUEST_METHOD "@streq get" "t:none,t:lowercase,chain"
        SecRule SERVER_NAME "@streq www.example.com"

Or alternatively you can use REQUEST_URI_RAW which will include the protocol and hostname as well as the resource requested:

SecRule REQUEST_URI_RAW "^https?://www\.test\.com/secure/bla/test/etc/" \
    "phase:1,id:1234,t:none,t:urlDecode,t:lowercase,t:normalizePath,deny,status:403,msg:'403 Access Denied',chain"
    SecRule REQUEST_METHOD "@streq get" "t:none,t:lowercase"

You'll notice I've also added quite a few transformation functions (the t: bits) to help avoid people trying to get around this rule (e.g. with a path like /secure/bla/TEST/../test/etc/).
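To see what the transformations and the chain actually do, here is an added Python emulation (my example, not code from the answer or from ModSecurity itself) of the rule above: it applies t:urlDecode, t:lowercase and an approximation of t:normalizePath to constructed request lines and then requires both chained conditions. It also shows one limit of an exact @streq on REQUEST_URI: that variable carries the query string, so /secure/bla/test/etc/?x=1 is not matched.

```python
from urllib.parse import unquote

# Path the chained rule denies (from the answer above).
BLOCKED_PATH = "/secure/bla/test/etc/"

def normalize_path(path: str) -> str:
    """Approximation of t:normalizePath: drop repeated slashes, '.' and '..' segments."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    norm = "/" + "/".join(out)
    if path.endswith("/") and norm != "/":
        norm += "/"  # keep the trailing slash, as the rule's @streq target has one
    return norm

def transform(uri: str) -> str:
    """t:none,t:urlDecode,t:lowercase,t:normalizePath, applied in rule order."""
    return normalize_path(unquote(uri).lower())

def chained_rule_matches(method: str, uri: str) -> bool:
    """A chain only fires when every SecRule in it matches: blocked path AND method GET."""
    return transform(uri) == BLOCKED_PATH and method.lower() == "get"

def decide(request_line: str) -> int:
    """Status the rule would produce for one request line: 403 (deny) or 200 (pass)."""
    method, uri, _version = request_line.split(" ", 2)
    return 403 if chained_rule_matches(method, uri) else 200

# Constructed sample request lines (not from the original post).
SAMPLE_REQUESTS = [
    "GET /secure/bla/test/etc/ HTTP/1.1",          # plain hit
    "GET /secure/bla/TEST/../test/etc/ HTTP/1.1",  # the evasion mentioned in the answer
    "GET /secure/bla/%74est/etc/ HTTP/1.1",        # URL-encoded 't'
    "POST /secure/bla/test/etc/ HTTP/1.1",         # same path, other method: allowed
    "GET /secure/bla/test/etc/?x=1 HTTP/1.1",      # REQUEST_URI keeps the query string, so @streq misses
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(decide(line), line)
```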

All of this is covered in the reference manual: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual but does take a bit of practice to get used to I'll admit!

Anomaly detection mode simply means rules that might fire for valid requests are not blocked immediately but are instead assigned a score, and if the total score of all the rules for that request is above a certain threshold then it blocks; if not, it doesn't. This allows "noisy" rules to still be included but be ignored unless lots of noisy rules all fire for a request, or if one important rule is fired.

There is nothing to stop you explicitly blocking with the "deny" option as I have done above - even in anomaly detection mode. This rule seems fairly safe from ever firing accidentally for a legitimate request (once you have tested it works!) so I would just go for straight blocking as I have done above. The alternative is to replace deny with block,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score} which will have the same effect when the score is checked later but in my mind needlessly complicates the readability of the rule since it will always block anyway.

Anomaly scoring versus traditional scoring is covered in more detail in this blog post: http://blog.modsecurity.org/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html
