modsecurity create rule disable GET request


Problem description

I want to create a mod security2x rule that will block the GET request to a specific URL.

For example, I want to block the URL with the GET in the header: 'www.test.com'

I've never made a rule within modsecurity, and I'm not sure this will work with anomaly detection mode.

This would be an example of the GET request: GET /secure/bla/test/etc/

This is what I have so far (the action list has to be quoted as one argument for the directive to parse):

SecRule ARGS "www.test.com" "phase:2,log,deny,id:'1234',msg:'403 Access Denied'"

Solution

You want something like this:

# Chained rule: rule 1 (path) and rule 2 (method) must both match before the
# disruptive action (deny,status:403) declared on rule 1 is applied.
SecRule REQUEST_URI "@streq /secure/bla/test/etc/" \
    "phase:1,id:1234,t:none,t:urlDecode,t:lowercase,t:normalizePath,deny,status:403,msg:'403 Access Denied',chain"
    SecRule REQUEST_METHOD "@streq get" "t:none,t:lowercase"

You need to chain two rules together as you want to check two conditions (path is /secure/bla/test/etc/ and method is GET).

If you want to add a third rule to check the host (e.g. if you have multiple virtual hosts and this URL is valid for GET requests on some of them), then you can:

SecRule REQUEST_URI "@streq /secure/bla/test/etc/" \
     "phase:1,id:1234,t:none,t:urlDecode,t:lowercase,t:normalizePath,deny,status:403,msg:'403 Access Denied',chain"
    SecRule REQUEST_METHOD "@streq get" "t:none,t:lowercase,chain"
         SecRule SERVER_NAME "@streq www.example.com"

Or alternatively you can use REQUEST_URI_RAW which will include the protocol and hostname as well as the resource requested:

# The operator defaults to @rx, so this is a regular expression; the dots in the
# hostname are escaped so they match literal dots rather than any character.
SecRule REQUEST_URI_RAW "^https?://www\.test\.com/secure/bla/test/etc/" \
    "phase:1,id:1234,t:none,t:urlDecode,t:lowercase,t:normalizePath,deny,status:403,msg:'403 Access Denied',chain"
    SecRule REQUEST_METHOD "@streq get" "t:none,t:lowercase"

You'll notice I've also added quite a few transformation functions (the t: bits) to help avoid people trying to get around this rule (e.g. with a path like /secure/bla/TEST/../test/etc/).

All of this is covered in the reference manual: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual but does take a bit of practice to get used to I'll admit!

Anomaly detection mode simply means that rules which might fire for valid requests do not block immediately but instead assign a score, and if the total score of all the rules for that request is above a certain threshold then it blocks, if not it doesn't. This allows for "noisy" rules to still be included but to be ignored unless lots of noisy rules all fire for a request, or if one important rule is fired.

There is nothing to stop you explicitly blocking with the "deny" option as I have done above - even in anomaly detection mode. This rule seems fairly safe from ever firing accidentally for a legitimate request (once you have tested it works!) so I would just go for straight blocking as I have done above. The alternative is to replace deny with block,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score} which will have the same effect when the score is checked later but in my mind needlessly complicates the readability of the rule since it will always block anyway.

Anomaly scoring versus traditional scoring is covered in more detail in this blog post: http://blog.modsecurity.org/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html
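As an added illustration (not part of the original answer, and not ModSecurity's own code), here is a small Python simulation of how the chained rule above evaluates requests. It approximates the t:urlDecode, t:lowercase and t:normalizePath transformations so you can see the /secure/bla/TEST/../test/etc/ variant collapse onto the blocked path, shows that every rule in the chain must match before the deny action applies (a POST to the same path passes, and with the optional third rule a different virtual host passes), and contrasts straight deny with the anomaly-scoring alternative, where block plus setvar only takes effect once the accumulated score reaches the threshold. The transformation functions are simplified stand-ins written for this example, the sample requests are constructed, and the threshold (5) and critical score (5) are assumed values in the style of the CRS defaults rather than anything taken from the page.

```python
# Added example: a stand-alone simulation of the chained ModSecurity rule from
# the answer. Not the engine's code; the transformations are simplified
# approximations and the anomaly numbers (threshold 5, critical score 5) are
# assumed CRS-style defaults.
import posixpath
from urllib.parse import unquote

BLOCKED_PATH = "/secure/bla/test/etc/"   # path from the question
BLOCKED_HOST = "www.example.com"         # host from the answer's third rule


# --- simplified stand-ins for t:urlDecode, t:lowercase, t:normalizePath -----
def t_url_decode(value: str) -> str:
    """One pass of %xx decoding, as t:urlDecode does."""
    return unquote(value)


def t_lowercase(value: str) -> str:
    return value.lower()


def t_normalize_path(value: str) -> str:
    """Resolve '.', '..' and duplicate slashes, as t:normalizePath does.
    posixpath.normpath drops a trailing slash, so it is restored here."""
    normalized = posixpath.normpath(value)
    if value.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


URI_TRANSFORMS = (t_url_decode, t_lowercase, t_normalize_path)
METHOD_TRANSFORMS = (t_lowercase,)


def apply_transforms(value, transforms=URI_TRANSFORMS):
    """Apply transformations in the listed order (t:none clears inherited ones)."""
    for transform in transforms:
        value = transform(value)
    return value


# --- the chain: all rules must match for rule 1's disruptive action to fire ---
def chain_matches(request, check_host=False):
    """Mirror the two-rule chain, or the three-rule chain when check_host is set."""
    if apply_transforms(request["uri"]) != BLOCKED_PATH:                   # rule 1
        return False
    if apply_transforms(request["method"], METHOD_TRANSFORMS) != "get":    # rule 2
        return False
    if check_host and request.get("host") != BLOCKED_HOST:                  # rule 3
        return False
    return True


def decide_deny(request, check_host=False):
    """Traditional mode: 'deny,status:403' acts as soon as the chain matches."""
    return 403 if chain_matches(request, check_host) else 200


def decide_anomaly(request, check_host=False, other_rule_scores=(),
                   threshold=5, critical_score=5):
    """Anomaly-scoring mode: the rule does 'block,setvar:tx.anomaly_score=+...'
    and a later check compares the total against the inbound threshold.
    other_rule_scores stands for points added by other ('noisy') rules."""
    score = sum(other_rule_scores)
    if chain_matches(request, check_host):
        score += critical_score
    return (403 if score >= threshold else 200), score


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "plain_get":       {"method": "GET",  "uri": "/secure/bla/test/etc/",         "host": "www.example.com"},
    "case_dotdot":     {"method": "GET",  "uri": "/secure/bla/TEST/../test/etc/", "host": "www.example.com"},
    "percent_encoded": {"method": "GET",  "uri": "/secure/bla/%74est/etc/",       "host": "www.example.com"},
    "post_same_path":  {"method": "POST", "uri": "/secure/bla/test/etc/",         "host": "www.example.com"},
    "other_path":      {"method": "GET",  "uri": "/public/",                      "host": "www.example.com"},
    "other_vhost":     {"method": "GET",  "uri": "/secure/bla/test/etc/",         "host": "intranet.example.com"},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:16} deny={decide_deny(req)} "
              f"deny+host={decide_deny(req, check_host=True)} "
              f"anomaly={decide_anomaly(req)}")
```

Running the script prints one line per sample request; the point to look at is that the case-changed and percent-encoded variants end up with the same 403 as the plain request, while the POST and the other path get 200. The simulation is only a reasoning aid: the real check is still to load the rule into the ModSecurity instance, replay the same requests against it, and read the result in the audit log.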
