Steps to find a specific Mod_security rule

I am running a web portal on a LAMP stack. I am having a problem with an export button function: when I click the button, it redirects to the Apache test page. When I comment out #Include modsecurity.d/base_rules/*.conf in mod_security, it works fine.

I have added the value -> SecDebugLogLevel 9 and can see that there are multiple logs created with lots of rules. Can anyone explain how to find the exact rule that is blocking my function?

Answer 1

The triggered rule will appear in the standard Apache error log, where you should see an [id: XXXX] field, which is the ID of the rule that fired (950001 in this example), together with the config file that defines that rule (/www/apache2/conf/modsecurity.d/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf in this example):

[Mon May 09 09:15:06.253373 2016] [-:error] [pid 25094:tid 140713241073408] [client 123.123.123.123:52197] [client 123.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\\\b(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4| ..." at ARGS:utm_campaign. [file "/www/apache2/conf/modsecurity.d/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "125"] [id "950001"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: field( found within ARGS:utm_campaign:blah blah blaj"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "www.exmaple.com"] [uri "/"] [unique_id "VzBHCn8AAAEAAGIGrQcAAACE"]

More detail is available in the ModSecurity audit log (assuming it is configured), where you get the full details of the request, and in the H section you will see a line like the one above, which again includes the [id: XXXX] that was triggered:

--bc9c8737-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:\\b(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4| ..." at ARGS:utm_campaign. [file "/www/apache2/conf/modsecurity.d/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "125"] [id "950001"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: field( found within ARGS:utm_campaign: blah blah blah"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]

The ModSecurity debug log will have a lot of detail (again, assuming it is configured), but that log walks through every single rule, so it is difficult to see which rule actually triggered! To be honest, unless you are debugging a specific problem you should not run in debug mode, as it logs a huge amount of data for every request.
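The two log formats the answer points at can be read mechanically. The following is an added example (it is not from the original post or from the ModSecurity project) that pulls the [id "..."], [file "..."], [line "..."], [msg "..."] and [tag "..."] fields out of Apache error-log lines and out of part H of a serial-format audit log, and keeps only the entries that actually denied the request (a "Warning." entry only logged). The log lines it runs on are constructed in the shape of the answer's sample; the hostnames, addresses, URIs and the unique_id are placeholders, not values from the original page.

```python
import re
from typing import Dict, List, Optional

# One bracketed [key "value"] field as ModSecurity writes them; values may contain
# escaped quotes, so allow backslash escapes inside the quoted part.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Serial audit-log section header, e.g. --bc9c8737-H-- (transaction id, part letter).
SECTION_RE = re.compile(r'^--([0-9a-fA-F]+)-([A-Z])--$')


def parse_modsec_message(line: str) -> Optional[Dict[str, object]]:
    """Parse one ModSecurity message: an Apache error-log line or a 'Message:' line
    from audit-log part H. Returns None for lines that carry no rule id."""
    if "ModSecurity:" not in line and not line.startswith("Message:"):
        return None
    fields: Dict[str, object] = {"tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            fields["tags"].append(value)      # a rule may carry several tags
        else:
            fields[key] = value
    if "id" not in fields:
        return None
    # "Access denied" means the rule blocked; "Warning." means it only logged.
    fields["blocked"] = "Access denied" in line
    return fields


def blocking_rules(error_log: str) -> List[Dict[str, object]]:
    """Return the entries from an Apache error log whose rule denied the request."""
    hits = []
    for line in error_log.splitlines():
        entry = parse_modsec_message(line)
        if entry is not None and entry["blocked"]:
            hits.append(entry)
    return hits


def audit_h_messages(audit_log: str) -> List[Dict[str, object]]:
    """Walk a serial-format audit log and parse every 'Message:' line in part H."""
    messages = []
    in_h = False
    for line in audit_log.splitlines():
        m = SECTION_RE.match(line)
        if m:
            in_h = m.group(2) == "H"
            continue
        if in_h:
            entry = parse_modsec_message(line)
            if entry is not None:
                messages.append(entry)
    return messages


def describe(entry: Dict[str, object]) -> str:
    """One-line summary naming the rule id, message and the file/line defining it."""
    return (f'rule {entry["id"]}: {entry.get("msg", "")} '
            f'(defined in {entry.get("file", "?")} line {entry.get("line", "?")}, '
            f'uri {entry.get("uri", "?")})')


# Constructed sample error log: one blocking hit, one warning-only hit, one unrelated line.
SAMPLE_ERROR_LOG = r"""[Mon May 09 09:15:06.253373 2016] [-:error] [pid 25094:tid 140713241073408] [client 192.0.2.10:52197] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\b(?:s(?:t|u)...)" at ARGS:utm_campaign. [file "/www/apache2/conf/modsecurity.d/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "125"] [id "950001"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: field( found within ARGS:utm_campaign: blah blah blah"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "www.example.com"] [uri "/export"] [unique_id "PLACEHOLDER_UNIQUE_ID"]
[Mon May 09 09:15:07.000000 2016] [-:error] [pid 25094:tid 140713241073408] [client 192.0.2.10:52198] ModSecurity: Warning. Pattern match "..." at ARGS:q. [file "/www/apache2/conf/modsecurity.d/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "20"] [id "973300"] [msg "Possible XSS Attack Detected"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.example.com"] [uri "/search"]
[Mon May 09 09:15:08.000000 2016] [core:notice] [pid 1] AH00094: Command line: '/usr/sbin/httpd'
"""

# Constructed serial-format audit log with parts A, B, H and Z for one transaction.
SAMPLE_AUDIT_LOG = r"""--bc9c8737-A--
[09/May/2016:09:15:06 +0000] PLACEHOLDER_UNIQUE_ID 192.0.2.10 52197 192.0.2.20 80
--bc9c8737-B--
GET /export?utm_campaign=blah HTTP/1.1
Host: www.example.com
--bc9c8737-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:\\b(?:s(?:t|u)...)" at ARGS:utm_campaign. [file "/www/apache2/conf/modsecurity.d/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "125"] [id "950001"] [rev "2"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Action: Intercepted (phase 2)
--bc9c8737-Z--
"""

if __name__ == "__main__":
    for hit in blocking_rules(SAMPLE_ERROR_LOG):
        print("error log:", describe(hit))
    for msg in audit_h_messages(SAMPLE_AUDIT_LOG):
        print("audit log:", describe(msg))
```

Run it against a real error_log by passing the file contents to blocking_rules; the id and file it reports are the ones to look at, and the warning-only entries are left out so they do not distract from the rule that actually returned the 403.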