This is the second time I've configured ModSecurity with the OWASP rule set. Previously I used version 2.2.5 of the rule set; now, on another server, I'm using version 2.2.9.
I'm trying to configure anomaly detection, so I've disabled error.log logging for non-anomalies.
Everything seems to work, but when the anomaly threshold is exceeded I get multiple log entries for a single anomaly. Previously this was just one log entry, and multiple seems excessive.
I'm triggering a simple XSS attack, and error.log shows the following:
[Fri Jul 01 09:25:09.234394 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Pattern match "(?i)(<script[^>]*>[\\\\s\\\\S]*?<\\\\/script[^>]*>|<script[^>]*>[\\\\s\\\\S]*?<\\\\/script[[\\\\s\\\\S]]*[\\\\s\\\\S]|<script[^>]*>[\\\\s\\\\S]*?<\\\\/script[\\\\s]*[\\\\s]|<script[^>]*>[\\\\s\\\\S]*?<\\\\/script|<script[^>]*>[\\\\s\\\\S]*?)" at ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "14"] [id "973336"] [rev "1"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script>alert('simple-xss-test')</script> found within ARGS:p: <script>alert('simple-xss-test')</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "1"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
[Fri Jul 01 09:25:09.235629 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Pattern match "(.*)" at TX:950109-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12): Last Matched Message: XSS Attack Detected"] [data "Last Matched Data: %3Cscript%3Ealert(%27simple-xss-test%27)%3C/script%3E"] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
[Fri Jul 01 09:25:09.235701 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Pattern match "(.*)" at TX:960024-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12): Last Matched Message: XSS Attack Detected"] [data "Last Matched Data: ')</"] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
[Fri Jul 01 09:25:09.235767 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Pattern match "(.*)" at TX:950901-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12): Last Matched Message: XSS Attack Detected"] [data "Last Matched Data: script>alert"] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
[Fri Jul 01 09:25:09.235834 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Pattern match "(.*)" at TX:981173-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12): Last Matched Message: XSS Attack Detected"] [data "Last Matched Data: <script>alert('"] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
[Fri Jul 01 09:25:09.235900 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Pattern match "(.*)" at TX:981243-Detects classic SQL injection probings 2/2-OWASP_CRS/WEB_ATTACK/SQLI-ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12): Last Matched Message: XSS Attack Detected"] [data "Last Matched Data: >alert('s"] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
[Fri Jul 01 09:25:09.236009 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Pattern match "(.*)" at TX:973336-OWASP_CRS/WEB_ATTACK/XSS-ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12): Last Matched Message: XSS Attack Detected"] [data "Last Matched Data: <script>alert('simple-xss-test')</script>"] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
[Fri Jul 01 09:25:09.236075 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Pattern match "(.*)" at TX:973307-OWASP_CRS/WEB_ATTACK/XSS-ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12): Last Matched Message: XSS Attack Detected"] [data "Last Matched Data: alert("] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
[Fri Jul 01 09:25:09.236367 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Operator GE matched 15 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 39, SQLi=14, XSS=12): XSS Attack Detected"] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
What seems to be happening is that rule #981176 (which I understand to be the rule that performs the blocking) is logging every single match for the attack instead of generating one log entry for the anomaly. As you can see, every line contains the same unique_id.
I've compared the old 2.2.5 rule set with the 2.2.9 rule set and haven't found any differences that could cause this.
Ideally I'd like to get a single log entry when the anomaly exceeds the threshold so I can investigate in modsec_audit.log. As I understand it, that's how it should work.
Any ideas on how to reduce this to a single log entry, as I had before?
Thanks
Answer 1
This should be set by changing the SecDefaultAction defined in the modsecurity_crs_10_setup.conf file. The default is as follows (apart from changing deny to pass for anomaly scoring) and logs everything to both the error log and the audit log:
SecDefaultAction "phase:1,pass,log"
SecDefaultAction "phase:2,pass,log"
To log only to the audit log, use this instead:
SecDefaultAction "phase:1,pass,nolog,auditlog"
SecDefaultAction "phase:2,pass,nolog,auditlog"
Is that how you have it set?
You may be a little confused as to why this stops logging of the main rules but not of the summary rules (where the anomaly score is checked). The key is that the normal rules (e.g. 960024) don't define logging and just block according to the defaults, so they really do depend on those defaults:
"phase:2,capture,t:none,t:urlDecodeUni,block,id:'960024'...etc.
whereas the rule that checks the anomaly score (e.g. 981176) explicitly specifies "log" and "deny", so it doesn't need the defaults to tell it to do so:
"chain,phase:2,id:'981176',t:none,deny,log
That's why changing the defaults means the core rules don't log to the error log but the summary anomaly rule does.
So that should fix the first alert you're getting, for rule 973336, which you shouldn't be getting since it shouldn't log.
What I don't understand, however, is why you're getting multiple alerts for rule 981176, one per rule. That seems wrong to me, as it should only log the last alert once.
However, prior to 2.9.1 ModSecurity used its own error logging rather than the standard Apache logging. So it may be worth trying again after upgrading ModSecurity to 2.9.1. See this bug for more details: https://github.com/SpiderLabs/ModSecurity/pull/840
Alternatively, if that doesn't work, try emailing [email protected] and asking there, as they may know more about how anomaly scoring logging is supposed to work (I honestly don't use it myself). See https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set for more details on that mailing list.
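Added example, not from the question or the answer: a small Python script that parses error.log lines in the format shown in the question and collapses them to one record per transaction, which is the single "anomaly exceeded" view the questioner was after while the repeated lines are still being produced. It relies on two things that are visible in the posted log: every line of one transaction shares the same unique_id, and each 981176 line names a different TX:<rule id>-... variable, i.e. there is one line per rule that contributed to the score. The sample lines are constructed (shortened copies of the question's lines with made-up client, host and unique_id values); the rule ids 981176 and 981204 treated as summary rules are the ones from the CRS 2.2.9 files named in the log, and TXN00002 shows what a transaction looks like once only the summary rule logs, as the answer's nolog default is meant to produce.

```python
import re

# Constructed sample (not real traffic): shortened lines in the ModSecurity 2.x /
# Apache error.log format shown in the question, with made-up client, host and
# unique_id values. TXN00001 mirrors the question's multi-line case; TXN00002 is
# one transaction once only the summary rule logs.
SAMPLE_LOG = r'''[Fri Jul 01 09:25:09.234394 2016] [:error] [pid 17771:tid 1] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i)(<script[^>]*>)" at ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "14"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script>alert('x')</script> found within ARGS:p: <script>alert('x')</script>"] [severity "CRITICAL"] [hostname "example.test"] [uri "/robots.txt"] [unique_id "TXN00001"]
[Fri Jul 01 09:25:09.235629 2016] [:error] [pid 17771:tid 1] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(.*)" at TX:950109-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12): Last Matched Message: XSS Attack Detected"] [data "Last Matched Data: %3Cscript%3E"] [hostname "example.test"] [uri "/robots.txt"] [unique_id "TXN00001"]
[Fri Jul 01 09:25:09.235701 2016] [:error] [pid 17771:tid 1] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(.*)" at TX:960024-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12): Last Matched Message: XSS Attack Detected"] [data "Last Matched Data: ')</"] [hostname "example.test"] [uri "/robots.txt"] [unique_id "TXN00001"]
[Fri Jul 01 09:25:09.236009 2016] [:error] [pid 17771:tid 1] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(.*)" at TX:973336-OWASP_CRS/WEB_ATTACK/XSS-ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12): Last Matched Message: XSS Attack Detected"] [data "Last Matched Data: <script>alert('x')</script>"] [hostname "example.test"] [uri "/robots.txt"] [unique_id "TXN00001"]
[Fri Jul 01 09:25:09.236367 2016] [:error] [pid 17771:tid 1] [client 192.0.2.10] ModSecurity: Warning. Operator GE matched 15 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 39, SQLi=14, XSS=12): XSS Attack Detected"] [hostname "example.test"] [uri "/robots.txt"] [unique_id "TXN00001"]
[Fri Jul 01 09:26:00.000001 2016] [:error] [pid 17771:tid 1] [client 192.0.2.11] ModSecurity: Warning. Pattern match "(.*)" at TX:981243-OWASP_CRS/WEB_ATTACK/SQLI-ARGS:q. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 20, SQLi=15, XSS=0): Last Matched Message: SQL Injection Attack"] [data "Last Matched Data: ' or 1=1"] [hostname "example.test"] [uri "/search"] [unique_id "TXN00002"]
'''

# One [name "value"] field; ModSecurity escapes embedded quotes as \"
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Apache prefix up to the rule message; [pid ...] is optional so Apache 2.2 lines parse too
HEAD_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[[^\]]*\] (?:\[pid [^\]]*\] )?\[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<action>[^.]+)\. (?P<body>.*)$')
# Each summary line names the TX:<ruleid>-... variable it fired on
TX_RULE_RE = re.compile(r' at TX:(\d+)-')
SCORE_RE = re.compile(r'Total (?:Inbound )?Score: (\d+), SQLi=(\d+), XSS=(\d+)')
# Summary rules from the CRS 2.2.9 files named in the question's log:
# 981176 (crs_49_inbound_blocking) and 981204 (crs_60_correlation)
SUMMARY_RULES = {'981176', '981204'}


def parse_entry(line):
    """Parse one error.log line into a dict, or return None if it is not a ModSecurity line."""
    cut = line.find(' [file "')
    if cut < 0:
        return None
    m = HEAD_RE.match(line[:cut])
    if not m:
        return None
    fields = {k: v.replace('\\"', '"') for k, v in FIELD_RE.findall(line[cut:])}
    tx = TX_RULE_RE.search(m['body'])
    return {
        'timestamp': m['ts'],
        'client': m['client'],
        'action': m['action'],   # 'Warning' when the rule passes; the deny message otherwise
        'id': fields.get('id'),
        'msg': fields.get('msg', ''),
        'data': fields.get('data', ''),
        'uri': fields.get('uri', ''),
        'unique_id': fields.get('unique_id'),
        'tx_rule': tx.group(1) if tx else None,
    }


def summarize(log_text):
    """Collapse per-rule lines into one record per transaction, keyed by unique_id."""
    txns = {}
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None or e['unique_id'] is None:
            continue
        t = txns.setdefault(e['unique_id'], {
            'client': e['client'], 'uri': e['uri'], 'lines': 0,
            'rule_hits': [],   # detection rules that logged on their own (e.g. 973336)
            'scored_by': [],   # rule ids taken from the TX:<id>- variables of summary lines
            'total': None, 'sqli': None, 'xss': None, 'last_msg': '', 'blocked': False,
        })
        t['lines'] += 1
        if e['action'] != 'Warning':
            t['blocked'] = True
        if e['id'] in SUMMARY_RULES:
            # the repeated 981176 lines differ only in this variable; keep the ids, drop the repeats
            if e['tx_rule'] and e['tx_rule'] not in t['scored_by']:
                t['scored_by'].append(e['tx_rule'])
            s = SCORE_RE.search(e['msg'])
            if s:
                t['total'], t['sqli'], t['xss'] = (int(x) for x in s.groups())
            t['last_msg'] = e['msg'].rsplit(': ', 1)[-1]
        elif e['id']:
            t['rule_hits'].append(e['id'])
    return txns


def report(txns):
    """One line per transaction: the single-entry view the questioner wanted."""
    out = []
    for uid, t in txns.items():
        out.append(
            f"{uid} client={t['client']} uri={t['uri']} total={t['total']} "
            f"sqli={t['sqli']} xss={t['xss']} blocked={t['blocked']} "
            f"scored_by={','.join(t['scored_by'])} last={t['last_msg']!r} "
            f"(collapsed {t['lines']} lines)")
    return out


if __name__ == '__main__':
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run it against a real error.log by replacing SAMPLE_LOG with the file contents; the grouping key is the unique_id, which is also what you need to look the transaction up in modsec_audit.log, so each report line doubles as the pointer the questioner wanted for investigation.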