Why don't the CRS rules in ModSecurity block all threats?


I am setting up a new Nginx v1.18.0 server with ModSecurity-nginx v1.0.1 and have added the OWASP CRS 3.3.0 rules to the configuration. Unfortunately I cannot clearly tell whether the rules are working. While reading blogs and articles about it, I found three possible ways to check:

curl -H "User-Agent: Nobody" http://5x.xx.xx.xxx:8085
curl http://5x.xx.xx.xxx:8085/?exec=/bin/bash
curl -I 'http://5x.xx.xx.xxx:8085/?param="><script>alert(1);</script>' --insecure

None of these methods results in the access being blocked with code 403. I also did not notice any log entries for these events when running the commands. The log /var/log/modsec_audit.log does actually contain some information showing that the CRS rules are running... What is the reason for this behaviour?

The modsec_audit.log file contains reports like the following:

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `51.83.131.157' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "718"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "51.83.131.157"] [severity "4"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "5x.xx.xx.xxx"] [uri "/api/v1"] [unique_id "1603116449"] [ref "o0,13v27,13"]

My main.conf file:

# Include the recommended configuration
Include /etc/nginx/modsec/modsecurity.conf

# A test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"

# OWASP CRS v3.3.0 rules
Include /usr/local/coreruleset-3.3.0/crs-setup.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-901-INITIALIZATION.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-910-IP-REPUTATION.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-912-DOS-PROTECTION.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-913-SCANNER-DETECTION.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /usr/local/coreruleset-3.3.0/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /usr/local/coreruleset-3.3.0/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /usr/local/coreruleset-3.3.0/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf

Answer 1

Rule 920350 is triggered because you are sending the request to an IP address rather than a hostname. If your application does not have any DNS entry, create one in the /etc/hosts file and set up your server for that name. Then you must send your request like this: curl http://your.dns.name:8085/?exec=/bin/bash - if you get status 403 and you see this information in the log, your engine is working properly.

Note that if your SecRuleEngine is set to DetectOnly, you will see the request and the result in the log, but you will not receive a 403. You must change this setting to On.
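As an added example (not part of the question or the answer above), here is a small Python parser for ModSecurity rule-match entries of the form shown in the question. It classifies each entry as an enforced block ("Access denied with code ... (phase N)") or a match that was only logged ("Warning.", which is what libmodsecurity writes when SecRuleEngine is DetectOnly or when a rule does not itself deny), extracts the rule id, message, tags and other bracketed fields, and gives a per-rule summary. The first input is the log line from the question; the second is a constructed DetectOnly-style entry whose host 192.0.2.10, unique_id value and reduced tag list are assumptions, not taken from the page.

```python
import re
import sys

# Log entry taken from the question above (engine in blocking mode).
DENIED_ENTRY = (
    "ModSecurity: Access denied with code 403 (phase 2). Matched \"Operator `Rx' with parameter "
    "`^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `51.83.131.157' ) "
    '[file "/usr/local/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "718"] '
    '[id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "51.83.131.157"] '
    '[severity "4"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] '
    '[tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] '
    '[tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "5x.xx.xx.xxx"] '
    '[uri "/api/v1"] [unique_id "1603116449"] [ref "o0,13v27,13"]'
)

# Constructed entry (not from the page): the same rule matching while the engine only
# logs. libmodsecurity then writes "Warning." instead of "Access denied" and the request
# is passed through, which is the DetectOnly behaviour described in the answer.
DETECT_ONLY_ENTRY = (
    "ModSecurity: Warning. Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable "
    "`REQUEST_HEADERS:Host' (Value: `192.0.2.10' ) "
    '[file "/usr/local/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "718"] '
    '[id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "192.0.2.10"] '
    '[severity "4"] [ver "OWASP_CRS/3.3.0"] [tag "attack-protocol"] [tag "paranoia-level/1"] '
    '[hostname "192.0.2.10"] [uri "/"] [unique_id "CONSTRUCTED-0001"] [ref "o0,10v27,10"]'
)

# Bracketed key/value fields such as [id "920350"]; values may contain escaped quotes.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Leading action: either an enforced denial with status code and phase, or a plain warning.
ACTION_RE = re.compile(
    r"^ModSecurity: (?:(Access denied) with code (\d+) \(phase (\d+)\)|(Warning))\."
)


def parse_entry(line):
    """Parse one rule-match entry into a dict of its fields plus the enforcement outcome."""
    m = ACTION_RE.match(line)
    if not m:
        raise ValueError("not a ModSecurity rule-match entry: %r" % line[:60])
    fields = {"tags": []}
    for key, value in TAG_RE.findall(line):
        if key == "tag":          # [tag "..."] repeats; collect all of them
            fields["tags"].append(value)
        else:
            fields[key] = value
    fields["blocked"] = m.group(1) is not None
    fields["status"] = int(m.group(2)) if m.group(2) else None
    fields["phase"] = int(m.group(3)) if m.group(3) else None
    return fields


def summarize(entries):
    """Per rule id, count entries that were enforced (blocked) versus only logged."""
    summary = {}
    for line in entries:
        e = parse_entry(line)
        bucket = summary.setdefault(
            e["id"], {"msg": e.get("msg", ""), "blocked": 0, "logged_only": 0}
        )
        bucket["blocked" if e["blocked"] else "logged_only"] += 1
    return summary


def engine_verdict(entries):
    """'blocking' if any entry was enforced, 'logged_only' if rules matched but nothing was
    denied (typical of SecRuleEngine DetectOnly), 'no_matches' if there is nothing to judge."""
    parsed = [parse_entry(line) for line in entries]
    if not parsed:
        return "no_matches"
    if any(e["blocked"] for e in parsed):
        return "blocking"
    return "logged_only"


def main(argv):
    # With a file argument, read real entries from it; otherwise use the two samples above.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            entries = [ln.rstrip("\n") for ln in fh if ln.startswith("ModSecurity: ")]
    else:
        entries = [DENIED_ENTRY, DETECT_ONLY_ENTRY]
    for rule_id, info in sorted(summarize(entries).items()):
        print("%s  blocked=%d  logged_only=%d  %s"
              % (rule_id, info["blocked"], info["logged_only"], info["msg"]))
    print("verdict:", engine_verdict(entries))


if __name__ == "__main__":
    main(sys.argv)
```

Running it without arguments prints the two sample entries grouped under rule 920350 with one blocked and one logged-only match, and the verdict "blocking". Running it against a real nginx error log shows at a glance whether matches are being enforced (status 403) or merely recorded, which is exactly the DetectOnly-versus-On distinction the answer makes; note that with the CRS anomaly-scoring mode the enforced denial is normally reported on the blocking-evaluation rule rather than on the rule that detected the issue, so a mix of warnings and one denial per request is expected there.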
