Apache ModSecurity Basics

1. Main functions:

SQL Injection (SQLi): blocks SQL injection

Cross Site Scripting (XSS): blocks cross-site scripting attacks

Local File Inclusion (LFI): blocks attacks that exploit local file inclusion vulnerabilities

Remote File Inclusion (RFI): blocks attacks that exploit remote file inclusion vulnerabilities

Remote Code Execution (RCE): blocks attacks that exploit remote command execution vulnerabilities

PHP Code Injection: blocks PHP code injection

HTTP Protocol Violations: blocks malicious requests that violate the HTTP protocol

HTTPoxy: blocks attacks that exploit the HTTPoxy (remote proxy poisoning) vulnerability

Shellshock: blocks attacks that exploit the Shellshock vulnerability

Session Fixation: blocks attacks that exploit an unchanging session ID (session fixation)

Scanner Detection: blocks attackers scanning the site

Metadata/Error Leakages: blocks leakage of source code and error messages

Project Honey Pot Blacklist: Project Honey Pot blacklist

GeoIP Country Blocking: blocks clients based on the geographic origin of their IP address


2. Processing is divided into 5 phases:

Request Headers (phase:1): processes the request line and request headers

Request Body (phase:2): processes the request body

Response Headers (phase:3): processes the response headers

Response Body (phase:4): processes the response body

Logging (phase:5): logging, adding headers


3. Adding exceptions:

Edit the modsecurity.conf configuration

a. By rule ID: add SecRuleRemoveById <id>

b. SecRuleRemoveByMsg directive: disable a specified rule by its Rule Msg

c. URL whitelisting: turn off WAF inspection for a specified path, or log only without blocking

SecRuleEngine DetectionOnly (or On / Off)


4. Adding new rules:

Blacklist

#SecRule REMOTE_ADDR "@pmFromFile host.deny.data" "id:10087,phase:1,log,auditlog,deny,status:403,msg:'jinzhifangwen'"

#SecRule REMOTE_ADDR "@pmFromFile host.deny.data" "id:10088,phase:2,log,auditlog,deny,status:403,msg:'jinzhifangwen'"

Whitelist

SecRule REMOTE_ADDR "@pmFromFile host.allow.data" "id:10085,phase:1,nolog,pass,ctl:ruleEngine=off"

SecRule REMOTE_ADDR "@pmFromFile host.allow.data" "id:10086,phase:2,nolog,pass,ctl:ruleEngine=off"
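The whitelist and blacklist rules above test REMOTE_ADDR with @pmFromFile, which is a phrase (substring) match, not an address match. The following added example, written for this page and not ModSecurity's own code, models the matching semantics of @pmFromFile and of @ipMatchFromFile in plain Python over a constructed host.allow.data, so the difference is visible without running the WAF: with @pmFromFile the entry 10.0.0.1 also matches 10.0.0.10 and 110.0.0.12, whereas @ipMatchFromFile compares parsed addresses and understands CIDR entries. The file contents, addresses and function names are assumptions.

```python
"""Model of how @pmFromFile and @ipMatchFromFile treat an IP allow list.

Added illustration for this page (not ModSecurity code): the two operators'
matching rules are reimplemented in Python so their behaviour can be compared.
"""
import ipaddress
from typing import Iterable

# Constructed sample: hypothetical contents of host.allow.data (one entry per line).
HOST_ALLOW_DATA = """\
# office egress address (comment lines are ignored, as in ModSecurity data files)
10.0.0.1
192.168.1.0/24
"""


def load_phrases(data: str) -> list[str]:
    """Read a data file the way the *FromFile operators do: one entry per line,
    surrounding whitespace trimmed, blank lines and '#' comment lines skipped."""
    phrases = []
    for line in data.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            phrases.append(line)
    return phrases


def pm_match(remote_addr: str, phrases: Iterable[str]) -> bool:
    """@pm / @pmFromFile semantics: case-insensitive *substring* match.
    Any phrase occurring anywhere inside REMOTE_ADDR counts as a hit, so
    '10.0.0.1' also hits '10.0.0.10' and '110.0.0.12'."""
    haystack = remote_addr.lower()
    return any(p.lower() in haystack for p in phrases)


def ip_match(remote_addr: str, entries: Iterable[str]) -> bool:
    """@ipMatch / @ipMatchFromFile semantics: REMOTE_ADDR is parsed as an address
    and tested for membership in each entry (a single IP or a CIDR network).
    Unparseable addresses never match; unparseable entries are skipped."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        if addr in net:
            return True
    return False


def compare(remote_addr: str) -> dict[str, bool]:
    """Evaluate one client address against the allow list with both operators."""
    entries = load_phrases(HOST_ALLOW_DATA)
    return {
        "pmFromFile": pm_match(remote_addr, entries),
        "ipMatchFromFile": ip_match(remote_addr, entries),
    }


if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.0.10", "110.0.0.12", "192.168.1.77"):
        print(ip, compare(ip))
```

Because a whitelist rule turns the rule engine off for the whole transaction (ctl:ruleEngine=off), an over-broad phrase match widens the set of clients that bypass the WAF; for address lists, @ipMatchFromFile is the operator that matches only the addresses and networks actually listed.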


5. Audit log file: SecAuditLogParts

SecAuditLog defines the path to the main audit log file (serial logging format) or to the concurrent logging index file (concurrent logging format). When used together with mlogc (concurrent logging only), this directive defines the mlogc location and command line.

If you intend to use concurrent audit logging and want to send the audit log data to a remote server, you need to deploy the ModSecurity log collector (mlogc), as follows:

SecAuditLog "|/path/to/mlogc /path/to/mlogc.conf"

SecAuditLogParts selects which of the following parts are written for each audit log record:

A: Audit log header (mandatory)

B: Request headers

C: Request body (present only if a request body exists and ModSecurity is configured to intercept it; this requires SecRequestBodyAccess to be set to On)

D: Reserved for intermediary response headers; not yet implemented

E: Intermediary response body (present only if ModSecurity is configured to intercept response bodies and the audit log engine is configured to record it; intercepting response bodies requires SecResponseBodyAccess to be set to On). The intermediary response body is the same as the actual response body unless ModSecurity intercepts the intermediary response body, in which case the actual response body will contain an error message (the Apache default error message or the ErrorDocument page)

F: Final response headers (excluding the Date and Server headers, which Apache always adds at the late stage of content delivery)

G: Reserved for the actual response body; not yet implemented

H: Audit log trailer

I: This part is a replacement for C. It records the same data as C in all cases except when multipart/form-data encoding is used; in that case it records a fake application/x-www-form-urlencoded body containing information about the parameters but not about the files. Using I instead of C is more convenient if you do not want to store (usually large) files in the audit log.

J: This part contains information about files uploaded using multipart/form-data encoding.

K: This part contains every rule that matched in this transaction (one per line). The rules are fully qualified, so inherited actions and default operators are shown. Supported as of v2.5.0.

Z: Final boundary, marking the end of this log record (mandatory)
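To make the part structure above concrete, here is an added example (not ModSecurity's or the CRS project's code) that parses one serial-format audit log record into its lettered parts, reads the transaction summary from part A and the matched rules from the "Message:" lines of part H, and then recomputes the CRS inbound anomaly score from the rules' severities (the severity column of the rule reference in section 8). The log record is constructed; the boundary id, transaction id, addresses and request are made up. The severity weights (critical 5, error 4, warning 3, notice 2) and the threshold of 5 are the OWASP CRS 3.x defaults and are assumed here; read them from your own crs-setup.conf if you have changed them.

```python
"""Parser for a ModSecurity serial audit log record (added example, not ModSecurity code).

Splits a record into parts (A, B, F, H, Z ...), extracts the part-A summary and the
part-H rule matches, and recomputes the CRS inbound anomaly score.
"""
import re
from dataclasses import dataclass

# Constructed sample record, as written with SecAuditLogParts "ABFHZ".
SAMPLE_ENTRY = """\
--a1b2c3d4-A--
[06/May/2018:10:15:32 +0800] WuZ0RX8AAQEAAAtGFqEAAAAA 192.0.2.45 51234 10.0.0.5 80
--a1b2c3d4-B--
GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0

--a1b2c3d4-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1

--a1b2c3d4-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.2"] [tag "attack-sqli"]
Message: Warning. Pattern match "(?:--|#)" at ARGS:id. [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1034"] [id "942440"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.2"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Engine-Mode: "ENABLED"

--a1b2c3d4-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")          # e.g. --a1b2c3d4-H--
KV = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')            # [key "value"] fields
PART_A = re.compile(r"^\[(?P<time>[^\]]+)\] (?P<txid>\S+) (?P<client_ip>\S+) "
                    r"(?P<client_port>\d+) (?P<server_ip>\S+) (?P<server_port>\d+)$")

# Assumed CRS 3.x defaults (tx.critical_anomaly_score etc. in crs-setup.conf).
CRS_SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
CRS_INBOUND_THRESHOLD = 5


@dataclass
class MatchedRule:
    rule_id: str
    msg: str
    severity: str


def split_parts(entry: str) -> dict[str, str]:
    """Return {part letter: body}. A part runs from its boundary line to the next
    boundary; Z has no body and only terminates the record."""
    parts, current, buf = {}, None, []
    for line in entry.splitlines():
        m = BOUNDARY.match(line)
        if m:
            if current is not None:
                parts[current] = "\n".join(buf).strip("\n")
            current, buf = m.group(2), []
        elif current is not None:
            buf.append(line)
    if current is not None:
        parts[current] = "\n".join(buf).strip("\n")
    return parts


def parse_part_a(body: str) -> dict[str, str]:
    """Part A: timestamp, unique transaction id, client ip/port, server ip/port."""
    m = PART_A.match(body.strip())
    if not m:
        raise ValueError("malformed part A: " + body)
    return m.groupdict()


def parse_messages(part_h: str) -> list[MatchedRule]:
    """Part H: one 'Message:' line per rule match, with [id], [msg], [severity]."""
    rules = []
    for line in part_h.splitlines():
        if not line.startswith("Message:"):
            continue
        fields = dict(KV.findall(line))
        if "id" in fields:
            rules.append(MatchedRule(fields["id"], fields.get("msg", ""),
                                     fields.get("severity", "").upper()))
    return rules


def is_scoring_rule(rule_id: str) -> bool:
    """Blocking evaluation (949xxx), outbound evaluation (959xxx) and correlation
    (980xxx) rules report the score; they do not add to it."""
    return not rule_id.startswith(("949", "959", "980"))


def inbound_anomaly_score(rules: list[MatchedRule]) -> int:
    return sum(CRS_SEVERITY_SCORE.get(r.severity, 0)
               for r in rules if is_scoring_rule(r.rule_id))


def summarize(entry: str) -> dict:
    parts = split_parts(entry)
    a = parse_part_a(parts["A"])
    rules = parse_messages(parts.get("H", ""))
    request_line = parts["B"].splitlines()[0] if parts.get("B") else ""
    score = inbound_anomaly_score(rules)
    return {"txid": a["txid"], "client_ip": a["client_ip"], "request_line": request_line,
            "rule_ids": [r.rule_id for r in rules], "score": score,
            "would_block": score >= CRS_INBOUND_THRESHOLD, "complete": "Z" in parts}


if __name__ == "__main__":
    print(summarize(SAMPLE_ENTRY))
```

The "complete" flag checks that the Z boundary was seen: a record without it was cut off (for example by a restart mid-write) and should not be trusted as a full transaction. Recomputing the score from part H is a quick way to confirm which rules actually pushed a blocked request over the threshold before adding a SecRuleRemoveById exception for one of them.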


6. Rule files

REQUEST-910-IP-REPUTATION.conf (suspicious IP matching)

REQUEST-912-DOS-PROTECTION.conf (DDoS attacks)

REQUEST-913-SCANNER-DETECTION.conf (scanner detection)

REQUEST-920-PROTOCOL-ENFORCEMENT.conf (rules on HTTP protocol conformance)

REQUEST-921-PROTOCOL-ATTACK.conf (protocol attacks)

REQUEST-930-APPLICATION-ATTACK-LFI.conf (application attack: path traversal)

REQUEST-931-APPLICATION-ATTACK-RFI.conf (remote file inclusion)

REQUEST-932-APPLICATION-ATTACK-RCE.conf (remote command execution)

REQUEST-933-APPLICATION-ATTACK-PHP.conf (PHP injection attacks)

REQUEST-941-APPLICATION-ATTACK-XSS.conf (XSS)

REQUEST-942-APPLICATION-ATTACK-SQLI.conf (SQL injection)

REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf (session fixation)

REQUEST-949-BLOCKING-EVALUATION.conf (blocking evaluation: inbound anomaly score check)

RESPONSE-950-DATA-LEAKAGES.conf (information leakage)

RESPONSE-951-DATA-LEAKAGES-SQL.conf (SQL information leakage)

RESPONSE-952-DATA-LEAKAGES-JAVA.conf (Java source code leakage)

RESPONSE-953-DATA-LEAKAGES-PHP.conf (PHP information leakage)

RESPONSE-954-DATA-LEAKAGES-IIS.conf (IIS information leakage)



7. Examples of common methods:

Method 1. SecRuleRemoveById directive: disable a specified rule by its Rule ID
<LocationMatch .*>
  # allow a Host header that is a numeric IP address
  SecRuleRemoveById 960017
</LocationMatch>

Method 2. SecRuleRemoveByMsg directive: disable a specified rule by its Rule Msg
<LocationMatch .*>
  SecRuleRemoveByMsg "Host header is a numeric IP address"
</LocationMatch>

Method 3. URL whitelisting: turn off WAF inspection for a specified path, or log only without blocking
<LocationMatch /xss.php>
  # or: SecRuleEngine Off
  SecRuleEngine DetectionOnly
</LocationMatch>



8. Rule ID reference

Rule ID	Paranoia Level	Severity	Description (msg)
901001	PL1	none	Check if crs-set.conf was loaded
901450	PL1	none	Sampling: Disable the rule engine based on sampling_percentage
905100	PL1	none	Common Exeptions example rule
905110	PL1	none	Common Exeptions example rule
910000	PL1	critical	Request from Known Malicious Client (Based on previous traffic violations).
910100	PL1	critical	Client IP is from a HIGH Risk Country Location.
910150	PL1	critical	HTTP Blacklist match for search engine IP
910160	PL1	critical	HTTP Blacklist match for spammer IP
910170	PL1	critical	HTTP Blacklist match for suspicious IP
910180	PL1	critical	HTTP Blacklist match for harvester IP
911100	PL1	critical	Method is not allowed by policy
912120	PL1	none	Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)
912170	PL1	none	Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}
912171	PL2	none	Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}
913100	PL1	critical	Found User-Agent associated with security scanner
913101	PL2	critical	Found User-Agent associated with scripting/generic HTTP client
913102	PL2	critical	Found User-Agent associated with web crawler/bot
913110	PL1	critical	Found request header associated with security scanner
913120	PL1	critical	Found request filename/argument associated with security scanner
920100	PL1	notice	Invalid HTTP Request Line
920120	PL1	critical	Attempted multipart/form-data bypass
920130	PL1	critical	Failed to parse request body.
920140	PL1	critical	Multipart request body failed strict validation:
920160	PL1	critical	Content-Length HTTP header is not numeric.
920170	PL1	critical	GET or HEAD Request with Body Content.
920180	PL1	notice	POST request missing Content-Length Header.
920190	PL1	warning	Range: Invalid Last Byte Value.
920200	PL2	warning	Range: Too many fields (6 or more)
920201	PL2	warning	Range: Too many fields for pdf request (35 or more)
920202	PL4	warning	Range: Too many fields for pdf request (6 or more)
920210	PL1	warning	Multiple/Conflicting Connection Header Data Found.
920220	PL1	warning	URL Encoding Abuse Attack Attempt
920230	PL2	warning	Multiple URL Encoding Detected
920240	PL1	warning	URL Encoding Abuse Attack Attempt
920250	PL1	warning	UTF8 Encoding Abuse Attack Attempt
920260	PL1	warning	Unicode Full/Half Width Abuse Attack Attempt
920270	PL1	error	Invalid character in request (null character)
920271	PL2	critical	Invalid character in request (non printable characters)
920272	PL3	critical	Invalid character in request (outside of printable chars below ascii 127)
920273	PL4	critical	Invalid character in request (outside of very strict set)
920274	PL4	critical	Invalid character in request headers (outside of very strict set)
920280	PL1	warning	Request Missing a Host Header
920290	PL1	warning	Empty Host Header
920300	PL2	notice	Request Missing an Accept Header
920310	PL1	notice	Request Has an Empty Accept Header
920311	PL1	notice	Request Has an Empty Accept Header
920320	PL2	notice	Missing User Agent Header
920330	PL1	notice	Empty User Agent Header
920340	PL1	notice	Request Containing Content, but Missing Content-Type header
920350	PL1	warning	Host header is a numeric IP address
920360	PL1	critical	Argument name too long
920370	PL1	critical	Argument value too long
920380	PL1	critical	Too many arguments in request
920390	PL1	critical	Total arguments size exceeded
920400	PL1	critical	Uploaded file size too large
920410	PL1	critical	Total uploaded files size too large
920420	PL1	critical	Request content type is not allowed by policy
920430	PL1	critical	HTTP protocol version is not allowed by policy
920440	PL1	critical	URL file extension is restricted by policy
920450	PL1	critical	HTTP header is restricted by policy (%{MATCHED_VAR})
920460	PL4	critical	Abnormal character escape detected
921100	PL1	critical	HTTP Request Smuggling Attack.
921110	PL1	critical	HTTP Request Smuggling Attack
921120	PL1	critical	HTTP Response Splitting Attack
921130	PL1	critical	HTTP Response Splitting Attack
921140	PL1	critical	HTTP Header Injection Attack via headers
921150	PL1	critical	HTTP Header Injection Attack via payload (CR/LF detected)
921151	PL2	critical	HTTP Header Injection Attack via payload (CR/LF detected)
921160	PL1	critical	HTTP Header Injection Attack via payload (CR/LF and header-name detected)
921180	PL3	critical	HTTP Parameter Pollution (%{TX.1})
930100	PL1	critical	Path Traversal Attack (/../)
930110	PL1	critical	Path Traversal Attack (/../)
930120	PL1	critical	OS File Access Attempt
930130	PL1	critical	Restricted File Access Attempt
931100	PL1	critical	Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address
931110	PL1	critical	Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload
931120	PL1	critical	Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)
931130	PL2	critical	Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
932100	PL1	critical	Remote Command Execution: Unix Command Injection
932105	PL1	critical	Remote Command Execution: Unix Command Injection
932110	PL1	critical	Remote Command Execution: Windows Command Injection
932115	PL1	critical	Remote Command Execution: Windows Command Injection
932120	PL1	critical	Remote Command Execution: Windows PowerShell Command Found
932130	PL1	critical	Remote Command Execution: Unix Shell Expression Found
932140	PL1	critical	Remote Command Execution: Windows FOR/IF Command Found
932150	PL1	critical	Remote Command Execution: Direct Unix Command Execution
932160	PL1	critical	Remote Command Execution: Unix Shell Code Found
932170	PL1	critical	Remote Command Execution: Shellshock (CVE-2014-6271)
932171	PL1	critical	Remote Command Execution: Shellshock (CVE-2014-6271)
933100	PL1	critical	PHP Injection Attack: Opening/Closing Tag Found
933110	PL1	critical	PHP Injection Attack: PHP Script File Upload Found
933111	PL3	critical	PHP Injection Attack: PHP Script File Upload Found
933120	PL1	critical	PHP Injection Attack: Configuration Directive Found
933130	PL1	critical	PHP Injection Attack: Variables Found
933131	PL3	critical	PHP Injection Attack: Variables Found
933140	PL1	critical	PHP Injection Attack: I/O Stream Found
933150	PL1	critical	PHP Injection Attack: High-Risk PHP Function Name Found
933151	PL2	critical	PHP Injection Attack: Medium-Risk PHP Function Name Found
933160	PL1	critical	PHP Injection Attack: High-Risk PHP Function Call Found
933161	PL3	critical	PHP Injection Attack: Low-Value PHP Function Call Found
933170	PL1	critical	PHP Injection Attack: Serialized Object Injection
933180	PL1	critical	PHP Injection Attack: Variable Function Call Found
941100	PL1	critical	XSS Attack Detected via libinjection
941110	PL1	critical	XSS Filter - Category 1: Script Tag Vector
941120	PL1	critical	XSS Filter - Category 2: Event Handler Vector
941130	PL1	critical	XSS Filter - Category 3: Attribute Vector
941140	PL1	critical	XSS Filter - Category 4: Javascript URI Vector
941150	PL1	critical	XSS Filter - Category 5: Disallowed HTML Attributes
941160	PL1	critical	NoScript XSS InjectionChecker: HTML Injection
941170	PL1	critical	NoScript XSS InjectionChecker: Attribute Injection
941180	PL1	critical	Node-Validator Blacklist Keywords
941190	PL1	critical	IE XSS Filters - Attack Detected.
941200	PL1	critical	IE XSS Filters - Attack Detected.
941210	PL1	critical	IE XSS Filters - Attack Detected.
941220	PL1	critical	IE XSS Filters - Attack Detected.
941230	PL1	critical	IE XSS Filters - Attack Detected.
941240	PL1	critical	IE XSS Filters - Attack Detected.
941250	PL1	critical	IE XSS Filters - Attack Detected.
941260	PL1	critical	IE XSS Filters - Attack Detected.
941270	PL1	critical	IE XSS Filters - Attack Detected.
941280	PL1	critical	IE XSS Filters - Attack Detected.
941290	PL1	critical	IE XSS Filters - Attack Detected.
941300	PL1	critical	IE XSS Filters - Attack Detected.
941310	PL1	critical	US-ASCII Malformed Encoding XSS Filter - Attack Detected.
941320	PL2	critical	Possible XSS Attack Detected - HTML Tag Handler
941330	PL2	critical	IE XSS Filters - Attack Detected.
941340	PL2	critical	IE XSS Filters - Attack Detected.
941350	PL1	critical	UTF-7 Encoding IE XSS - Attack Detected.
942100	PL1	critical	SQL Injection Attack Detected via libinjection
942110	PL2	warning	SQL Injection Attack: Common Injection Testing Detected
942120	PL2	critical	SQL Injection Attack: SQL Operator Detected
942130	PL2	critical	SQL Injection Attack: SQL Tautology Detected.
942140	PL1	critical	SQL Injection Attack: Common DB Names Detected
942150	PL2	critical	SQL Injection Attack
942160	PL1	critical	Detects blind sqli tests using sleep() or benchmark().
942170	PL1	critical	Detects SQL benchmark and sleep injection attempts including conditional queries
942180	PL2	critical	Detects basic SQL authentication bypass attempts 1/3
942190	PL1	critical	Detects MSSQL code execution and information gathering attempts
942200	PL2	critical	Detects MySQL comment-/space-obfuscated injections and backtick termination
942210	PL2	critical	Detects chained SQL injection attempts 1/2
942220	PL1	critical	Looking for intiger overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the "magic number" crash
942230	PL1	critical	Detects conditional SQL injection attempts
942240	PL1	critical	Detects MySQL charset switch and MSSQL DoS attempts
942250	PL1	critical	Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections
942251	PL3	critical	Detects HAVING injections
942260	PL2	critical	Detects basic SQL authentication bypass attempts 2/3
942270	PL1	critical	Looking for basic sql injection. Common attack string for mysql, oracle and others.
942280	PL1	critical	Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts
942290	PL1	critical	Finds basic MongoDB SQL injection attempts
942300	PL2	critical	Detects MySQL comments, conditions and ch(a)r injections
942310	PL2	critical	Detects chained SQL injection attempts 2/2
942320	PL1	critical	Detects MySQL and PostgreSQL stored procedure/function injections
942330	PL2	critical	Detects classic SQL injection probings 1/2
942340	PL2	critical	Detects basic SQL authentication bypass attempts 3/3
942350	PL1	critical	Detects MySQL UDF injection and other data/structure manipulation attempts
942360	PL1	critical	Detects concatenated basic SQL injection and SQLLFI attempts
942370	PL2	critical	Detects classic SQL injection probings 2/2
942380	PL2	critical	SQL Injection Attack
942390	PL2	critical	SQL Injection Attack
942400	PL2	critical	SQL Injection Attack
942410	PL2	critical	SQL Injection Attack
942420	PL3	warning	Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)
942421	PL4	warning	Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)
942430	PL2	warning	Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942431	PL3	warning	Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
942432	PL4	warning	Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)
942440	PL2	critical	SQL Comment Sequence Detected.
942450	PL2	critical	SQL Hex Encoding Identified
942460	PL3	warning	Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
943100	PL1	critical	Possible Session Fixation Attack: Setting Cookie Values in HTML
943110	PL1	critical	Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
943120	PL1	critical	Possible Session Fixation Attack: SessionID Parameter Name with No Referer
949100	PL1	none	Request Denied by IP Reputation Enforcement.
949110	PL1	none	Check of inbound anomaly score
950100	PL2	error	The Application Returned a 500-Level Status Code
950130	PL1	error	Directory Listing
951110	PL1	critical	Microsoft Access SQL Information Leakage
951120	PL1	critical	Oracle SQL Information Leakage
951130	PL1	critical	DB2 SQL Information Leakage
951140	PL1	critical	EMC SQL Information Leakage
951150	PL1	critical	firebird SQL Information Leakage
951160	PL1	critical	Frontbase SQL Information Leakage
951170	PL1	critical	hsqldb SQL Information Leakage
951180	PL1	critical	informix SQL Information Leakage
951190	PL1	critical	ingres SQL Information Leakage
951200	PL1	critical	interbase SQL Information Leakage
951210	PL1	critical	maxDB SQL Information Leakage
951220	PL1	critical	mssql SQL Information Leakage
951230	PL1	critical	mysql SQL Information Leakage
951240	PL1	critical	postgres SQL Information Leakage
951250	PL1	critical	sqlite SQL Information Leakage
951260	PL1	critical	Sybase SQL Information Leakage
952100	PL1	error	Java Source Code Leakage
952110	PL1	error	Java Errors
953100	PL1	error	PHP Information Leakage
953110	PL1	error	PHP source code leakage
953120	PL1	error	PHP source code leakage
954100	PL1	error	Disclosure of IIS install location
954110	PL1	error	Application Availability Error
954120	PL1	error	IIS Information Leakage
954130	PL1	error	IIS Information Leakage
959100	PL1	none	Check of outbound anomaly score
980100	PL1	none	Anomaly score correlation rule
980110	PL1	none	Anomaly score correlation rule
980120	PL1	none	Anomaly score correlation rule
980130	PL1	none	Anomaly score correlation rule
980140	PL1	none	Anomaly score correlation rule
9001***	PL1	none	Drupal rule exception
9002***	PL1	none	WordPress rule exception




References:

http://www.modsecurity.cn/chm/phase.html

https://www.jianshu.com/p/f9c636eb0d4c

http://tanjiti.lofter.com/post/1cc6c85b_10c4e155

https://www.netnea.com/cms/core-rule-set-inventory/


Last modified: 2018-05-06
