I want to create a mod_security 2.x rule that will block the GET request to a specific URL.
For example I want to block the URL with the GET in the header: 'www.test.com'
I've never made a rule within modsecurity, and am not sure this will work with anomaly detection mode.
This would be an example of the GET request: GET /secure/bla/test/etc/
This is what I have so far: SecRule ARGS "www.test.com" "phase:2,log,deny,id:'1234',msg:'403 Access Denied'"
1 solution
#1
0
You want something like this:
SecRule REQUEST_URI "@streq /secure/bla/test/etc/" \
"phase:1,id:1234,t:none,t:urlDecode,t:lowercase,t:normalizePath,deny,status:403,msg:'403 Access Denied',chain"
SecRule REQUEST_METHOD "@streq get" "t:none,t:lowercase"
You need to chain two rules together as you want to check two conditions (path is /secure/bla/test/etc/ and method is GET).
If you want to add a third rule to check the host (e.g. if you have multiple virtual hosts and this URL is valid for GET requests on some of them), then you can:
SecRule REQUEST_URI "@streq /secure/bla/test/etc/" \
"phase:1,id:1234,t:none,t:urlDecode,t:lowercase,t:normalizePath,deny,status:403,msg:'403 Access Denied',chain"
SecRule REQUEST_METHOD "@streq get" "t:none,t:lowercase,chain"
SecRule SERVER_NAME "@streq www.example.com"
Or alternatively you can use REQUEST_URI_RAW which will include the protocol and hostname as well as the resource requested:
SecRule REQUEST_URI_RAW "^https?://www.test.com/secure/bla/test/etc/" \
"phase:1,id:1234,t:none,t:urlDecode,t:lowercase,t:normalizePath,deny,status:403,msg:'403 Access Denied',chain"
SecRule REQUEST_METHOD "@streq get" "t:none,t:lowercase"
You'll notice I've also added quite a few transformation functions (the t: bits) to help avoid people trying to get around this rule (e.g. with a path like /secure/bla/TEST/../test/etc/).
All of this is covered in the reference manual: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual but does take a bit of practice to get used to I'll admit!
Anomaly detection mode simply means that rules which might fire for valid requests do not block immediately but are instead assigned a score; if the total score of all the rules for that request is above a certain threshold then it blocks, if not it doesn't. This allows "noisy" rules to still be included but be ignored unless lots of noisy rules all fire for a request, or one important rule fires.
There is nothing to stop you explicitly blocking with the "deny" option as I have done above - even in anomaly detection mode. This rule seems fairly safe from ever firing accidentally for a legitimate request (once you have tested that it works!) so I would just go for straight blocking as I have done above. The alternative is to replace deny with block,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score} which will have the same effect when the score is checked later but in my mind needlessly complicates the readability of the rule since it will always block anyway.
Anomaly scoring versus traditional scoring is covered in more detail in this blog post: http://blog.modsecurity.org/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html
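To make the transformation chain concrete, here is an added Python simulation (not ModSecurity's code and not part of the answer) of how the chained rule above treats several request variants; the normalizePath function is an approximation of the engine's transformation, and the sample requests are constructed.

```python
from urllib.parse import unquote_plus

# Target path and method from the answer's chained rule.
TARGET_PATH = "/secure/bla/test/etc/"
TARGET_METHOD = "get"

def normalize_path(path: str) -> str:
    # Approximation of ModSecurity's t:normalizePath (not the engine's own code):
    # collapse repeated slashes, drop "." segments, resolve ".." against the parent.
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    result = "/" + "/".join(segments)
    # Keep a trailing slash when the original ended in "/", "/." or "/..".
    if result != "/" and path.endswith(("/", "/.", "/..")):
        result += "/"
    return result

def transform_uri(request_uri: str) -> str:
    # The rule's chain, in order: t:none (start clean), t:urlDecode, t:lowercase, t:normalizePath.
    return normalize_path(unquote_plus(request_uri).lower())

def rule_matches(method: str, request_uri: str) -> bool:
    # Chained rule: REQUEST_URI @streq target AND REQUEST_METHOD (lowercased) @streq get.
    return transform_uri(request_uri) == TARGET_PATH and method.lower() == TARGET_METHOD

# Constructed sample requests: (method, REQUEST_URI as sent by the client).
SAMPLE_REQUESTS = [
    ("GET", "/secure/bla/test/etc/"),           # exact match
    ("GET", "/secure/bla/TEST/../test/etc/"),   # the bypass attempt named in the answer
    ("GET", "/secure/bla/%74est/etc/"),         # %74 is "t": caught by t:urlDecode
    ("GET", "/secure//bla/./test/etc/"),        # caught by t:normalizePath
    ("POST", "/secure/bla/test/etc/"),          # right path, wrong method: allowed
    ("GET", "/secure/bla/test/other/"),         # different path: allowed
]

def evaluate(requests=SAMPLE_REQUESTS):
    # Return [(method, uri, denied), ...] so the outcome can be inspected or asserted on.
    return [(m, u, rule_matches(m, u)) for m, u in requests]

if __name__ == "__main__":
    for method, uri, denied in evaluate():
        print(("DENY " if denied else "allow"), method, uri)
```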