This article covers the two configuration modes of the OWASP Core Rule Set (CRS).

Official GitHub repository of the OWASP CRS: https://github.com/coreruleset/coreruleset

OWASP CRS version 3 currently supports two configuration modes:

Anomaly Scoring mode (the default) and Self-Contained mode

Anomaly Scoring mode, also called "collaborative detection mode", does not block a request the moment a threat is detected. Rule matching continues, and every rule that matches adds to an "anomaly score". When inspection of the request data is finished, and again when inspection of the response data is finished, the accumulated anomaly score is compared against the configured threshold; only if it reaches the threshold is the blocking action taken, with a 403 returned to the client. The audit log records every rule that matched during the transaction.

Self-Contained mode was the default mode of the CRS v2 rule set. It works the traditional way: as soon as one rule matches, the request is blocked, and the audit log records only the first rule that detected a threat.

From the descriptions above we can summarise the advantages and disadvantages of each mode:

Anomaly Scoring mode: because every request is matched against all rules, it is relatively less efficient under high concurrency and uses more server resources, but the false-positive rate is relatively low, since a single low-severity match does not by itself reach the threshold;

Self-Contained mode: the request is blocked at the first detected threat, so under high concurrency it is relatively more efficient and uses fewer server resources, but the false-positive rate is relatively high. This mode has one further advantage: because the disruptive action comes from the global SecDefaultAction, you can configure in one place that a blocked request is redirected to a custom notice page.

For how to configure the redirect to a custom notice page, see http://modsecurity.cn/practice/post/8.html

The configuration of the two modes differs as follows (set in crs-setup.conf):

Anomaly Scoring mode

SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

Because all rules are to be evaluated, SecDefaultAction does not use the "deny" keyword but "pass": after a threat is detected, matching continues with the next rule. The CRS detection rules themselves use the "block" action, which inherits the disruptive action from SecDefaultAction, so with "pass" a match only logs and increments the score. Here "log" means writing to the error log, normally the web server's error log file, and "auditlog" means writing an audit log entry with the full details of the request. If you do not need log or auditlog, simply remove the corresponding keyword.

Self-Contained mode

SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

This configuration means that as soon as a threat is detected, the request is blocked with the "deny" keyword and a 403 status code is returned to the client.

The audit logs also show a clear difference. For example, simulate a simple attack such as http://SERVER_IP/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E; the audit logs recorded in the two modes are shown below (look mainly at part H of each log):

Audit log in Anomaly Scoring mode

---5WCHvu3z---A--
[22/May/2020:17:16:14 +0800] 159013897435.560455 116.255.132.12 5289 172.21.0.15 80
---5WCHvu3z---B--
GET /?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1
Host: 49.233.80.239
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Cookie: memSize=1838
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

---5WCHvu3z---D--

---5WCHvu3z---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx/1.16.1</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a

---5WCHvu3z---F--
HTTP/1.1 403
Server: nginx/1.16.1
Date: Fri, 22 May 2020 09:16:14 GMT
Content-Length: 555
Content-Type: text/html
Connection: keep-alive

---5WCHvu3z---H--
ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "172.21.0.15"] [uri "/"] [unique_id "159013897435.560455"] [ref "v12,28t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<script[^>]*>[\s\S]*?' against variable `ARGS:param' (Value: `"><script>alert(1);</script>' ) [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "68"] [id "941110"] [rev ""] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "172.21.0.15"] [uri "/"] [unique_id "159013897435.560455"] [ref "o2,8v12,28t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d (3146 characters omitted)' against variable `ARGS:param' (Value: `"><script>alert(1);</script>' ) [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "205"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "172.21.0.15"] [uri "/"] [unique_id "159013897435.560455"] [ref "o2,7o19,8v12,28t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `15' ) [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "172.21.0.15"] [uri "/"] [unique_id "159013897435.560455"] [ref ""]

The audit log above shows that this request triggered three rules, IDs 941100, 941110 and 941160. Finally rule 949110 evaluated the accumulated anomaly score, found it at or above the configured threshold, and executed the blocking action, returning a 403 to the client and rejecting the request.

The rules involved in this block under Anomaly Scoring mode, and the order in which they fire, are as follows:

First, three rules in REQUEST-901-INITIALIZATION.conf, IDs 901100, 901120 and 901140:

SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
    "id:901100,\
    phase:1,\
    pass,\
    nolog,\
    setvar:'tx.inbound_anomaly_score_threshold=5'"

SecRule &TX:paranoia_level "@eq 0" \
    "id:901120,\
    phase:1,\
    pass,\
    nolog,\
    setvar:'tx.paranoia_level=1'"

SecRule &TX:critical_anomaly_score "@eq 0" \
    "id:901140,\
    phase:1,\
    pass,\
    nolog,\
    setvar:'tx.critical_anomaly_score=5'"

These three rules use the setvar action to initialise three variables: tx.inbound_anomaly_score_threshold to 5, tx.paranoia_level to 1 and tx.critical_anomaly_score to 5. Each is guarded by "&TX:variable @eq 0", a count of the variable's instances, so the default is applied only if crs-setup.conf has not already set that variable. tx.inbound_anomaly_score_threshold is the threshold that finally decides whether the request is blocked.

Next, the request triggered three rules in REQUEST-941-APPLICATION-ATTACK-XSS.conf, IDs 941100, 941110 and 941160:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \
    "id:941100,\
    phase:2,\
    block,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Attack Detected via libinjection',\
    logdata:'Matched Data: XSS data found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.2.0',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<script[^>]*>[\s\S]*?" \
    "id:941110,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Filter - Category 1: Script Tag Vector',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.2.0',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|(?:peech|ound)(?:start|end)|u(?:ccess|spend|bmit)|croll|how)|m(?:o(?:z(?:(?:pointerlock|fullscreen)(?:change|error)|(?:orientation|time)change|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|b(?:e(?:fore(?:(?:(?:de)?activa|scriptexecu)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ransition(?:cancel|end|run)|ime(?:update|out)|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom)|s(?:tyle|rc)|background|formaction|lowsrc|ping)[\s\x08]*?=|<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?(?:(?:a\W*?(?:n\W*?i\W*?m\W*?a\W*?t\W*?e|p\W*?p\W*?l\W*?e\W*?t|u\W*?d\W*?i\W*?o)|b\W*?(?:i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|a\W*?s\W*?e|o\W*?d\W*?y)|i?\W*?f\W*?r\W*?a\W*?m\W*?e|o\W*?b\W*?j\W*?e\W*?c\W*?t|i\W*?m\W*?a?\W*?g\W*?e?|e\W*?m\W*?b\W*?e\W*?d|p\W*?a\W*?r\W*?a\W*?m|v\W*?i\W*?d\W*?e\W*?o|l\W*?i\W*?n\W*?k)[^>\w]|s\W*?(?:c\W*?r\W*?i\W*?p\W*?t|t\W*?y\W*?l\W*?e|e\W*?t[^>\w]|v\W*?g)|m\W*?(?:a\W*?r\W*?q\W*?u\W*?e\W*?e|e\W*?t\W*?a[^>\w])|f\W*?o\W*?r\W*?m))" \
    "id:941160,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'NoScript XSS InjectionChecker: HTML Injection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.2.0',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

Each of the three rules uses setvar to add 5 to tx.anomaly_score_pl1, written as +%{tx.critical_anomaly_score}, where %{} expands to the value of the variable (the same amount is also added to the per-category tx.xss_score). Because three rules matched, tx.anomaly_score_pl1 is now 15.

Next, two rules in REQUEST-949-BLOCKING-EVALUATION.conf are executed, IDs 949060 and 949110:

SecRule TX:PARANOIA_LEVEL "@ge 1" \
    "id:949060,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl1}'"

SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
    "id:949110,\
    phase:2,\
    deny,\
    t:none,\
    log,\
    msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-generic',\
    severity:'CRITICAL',\
    setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"

Rule 949060 fires when tx.paranoia_level is at least 1 (which is always the case, since PL1 is the minimum) and adds the value of tx.anomaly_score_pl1 to tx.anomaly_score, which therefore also becomes 15. Rule 949110 then compares tx.anomaly_score with tx.inbound_anomaly_score_threshold using @ge: if the score is greater than or equal to the threshold, the request is blocked with the deny keyword. The threshold was initialised to 5, and 15 >= 5, so the condition matches and the request is blocked. Of course, the rules that actually take part in evaluating this request are not only the ones listed above; I have extracted only the rules involved in this particular block to give a brief outline of the blocking flow.
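The scoring chain just described (901xxx defaults, 941xxx increments, 949060 aggregation, 949110 threshold check) can be replayed outside ModSecurity. The following is an added Python model, not CRS or ModSecurity code, that mirrors that variable flow and runs the same three matches under Self-Contained mode for comparison; it goes beyond the single case on this page by including paranoia-level gating and a low-severity match, using the CRS 3.x default severity scores from crs-setup.conf (critical 5, error 4, warning 3, notice 2) and a hypothetical rule id 999001 for the constructed NOTICE match:

```python
"""Model of the CRS v3 anomaly-scoring decision compared with Self-Contained blocking.

Added example, not CRS or ModSecurity code: it replays in plain Python the variable
flow shown on this page (each matching rule adds tx.critical_anomaly_score to
tx.anomaly_score_plN, rules like 949060 fold the per-PL scores into tx.anomaly_score,
and 949110 denies when the total is @ge tx.inbound_anomaly_score_threshold).
"""
from dataclasses import dataclass, field
from typing import List, Optional

# CRS 3.x default severity scores (crs-setup.conf)
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}


@dataclass(frozen=True)
class RuleMatch:
    """A detection rule that matched the request: id, severity and its paranoia-level tag."""
    rule_id: int
    severity: str
    paranoia_level: int = 1


@dataclass
class Verdict:
    blocked: bool = False
    logged_rules: List[int] = field(default_factory=list)  # what part H of the audit log would list
    anomaly_score: int = 0
    blocking_rule: Optional[int] = None


def anomaly_scoring(matches: List[RuleMatch], paranoia_level: int = 1, threshold: int = 5) -> Verdict:
    """Anomaly Scoring mode (SecDefaultAction ... pass): every rule at or below the active
    paranoia level runs, is logged, and adds its severity score to tx.anomaly_score_plN;
    949110 denies only when the summed tx.anomaly_score reaches the threshold (@ge, so
    equality also blocks)."""
    score_by_pl = {1: 0, 2: 0, 3: 0, 4: 0}
    v = Verdict()
    for m in matches:
        if m.paranoia_level > paranoia_level:
            continue  # rules above the configured PL are not evaluated at all
        score_by_pl[m.paranoia_level] += SEVERITY_SCORE[m.severity]
        v.logged_rules.append(m.rule_id)  # a "ModSecurity: Warning." line; the request continues
    # 949060/949070/949080/949090: tx.anomaly_score_plN is counted when tx.paranoia_level >= N
    v.anomaly_score = sum(s for pl, s in score_by_pl.items() if paranoia_level >= pl)
    if v.anomaly_score >= threshold:
        v.blocked = True
        v.blocking_rule = 949110
        v.logged_rules.append(949110)  # the "Access denied with code 403" line
    return v


def self_contained(matches: List[RuleMatch], paranoia_level: int = 1) -> Verdict:
    """Self-Contained mode (SecDefaultAction ... deny,status:403): the first rule that
    matches is the blocking rule; later rules are neither evaluated nor logged."""
    v = Verdict()
    for m in matches:
        if m.paranoia_level > paranoia_level:
            continue
        v.blocked = True
        v.blocking_rule = m.rule_id
        v.logged_rules.append(m.rule_id)
        break
    return v


# The three CRITICAL XSS rules that fired in the audit log on this page.
XSS_MATCHES = [RuleMatch(941100, "CRITICAL"), RuleMatch(941110, "CRITICAL"), RuleMatch(941160, "CRITICAL")]

# Constructed: a single NOTICE-severity match (hypothetical rule id 999001) to show the
# false-positive trade-off between the two modes.
SINGLE_NOTICE = [RuleMatch(999001, "NOTICE")]

if __name__ == "__main__":
    a = anomaly_scoring(XSS_MATCHES)
    print(f"anomaly scoring : blocked={a.blocked} score={a.anomaly_score} rules={a.logged_rules}")
    s = self_contained(XSS_MATCHES)
    print(f"self-contained  : blocked={s.blocked} rules={s.logged_rules}")
    print("single NOTICE   : anomaly blocks?", anomaly_scoring(SINGLE_NOTICE).blocked,
          "/ self-contained blocks?", self_contained(SINGLE_NOTICE).blocked)
```

Running it reproduces the 15 >= 5 decision from the audit log above and shows the same three matches logging only 941100 in Self-Contained mode. It also makes the false-positive argument concrete: a single NOTICE match scores 2, below the threshold of 5, so Anomaly Scoring mode logs it and lets the request through, whereas Self-Contained mode blocks on it immediately.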

Audit log in Self-Contained mode:

---AHNuWePS---A--
[22/May/2020:17:13:41 +0800] 159013882129.161492 116.255.132.12 55959 172.21.0.15 80
---AHNuWePS---B--
GET /?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1
Host: 49.233.80.239
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Cookie: memSize=1838
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

---AHNuWePS---D--

---AHNuWePS---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx/1.16.1</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a

---AHNuWePS---F--
HTTP/1.1 403
Server: nginx/1.16.1
Date: Fri, 22 May 2020 09:13:41 GMT
Content-Length: 555
Content-Type: text/html
Connection: keep-alive

---AHNuWePS---H--
ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "172.21.0.15"] [uri "/"] [unique_id "159013882129.161492"] [ref "v12,28t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

As explained above, Self-Contained mode blocks the request as soon as a single threat is detected, so the log shows only rule 941100 being triggered.
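Both audit logs above can be triaged automatically from part H alone. The following added Python parser (example code, not part of ModSecurity or the CRS) reads the "ModSecurity: ..." lines, extracts the bracketed fields, and reports the fired rule ids, the denying rule and the total anomaly score. The embedded samples are trimmed copies of the two H sections on this page (tags and the long regex parameter shortened), and the inference of the mode from the blocking rule id is a heuristic, as noted in the code:

```python
"""Parse part H of a ModSecurity v3 audit log entry.

Added example, not ModSecurity or CRS code. It pulls the rule id, msg, severity, data
and tags out of each 'ModSecurity: ...' line and reports which rules fired, whether
the request was denied, and by which rule, so the two CRS modes can be told apart
from the audit log alone.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line prefix: either a non-disruptive "Warning." or "Access denied with code NNN (phase N)."
_HEAD = re.compile(r"^ModSecurity: (?:(Warning)|Access denied with code (\d+) \(phase \d+\))\.")
# [key "value"] fields. The lazy match runs up to the first '"]', so a value such as the
# [data ...] payload on this page, which itself contains a double quote, stays intact.
_KV = re.compile(r'\[(\w+) "(.*?)"\]')


@dataclass
class HLine:
    rule_id: int
    msg: str
    data: str
    severity: Optional[int]
    tags: List[str]
    denied: bool
    status: Optional[int]


def parse_h_line(line: str) -> Optional[HLine]:
    """Return the parsed fields of one H-section line, or None for anything else."""
    head = _HEAD.match(line)
    if not head:
        return None
    fields: Dict[str, str] = {}
    tags: List[str] = []
    for key, value in _KV.findall(line):
        if key == "tag":
            tags.append(value)  # tag repeats, so collect rather than overwrite
        else:
            fields[key] = value
    sev = fields.get("severity", "")
    return HLine(
        rule_id=int(fields["id"]),
        msg=fields.get("msg", ""),
        data=fields.get("data", ""),
        severity=int(sev) if sev.isdigit() else None,
        tags=tags,
        denied=head.group(1) is None,
        status=int(head.group(2)) if head.group(2) else None,
    )


def summarize(h_section: str) -> dict:
    """Which rules fired, whether the transaction was denied, and which mode that implies.
    A deny from 949110 (inbound) or 959100 (outbound) is the anomaly-scoring evaluation;
    a deny straight from a detection rule is what Self-Contained mode produces. A custom
    rule with an explicit deny would look the same, so the mode is an inference."""
    lines = [p for p in (parse_h_line(x) for x in h_section.splitlines()) if p]
    denied = [p for p in lines if p.denied]
    out = {
        "rule_ids": [p.rule_id for p in lines],
        "denied": bool(denied),
        "status": denied[0].status if denied else None,
        "blocking_rule": denied[0].rule_id if denied else None,
        "mode": None,
        "total_score": None,
    }
    if denied and denied[0].rule_id in (949110, 959100):
        out["mode"] = "anomaly-scoring"
        m = re.search(r"Total Score: (\d+)", denied[0].msg)
        out["total_score"] = int(m.group(1)) if m else None
    elif denied:
        out["mode"] = "self-contained"
    return out


# Constructed samples: trimmed copies of the two part-H sections shown on this page.
ANOMALY_H = r'''ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [tag "attack-xss"] [tag "paranoia-level/1"] [hostname "172.21.0.15"] [uri "/"] [unique_id "159013897435.560455"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<script[^>]*>[\s\S]*?' against variable `ARGS:param' (Value: `"><script>alert(1);</script>' ) [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "68"] [id "941110"] [rev ""] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [tag "attack-xss"] [tag "paranoia-level/1"] [hostname "172.21.0.15"] [uri "/"] [unique_id "159013897435.560455"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice (3146 characters omitted)' against variable `ARGS:param' (Value: `"><script>alert(1);</script>' ) [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "205"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [tag "attack-xss"] [tag "paranoia-level/1"] [hostname "172.21.0.15"] [uri "/"] [unique_id "159013897435.560455"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `15' ) [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "2"] [ver ""] [tag "attack-generic"] [hostname "172.21.0.15"] [uri "/"] [unique_id "159013897435.560455"]
'''

SELF_CONTAINED_H = r'''ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [tag "attack-xss"] [tag "paranoia-level/1"] [hostname "172.21.0.15"] [uri "/"] [unique_id "159013882129.161492"]
'''

if __name__ == "__main__":
    for name, section in (("anomaly scoring", ANOMALY_H), ("self-contained", SELF_CONTAINED_H)):
        print(name, summarize(section))
```

On the anomaly-scoring sample this yields four rule ids with 949110 as the blocking rule and a total score of 15; on the self-contained sample it yields a single rule id, 941100, which is itself the denying rule. The same parser can be pointed at a whole audit log file once the H section of each entry has been split out by its "---<id>---H--" marker.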

In addition, analysis of the DEBUG log shows that the number of rules evaluated differs between the two modes. Because the DEBUG log is too large to reproduce here, only the final figures are given.

When simulating the attack by requesting http://SERVER_IP/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E:

In Anomaly Scoring mode, including initialisation and other supporting rules, 340 rules were executed;

In Self-Contained mode, including initialisation and other supporting rules, 282 rules were executed.

The mode I currently use is Self-Contained mode.
