modsecurity: the rule system, part 2
1. Initialization of the individual score variables:
File:
rules/REQUEST-901-INITIALIZATION.conf
Rule:
SecAction \
"id:901200,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.8.0-dev',\
setvar:'tx.blocking_inbound_anomaly_score=0',\
setvar:'tx.detection_inbound_anomaly_score=0',\
setvar:'tx.inbound_anomaly_score_pl1=0',\
setvar:'tx.inbound_anomaly_score_pl2=0',\
setvar:'tx.inbound_anomaly_score_pl3=0',\
setvar:'tx.inbound_anomaly_score_pl4=0',\
setvar:'tx.sql_injection_score=0',\
setvar:'tx.xss_score=0',\
setvar:'tx.rfi_score=0',\
setvar:'tx.lfi_score=0',\
setvar:'tx.rce_score=0',\
setvar:'tx.php_injection_score=0',\
setvar:'tx.http_violation_score=0',\
setvar:'tx.session_fixation_score=0',\
setvar:'tx.blocking_outbound_anomaly_score=0',\
setvar:'tx.detection_outbound_anomaly_score=0',\
setvar:'tx.outbound_anomaly_score_pl1=0',\
setvar:'tx.outbound_anomaly_score_pl2=0',\
setvar:'tx.outbound_anomaly_score_pl3=0',\
setvar:'tx.outbound_anomaly_score_pl4=0',\
setvar:'tx.anomaly_score=0'"
2. Default threshold values
File name:
rules/REQUEST-901-INITIALIZATION.conf
Rule:
# Default Inbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
"id:901100,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.8.0-dev',\
setvar:'tx.inbound_anomaly_score_threshold=5'"
# Default Outbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
"id:901110,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.8.0-dev',\
setvar:'tx.outbound_anomaly_score_threshold=4'"
Note: as the comments say, the thresholds can also be set in rule 900110 in crs-setup.conf; if that rule is left commented out, the two rules above keep the defaults of 5 (inbound) and 4 (outbound).
Rule 900110 in crs-setup.conf, which configures the thresholds, reads as follows:
# -- [[ Anomaly Scoring Mode Blocking Threshold Levels ]] ----------------------
#
# Here, you can specify at which cumulative anomaly score an inbound request,
# or outbound response, gets blocked.
#
# Most detected inbound threats will give a critical score of 5.
# Smaller violations, like violations of protocol/standards, carry lower scores.
#
# [ At default value ]
# If you keep the blocking thresholds at the defaults, the CRS will work
# similarly to previous CRS versions: a single critical rule match will cause
# the request to be blocked and logged.
#
# [ Using higher values ]
# If you want to make the CRS less sensitive, you can increase the blocking
# thresholds, for instance to 7 (which would require multiple rule matches
# before blocking) or 10 (which would require at least two critical alerts - or
# a combination of many lesser alerts), or even higher. However, increasing the
# thresholds might cause some attacks to bypass the CRS rules or your policies.
#
# [ New deployment strategy: Starting high and decreasing ]
# It is a common practice to start a fresh CRS installation with elevated
# anomaly scoring thresholds (>100) and then lower the limits as your
# confidence in the setup grows. You may also look into the Sampling
# Percentage section below for a different strategy to ease into a new
# CRS installation.
#
# [ Anomaly Threshold / Paranoia Level Quadrant ]
#
# High Anomaly Limit | High Anomaly Limit
# Low Paranoia Level | High Paranoia Level
# -> Fresh Site | -> Experimental Site
# ------------------------------------------------------
# Low Anomaly Limit | Low Anomaly Limit
# Low Paranoia Level | High Paranoia Level
# -> Standard Site | -> High Security Site
#
# Uncomment this rule to change the defaults:
#
#SecAction \
# "id:900110,\
# phase:1,\
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.8.0-dev',\
# setvar:tx.inbound_anomaly_score_threshold=5,\
# setvar:tx.outbound_anomaly_score_threshold=4"
3. Rules that act once the cumulative score reaches or exceeds the threshold:
File:
rules/REQUEST-949-BLOCKING-EVALUATION.conf
Rule:
# if early blocking is active, check threshold in phase 1
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
"id:949111,\
phase:1,\
deny,\
t:none,\
msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
tag:'anomaly-evaluation',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.8.0-dev',\
chain"
SecRule TX:EARLY_BLOCKING "@eq 1"
# always check threshold in phase 2
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
"id:949110,\
phase:2,\
deny,\
t:none,\
msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
tag:'anomaly-evaluation',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.8.0-dev'"
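To see how the three pieces above fit together, here is a small Python model of the flow (an added example, not CRS code): rule 901200 zeroes the counters, 901100 applies the default threshold of 5, detection rules add their severity weight to the per-paranoia-level counters, and 949111/949110 deny with @ge. It assumes the CRS default weights for error/warning/notice (4/3/2, set in crs-setup.conf and not quoted on this page) and a simplified rule that only counters up to the blocking paranoia level feed the blocking total.

```python
# Added example (not CRS code): a model of the anomaly-scoring flow on this page.
# Severity weights: critical=5 is on the page; the error/warning/notice weights
# are the CRS defaults from crs-setup.conf (assumption, not quoted here).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}


def init_tx(inbound_threshold=0, early_blocking=0, blocking_pl=1):
    """Rule 901200 zeroes the counters; rule 901100 sets the default of 5
    when the threshold is still 0 (rule 900110 left commented out)."""
    tx = {f"inbound_anomaly_score_pl{pl}": 0 for pl in (1, 2, 3, 4)}
    tx["blocking_inbound_anomaly_score"] = 0
    tx["inbound_anomaly_score_threshold"] = inbound_threshold or 5  # "@eq 0" -> 5
    tx["early_blocking"] = early_blocking
    tx["blocking_paranoia_level"] = blocking_pl  # assumption: PL modelled simply
    return tx


def record_match(tx, severity, paranoia_level):
    """A detection rule match adds its severity weight to its PL counter."""
    tx[f"inbound_anomaly_score_pl{paranoia_level}"] += SEVERITY_SCORE[severity]


def blocking_score(tx):
    """Assumption: only counters up to the blocking paranoia level count;
    the rules that sum them are not quoted on this page."""
    return sum(tx[f"inbound_anomaly_score_pl{pl}"]
               for pl in range(1, tx["blocking_paranoia_level"] + 1))


def evaluate(tx, phase):
    """949111: phase 1, only when TX:EARLY_BLOCKING is 1; 949110: phase 2,
    always. Both deny once the total reaches the threshold (@ge)."""
    if phase == 1 and tx["early_blocking"] != 1:
        return "pass"
    tx["blocking_inbound_anomaly_score"] = blocking_score(tx)
    if tx["blocking_inbound_anomaly_score"] >= tx["inbound_anomaly_score_threshold"]:
        return "deny"
    return "pass"


def process_request(matches, threshold=0, early_blocking=0, blocking_pl=1):
    """matches: constructed list of (phase, severity, paranoia_level) tuples.
    Returns the phase in which the request was denied, or None if it passed."""
    tx = init_tx(threshold, early_blocking, blocking_pl)
    for phase in (1, 2):
        for match_phase, severity, pl in matches:
            if match_phase == phase:
                record_match(tx, severity, pl)
        if evaluate(tx, phase) == "deny":
            return phase
    return None
```

With the default threshold a single critical match is enough to deny, while a threshold of 10 needs two criticals or a mix of lesser alerts, exactly as the crs-setup.conf comment describes.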