modsecurity: the rule system, part 3

1. The level of a rule: the paranoia level

Because every rule can produce false positives, the OWASP Core Rule Set (CRS) that runs on ModSecurity assigns each rule a level, called the PL (paranoia level).
There are 4 levels, 1/2/3/4.
The higher the level, the fewer false negatives (missed attacks) and the more false positives (legitimate requests flagged).
Operators should adjust the level to match their actual traffic and their capacity to handle false positives.
The default is PL=1; it is configured in crs-setup.conf, where CRS 4 uses tx.blocking_paranoia_level (and optionally tx.detection_paranoia_level) for the purpose.

Configuration file:

crs-setup.conf

Default settings (the relevant section of the shipped file; both SecAction rules are commented out, which leaves PL=1):

#
# -- [[ Paranoia Level Initialization ]] ---------------------------------------
#
# The Paranoia Level (PL) setting allows you to choose the desired level
# of rule checks that will add to your anomaly scores.
#
# With each paranoia level increase, the CRS enables additional rules
# giving you a higher level of security. However, higher paranoia levels
# also increase the possibility of blocking some legitimate traffic due to
# false alarms (also named false positives or FPs). If you use higher
# paranoia levels, it is likely that you will need to add some exclusion
# rules for certain requests and applications receiving complex input.
#
# - A paranoia level of 1 is default. In this level, most core rules
#   are enabled. PL1 is advised for beginners, installations
#   covering many different sites and applications, and for setups
#   with standard security requirements.
#   At PL1 you should face FPs rarely. If you encounter FPs, please
#   open an issue on the CRS GitHub site and don't forget to attach your
#   complete Audit Log record for the request with the issue.
# - Paranoia level 2 includes many extra rules, for instance enabling
#   many regexp-based SQL and XSS injection protections, and adding
#   extra keywords checked for code injections. PL2 is advised
#   for moderate to experienced users desiring more complete coverage
#   and for installations with elevated security requirements.
#   PL2 comes with some FPs which you need to handle.
# - Paranoia level 3 enables more rules and keyword lists, and tweaks
#   limits on special characters used. PL3 is aimed at users experienced
#   at the handling of FPs and at installations with a high security
#   requirement.
# - Paranoia level 4 further restricts special characters.
#   The highest level is advised for experienced users protecting
#   installations with very high security requirements. Running PL4 will
#   likely produce a very high number of FPs which have to be
#   treated before the site can go productive.
#
# All rules will log their PL to the audit log;
# example: [tag "paranoia-level/2"]. This allows you to deduct from the
# audit log how the WAF behavior is affected by paranoia level.
#
# It is important to also look into the variable
# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED)
# defined below. Enabling it closes a possible bypass of CRS.
#
# Uncomment this rule to change the default:
#
#SecAction \
#    "id:900000,\
#    phase:1,\
#    pass,\
#    t:none,\
#    nolog,\
#    tag:'OWASP_CRS',\
#    ver:'OWASP_CRS/4.8.0-dev',\
#    setvar:tx.blocking_paranoia_level=1"


# It is possible to execute rules from a higher paranoia level but not include
# them in the anomaly scoring. This allows you to take a well-tuned system on
# paranoia level 1 and add rules from paranoia level 2 without having to fear
# the new rules would lead to false positives that raise your score above the
# threshold.
# This optional feature is enabled by uncommenting the following rule and
# setting the tx.detection_paranoia_level.
# Technically, rules up to the level defined in tx.detection_paranoia_level
# will be executed, but only the rules up to tx.blocking_paranoia_level affect the
# anomaly scores.
# By default, tx.detection_paranoia_level is set to tx.blocking_paranoia_level.
# tx.detection_paranoia_level must not be lower than tx.blocking_paranoia_level.
#
# Please notice that setting tx.detection_paranoia_level to a higher paranoia
# level results in a performance impact that is equally high as setting
# tx.blocking_paranoia_level to said level.
#
#SecAction \
#    "id:900001,\
#    phase:1,\
#    pass,\
#    t:none,\
#    nolog,\
#    tag:'OWASP_CRS',\
#    ver:'OWASP_CRS/4.8.0-dev',\
#    setvar:tx.detection_paranoia_level=1" 

 

2. How a rule's level is set:

The way rules are assigned to a level is unusual: a rule's level is determined by its position in the rule file, not by a per-rule attribute (the paranoia-level/N tag records the level for the audit log but does not enforce it). A simplified description of the mechanism follows.

Mechanism used to set the level: skipAfter and SecMarker

skipAfter: when the rule's condition is met, skip every following rule up to the SecMarker with the given name (the skip only applies within the phase currently being evaluated, which is why the gate rules below come in phase:1/phase:2 pairs)

SecMarker: a named marker in the rule file that skipAfter can jump to; it matches nothing by itself

An example of how this is set up, shown as grep output from rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf. Each pair of gate rules tests whether TX:DETECTION_PARANOIA_LEVEL is below 1, 2, 3 or 4 and, if so, jumps to the END-REQUEST-920-PROTOCOL-ENFORCEMENT marker at the end of the file; every rule placed after the "@lt N" gate therefore runs only when the detection paranoia level is at least N, and that position is what makes it a PL N rule:

rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecMarker "END-REQUEST-920-PROTOCOL-ENFORCEMENT"
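The following Python script is an added example, not code from the post or from the CRS project. It emulates the two mechanisms described above in one place: the position-based gating of section 2 (a "@lt N ... skipAfter" gate hides everything up to the SecMarker when the detection PL is below N, so a rule's PL is simply the gate it sits behind) and the blocking versus detection split of section 1 (rules up to the detection PL run and log, but only those up to the blocking PL count toward blocking). Assumptions: the eight gate rules and the marker are abridged from the grep output (tag/ver actions dropped); rules 999001-999003, their regexes, the anomaly-score increments and the two sample requests are invented placeholders; the per-PL score buckets (tx.inbound_anomaly_score_plN) summed into a blocking and a detection score are a simplified model of how CRS 4 keeps the two apart, and only the operators @lt and @rx are modelled.

```python
import re
from dataclasses import dataclass
from typing import Optional

RULE_RE = re.compile(r'^SecRule\s+(\S+)\s+"([^"]*)"\s+"([^"]*)"$')
MARKER_RE = re.compile(r'^SecMarker\s+"([^"]+)"$')

# Constructed rule file: gate rules 920011-920018 and the SecMarker are abridged
# from the post's grep output; rules 999001-999003 are invented placeholders for
# the real CRS rules that sit behind each gate (per-PL score buckets assumed).
SAMPLE_RULES = r'''
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule ARGS:q "@rx (?i)union\s+select" "id:999001,phase:2,pass,log,tag:'paranoia-level/1',setvar:'tx.inbound_anomaly_score_pl1=+5'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule ARGS:q "@rx (?i)select.+from" "id:999002,phase:2,pass,log,tag:'paranoia-level/2',setvar:'tx.inbound_anomaly_score_pl2=+5'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule ARGS:q "@rx [;']" "id:999003,phase:2,pass,log,tag:'paranoia-level/3',setvar:'tx.inbound_anomaly_score_pl3=+3'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecMarker "END-REQUEST-920-PROTOCOL-ENFORCEMENT"
'''


@dataclass
class Rule:
    var: str                       # variable tested, e.g. TX:DETECTION_PARANOIA_LEVEL or ARGS:q
    op: str                        # operator plus argument, e.g. "@lt 2"
    actions: dict                  # action name -> value ("" for flags such as nolog)
    marker: Optional[str] = None   # set only for SecMarker pseudo-rules


def parse_rules(text: str) -> list:
    rules = []
    for line in text.strip().splitlines():
        m = MARKER_RE.match(line)
        if m:
            rules.append(Rule("", "", {}, marker=m.group(1)))
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line}")
        var, op, raw_actions = m.groups()
        actions = {}
        for item in raw_actions.split(","):
            name, _, value = item.partition(":")
            actions[name] = value.strip("'")
        rules.append(Rule(var, op, actions))
    return rules


def paranoia_level_by_position(rules: list) -> dict:
    """A rule's PL is the threshold of the last '@lt N ... skipAfter' gate above it in the file."""
    levels, current = {}, 0
    for r in rules:
        if r.marker:
            current = 0
        elif r.var == "TX:DETECTION_PARANOIA_LEVEL" and "skipAfter" in r.actions:
            current = int(r.op.split()[1])
        else:
            levels[r.actions["id"]] = current
    return levels


def _matches(rule: Rule, request: dict, tx: dict) -> bool:
    if rule.var.startswith("TX:"):
        value = tx.get(rule.var[3:].lower(), 0)
    else:
        value = request.get(rule.var)
        if value is None:
            return False
    name, _, arg = rule.op.partition(" ")
    if name == "@lt":
        return int(value) < int(arg)
    if name == "@rx":
        return re.search(arg, str(value)) is not None
    raise ValueError(f"operator not modelled: {name}")


def evaluate(rules: list, request: dict, blocking_pl: int, detection_pl: int) -> dict:
    """Walk phases 1 and 2 over the file; return blocking/detection scores and the rules that logged."""
    if detection_pl < blocking_pl:
        raise ValueError("tx.detection_paranoia_level must not be lower than tx.blocking_paranoia_level")
    tx = {"blocking_paranoia_level": blocking_pl, "detection_paranoia_level": detection_pl}
    logged = []
    for phase in ("1", "2"):          # the engine walks the whole file once per phase
        i = 0
        while i < len(rules):
            r = rules[i]
            i += 1
            if r.marker or r.actions.get("phase") != phase or not _matches(r, request, tx):
                continue
            if "setvar" in r.actions:  # e.g. tx.inbound_anomaly_score_pl2=+5
                name, _, inc = r.actions["setvar"].partition("=+")
                tx[name[3:]] = tx.get(name[3:], 0) + int(inc)
            if "nolog" not in r.actions:
                logged.append((r.actions["id"], r.actions.get("tag", "")))
            if "skipAfter" in r.actions:  # jump past the named SecMarker
                i = next(j for j, m in enumerate(rules) if m.marker == r.actions["skipAfter"]) + 1

    def score(up_to: int) -> int:
        return sum(tx.get(f"inbound_anomaly_score_pl{n}", 0) for n in range(1, up_to + 1))

    # Buckets up to the blocking PL count toward blocking; detection sums buckets up to the detection PL.
    return {"blocking_score": score(blocking_pl), "detection_score": score(detection_pl), "logged": logged}


RULES = parse_rules(SAMPLE_RULES)
SQLI = {"ARGS:q": "1 UNION SELECT name FROM items"}   # constructed request arguments
QUOTE = {"ARGS:q": "it's fine"}                         # benign text that only trips the PL3 placeholder

if __name__ == "__main__":
    print("PL by position:", paranoia_level_by_position(RULES))
    for bpl, dpl in ((1, 1), (1, 2), (2, 3)):
        print(f"blocking={bpl} detection={dpl}", evaluate(RULES, SQLI, bpl, dpl), evaluate(RULES, QUOTE, bpl, dpl))
```

Running the script shows the property the post describes: with blocking=1 and detection=2 the PL2 placeholder logs a hit on the constructed SQLi-style request but the blocking score stays at the PL1 value, and a benign apostrophe at blocking=2/detection=3 produces a PL3 log entry with a blocking score of 0, which is exactly the audit-log evidence you would review before raising tx.blocking_paranoia_level.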

 

posted @ 2024-10-21 15:07  刘宏缔的架构森林