modsecurity:规则例子:匹配url
一,拦截包含一个字符串的访问:
1,例子:如下:
11.89.39.11 - - [23/Oct/2024:04:47:22 +0800] "GET /.git/config HTTP/1.1" 404 548
"-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36" "-" 0.000 或:
61.227.34.19 - - [23/Oct/2024:03:55:37 +0800] "GET /.env HTTP/1.1" 404 146 "-" "Mozilla/5.0 Keydrop" "-" 0.0002,规则代码:
SecRule REQUEST_URI "@contains .git" "id:2001,phase:1,deny,status:403"
SecRule REQUEST_URI "@contains .env" "id:2003,phase:1,deny,status:403"也可以用一条规则同时拦截多种情况:
SecRule REQUEST_URI "@rx \.git|\.env" "id:2001,phase:1,deny,status:403".在正则表达式中表示任意字符,所以前面加了\转义
二,拦截同时包含两个字符串的访问
1,例子:
14.38.23.16 - - [23/Oct/2024:03:40:02 +0800] "GET /js/_system/jQuery-File-Upload/server/php/index.php?file=tf2rghf.jpg HTTP/1.1"
404 146 "-" "ALittle Client" "-" 0.000这种在php后面加参数.jpg,目的是绕过一些过滤规则
2,解决:规则代码:
SecRule REQUEST_URI "@rx \.php.*\.jpg" "phase:1,deny,status:403,id:2100"在正则表达式中,.表示任意字符,*表示任意多个
也可以用chain的写法:
例子:
SecRule REQUEST_URI "@contains .php" "chain,phase:1,deny,status:403,id:2100"
SecRule REQUEST_URI "@contains .jpg"供参考
