ModSecurity: Rule -- Basic


1. RULE引擎开关

SecRuleEngine

  • Description:SecRule引擎开关
  • Scope: Any
  • Syntax: SecRuleEngine On|Off|DetectionOnly
    • On|Off|DetectionOnly
      • On
      • Off: 默认关闭
      • DetectionOnly:只检测,不防护
SecRuleEngine DetectionOnly

2. 添加RULE

SecRule

  • Description: 添加一个rule
  • Scope: Any
  • Syntax: SecRule VARIABLES OPERATOR [ACTIONS]
    • VARIABLES:Where to look, 检查位置;
    • OPERATOR:How to look, 对VARIABLES所取的内容进行匹配
    • ACTIONS:What should Mod_Security do, 当匹配成功后,应该做什么,比如 记log、阻断等等。没有指定action则用default action。
SecRule ARGS "@rx attack" "phase:1,log,deny,id:1"

SecRuleScript

  • Description: 调用Lua脚本进行匹配
  • Scope: Any
  • Syntax:SecRuleScript DIR ACTIONS
    • DIR: lua脚本
    • ACTIONS
SecRuleScript "/path/to/file.lua" "block"

SecAction

  • Description:配置强制action
  • Scope: Any
  • Syntax: SecAction "action1,action2,action3,..."
SecAction nolog,phase:1,initcol:RESOURCE=%{REQUEST_FILENAME}

SecDefaultAction

  • Description: 配置default action
  • Scope: Any
  • Syntax: SecDefaultAction "action1,action2,action3"
    • Action list: 默认配置为"phase:2,log,auditlog,pass"
SecDefaultAction "phase:1,log,auditlog,pass"

3. Disable RULE

SecRuleRemoveById

  • Description:Disable指定ID的RULE,该命令必须在指定ID的RULE后面
  • Scope: Any
  • Syntax: SecRuleRemoveById ID ID RANGE ...
SecRuleRemoveByID 1 2 "9000-9010"

SecRuleRemoveByMsg

  • Description:Disable匹配message的RULE,该命令必须在匹配message的RULE后面
  • Scope: Any
  • Syntax: SecRuleRemoveByMsg REGEX
SecRuleRemoveByMsg "FAIL"

SecRuleRemoveByTag

  • Description:Disable匹配tag的RULE,该命令必须在匹配tag的RULE后面
  • Scope: Any
  • Syntax: SecRuleRemoveByTag REGEX
 SecRuleRemoveByTag "WEB_ATTACK/XSS"

4. Update RULE

SecRuleUpdateActionById

  • Description:Update匹配ID的RULE的ACTIONS
    • 不能改写rule ID和phase
    • 一条rule中只允许配置一个的action:改写
    • 一条rule中允许配置多个的action:添加
  • Scope: Any
  • Syntax: SecRuleUpdateActionById RULEID[:offset] ACTIONLIST
    • RULEID[:offset]
    • Action list
SecRuleUpdateActionById 12345 "deny,status:403"

SecRuleUpdateTargetById

  • Description:更新VARIABLE
  • Scope:Any
  • Syntax: SecRuleUpdateTargetById RULEID TARGET1[,TARGET2,TARGET3] REPLACED_TARGET
    • RULEID
    • 新添加的target list
    • 被替换的target
#添加target
SecRuleUpdateTargetById 12345 "!ARGS:foo"

#替换指定target
SecRuleUpdateTargetById 958895 REQUEST_URI REQUEST_FILENAME

SecRuleUpdateTargetByMsg

  • Description:更新VARIABLE
  • Scope: Any
  • Syntax: SecRuleUpdateTargetByMsg TEXT TARGET1[,TARGET2,TARGET3] REPLACED_TARGET
    • TEXT: message
    • 新添加的target list
    • 被替换的target

SecRuleUpdateTargetByTag

  • Description:更新VARIABLE
  • Scope: Any
  • Syntax: SecRuleUpdateTargetByTag TEXT TARGET1[,TARGET2,TARGET3] REPLACED_TARGET
    • TEXT: tag
    • 新添加的target list
    • 被替换的target

5. 远程RULE

SecRemoteRules

  • Description:加载远程RULE
  • Scope: Any
  • Syntax: SecRemoteRules [crypto] key https://url
    • [crypto] :只支持TLS
    • key:Remote server 根据key发送RULE
    • https://url: 远程服务器上的RULE文件
SecRemoteRules some-key https://www.yourserver.com/plain-text-rules.txt

SecRemoteRulesFailAction

  • Description:远程RULE加载失败后的action,改名了也影响@ipMatchFromFile从远程服务器检索远程文件。
  • Scope:Any
  • Syntax: SecRemoteRulesFailAction Abort|Warn
    • Abort|Warn:默认配置为Abord

6. RULE继承

SecRuleInheritance

  • Description:是否开启从父RULE继承
  • Scope:Any
  • Syntax: SecRuleInheritance On|Off
    • On|Off:默认开启

7. RULE跳转

SecMarker

  • Description:创建一个marker,与skipAfter联合使用
  • Scope: Any
  • Syntax: SecMarker ID|TEXT
SecMarker BEGIN_HOST_CHECK

        SecRule &REQUEST_HEADERS:Host "@eq 0" \
                "skipAfter:END_HOST_CHECK,phase:2,rev:'2.1.1',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
        SecRule REQUEST_HEADERS:Host "^$" \
                "phase:2,rev:'2.1.1',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecMarker END_HOST_CHECK

8. 规则集签名

SecComponentSignature

  • Description:规则集签名,该签名将被记录在audit log中
  • Scope: Main
  • Syntax: SecComponentSignature "COMPONENT_NAME/X.Y.Z (COMMENT)"

9. 性能调试

SecRulePerfTime

  • Description:设置一条RULE执行做需要的时间阈值,超过该阈值的RULE将被记录在audit log Part H;用于性能调优。
  • Scope: Any
  • Syntax: SecRulePerfTime USECS

10. 正则表达式相关配置

SecPcreMatchLimit

  • Description: 设置 PCRE 库中的匹配限制。
  • Scope: Main, not allowed inside VirtualHosts.
  • Syntax: SecPcreMatchLimit value
    • Default: 1500

SecPcreMatchLimitRecursion

  • Description: 设置 PCRE 库中的递归匹配限制。
  • Scope: Main,not allowed inside VirtualHosts.
  • Syntax: SecPcreMatchLimitRecursion value
    • Default: 1500

11. 多web应用分离

SecWebAppId

  • Description: 创建application namespace, 允许单独的持久会话和用户存储。当在同一台服务器上部署多个应用程序时, 应用程序命名空间用于避免会话 id 和用户 id 之间的冲突。如果未使用, 则可能会发生会话 id 之间的冲突。application namespace也被记录在审核日志中 (使用WebApp-Info header的log H 部分)。

  • Scope: Any, 与VirtualHost配合使用

  • Syntax: SecWebAppId "NAME"

<VirtualHost *:80> 
ServerName app1.example.com 
SecWebAppId "App1" ...
</virtualhost>

<VirtualHost *:80> 
ServerName app2.example.com 
SecWebAppId "App2" ...
</virtualhost>

12. Others

SecChrootDir

  • Description: 配置web server process的工作目录。
  • Scope: Main,不支持VirtualHost
  • Syntax: SecChrootDir /path/to/chroot/dir

SecCollectionTimeout seconds

  • Description: Specifies the collections timeout. Default is 3600 seconds.
  • Scope: Any
  • Syntax: SecCollectionTimeout seconds

SecInterceptOnError

  • Description: 配置在rule处理失败时如何响应。
  • Scope: Main
  • Syntax: SecInterceptOnError On|Off
    • On: 不再执行同一phase中的其他rule,不执行拦截
    • Off: 跳过当前执行失败的rule,继续向下执行

SecCacheTransformations

  • Description: 控制转换的缓存, 这可能加快复杂规则集的处理速度。Version: < v2.5.6
  • Scope: Any
  • Syntax: SecCacheTransformations On|Off [options]
    • On: 缓存变换, (per transaction, per phase) 允许相同的变换只执行一次。
    • Off: 不缓存
    • incremental:on|off: Enabling this option will cache every transformation instead of just the final transformation. The default is off.
    • maxitems:N: Do not allow more than N transformations to be cached. Cache will be disabled once this number is reached. A zero value is interpreted as unlimited. This option may be useful to limit caching for a form with a large number of variables. The default value is 512.
    • minlen:N: Do not cache the transformation if the variable’s length is less than N bytes. The default setting is 32.
    • maxlen:N: Do not cache the transformation if the variable’s length is more than N bytes. A zero value is interpreted as unlimited. The default setting is 1024.
Example Usage: SecCacheTransformations On "minlen:64,maxlen:0"

SecStatusEngine

  • Description: 将软件版本信息发送给ModSecurity Project团队
  • Scope: Any
  • Syntax: SecStatusEngine On|Off
    • Default off

Reference:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

推荐阅读更多精彩内容