• Summary of custom rules


    Rule numbering:

    Example: 01020003

    01 marks the rule's major category. Value range: 01-29 are built-in (fixed) rules; 30 is custom rules; 40 and above are rules produced by the learning engine.

    02 marks the rule's subcategory. Value range: 01-99.

    0003 marks the rule's specific number within its subcategory. Value range: 0001-9999.

    When assigning numbers, reserve some ids for future upgrades.

    First page: built-in rules

    Built-in rules are displayed as a tree; their rule numbers are 01010001-29999999.

    Second page: anti-hotlinking

    Anti-hotlinking

    Rule numbers: 30010001-30019999

    Parameters the user must provide:

    xxxxxx1, the argument of SecHashParam: the name of the field appended to signed URLs;

    xxxxxx2, the argument of SecHashKey: the secret key;

    xxxxxx3, the argument of SecHashMethodRx or SecHashMethodPm: the pattern selecting the links to be signed;

    if SecHashKey is used in SessionID mode, the user must also supply xxxxx4, the exact name of the session ID cookie, so the session ID can be read directly.

    # Prerequisites

    SecStreamOutBodyInspection On

    SecContentInjection On

    SecDisableBackendCompression On

    # If the user chose SessionID mode, the session ID must be obtained and its retrieval verified; ideally the user supplies the explicit session cookie name xxxxx4

    # Read the session ID from the request cookies

    SecRule REQUEST_COOKIES:'/(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)/' ".*" "phase:1,id:30010002,t:none,msg:'SessionID Submitted.',setsid:%{matched_var},setvar:tx.sessionid=%{matched_var}"

    # Read the session ID from the Set-Cookie response header (capture group 6 is the cookie value)

    SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?);\s?)" "phase:3,id:30010003,t:none,capture,setsid:%{TX.6},setvar:tx.sessionid=%{TX.6}"

    # Sign the selected links with the chosen method; xxxxxx1 is the name of the newly added field

    SecHashEngine On

    SecHashParam "xxxxxx1"

    # Only one of the following three SecHashKey forms may be used. The key xxxxxx2 is always required; in RemoteIP and SessionID mode the client's IP address or the session ID is mixed into the hash as well

    SecHashKey "xxxxxx2" KeyOnly

    #SecHashKey "xxxxxx2" RemoteIP

    #SecHashKey "xxxxxx2" SessionID

    # A check belongs here: in SessionID and RemoteIP mode, verify that the respective value is not empty before signing

    # SecRule &TX:SESSIONID "@eq 0" "phase:3,id:30010004,pass,t:none,msg:'TX.SESSIONID DOES NOT EXIST',skipAfter:END_SEC_HASH"

    # SecRule TX:SESSIONID "^$" "phase:3,id:30010005,pass,t:none,msg:'SESSIONID IS NULL',skipAfter:END_SEC_HASH"

    # SecRule &REMOTE_ADDR "@eq 0" "phase:3,id:30010006,pass,t:none,msg:'REMOTE_ADDR DOES NOT EXIST',skipAfter:END_SEC_HASH"

    # SecRule REMOTE_ADDR "^$" "phase:3,id:30010007,pass,t:none,msg:'REMOTE_ADDR IS NULL',skipAfter:END_SEC_HASH"

    # The patterns to sign; xxxxxx3 is the pattern. SecHashMethodRx takes a regular expression, SecHashMethodPm takes literal strings

    # SecHashMethodRx TYPE "string1|string2|string3..."

    # SecHashMethodPm TYPE "string1 string2 string3..."

    TYPE is one of:

    # HashHref: Used to sign href= html elements

    # HashFormAction: Used to sign form action= html elements

    # HashIframeSrc: Used to sign iframe src= html elements

    # HashFrameSrc: Used to sign frame src= html elements

    # HashLocation: Used to sign Location response header

    # Validate the signed field on incoming requests; xxxxxx3 must be the same pattern that was used for signing

    # Default action: deny,status:505

    SecRule REQUEST_URI "@validateHash xxxxxx3" "phase:2,id:30010001"

    SecMarker END_SEC_HASH

    # With several patterns:

    #SecRule REQUEST_URI "@validateHash xxxxxx3|xxxxxx4" "phase:2,id:30010001"

    Third page: hidden form parameters

    Rule numbers: 30020001-30029999

    Parameters the user must provide:

    xxxxxx1, the name of the hidden parameter to protect

    # apache must be built with --enable-lua --with-lua=/usr/local/

    # modsecurity must be built with --with-lua=/usr/local/

    # Hmac.lua must be placed somewhere like /usr/local/share/lua/5.1/

    # Makefile: this is a modified lua/src Makefile that builds liblua.so; copy the result into the system lib directory

    # Parameters this rule set may need: the hidden parameter name to protect, and the secret used by the lua script

    # Test html, for reference

    <title> Crypto test </title>

    <form action="test.html" method="POST">

            Price <input type="hidden"  name="price" value="100">

            <input type="submit">

    </form>

    # Rule configuration

    SecStreamOutBodyInspection On

    SecContentInjection On

    SecDisableBackendCompression On

    # Phase 4: capture the hidden field's value, let CreateHMAC.lua compute tx.xxxxxx1Hmac, then inject a companion hidden field carrying the HMAC into the response body

    SecRule RESPONSE_BODY "name=\"xxxxxx1\" value=\"([a-zA-Z0-9]+)\"" "phase:4,chain,id:30020001,pass,capture,exec:/usr/local/apache2/conf.d/CreateHMAC.lua"

    SecRule STREAM_OUTPUT_BODY "@rsub s/name=\"xxxxxx1\" value=\"[a-zA-Z0-9]+\">/name=\"xxxxxx1\" value=\"%{TX.1}\"><input type=\"hidden\" name=\"xxxxxx1Hmac\" value=\"%{TX.xxxxxx1Hmac}\">|00|/d"

    # Phase 2: a submitted xxxxxx1 without its HMAC is rejected

    SecRule &ARGS:xxxxxx1 "@ge 1" "phase:2,id:30020002,t:none,chain,deny,log,msg:'Missing xxxxxx1Hmac parameter'"

    SecRule &ARGS:xxxxxx1Hmac "!@ge 1"

    # Phase 2: VerifyHMAC.lua recomputes the HMAC over the submitted value and sets tx.block when it does not match

    SecRule &ARGS:xxxxxx1 "@ge 1" "phase:2,id:30020003,t:none,chain,nolog,exec:/usr/local/apache2/conf.d/VerifyHMAC.lua"

    SecRule &ARGS:xxxxxx1Hmac "@ge 1"

    SecRule &TX:block "@gt 0" "phase:2,id:30020004,log,msg:'Invalid HMAC submitted',deny"
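    The following Python is an added illustration of the two protections above, the signed links of the second page and the HMAC-protected hidden field of the third page; it is not code from the original page and not the Hmac.lua, CreateHMAC.lua or VerifyHMAC.lua scripts the page refers to. The key b"xxxxxx2-demo-key", the field names and the use of HMAC-SHA256 over path, query and binding context are assumptions for the demo; ModSecurity's own SecHash construction is not reproduced. It shows what the rules only hint at: why RemoteIP/SessionID mode must refuse to sign when the context is empty, that the tag is compared in constant time, and that a missing HMAC field and a mismatching one are two different decisions.

```python
import hmac
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed values for the demo: the key stands in for xxxxxx2 (SecHashKey),
# the field name for xxxxxx1 (SecHashParam); neither is from the original page.
SECRET_KEY = b"xxxxxx2-demo-key"
HASH_PARAM = "xxxxxx1"
FIELD = "price"  # the hidden form parameter of the test html on the third page


def _mac(*parts):
    """HMAC-SHA256 over the NUL-joined parts. Illustrative only: ModSecurity's
    own SecHash construction is not reproduced here."""
    return hmac.new(SECRET_KEY, "\x00".join(parts).encode(), hashlib.sha256).hexdigest()


def binding_context(mode, remote_ip="", session_id=""):
    """Mirror the three SecHashKey modes. RemoteIP/SessionID mode refuses to sign
    when the value is empty, which is the check rules 30010004-30010007 perform."""
    if mode == "KeyOnly":
        return ""
    if mode == "RemoteIP":
        if not remote_ip:
            raise ValueError("REMOTE_ADDR is empty")
        return remote_ip
    if mode == "SessionID":
        if not session_id:
            raise ValueError("TX.SESSIONID is empty")
        return session_id
    raise ValueError("unknown SecHashKey mode: %s" % mode)


def sign_url(url, mode="KeyOnly", remote_ip="", session_id=""):
    """What SecHashEngine does to an outgoing href: append HASH_PARAM=<mac>."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    ctx = binding_context(mode, remote_ip, session_id)
    tag = _mac(parts.path, urlencode(query), ctx)
    query.append((HASH_PARAM, tag))
    return urlunsplit(parts._replace(query=urlencode(query)))


def validate_url(url, mode="KeyOnly", remote_ip="", session_id=""):
    """Counterpart of @validateHash on REQUEST_URI: recompute and compare in
    constant time. Missing tag, wrong context or edited path/query all fail."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    presented = [v for k, v in query if k == HASH_PARAM]
    rest = [(k, v) for k, v in query if k != HASH_PARAM]
    if len(presented) != 1:
        return False
    try:
        ctx = binding_context(mode, remote_ip, session_id)
    except ValueError:
        return False
    return hmac.compare_digest(presented[0], _mac(parts.path, urlencode(rest), ctx))


HIDDEN_RE = re.compile(r'name="%s" value="([a-zA-Z0-9]+)"' % re.escape(FIELD))


def inject_field_hmac(html):
    """What rule 30020001 + CreateHMAC.lua + @rsub do on the response body:
    follow the hidden field with a second hidden field carrying its HMAC."""
    def repl(m):
        tag = _mac(FIELD, m.group(1))
        return '%s><input type="hidden" name="%sHmac" value="%s"' % (m.group(0), FIELD, tag)
    return HIDDEN_RE.sub(repl, html, count=1)


def verify_form_args(args):
    """What rules 30020002-30020004 + VerifyHMAC.lua decide on the POST:
    True = accept, False = block."""
    if FIELD not in args:
        return True  # nothing to protect in this request
    presented = args.get(FIELD + "Hmac")
    if presented is None:
        return False  # 'Missing xxxxxx1Hmac parameter'
    return hmac.compare_digest(presented, _mac(FIELD, args[FIELD]))


if __name__ == "__main__":
    link = sign_url("/download/file.zip?id=7", "SessionID", session_id="abc123")
    print(link, validate_url(link, "SessionID", session_id="abc123"))
    page = inject_field_hmac('<input type="hidden" name="price" value="100">')
    print(page)
    tag = page.split('name="priceHmac" value="')[1].split('"')[0]
    print(verify_form_args({"price": "100", "priceHmac": tag}),
          verify_form_args({"price": "1", "priceHmac": tag}))
```

    The tag covers path and query together, so a signed link cannot be re-pointed at another resource by editing a parameter; in SessionID mode the same link presented from another session fails as well, which is the anti-hotlinking property the page is after.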


    Fourth page: application-layer DoS defence

    Rule numbers: 30030001-30039999

    connection flood

    # This class of attack can largely be handled by the mod_evasive module

    <IfModule mod_evasive20.c>

        DOSHashTableSize    3097

        DOSPageCount        5

        DOSSiteCount        50

        DOSPageInterval     1

        DOSSiteInterval     1

        DOSBlockingPeriod   360

    </IfModule>

    Parameters

    DOSHashTableSize 3097: size of the hash table.

    DOSPageCount 5: number of requests for the same page a client may make within DOSPageInterval before it is blocked.

    DOSSiteCount 50: number of requests for any object on the site a client may make within DOSSiteInterval before it is blocked.

    DOSPageInterval 1: interval (seconds) of the per-page request counter.

    DOSSiteInterval 1: interval (seconds) of the site-wide request counter.

    DOSBlockingPeriod 360: how long (seconds) a blacklisted client is refused.

    DOSEmailNotify xxxx@gmail.com: notify the administrator when an IP is blacklisted.

    DOSSystemCommand "sudo iptables -A INPUT -s %s -j DROP": system command executed when an IP is blacklisted.

    DOSLogDir "/tmp": temporary directory for the lock mechanism.

    DOSWhiteList 127.0.0.1: whitelist; whitelisted IPs are never blocked.

    Slow-connection defence

    # The mod_reqtimeout module can enforce timeouts on the request header and the request body

    # http://httpd.apache.org/docs/trunk/mod/mod_reqtimeout.html

    # The directive below means:

    # the header must be received within an initial 20 seconds; each 500 bytes received adds 1 second, up to a total of 40 seconds

    # the body must be received within an initial 30 seconds; each 1000 bytes received adds 1 second, with no upper bound

    RequestReadTimeout header=20-40,MinRate=500 body=30,MinRate=1000

    # The following rules defend against the Range header DoS, whose signature is a Range/Request-Range header with a large number of segments such as 0-1,1-2,2-3. The chain keeps the first five ranges in the range_header environment variable, and the RequestHeader directives rewrite the header from it

    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=\s*((\d+)?-(\d+)?\,){5,}" "chain,id:30030003,phase:1,t:none,log,msg:'Truncating Large Range Header Field.',capture,pass"

            SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=\s*((\d+)?-(\d+)?\,){5}" "chain,capture"

                    SecRule TX:0 "^(.*),$" "capture,setenv:range_header=%{tx.1}"

    RequestHeader unset Range env=range_header

    RequestHeader set Range "%{range_header}e" env=range_header

    Argument checks

    Known hash-collision argument names

    SecRule ARGS_NAMES "@pmFromFile hash_dos_param_names.data" "phase:2,t:none,id:30030001,msg:'Hash DoS PoC Attack Identified.'"

    A request with a very large number of arguments whose values are largely identical is treated as a DoS attack

    SecRule &ARGS "@ge 1000" "chain,phase:2,t:none,id:30030002,deny,msg:'Possible Hash DoS Attack Identified.'"

            SecRule REQUEST_BODY "^\w*?=(.*?)&\w*?=(.*?)&\w*?=(.*?)&\w*?=(.*?)&" "chain,capture"

                    SecRule TX:1 "@streq %{tx.2}" "chain,setvar:tx.hash_dos_match=+1"

                            SecRule TX:2 "@streq %{tx.3}" "chain,setvar:tx.hash_dos_match=+1"

                                    SecRule TX:3 "@streq %{tx.4}" "chain,setvar:tx.hash_dos_match=+1"

                                            SecRule TX:HASH_DOS_MATCH "@eq 3"

    Limit the number of processes in SERVER_BUSY_WRITE state per IP

    SecWriteStateLimit 50

    Limit the number of processes in SERVER_BUSY_READ state per IP

    SecReadStateLimit 50
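    As an added example, not code from the original page, the two request-level heuristics of this page in Python: the Range header truncation that rules 30030003 plus the RequestHeader directives perform, and the hash-DoS test of rule 30030002. The sample header and bodies are constructed, not captured traffic. The hash-DoS function takes a sample size so the "first four values identical" test of the page's chain can be widened, which the rule itself does not do.

```python
import re
from urllib.parse import parse_qsl

MAX_RANGES = 5            # rule 30030003 keeps the first five byte ranges
HASH_DOS_MIN_ARGS = 1000  # rule 30030002 only fires at 1000 or more arguments
RANGE_ITEM_RE = re.compile(r"^\d*-\d*$")


def truncate_range_header(value, max_ranges=MAX_RANGES):
    """Mirror rule 30030003 plus the RequestHeader directives: if a Range /
    Request-Range header lists more than max_ranges byte ranges, keep only the
    first max_ranges of them. Returns (new_value, truncated)."""
    m = re.match(r"^bytes=\s*(.*)$", value, re.S)
    if not m:
        return value, False
    ranges = [r.strip() for r in m.group(1).split(",")]
    if ranges and ranges[-1] == "":  # tolerate a trailing comma
        ranges.pop()
    if not ranges or not all(RANGE_ITEM_RE.match(r) for r in ranges):
        return value, False  # not a range list the rule understands; leave it
    if len(ranges) <= max_ranges:
        return value, False
    return "bytes=" + ",".join(ranges[:max_ranges]), True


def hash_dos_suspect(body, min_args=HASH_DOS_MIN_ARGS, sample=4):
    """Mirror rule 30030002: a body with at least min_args arguments whose first
    `sample` values are all identical. sample=4 is the page's chain; a larger
    value generalises it."""
    args = parse_qsl(body, keep_blank_values=True)
    if len(args) < min_args:
        return False
    values = [v for _, v in args[:sample]]
    return len(values) == sample and len(set(values)) == 1


# Constructed sample inputs (not captured traffic)
LARGE_RANGE_HEADER = "bytes=" + ",".join("%d-%d" % (i, i + 1) for i in range(1300))
HASH_DOS_BODY = "&".join("k%d=x" % i for i in range(1000))
NORMAL_BODY = "&".join("k%d=%d" % (i, i) for i in range(1000))

if __name__ == "__main__":
    print(truncate_range_header(LARGE_RANGE_HEADER))
    print(hash_dos_suspect(HASH_DOS_BODY), hash_dos_suspect(NORMAL_BODY))
```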

    Fifth page: sensitive information

    Rule numbers: 30040001-30049999

    Response code

    SecRule RESPONSE_STATUS "^(501)$" "deny,msg:'The response status is not allowed!',phase:3,id:30040001,severity:2"

    Card numbers, telephone numbers and the like:

    Mobile phone numbers

    SecRule RESPONSE_BODY "(1(([35][0-9])|(47)|[8][0126789]))\d{8}" "deny,msg:'There is a mobile phone number in the response body!',id:30040002,phase:4,severity:2"

    National ID card numbers

    # The first branch is the 18-digit form (four-digit birth year and check digit), the second the old 15-digit form. The original repeated the 15-digit branch after a " | " with spaces around it, which made that alternative require literal spaces.

    SecRule RESPONSE_BODY "(11|12|13|14|15|21|22|23|31|32|33|34|35|36|37|41|42|43|44|45|46|50|51|52|53|54|61|62|63|64|65)[0-9]{4}(([12][0-9]{3}[01][0-9][0-3][0-9][0-9]{3}[Xx0-9])|([0-9]{2}[01][0-9][0-3][0-9][0-9]{3}))" "phase:4,severity:2,id:30040003,msg:'There is a id card number in the response body!'"

    #SecRule RESPONSE_BODY "((11|12|13|14|15|21|22|23|31|32|33|34|35|36|37|41|42|43|44|45|46|50|51|52|53|54|61|62|63|64|65)[0-9]{4})(([0-9]{2}[01][0-9][0-3][0-9][0-9]{3}))" "msg:'There is a id card number in the response body!',phase:4,severity:2,id:"

    Credit card numbers (China)

    # @verifyCC runs a Luhn check on every match of the regex. The pattern must not be anchored with ^ and $, otherwise it only matches a body that consists of nothing but the number. Because t:removeWhitespace runs first, only the dash-separated and plain 16-digit forms can actually match.

    SecRule RESPONSE_BODY "@verifyCC (\d{4}[- ]){3}\d{4}|\d{16}" "phase:4,severity:2,t:none,t:removeWhitespace,msg:'There is a credit card number in the response body!',id:30040004"

    Alternative credit card rules:

    # Credit card patterns of various issuers

    # China

    (\d{4}[- ]){3}\d{4}|\d{16}

    # Foreign credit cards, generic check

    SecRule ARGS "@verifyCC (?:^|[^\d])(\d{4}-?\d{4}-?\d{2}-?\d{2}-?\d{1,4})(?:[^\d]|$)"

            "phase:2,id:'981078',t:none,skip:1"

    # GSA SmartPay

    SecRule ARGS "@verifyCC (?:^|[^\d])((?:5568|4(?:486|716))-?\d{4}-?\d{2}-?\d{2}-?\d{4}|8699-?\d{4}-?\d{2}-?\d{2}-?\d{3})(?:[^\d]|$)"

            "phase:2,t:none,msg:'GSA SmartPay Credit Card Number detected in user input',id:'920019',severity:'5'"

    # MasterCard

    SecRule ARGS "@verifyCC (?:^|[^\d])(5[1-5]\d{2}-?\d{4}-?\d{2}-?\d{2}-?\d{4})(?:[^\d]|$)"

            "phase:2,t:none,msg:'MasterCard Credit Card Number detected in user input',id:'920005',severity:'5'"

    # Visa

    SecRule ARGS "@verifyCC (?:^|[^\d])(4\d{3}-?\d{4}-?\d{2}-?\d{2}-?\d(?:\d{3})??)(?:[^\d]|$)"

            "phase:2,t:none,msg:'Visa Credit Card Number detected in user input',id:'920007',severity:'5'"

    # American Express

    SecRule ARGS "@verifyCC (?:^|[^\d])(3[47]\d{2}-?\d{4}-?\d{2}-?\d{2}-?\d{3})(?:[^\d]|$)"

            "phase:2,t:none,msg:'American Express Credit Card Number detected in user input',id:'920009',severity:'5'"

    # Diners Club

    SecRule ARGS "@verifyCC (?:^|[^\d])((?:30[0-5]|3[68]\d)\d-?\d{4}-?\d{2}-?\d{2}-?\d{2})(?:[^\d]|$)"

            "phase:2,t:none,msg:'Diners Club Credit Card Number detected in user input',id:'920011',severity:'5'"

    # enRoute

    #SecRule ARGS "(?:^|[^\d])(2(?:014|149)-?\d{4}-?\d{2}-?\d{2}-?\d{2}|55\d{2}-?\d{4}-?\d{2}-?\d{2}-?\d{3})(?:[^\d]|$)"

    #        "phase:2,t:none,msg:'enRoute Credit Card Number detected in user input',id:'920013',severity:'5'"

    # Discover

    SecRule ARGS "@verifyCC (?:^|[^\d])(6(?:011|5\d{2})-?\d{4}-?\d{2}-?\d{2}-?\d{4})(?:[^\d]|$)"

            "phase:2,t:none,msg:'Discover Credit Card Number detected in user input',id:'920015',severity:'5'"

    # JCB

    SecRule ARGS "@verifyCC (?:^|[^\d])(3\d{3}-?\d{4}-?\d{2}-?\d{2}-?\d{4}|(?:1800|21(?:31|00))-?\d{4}-?\d{2}-?\d{2}-?\d{3})(?:[^\d]|$)"

            "phase:2,t:none,msg:'JCB Credit Card Number detected in user input',id:'920017',severity:'5'"

    # Magnetic-stripe track 1 data (starts with %B), track 2 data (starts with ;) and bare PANs in the response body; capture is needed for %{tx.0} in the setvar

    SecRule RESPONSE_BODY "\%[Bb][3456][0-9]{3,3}[\x20-]{0,3}[0-9]{4,6}[\x20-]{0,3}[0-9]{2,5}[\x20-]{0,3}[0-9]{0,4}\^[^\^]+\^[0-9]+?"

             "phase:4,t:none,block,capture,msg:'Possible Credit Card Track 1 Data Leakage.',severity:'1',id:'920021',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"

    SecRule RESPONSE_BODY ";[3456][0-9]{3,3}[\x20-]{0,3}[0-9]{4,6}[\x20-]{0,3}[0-9]{2,5}[\x20-]{0,3}[0-9]{0,4}[=Dd][0-9]+?"

            "phase:4,t:none,block,capture,msg:'Possible Credit Card Track 2 Data Leakage.',severity:'1',id:'920022',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"

    SecRule RESPONSE_BODY "[^0-9][3456][0-9]{3,3}[\x20-]{0,3}[0-9]{4,6}[\x20-]{0,3}[0-9]{2,5}[\x20-]{0,3}[0-9]{0,4}[^0-9]"

            "phase:4,t:none,block,capture,msg:'Possible Credit Card PAN Data Leakage.',severity:'1',id:'920023',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"

    Sensitive-word filtering

    The sensitive words could be kept in a file

    SecStreamOutBodyInspection On

    # Replace every occurrence of A in the response body with B

    SecRule STREAM_OUTPUT_BODY "@rsub s/A/B/" "phase:4,id:30040005,t:none,nolog,pass"
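    The following is an added Python example, not code from the original page, of the response-body scanning this page describes: the mobile, ID card and credit card patterns of rules 30040002-30040004 run over a constructed sample body, with the Luhn check that @verifyCC applies and an ISO 7064 MOD 11-2 check digit test for 18-digit ID card numbers that the page's regex-only rule does not have. The sample body is constructed; the ID number is the widely published 11010519491231002X example and the card number is the 4111... Luhn test number. The 15-digit ID form is omitted since it carries no check digit.

```python
import re

# Patterns from rules 30040002-30040004, with lookarounds so a hit must be a
# stand-alone digit run rather than part of a longer number.
MOBILE_RE = re.compile(r"(?<!\d)1(?:[35]\d|47|8[0126789])\d{8}(?!\d)")
ID_CARD_RE = re.compile(
    r"(?<!\d)(?:1[1-5]|2[1-3]|3[1-7]|4[1-6]|5[0-4]|6[1-5])\d{4}"  # province + district
    r"(?:19|20)\d{2}[01]\d[0-3]\d"                                # birth date
    r"\d{3}[0-9Xx](?![0-9Xx])")                                    # sequence + check
CC_RE = re.compile(r"(?<!\d)(?:\d{4}[- ]){3}\d{4}(?!\d)|(?<!\d)\d{16}(?!\d)")

ID_WEIGHTS = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
ID_CHECK = "10X98765432"


def luhn_ok(number):
    """The check @verifyCC applies: Luhn mod-10 over the digits."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) > 0 and total % 10 == 0


def id_card_ok(number):
    """ISO 7064 MOD 11-2 check digit of an 18-digit ID card number."""
    if len(number) != 18 or not number[:17].isdigit():
        return False
    s = sum(int(c) * w for c, w in zip(number[:17], ID_WEIGHTS))
    return ID_CHECK[s % 11] == number[17].upper()


def scan_response_body(body):
    """Return (kind, match) pairs a phase-4 rule would flag."""
    hits = []
    for m in MOBILE_RE.finditer(body):
        hits.append(("mobile", m.group(0)))
    for m in ID_CARD_RE.finditer(body):
        if id_card_ok(m.group(0)):       # regex hit alone is not enough
            hits.append(("id_card", m.group(0)))
    for m in CC_RE.finditer(body):
        if luhn_ok(m.group(0)):          # what @verifyCC adds to the regex
            hits.append(("credit_card", m.group(0)))
    return hits


# Constructed sample body (not a real response)
SAMPLE_BODY = """<p>Contact: 13800138000</p>
<p>ID: 11010519491231002X (bad check digit: 110105194912310021)</p>
<p>Card: 4111 1111 1111 1111 (fails Luhn: 4111111111111112)</p>
<p>Order ref: 20240115123456789</p>"""

if __name__ == "__main__":
    for kind, hit in scan_response_body(SAMPLE_BODY):
        print(kind, hit)
```

    The order reference and the two numbers with bad check digits are not reported; without the checksum tests, rules 30040003 and a plain regex card rule would flag all of them.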

    Sixth page: Cookie protection

    Rule numbers: 30050001-30059999

    Maximum number of cookies allowed (1-256)

    SecRule &REQUEST_COOKIES "@gt 20" "t:none,deny,msg:'There are too many cookies in the request!',phase:1,id:30050001,severity:2"

    Maximum cookie name length allowed (1-256)

    SecRule REQUEST_COOKIES_NAMES "@gt 256" "t:none,t:length,deny,msg:'The cookie name is too long!',phase:1,id:30050002,severity:2"

    Maximum cookie value length allowed (1-1024)

    SecRule REQUEST_COOKIES "@gt 1024" "t:none,t:length,deny,msg:'The cookie value is too long!',phase:1,id:30050003,severity:2"

    # This topic currently has two parts: adding the HttpOnly and secure attributes to cookies, and designing a new directive that encrypts cookies or appends a cryptographic signature to them; some directives may have to be created during development

    # The user may need to supply a pattern that identifies the cookie

    # Detect Set-Cookie response headers that lack the HttpOnly attribute

    SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "!(?i:;? ?httponly;?)" "chain,phase:3,t:none,pass,nolog,id:30050004"

      SecRule MATCHED_VAR "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))" "t:none,setenv:http_cookie=%{matched_var}"

    # Together with the rule above, add the HttpOnly attribute; HttpOnly prevents the cookie from being read by javascript

    # Note: Header set replaces every Set-Cookie header of the response with this one; Header edit, as used for secure below, rewrites the matching header and keeps the others

    Header set Set-Cookie "%{http_cookie}e; HTTPOnly" env=http_cookie

    # Add the secure attribute: a secure cookie is only sent by the browser over HTTPS connections; over plain HTTP it is not transmitted, so it cannot be sniffed.

    Header edit Set-Cookie "^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!secure).)+)$" "$1; secure" env=secure_site

    # The directive below is a placeholder invented here; it must be designed and implemented. TEXT is the key, Encrypt selects cookie encryption, Sign selects appending a signature to the cookie

    SetCookieProMethod TEXT Encrypt | Sign

    Cookie protection could be implemented by modifying the mod_usertrack module
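    As an added example, not code from the original page, the attribute-adding half of this page in Python: a function that appends HttpOnly and (on HTTPS only) Secure to a Set-Cookie value when they are missing, restricted to the session-like cookie names of the Header edit rule above, and a wrapper that applies it per header without discarding the other Set-Cookie headers of the response. The cookie name alternation is taken from the page's rule; the header list in the test is constructed.

```python
import re

# Cookie names the page treats as session-bearing (the alternation of the
# Header edit rule above, anchored to the whole name)
SESSION_COOKIE_RE = re.compile(
    r"^(?:_?(?:cookie|token)|atlassian\.xsrf\.token|[aj]?sessionid|(?:php)?sessid|"
    r"(?:asp|jserv|jw)?session[-_]?(?:id)?|cf(?:id|token)|sid)$", re.I)


def harden_set_cookie(header_value, https, session_only=True):
    """Return the Set-Cookie value with HttpOnly (always) and Secure (on HTTPS
    only) appended when missing. Attribute names are compared case-insensitively
    so an existing 'httponly' is not duplicated. Non-session cookies are left
    alone when session_only is set, as the page's rules do."""
    name = header_value.split("=", 1)[0].strip()
    if session_only and not SESSION_COOKIE_RE.match(name):
        return header_value
    attrs = [a.strip() for a in header_value.split(";") if a.strip()]
    present = {a.split("=", 1)[0].strip().lower() for a in attrs[1:]}
    if "httponly" not in present:
        attrs.append("HttpOnly")
    if https and "secure" not in present:
        attrs.append("Secure")
    return "; ".join(attrs)


def harden_response_headers(headers, https):
    """Apply harden_set_cookie to every Set-Cookie header of a response while
    keeping all other headers and the other cookies in place."""
    return [(k, harden_set_cookie(v, https) if k.lower() == "set-cookie" else v)
            for k, v in headers]


if __name__ == "__main__":
    for k, v in harden_response_headers(
            [("Set-Cookie", "JSESSIONID=abc; Path=/"), ("Set-Cookie", "lang=en")], True):
        print(k + ": " + v)
```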

    Seventh page: access protection

    Rule numbers: 30060101-30069999

    Forbidden request file extensions

    SecRule REQUEST_BASENAME "\.initest$" "t:none,deny,msg:'The extension name of request file is not allowed!',phase:1,id:30060101,severity:2"

    A page that only a specified IP may access

    The user must provide the IP xxxxxx1 and the URI xxxxxx2. The chain denies the URI to every client address other than xxxxxx1 (as originally written, with pass on a positive IP match, the rule had no effect):

    SecRule REQUEST_URI "(xxxxxx2)" "phase:1,t:none,chain,deny,id:30060102"

             SecRule REMOTE_ADDR "!^(xxxxxx1)$" "t:none"

    A page that a specified IP may not access

    The user must provide the client IP xxxxxx1 and the URI xxxxxx2. The chain denies the URI to xxxxxx1:

    SecRule REQUEST_URI "(xxxxxx2)" "phase:1,t:none,chain,deny,id:30060103"

             SecRule REMOTE_ADDR "^(xxxxxx1)$" "t:none"

    Eighth page: HTTP request limits

    Rule numbers: 30070001-30079999

    Maximum URL length allowed (1-4096)

    SecRule REQUEST_URI "@gt 256" "t:none,t:length,deny,msg:'The URL of request is too long!',id:30070001,severity:2,phase:1"

    Maximum number of request headers allowed (1-256)

    SecRule &REQUEST_HEADERS "@gt 20" "t:none,deny,msg:'There are too many request headers!',phase:1,id:30070002,severity:2"

    Maximum request header name length allowed (1-256)

    SecRule REQUEST_HEADERS_NAMES "@gt 32" "t:none,t:length,deny,msg:'The request header name is too long!',phase:1,id:30070003,severity:2"

    Maximum request header value length allowed (1-4096)

    SecRule REQUEST_HEADERS "@gt 512" "t:none,t:length,deny,msg:'The request header value is too long!',phase:1,id:30070004,severity:2"

    Maximum request line length allowed (1-1024)

    SecRule REQUEST_LINE "@gt 256" "t:none,t:length,deny,msg:'The request line is too long!',phase:1,id:30070005,severity:2"

    Maximum request body length allowed (1-65536)

    SecRule REQUEST_BODY "@gt 4096" "t:none,t:length,deny,msg:'The request body is too large!',phase:2,id:30070006,severity:2"

    Maximum query string length allowed (1-1024)

    SecRule QUERY_STRING "@gt 256" "t:none,t:length,deny,msg:'The query string is too long!',phase:1,id:30070007,severity:2"

    Maximum argument name length allowed (1-256)

    SecRule ARGS_NAMES "@gt 32" "t:none,t:length,deny,msg:'The argument name is too long!',phase:2,id:30070008,severity:2"

    Maximum argument value length allowed (1-1024)

    SecRule ARGS "@gt 256" "t:none,t:length,deny,msg:'The argument value is too long!',phase:2,id:30070009,severity:2"

    Maximum combined argument length allowed (1-65535)

    SecRule ARGS_COMBINED_SIZE "@gt 4096" "t:none,deny,msg:'The combined size of arguments is too large!',phase:2,id:30070010,severity:2"

    Maximum number of arguments allowed (1-256)

    SecRule &ARGS "@gt 20" "t:none,deny,msg:'Too many arguments in the request',phase:2,id:30070011,severity:2"

    Allowed methods

    SecRule REQUEST_METHOD "!^(post|head|get)$" "t:none,t:lowercase,deny,msg:'The method of request is not allowed!',phase:1,id:30070021,severity:2"

    Allowed protocol versions

    SecRule REQUEST_PROTOCOL "!^(http/0\.9|http/1\.0|http/1\.1)$" "t:none,t:lowercase,deny,msg:'The protocol of request is not allowed!',phase:1,id:30070031,severity:2"

    Forbidden user-agent

    SecRule REQUEST_HEADERS:user-agent "^(Agenttest)$" "t:none,deny,msg:'The value of user-agent is not allowed!',phase:1,id:30070041,severity:2"

    Allowed content-type

    # For methods that carry a body, a Content-Type header, if present, must match contenttest

    SecRule REQUEST_METHOD "!^(get|head|propfind|options)$" "phase:1,chain,t:none,t:lowercase,deny,msg:'The content-type of request is not allowed!',id:30070051,severity:2"

             SecRule REQUEST_HEADERS:content-type "^(.*)$" "chain"

                       SecRule REQUEST_HEADERS:content-type "!^(contenttest)$" "t:none,t:lowercase"

    Ninth page: XML protection

    Rule numbers: 30080001-30089999

    # Parsing xml content has to be done in code; rexml.c is the reference implementation. During implementation the libxml library can be examined for functions that could be used directly

    Maximum tree depth: recommended 20, range 1-65535

    Maximum name length: recommended 64, range 1-65535

    Maximum tree nodes: recommended 10000, range 1-65535

    Maximum child nodes: recommended 100, range 1-65535

    Maximum node attributes: recommended 32, range 1-65535

    Maximum attribute name length: recommended 64, range 1-65535

    Maximum attribute value length: recommended 1024, range 1-65535

    Maximum CDATA length: recommended 1024, range 1-65535

    Block DTD: a DTD describes the elements of an XML document and their nesting structure. Setting this parameter blocks requests that contain a DTD, whether internal or external

    # Validate the xml payload against an .xsd file

    # Parse the request bodies that contain XML

    SecRule REQUEST_HEADERS:Content-Type "^text/xml$" "phase:1,id:30080001,nolog,pass,t:lowercase,ctl:requestBodyProcessor=XML"

    # Validate XML payload against the XSD schema

    SecRule XML "@validateSchema /path/to/xml.xsd" "phase:2,id:191,deny,msg:'Failed schema validation'"

    # Validate the xml payload against a .dtd file

    # Parse the request bodies that contain XML

    SecRule REQUEST_HEADERS:Content-Type "^text/xml$" "phase:1,id:30080002,nolog,pass,t:lowercase,ctl:requestBodyProcessor=XML"

    # Validate XML payload against DTD

    SecRule XML "@validateDTD /path/to/xml.dtd" "phase:2,id:181,deny,msg:'Failed DTD validation'"

    mod_xml2enc is the module that operates on xml content; filtering of xml payloads could be added to it
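    The limits listed above, enforced as an added Python example rather than code from the original page or from rexml.c: the document is streamed through expat and each limit is checked as the corresponding event arrives, so a payload that exceeds a limit or carries a DTD is rejected before the parser has built anything from it. The default values are the page's recommendations; the sample documents in the test are constructed.

```python
import xml.parsers.expat as expat

# The page's recommended defaults
LIMITS = {
    "max_depth": 20, "max_name_len": 64, "max_nodes": 10000, "max_children": 100,
    "max_attrs": 32, "max_attr_name_len": 64, "max_attr_value_len": 1024,
    "max_cdata_len": 1024, "block_dtd": True,
}


class XmlLimitError(ValueError):
    pass


def check_xml(data, **overrides):
    """Stream the document through expat and enforce the limits as events
    arrive. Raises XmlLimitError with the reason; returns the node count."""
    lim = dict(LIMITS, **overrides)
    depth = nodes = 0
    children = []   # child counter per open element
    cdata = [None]  # length of the CDATA section being read, if any

    def fail(msg):
        raise XmlLimitError(msg)

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if lim["block_dtd"]:
            fail("DTD not allowed")  # internal or external; entity expansion stops here

    def start(name, attrs):
        nonlocal depth, nodes
        nodes += 1
        depth += 1
        if nodes > lim["max_nodes"]:
            fail("too many nodes")
        if depth > lim["max_depth"]:
            fail("tree too deep")
        if len(name) > lim["max_name_len"]:
            fail("element name too long")
        if children:
            children[-1] += 1
            if children[-1] > lim["max_children"]:
                fail("too many children")
        children.append(0)
        if len(attrs) > lim["max_attrs"]:
            fail("too many attributes")
        for k, v in attrs.items():
            if len(k) > lim["max_attr_name_len"]:
                fail("attribute name too long")
            if len(v) > lim["max_attr_value_len"]:
                fail("attribute value too long")

    def end(name):
        nonlocal depth
        depth -= 1
        children.pop()

    def chars(text):
        if cdata[0] is not None:  # only count text inside <![CDATA[ ... ]]>
            cdata[0] += len(text)
            if cdata[0] > lim["max_cdata_len"]:
                fail("CDATA too long")

    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = start_doctype
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.StartCdataSectionHandler = lambda: cdata.__setitem__(0, 0)
    p.EndCdataSectionHandler = lambda: cdata.__setitem__(0, None)
    p.CharacterDataHandler = chars
    try:
        p.Parse(data, True)
    except expat.ExpatError as e:
        raise XmlLimitError("malformed XML: %s" % e)
    return nodes


def xml_verdict(data, **overrides):
    """'ok' or the reason the payload would be blocked."""
    try:
        check_xml(data, **overrides)
        return "ok"
    except XmlLimitError as e:
        return str(e)


if __name__ == "__main__":
    print(xml_verdict("<a><b x='1'/></a>"))
    print(xml_verdict("<!DOCTYPE a [<!ENTITY e 'x'>]><a>&e;</a>"))
```

    Rejecting at the DOCTYPE event is what makes the "block DTD" option effective: entity declarations, and therefore entity expansion, can only follow it.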

    Tenth page: login auditing

    Rule numbers: 30090001-30090099

    The user must provide the username parameter xxxxxx1, the password parameter xxxxxx2 and the login URI xxxxxx3 for auditing

    # ids 30090002 and 30090003 are assigned here from this page's range, since ModSecurity 2.7 and later require an id on every rule

    SecMarker BEGIN_LOGIN_AUDIT

    SecRule &ARGS:xxxxxx1 "@eq 0" "phase:2,id:30090002,pass,nolog,skipAfter:END_LOGIN_AUDIT"

    SecRule &ARGS:xxxxxx2 "@eq 0" "phase:2,id:30090003,pass,nolog,skipAfter:END_LOGIN_AUDIT"

    SecRule REQUEST_URI "^(xxxxxx3)$" "pass,msg:'Login with username:[%{ARGS.xxxxxx1}] and password:[%{ARGS.xxxxxx2}]!',phase:2,id:30090001,severity:3"

    SecMarker END_LOGIN_AUDIT

    Note that this rule writes the submitted password in clear text to the error and audit logs; for login statistics the username alone is sufficient.

    Eleventh page: upload protection

    Rule numbers: 30100001-30109999

    Maximum upload file size allowed (1-10485760)

    SecRule FILES_SIZES "@gt 1048576" "deny,msg:'The uploading file is too large!',phase:2,id:30100001,severity:2"

    Maximum combined upload size allowed (1-10485760)

    SecRule FILES_COMBINED_SIZE "@gt 1048576" "deny,msg:'The combined uploading file size is too large!',phase:2,id:30100002,severity:2"

    Maximum number of uploaded files allowed (1-10)

    SecRule &FILES "@gt 3" "deny,msg:'There are too many uploading files!',phase:2,id:30100003,severity:2"

    Allowed upload file types

    # id 30100004 is assigned here from this page's range; a rule without an id is rejected by ModSecurity 2.7 and later

    SecRule &FILES "@eq 0" "phase:2,id:30100004,pass,nolog,skipAfter:END_UPLOAD_CHECK"

    SecRule FILES "!\.jpgtest$" "t:none,deny,msg:'The extension name of uploading file is not allowed!',phase:2,id:30100010,severity:2"

    SecAction "t:none,pass,msg:'Upload file XXXXXXXXXXXXXX!',phase:2,id:30100011,severity:2"

    SecMarker END_UPLOAD_CHECK

    Trojan, webshell and virus scanning use similar rules that call different scripts

    Format check

    SecRule FILES_TMPNAMES "@inspectFile /webwall/engine/tool/filescan.sh" "msg:'The uploading file is dangerous!',phase:2,id:30100012,severity:1"

    Webshell check

    SecRule FILES_TMPNAMES "@inspectFile /webwall/engine/tool/filescan.sh" "msg:'The uploading file is dangerous!',phase:2,id:30100013,severity:1"

    Virus check

    SecRule FILES_TMPNAMES "@inspectFile /webwall/engine/tool/filescan.sh" "msg:'The uploading file is dangerous!',phase:2,id:30100014,severity:1"

    Twelfth page: protection whitelist

    Rule numbers: 30110001-30119999

    # A bare allow stops rule processing for the whole transaction, including the response-body checks of the fifth page; use allow:phase or allow:request to whitelist only the request side. A request such as /script.php/x.jpg also has the basename x.jpg, so whitelisting by extension can be used to bypass every other rule

    File names that skip rule matching

    SecRule REQUEST_BASENAME "\.(jpg|gif|html)$" "allow,id:30110001,phase:1"

    URIs that skip rule matching

    SecRule REQUEST_URI "(/index/test)" "allow,id:30110002,phase:1"

    IPs that skip rule matching

    SecRule REMOTE_ADDR "@ipMatch 192.168.1.1" "allow,id:30110003,phase:1"

  • Original source: https://www.cnblogs.com/xiachj/p/4105025.html
Copyright © 2020-2023 润新知