我刚刚为Apache mod_security安装了CRS,它将报告所有PDF文件为可能的攻击。 具体而言,这是modsecurity_crs_20_protocol_violations.conf导致这些文件以0开头的麻烦。
当用户试图下载任何PDF文件,我得到这个日志(域名更改):
[Tue Jul 08 15:02:40.695235 2014] [ratelimit:error] [pid 6875:tid 140072931452672] [client 149.255.82.154:57722] AH01457: rl: brigade pass failed., referer: http://example.com/downloads/ [Tue Jul 08 15:02:41.081811 2014] [:error] [pid 6875:tid 140072923059968] [client 149.255.82.154] ModSecurity: Warning. String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/etc/httpd/crs/activated_rules /modsecurity_crs_20_protocol_violations.conf"] [line "428"] [id "958291"] [rev "2"] [msg "Range: field exists and begins with 0."] [data "bytes=0-65535"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [hostname "example.com"] [uri "/app/files/broz_pd.pdf"] [unique_id "U7vr8X8AAAEAABrbRKQAAACB"]
我试图通过创build一个modsecurity_15_whitelist.conf添加PDF文件的白名单:
SecRule ".*\.pdf$" "phase:1,id:158963,t:none,nolog,noauditlog,pass"
(并重新启动Apache)没有成功。
谁能帮我摆脱这些误报?