我正在灯栈上运行一个Web门户。 我正在面对一个导出buttonfunction的问题,当我点击它redirect到Apachetesting页面的button。 当我在mod_security中注释#Include modsecurity.d / base_rules / *。conf时,它工作正常。
我增加了价值 – > SecDebugLogLevel 9,并看到有很多规则创build了几个日志。 有人可以解释我如何find阻止我的function的确切规则?
触发的规则将在标准的Apache错误日志中,您应该看到一个[id: XXXX]字段,它是被触发的规则ID(本例中为950001)以及定义该规则的configuration文件( /www/apache2/conf/modsecurity.d/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf在这个例子中):
[Mon May 09 09:15:06.253373 2016] [-:error] [pid 25094:tid 140713241073408] [client 123.123.123.123:52197] [client 123.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\\\b(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4| ..." at ARGS:utm_campaign. [file "/www/apache2/conf/modsecurity.d/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "125"] [id "950001"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: field( found within ARGS:utm_campaign:blah blah blaj"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "www.exmaple.com"] [uri "/"] [unique_id "VzBHCn8AAAEAAGIGrQcAAACE"]
在ModSecurity审计日志(提供它已被configuration)的更多细节,你可以得到请求的全部细节,在H部分,你会看到如上所述的行,其中还包括激发的[id:XXXX]
--bc9c8737-H-- Message: Access denied with code 403 (phase 2). Pattern match "(?i:\\b(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4| ..." at ARGS:utm_campaign. [file "/www/apache2/conf/modsecurity.d/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "125"] [id "950001"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: field( found within ARGS:utm_campaign: blah blah blah"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
很多细节将在ModSecuritydebugging日志(再次提供它已被configuration),但通过每个规则运行,很难看到真正的解雇! 说实话,除非你有一个特殊的问题来进行debugging,否则不应该使用debug进行运行,因为它会logging每个请求的大量数据。