modsecurity将certiantypes的cookiesjoin白名单

我看到我们的服务器上生成的Cookie似乎来自网站中的第三方对象,并且在login或浏览网站时不显示自己。

cookies是随机的,但都以Wm开头。 所以其中一些可能是wm_cm_12345-12345-12345-12345,其中一些可能是wm-wtchd-22。 我想,也许我可以让他们不警惕,如果他们是W *。

如何将Wm开始的cookies添加到白名单中?

以及您可能想要包含的任何其他想法,以及如何将这些白名单列入白名单?

谢谢

一个示例cookie

TX:981243-Detects classic SQL injection probings 2/2-OWASP_CRS/WEB_ATTACK/SQLI-REQUEST_COOKIES:wm_rx_123456eabcdef7890_0edb4989-1523-ff12-ccab-beddddaaffccc. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 41, SQLi=9, XSS=): Last Matched Message: 981243-Detects classic SQL injection probings 2/2"] [data "Last Matched Data: \\x22:61"] [hostname "Somefoowebsite.com"] [uri "/images/nyancat.jpg"] 

我看到的另一个例子是:

 [30/Nov/2015:13:54:27 --0700] [bumblebeetune.com/sid#7fee134ee758][rid#7fee13b510d8][/nyancat.foo][2] Warning. Pattern match "(.*)" at TX:981243-Detects classic SQL injection probings 2/2-OWASP_CRS/WEB_ATTACK/SQLI-REQUEST_COOKIES:[30/Nov/2015:13:54:27 --0700] [bumblebeetuna.com/sid#7fee134ee758][rid#7fee13b510d8][/nyancat.foo][2] Warning. Pattern match "(.*)" at TX:981243-Detects classic SQL injection probings 2/2-OWASP_CRS/WEB_ATTACK/SQLI-REQUEST_COOKIES:wm_ct_877bb6e0e4744fd6a270f70f3e0c8a67_d464ab47-3cf0-fe3f-89d5-bd785f7bdcfa. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 18, SQLi=4, XSS=): Last Matched Message: 981243-Detects classic SQL injection probings 2/2"] [data "Last Matched Data: \x22:61"]. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 18, SQLi=4, XSS=): Last Matched Message: 981243-Detects classic SQL injection probings 2/2"] [data "Last Matched Data: \x22:61"] 

你可以做你想要的东西,你可以像这样添加configuration(详见这里 ):

 SecRuleUpdateTargetById 981243 !REQUEST_COOKIES:'/^wm.*/' 

实际上,对于一些常规的Cookie,内置了这个规则,正如您在查看原始规则的规则定义时所看到的,该规则错误地标记为误报(Google Analytics使用的__utm和类似分析软件使用的_pk_ref)标记:

SecRule REQUEST_COOKIES |!REQUEST_COOKIES:/ __ utm / |!REQUEST_COOKIES:/ _ pk_ref / | REQUEST_COOKIES_NAMES | ARGS_NAMES | ARGS | XML:/ *“(?i:(?:[\' ´'']\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"' ''''] \ d)|(?:\ ^ [\' ´''])|(?:^[\w\s\"' ''' – ] +(?<=和\ s)(?<=或| xor | div | like | between | and \ s)(?<= xor \ s )(?<= nand \ s)(?<=不\ s)(?<= \ | \ |)(?<= \&\&)\ w +()|(?:[\' ´''][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"' '''\ d])|(?:[\' ´'']\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"' ''''])|(?:[\“' ´'']\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"' '''']。 *(s :d)|( s :[\' ´'']\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[()\*<>%+-][\w-]+[^\w\s]+[\"' ''''] [^,])) “”phase:2,capture,t:none,t:urlDecodeUni,block,msg:'检测经典SQL注入testing2/2',id:'981243',标记:'OWASP_CRS / WEB_ATTACK / SQL_INJECTION',logdata:'匹配的数据:%{MATCHED_VAR_NAME}:%{MATCHED_VAR}',严重性:2,%set { SETVAR:tx.sql_injection_score = + 1,SETVAR:tx.anomaly_score = +%{tx.critical_anomaly_score},SETVAR : 'TX%{tx.msg} -OWASP_CRS / WEB_ATTACK / SQLI – %{matched_var_name} =%{tx.0}'”

现在,如果你能指出我们的正则expression式,那么你就是比我更好的人,但是你可以在开头看到它应用于哪个cookie的configuration。

请注意,最好添加上面的configuration来dynamic修改规则,而不是编辑规则本身,因为升级规则将覆盖任何编辑,而覆盖可以保留(假设它们在升级后仍然存在的独立覆盖文件中)。