This is the second time I have configured ModSecurity with the OWASP rule set. Previously I used version 2.2.5 of the rule set; now, on a different server, it is 2.2.9.
I am trying to configure anomaly detection, so I have disabled error.log logging for non-anomalies.
Everything seems to be working, but when the anomaly threshold is exceeded I get many log entries for a single anomaly. Previously this was just one log entry; multiple seems excessive.
I triggered a simple XSS attack and error.log shows the following:
[Fri Jul 01 09:25:09.234394 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Pattern match "(?i)(<script[^>]*>[\\\\s\\\\S]*?<\\\\/script[^>]*>|<script[^>]*>[\\\\s\\\\S]*?<\\\\/script[[\\\\s\\\\S]]*[\\\\s\\\\S]|<script[^>]*>[\\\\s\\\\S]*?<\\\\/script[\\\\s]*[\\\\s]|<script[^>]*>[\\\\s\\\\S]*?<\\\\/script|<script[^>]*>[\\\\s\\\\S]*?)" at ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "14"] [id "973336"] [rev "1"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script>alert('simple-xss-test')</script> found within ARGS:p: <script>alert('simple-xss-test')</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "1"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
[Fri Jul 01 09:25:09.235629 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Pattern match "(.*)" at TX:950109-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12): Last Matched Message: XSS Attack Detected"] [data "Last Matched Data: %3Cscript%3Ealert(%27simple-xss-test%27)%3C/script%3E"] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
[Fri Jul 01 09:25:09.235701 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Pattern match "(.*)" at TX:960024-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12): Last Matched Message: XSS Attack Detected"] [data "Last Matched Data: ')</"] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
[Fri Jul 01 09:25:09.235767 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Pattern match "(.*)" at TX:950901-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12): Last Matched Message: XSS Attack Detected"] [data "Last Matched Data: script>alert"] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
[Fri Jul 01 09:25:09.235834 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Pattern match "(.*)" at TX:981173-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12): Last Matched Message: XSS Attack Detected"] [data "Last Matched Data: <script>alert('"] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
[Fri Jul 01 09:25:09.235900 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Pattern match "(.*)" at TX:981243-Detects classic SQL injection probings 2/2-OWASP_CRS/WEB_ATTACK/SQLI-ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12): Last Matched Message: XSS Attack Detected"] [data "Last Matched Data: >alert('s"] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
[Fri Jul 01 09:25:09.236009 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Pattern match "(.*)" at TX:973336-OWASP_CRS/WEB_ATTACK/XSS-ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12): Last Matched Message: XSS Attack Detected"] [data "Last Matched Data: <script>alert('simple-xss-test')</script>"] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
[Fri Jul 01 09:25:09.236075 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Pattern match "(.*)" at TX:973307-OWASP_CRS/WEB_ATTACK/XSS-ARGS:p. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12): Last Matched Message: XSS Attack Detected"] [data "Last Matched Data: alert("] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
[Fri Jul 01 09:25:09.236367 2016] [:error] [pid 17771:tid 139978059269888] [client 81.102.141.69] ModSecurity: Warning. Operator GE matched 15 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 39, SQLi=14, XSS=12): XSS Attack Detected"] [hostname "domain.co.uk"] [uri "/robots.txt"] [unique_id "V3Yo5dRurOYAAEVrxjEAAADJ"]
What seems to be happening is that rule #981176 (which I understand does the blocking) logs every match of the attack instead of generating just one log entry for the anomaly. As you can see, every line contains the same unique_id.
I have compared the old 2.2.5 rule set with 2.2.9 and I can't see any difference that could cause this.
Ideally I want to receive one log entry when the anomaly threshold is exceeded, so that I can investigate in modsec_audit.log. As I understand it, that is how it should work.
Any ideas how to reduce it to the single log entry I used to get?
Thanks
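To check how widespread the behaviour described above is in a whole error.log, here is an added Python example (not from the question or from ModSecurity itself) that splits the entries, reads the bracketed fields and reports the transactions (by unique_id) in which rule 981176 logged more than once. The sample log text is constructed, modelled on the entries quoted above; the client addresses and unique_ids in it are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the error.log entries in the question: in CONSTRUCTED-TX-1
# rule 981176 logged twice (plus 973336 and 981204); in CONSTRUCTED-TX-2 it logged once.
SAMPLE_LOG = (
    '[Fri Jul 01 09:25:09.234394 2016] [:error] [client 203.0.113.5] ModSecurity: Warning. '
    'Pattern match "(?i)(<script[^>]*>)" at ARGS:p. [id "973336"] '
    '[msg "XSS Filter - Category 1: Script Tag Vector"] [unique_id "CONSTRUCTED-TX-1"] '
    '[Fri Jul 01 09:25:09.235629 2016] [:error] [client 203.0.113.5] ModSecurity: Warning. '
    'Pattern match "(.*)" at TX:950109-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-ARGS:p. [id "981176"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12)"] [unique_id "CONSTRUCTED-TX-1"] '
    '[Fri Jul 01 09:25:09.236009 2016] [:error] [client 203.0.113.5] ModSecurity: Warning. '
    'Pattern match "(.*)" at TX:973336-OWASP_CRS/WEB_ATTACK/XSS-ARGS:p. [id "981176"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 39, SQLi=14, XSS=12)"] [unique_id "CONSTRUCTED-TX-1"] '
    '[Fri Jul 01 09:25:09.236367 2016] [:error] [client 203.0.113.5] ModSecurity: Warning. '
    'Operator GE matched 15 at TX:inbound_anomaly_score. [id "981204"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 39, SQLi=14, XSS=12)"] [unique_id "CONSTRUCTED-TX-1"] '
    '[Fri Jul 01 09:31:40.100000 2016] [:error] [client 203.0.113.9] ModSecurity: Warning. '
    'Pattern match "(.*)" at TX:981243-OWASP_CRS/WEB_ATTACK/SQLI-ARGS:q. [id "981176"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 20, SQLi=20, XSS=0)"] [unique_id "CONSTRUCTED-TX-2"]'
)

# ModSecurity 2.x writes [key "value"] pairs; each entry starts with an Apache timestamp.
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
ENTRY_START_RE = re.compile(r'(?=\[[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:)')

def split_entries(text):
    """Split log text into entries, even when several were run together on one line."""
    return [e.strip() for e in ENTRY_START_RE.split(text) if e.strip()]

def parse_entry(entry):
    """Return the bracketed fields (id, msg, unique_id, ...) of one entry as a dict."""
    return dict(KV_RE.findall(entry))

def count_by_transaction(text):
    """Map unique_id -> Counter of rule ids that wrote an entry for that transaction."""
    per_tx = defaultdict(Counter)
    for entry in split_entries(text):
        fields = parse_entry(entry)
        if "unique_id" in fields and "id" in fields:
            per_tx[fields["unique_id"]][fields["id"]] += 1
    return per_tx

def duplicated_scoring_alerts(text, rule_id="981176"):
    """Transactions where the anomaly-scoring rule logged more than once (the symptom above)."""
    return {uid: c[rule_id] for uid, c in count_by_transaction(text).items() if c[rule_id] > 1}
```

Feed it the contents of a real error.log (one entry per line there, which the splitter also accepts) to see how many transactions are affected before and after changing the logging configuration.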
This should be set by changing the SecDefaultAction defined in the modsecurity_crs_10_setup.conf file. The default is below (apart from the change from deny to pass for anomaly scoring) and logs everything to both the error log and the audit log:
SecDefaultAction "phase:1,pass,log"
SecDefaultAction "phase:2,pass,log"
To log it only in the audit log, use the following:
SecDefaultAction "phase:1,pass,nolog,auditlog"
SecDefaultAction "phase:2,pass,nolog,auditlog"
What is that setting?
You may be confused about how to stop logging the main rules but not the summary rules (the ones that check the anomaly score). The key is that the ordinary rules (e.g. 960024) do not define logging and blocking themselves, so they depend on those defaults:
"phase:2,capture,t:none,t:urlDecodeUni,block,id:'960024'...etc.
whereas the rules that check the anomaly score (such as 981176) explicitly "log" and "deny", so they don't need the default to tell them to do that:
"chain,phase:2,id:'981176',t:none,deny,log
That is why changing the default means the core rules are not logged in the error log, but the summary anomaly rules are.
So that should fix you incorrectly receiving the first alert for rule 973336, since it shouldn't be logged.
However, I don't understand why you receive several alerts for rule 981176, one per rule alert. That seems wrong, as it should only log the last alert once.
But before 2.9.1, ModSecurity used its own error logging instead of the standard Apache logging. So after upgrading ModSecurity to 2.9.1 it may be worth trying again. See this bug for more details: https://github.com/SpiderLabs/ModSecurity/pull/840
Alternatively, if that doesn't work, try emailing [email protected] and asking there, as they probably understand better how anomaly scoring logging is supposed to work (I honestly haven't used it myself). See https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set for more details about this mailing list.