Modsecurity:过度误报
我刚刚在服务器上设置了,原则上它工作得很好,但是我得到了很多错误消息。
我正在使用OWASP ModSecurity核心规则集(CRS),本质上是“开箱即用”。
我运行的模式是“自成一体”(传统)模式,而不是协作(异常)模式:
SecDefaultAction "phase:1,deny,log"
SecDefaultAction "phase:2,deny,log"特别关注的是SQL注入集。双管道(双通道)、双尖括号(>>)和大量其他输入将触发规则并导致页面被阻塞。其中许多可以很容易地出现在合法的用户输入中。
是否有一种优雅的方式,可以有选择地允许不一定表示通过注入攻击的公共输入?我知道我现在已经用光了,但是对几乎每一个用例来说,阻塞双管和尖括号都太严格了吧?
回答 3
Stack Overflow用户
发布于 2015-11-30 22:54:25
首先要做的是切换到异常评分,而不是将默认操作设置为拒绝,这将真正减少假+ves的数量。
第二,切换到DetectionOnly模式并让它运行几天,您将了解要解决的问题。对于每一个假阳性考虑:
- 修改应用程序源
- 禁用该特定规则
- 如果您知道应用程序代码中存在保护,则禁用对该参数、URL和&c的modsec。
Ivan的ModSecurity现在有点进展了,但是它确实是最好的资源,可以为它后面的应用程序定制so,不幸的是它有一个糟糕的索引,所以我建议您可以搜索一个电子版本。遗憾的是,在modsec中有许多隐藏的窍门,你必须一个接一个地找到,要么查看源代码,要么浏览书中的一个小文本框,要么把调试级别提高到5,看看modsec到底在做什么。
Stack Overflow用户
发布于 2015-12-01 18:46:30
库利有一些优点,我也绝对推荐ModSecurity手册。在我看来,切换到异常模式确实需要一些习惯和额外的努力来监控,所以我个人更喜欢在阻塞模式下运行,并关闭噪音规则。
您确实需要在DetectionOnly模式下运行,并在CRS规则变得有用之前对它们进行调优,这确实需要时间。经过几个月的迭代,我才感到舒服,才把它切换到阻塞模式。
尤其是SQL注入规则非常容易过度警告。
下面是一些您可能希望关闭或修改的CRS v2公共规则--特别是在传统的警报模式中:
#Lots of browsers don't send accept header so disable rule 960015 which blocks that:
SecRuleRemoveById 960015
#ModSecurity does not handle gzip files and falsely alerts code leakage for such binary files so disable this rule
SecRuleRemoveById 970903
#Range header is set by some Android devices so ignore that rule
SecRuleRemoveById 958291
#We allow Google Tag Manager which uses small iframe so disable the rules that disallow small iframes:
SecRuleRemoveById 981000
SecRuleRemoveById 981001
#These produce many false positives as checking for things like lots of spaces and ' characters (valid in names and addresses). So disable.
SecRuleRemoveById 950109
SecRuleRemoveById 950901
SecRuleRemoveById 960024
SecRuleRemoveById 973338
SecRuleRemoveById 981172
SecRuleRemoveById 981173
SecRuleRemoveById 981231
SecRuleRemoveById 981242
SecRuleRemoveById 981243
SecRuleRemoveById 981245
SecRuleRemoveById 981246
SecRuleRemoveById 981248
SecRuleRemoveById 981257
SecRuleRemoveById 981260
SecRuleRemoveById 981318
SecRuleRemoveById 981319
SecRuleRemoveById 981320
#Allow Search argument (q) to include SQL words:
SecRuleUpdateTargetById 959071 !ARGS:'q'
SecRuleUpdateTargetById 959072 !ARGS:'q'
SecRuleUpdateTargetById 981247 !ARGS:'q'
#Passwords can (and arguable should!) contain special chars
SecRuleUpdateTargetById 950010 !ARGS:'/[pP](ass)?word/'
SecRuleUpdateTargetById 981240 !ARGS:'/[pP](ass)?word/'
#Email address can contain some SQL injection phrases
SecRuleUpdateTargetById 981241 !ARGS:'/[eE](-)?mail/'
#Remove checking of rules which checks for http calls in arguments will have URLs in them
SecRuleUpdateTargetById 950007 !ARGS:'utm_referrer'
SecRuleUpdateTargetById 950120 !ARGS:'utm_referrer'
SecRuleUpdateTargetById 973304 !ARGS:'utm_referrer'
SecRuleUpdateTargetById 981241 !ARGS:'utm_referrer'
SecRuleUpdateTargetById 981256 !ARGS:'utm_referrer'CRS v3经历了一个规则id重命名,一些规则被删除了,因此下面给出了上面的v3等价物:
#Lots of browsers don't send accept header so disable rule 920300 which blocks that:
SecRuleRemoveById 920300
#These produce many false positives as checking for things like lots of spaces and ' characters (valid in names and addresses). So disable.
SecRuleRemoveById 920230
SecRuleRemoveById 942130
SecRuleRemoveById 942460
SecRuleRemoveById 941140
SecRuleRemoveById 942420
SecRuleRemoveById 942430
SecRuleRemoveById 942440
SecRuleRemoveById 942330
SecRuleRemoveById 942370
SecRuleRemoveById 942260
SecRuleRemoveById 942340
SecRuleRemoveById 942210
SecRuleRemoveById 942200
SecRuleRemoveById 942450
SecRuleRemoveById 942110
SecRuleRemoveById 942120
SecRuleRemoveById 942140
#Allow Search argument (q) to include SQL words:
SecRuleUpdateTargetById 942390 !ARGS:'q'
SecRuleUpdateTargetById 942400 !ARGS:'q'
SecRuleUpdateTargetById 942360 !ARGS:'q'
#Passwords can (and arguable should!) contain special chars
SecRuleUpdateTargetById 942300 !ARGS:'/[pP](ass)?word/'
#Email address can contain some SQL injection phrases
SecRuleUpdateTargetById 942230 !ARGS:'/[eE](-)?mail/'
#Remove checking of rules which checks for http calls in arguments will have URLs in them
SecRuleUpdateTargetById 931130 !ARGS:'utm_referrer'
SecRuleUpdateTargetById 942230 !ARGS:'utm_referrer'
SecRuleUpdateTargetById 942250 !ARGS:'utm_referrer'当然,完全关闭这些规则(就像我在上面代码片段的前半部分中所做的那样)将降低ModSecurity的有效性,因此您需要决定这是否适合您的网站。
关闭特定参数的规则(就像我在上面代码片段的后半段中所做的那样)通常是首选的,但同样只有您可以决定这些参数是否不需要规则提供的保护。
Stack Overflow用户
发布于 2016-10-16 19:33:52
下面是我们所使用的wordpress配置(https://stackoverflow.com/a/34027786/1008215)。
SecRuleRemoveById 950109
SecRuleRemoveById 950120
SecRuleRemoveById 950901
SecRuleRemoveById 960008
SecRuleRemoveById 960015
SecRuleRemoveById 973338
SecRuleRemoveById 981242
SecRuleRemoveById 981243
SecRuleRemoveById 981245
SecRuleRemoveById 981246
SecRuleRemoveById 981248
SecRuleRemoveById 981257
SecRuleRemoveById 981319
SecRuleRemoveById 981320https://stackoverflow.com/questions/33989273
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号