ModSecurity Rule Study (4): Writing Rule Directives

The rule language is implemented using 9 directives.

Syntax: SecRule VARIABLES OPERATOR [TRANSFORMATION_FUNCTIONS, ACTIONS]

Variables come in the following kinds:

Regular variables
Contain only one piece of information, or one string. For example, REMOTE_ADDR, always
contains the IP address of the client.
Collections
Groups of regular variables. Some collections (e.g., ARGS) allow enumeration, making
it possible to use its every member in a rule. Some other collections (e.g., ENV)
are not as flexible, but there is always going to be some way to extract individual regular
variables out of them.
Read-only collections
Many of the collections point to some data that cannot be modified, in which case
the collection itself will be available only for reading.
Read/write collections
When a collection is not based on immutable data, ModSecurity will allow you to
modify it. A good example of a read/write collection is TX, which is a collection that
starts empty and exists only as long as the currently processed transaction exists.
Special collections
Sometimes a collection is just a handy mechanism to retrieve information from
something that is not organised as a collection but it can seem that way. This is the
case with the XML collection, which takes an XPath expression as a (mandatory) parameter
and allows you to extract values out of an XML file.
Persistent collections
Some collections can be stored and retrieved later. This feature allows you to adopt a
wider view of your systems, for example tracking access per IP address or per session,
or per user account.

1. A simple rule

Create myruls.conf in the rule/ directory.

Add the rule:

SecRule ARGS "(testwwd)+" \
        "msg:'wwd22 test',\
        id:300102,\
        phase:request,\
        deny,\
        status:503"

Reload nginx.

Test: http://nginxip:nginxport/?test=testwwd

The request is blocked with a 503.
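
The variable kinds listed above, applied to the same test pattern, as an added example that is not part of the original post. Rule ids 300110-300113, the variable names marker_seen and marker_hits, and the threshold of 5 are constructed for illustration.

```modsecurity
# Persistent collection: load (or create) the record kept for this client IP.
# REMOTE_ADDR is a regular variable, so it expands to a single string.
SecAction \
        "id:300110,\
        phase:1,\
        pass,\
        nolog,\
        initcol:ip=%{REMOTE_ADDR}"

# Collection member: ARGS:test inspects only the "test" parameter instead of
# every member of ARGS. Transformation functions (t:...) normalise the value
# before the operator runs. phase:2 is the phase the rule above names
# phase:request.
SecRule ARGS:test "@rx (testwwd)+" \
        "id:300111,\
        phase:2,\
        pass,\
        log,\
        msg:'test marker seen',\
        t:none,t:urlDecodeUni,t:lowercase,\
        setvar:tx.marker_seen=1,\
        setvar:ip.marker_hits=+1"

# Read/write collection: TX starts empty and is discarded when the
# transaction ends, so this flag is visible only to later rules of the
# same request.
SecRule TX:marker_seen "@eq 1" \
        "id:300112,\
        phase:2,\
        pass,\
        log,\
        msg:'TX flag set by rule 300111'"

# Persistent collection: the counter is kept across requests from the same
# address. It is never reset in this example, so once the threshold is
# passed every later request from that address is denied.
SecRule IP:marker_hits "@gt 5" \
        "id:300113,\
        phase:2,\
        deny,\
        status:503,\
        log,\
        msg:'marker sent more than 5 times by %{REMOTE_ADDR}'"
```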

2. Targeting Struts vulnerabilities

3. Lua scripts

4. Whitelists and blacklists

6. Custom scoring
