Summary of custom rules

Rule numbering:

Example: 01020003

01 marks the rule category. Value range: 01-29 are fixed (built-in) rules; 30 is custom rules; 40 and above are rules produced by the learning engine.

02 marks the rule subcategory. Value range: 01-99.

0003 marks the rule's specific number within its subcategory. Value range: 0001-9999.

When assigning numbers, reserve some ids for future upgrades.
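An added example, not part of the original document: a Python parser for the CCSSNNNN id layout just described, plus an allocator that leaves a reserved gap after the highest id in use (the gap size, the function names and the "kind" labels are assumptions).

```python
import re

# Two-digit category, two-digit subcategory, four-digit number: 01020003.
RULE_ID_RE = re.compile(r"^(\d{2})(\d{2})(\d{4})$")

def classify(category: int) -> str:
    """Map the category field onto the three kinds of rule the page defines."""
    if 1 <= category <= 29:
        return "fixed"
    if category == 30:
        return "custom"
    if category >= 40:
        return "learning"
    raise ValueError(f"category {category:02d} is outside every defined range")

def parse_rule_id(rule_id: str) -> dict:
    """Split an id such as 01020003 into its fields and check each field's range."""
    m = RULE_ID_RE.match(rule_id)
    if not m:
        raise ValueError(f"{rule_id!r} is not an 8-digit rule id")
    category, subcategory, number = (int(x) for x in m.groups())
    if not 1 <= subcategory <= 99:
        raise ValueError("subcategory must be 01-99")
    if not 1 <= number <= 9999:
        raise ValueError("number must be 0001-9999")
    return {"kind": classify(category), "category": category,
            "subcategory": subcategory, "number": number}

def next_custom_id(subcategory: int, used: set, reserve: int = 10) -> str:
    """Allocate the next custom-rule id (category 30) in a subcategory, skipping a
    reserved gap after the highest number already used, as the page recommends.
    The gap size is an assumption; the page does not fix it."""
    taken = set()
    for rule_id in used:
        fields = parse_rule_id(rule_id)
        if fields["category"] == 30 and fields["subcategory"] == subcategory:
            taken.add(fields["number"])
    number = (max(taken) + reserve + 1) if taken else 1
    if number > 9999:
        raise ValueError(f"subcategory {subcategory:02d} is exhausted")
    return f"30{subcategory:02d}{number:04d}"
```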

 

 

Page 1: Fixed rules

Display the fixed rules as a tree; their rule ids are 01010001-29999999.

 

 

Page 2: Anti-hotlinking

Anti-hotlinking

Rule ids: 30010001-30019999

Parameters the user must supply:

The SecHashParam parameter xxxxxx1: the name of the field appended to the URL;

The SecHashKey parameter xxxxxx2: used as the key;

The SecHashMethodRx or SecHashMethodPm parameter xxxxxx3: matches the keywords whose links are to be signed;

If SecHashKey is used in SessionID mode, the exact name of the SessionID cookie, xxxxx4, must also be supplied so the SessionID can be read directly.

 

# Preconditions

SecStreamOutBodyInspection On

SecContentInjection On

SecDisableBackendCompression On

 

# If the user chose SessionID signing, the sessionid must be obtained and the fetch verified; ideally the user supplies the exact sessionid name xxxxx4

# Get the sessionid from the request cookies

SecRule REQUEST_COOKIES:'/(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)/' ".*" "phase:1,id:30010002,t:none,msg:'SessionID Submitted.',setsid:%{matched_var},setvar:tx.sessionid=%{matched_var}"

# Get the sessionid from the response headers

SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)" "phase:3,id:30010003,t:none,capture,setsid:%{TX.6},setvar:tx.sessionid=%{TX.6}"

 

 

# Sign the specified fields with the specified method; xxxxxx1 is the name of the field that gets added

SecHashEngine On

SecHashParam "xxxxxx1"

 

# Only one of the following three SecHashKey forms may be used; xxxxxx2 is the mandatory key. In RemoteIP and SessionID modes the session's RemoteIP or SessionID is mixed into the key as well

SecHashKey "xxxxxx2" KeyOnly

#SecHashKey "xxxxxx2" RemoteIP

#SecHashKey "xxxxxx2" SessionID

 

 

# A check should be added here: in SessionID and RemoteIP modes, verify that these two values are not empty

# SecRule &TX:SESSIONID "@eq 0" "phase:3,id:30010004,pass,t:none,msg:'TX.SESSIONID DOES NOT EXIST',skipAfter:END_SEC_HASH"

# SecRule TX:SESSIONID "^$" "phase:3,id:30010005,pass,t:none,msg:'SESSIONID IS NULL',skipAfter:END_SEC_HASH"

# SecRule &REMOTE_ADDR "@eq 0" "phase:3,id:30010006,pass,t:none,msg:'REMOTE_ADDR DOES NOT EXIST',skipAfter:END_SEC_HASH"

# SecRule REMOTE_ADDR "^$" "phase:3,id:30010007,pass,t:none,msg:'REMOTE_ADDR IS NULL',skipAfter:END_SEC_HASH"

 

# Keywords whose links are signed; xxxxxx3 is the keyword. SecHashMethodRx takes a regular expression, SecHashMethodPm takes literal strings

# SecHashMethodRx TYPE "string1|string2|string3..."

# SecHashMethodPm TYPE "string1 string2 string3..."

TYPE can be one of the following:

# HashHref: Used to sign href= html elements

# HashFormAction: Used to sign form action= html elements

# HashIframeSrc: Used to sign iframe src= html elements

# HashFrameSrc: Used to sign frame src= html elements

# HashLocation: Used to sign Location response header

 

# Validate the signed field; xxxxxx3 should match the signing keyword

# Default action: deny,status:505

SecRule REQUEST_URI "@validateHash xxxxxx3" "phase:2,id:30010001"

SecMarker END_SEC_HASH

#For multiple keywords:

#SecRule REQUEST_URI "@validateHash xxxxxx3|xxxxxx4" "phase:2,id:30010001"

 

Page 3: Hidden form parameters

Rule ids: 30020001-30029999

Parameters the user must supply:

The name of the hidden parameter to sign, xxxxxx1

# apache must be built with --enable-lua --with-lua=/usr/local/

# modsecurity must be built with --with-lua=/usr/local/

# Hmac.lua must be placed somewhere like /usr/local/share/lua/5.1/

# Makefile: this is the modified makefile from lua/src; its purpose is to build liblua.so, which is then placed in the system lib directory

# Parameters this rule set may need: the hidden parameter name to protect, and the signing key used in the lua script

# The test html is below, for reference

<title> Crypto test </title>

<form action="test.html" method="POST">

        Price <input type="hidden"  name="price" value="100">

        <input type="submit">

</form>

 

 

# Rule configuration follows

SecStreamOutBodyInspection On

SecContentInjection On

SecDisableBackendCompression On

 

SecRule RESPONSE_BODY "name=\"xxxxxx1\" value=\"([a-zA-Z0-9]+)" "phase:4,chain,id:30020001,pass,capture,exec:/usr/local/apache2/conf.d/CreateHMAC.lua"

SecRule STREAM_OUTPUT_BODY "@rsub s/name=\"xxxxxx1\" value=\"[a-zA-Z0-9]+\">/name=\"xxxxxx1\" value=\"%{TX.1}\"><input type=\"hidden\" name=\"xxxxxx1Hmac\" value=\"%{TX.xxxxxx1Hmac}\">|00|/d"

SecRule &ARGS:xxxxxx1 "@ge 1" "phase:2,id:30020002,t:none,chain,deny,log,msg:'Missing xxxxxx1Hmac parameter'"

SecRule &ARGS:xxxxxx1Hmac "!@ge 1"

SecRule &ARGS:xxxxxx1 "@ge 1" "phase:2,id:30020003,t:none,chain,nolog,exec:/usr/local/apache2/conf.d/VerifyHMAC.lua"

SecRule &ARGS:xxxxxx1Hmac "@ge 1"

SecRule &TX:block "@gt 0" "phase:2,id:30020004,log,msg:'Invalid HMAC submitted',deny"
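This added example (not the page's Hmac.lua and not ModSecurity's hash engine) shows in Python the mechanism shared by page 2 (signed links) and page 3 (HMAC-protected hidden fields): the server appends a keyed MAC on the way out, and the next request is rejected unless the MAC recomputes. The key, the function names, and the use of HMAC-SHA256 are assumptions; the real hash engine's construction may differ.

```python
import hashlib
import hmac
import re

# Constructed demo key; in the rules it is SecHashKey's xxxxxx2 (page 2) or the key
# compiled into Hmac.lua (page 3). Assumed value, never reuse it outside a demo.
KEY = b"constructed-demo-key"

def mac(*parts: str) -> str:
    """Keyed MAC over the parts, NUL-joined so that 'ab'+'c' and 'a'+'bc' differ."""
    return hmac.new(KEY, "\x00".join(parts).encode(), hashlib.sha256).hexdigest()

# ---- Page 2: link signing, one call per SecHashKey mode ------------------------
def sign_url(url, mode="KeyOnly", remote_ip="", session_id="", param="xxxxxx1"):
    """Append param=<mac> to url (what SecHashEngine does to matched links). RemoteIP
    and SessionID modes bind the MAC to the client and fail closed when that value
    is empty, the check the page says rules 30010004-30010007 should add."""
    binding = {"KeyOnly": "", "RemoteIP": remote_ip, "SessionID": session_id}[mode]
    if mode != "KeyOnly" and not binding:
        raise ValueError(f"{mode} IS NULL")
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}{param}={mac(url, mode, binding)}"

def validate_url(signed, mode="KeyOnly", remote_ip="", session_id="", param="xxxxxx1"):
    """Counterpart of @validateHash: recompute the MAC and compare in constant time."""
    m = re.search(rf"[?&]{re.escape(param)}=([0-9a-f]{{64}})$", signed)
    if not m:
        return False
    try:
        expected = sign_url(signed[:m.start()], mode, remote_ip, session_id, param)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode(), signed.encode())

# ---- Page 3: HMAC-protected hidden form field ----------------------------------
FIELD = "price"   # the page's xxxxxx1, taken from its test html

def protect_html(html: str) -> str:
    """Response side (rule 30020001's chain plus CreateHMAC.lua): capture the hidden
    field's value and inject a sibling FIELDHmac field carrying its MAC."""
    pattern = rf'<input type="hidden"\s+name="{FIELD}" value="([a-zA-Z0-9]+)">'
    def add_mac(m):
        return m.group(0) + f'<input type="hidden" name="{FIELD}Hmac" value="{mac(FIELD, m.group(1))}">'
    return re.sub(pattern, add_mac, html)

def check_args(args: dict) -> str:
    """Request side (rules 30020002-30020004 plus VerifyHMAC.lua)."""
    if FIELD not in args:
        return "pass"                                   # nothing protected was submitted
    if f"{FIELD}Hmac" not in args:
        return f"deny: Missing {FIELD}Hmac parameter"   # rule 30020002
    if not hmac.compare_digest(args[f"{FIELD}Hmac"], mac(FIELD, args[FIELD])):
        return "deny: Invalid HMAC submitted"           # rule 30020004
    return "pass"
```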

 


 

Page 4: Application-layer DoS protection

Rule ids: 30030001-30039999

connection flood

# This class of attack can mostly be handled with the mod_evasive module

<IfModule mod_evasive20.c>

    DOSHashTableSize    3097

    DOSPageCount        5

    DOSSiteCount        50

    DOSPageInterval     1

    DOSSiteInterval     1

    DOSBlockingPeriod   360

</IfModule>

Related parameters

DOSHashTableSize 3097: size of the hash table.

DOSSiteCount 50: maximum number of concurrent connections allowed per client.

DOSPageCount 2: number of requests for the same page allowed per client within one page interval.

DOSPageInterval 1: interval of the per-page access counter.

DOSSiteInterval 1: interval of the site-wide access counter.

DOSBlockingPeriod 60: how long access is refused after a client is blacklisted.

DOSEmailNotify xxxx@gmail.com: notify the administrator when an IP is blacklisted.

DOSSystemCommand "sudo iptables -A INPUT -s %s -j DROP": system command run when an IP is blacklisted.

DOSLogDir "/tmp": temporary directory for the locking mechanism.

DOSWhiteList 127.0.0.1: whitelist; whitelisted IPs are never blocked.

 

Slow-connection protection

# The mod_reqtimeout module can impose timeouts on the request headers and the request body

# http://httpd.apache.org/docs/trunk/mod/mod_reqtimeout.html

# The directive below means:

# headers: the initial time allowed to finish sending them is 20 seconds; every 500 bytes received adds 1 second, but the total never exceeds 40 seconds

# body: the initial time allowed to finish sending it is 30 seconds; every 1000 bytes received adds 1 second, with no upper limit

RequestReadTimeout header=20-40,MinRate=500 body=30,MinRate=1000

 

# These rules defend against Range-header DoS; the signature of this attack is a Range/Request-Range header with a large number of tiny segments such as 0-1,1-2,2-3

SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=\s*((\d+)?\-(\d+)?\,){5,}" "chain,id:30030003,phase:1,t:none,log,msg:'Truncating Large Range Header Field.',capture,pass"

        SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=\s*((\d+)?\-(\d+)?\,){5}" "chain,capture"

                SecRule TX:0 "^(.*),$" "capture,setenv:range_header=%{tx.1}"

RequestHeader unset Range env=range_header

RequestHeader set Range "%{range_header}e" env=range_header

 

Parameter checks

Known hash-collision parameter names

SecRule ARGS_NAMES "@pmFromFile hash_dos_param_names.data" "phase:2,t:none,id:30030001,msg:'Hash DoS PoC Attack Identified.'"

 

When a request carries a very large number of parameters and many of their values are identical, treat it as a DoS attack

SecRule &ARGS "@ge 1000" "chain,phase:2,t:none,id:30030002,deny,msg:'Possible Hash DoS Attack Identified.'"

        SecRule REQUEST_BODY "^\w*?=(.*?)&\w*?=(.*?)&\w*?=(.*?)&\w*?=(.*?)&" "chain,capture"

                SecRule TX:1 "@streq %{tx.2}" "chain,setvar:tx.hash_dos_match=+1"

                        SecRule TX:2 "@streq %{tx.3}" "chain,setvar:tx.hash_dos_match=+1"

                                SecRule TX:3 "@streq %{tx.4}" "chain,setvar:tx.hash_dos_match=+1"

                                        SecRule TX:HASH_DOS_MATCH "@eq 3"
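As an added example (not part of the original rule set), the following Python reproduces the two heuristics above with the regexes taken from the page: the Range-header truncation of rule 30030003 and the repeated-value test of rule 30030002. The function names and the 1000-argument threshold passed as a parameter are assumptions; the request data in the comments and tests is constructed.

```python
import re
from urllib.parse import parse_qsl

# Regexes from rule 30030003: five or more comma-terminated byte ranges, and the first five.
MANY_RANGES = re.compile(r"^bytes=\s*((\d+)?\-(\d+)?\,){5,}")
FIRST_FIVE = re.compile(r"^bytes=\s*((\d+)?\-(\d+)?\,){5}")

def truncate_range(header: str):
    """Return (value_to_forward, truncated). Same effect as the chain plus the two
    RequestHeader directives: keep the first five segments and drop the trailing comma.
    A header with fewer than five comma-terminated segments is passed through untouched."""
    if not MANY_RANGES.match(header):
        return header, False
    return FIRST_FIVE.match(header).group(0).rstrip(","), True

# Regex from rule 30030002: the values of the first four body parameters.
FOUR_VALUES = re.compile(r"^\w*?=(.*?)&\w*?=(.*?)&\w*?=(.*?)&\w*?=(.*?)&")

def looks_like_hash_dos(body: str, min_args: int = 1000) -> bool:
    """True when &ARGS >= min_args and the first four values are pairwise equal,
    i.e. tx.hash_dos_match would reach 3 in the page's chain."""
    if len(parse_qsl(body, keep_blank_values=True)) < min_args:
        return False
    m = FOUR_VALUES.match(body)
    if not m:
        return False
    values = m.groups()
    return sum(a == b for a, b in zip(values, values[1:])) == 3

def inspect_request(headers: dict, body: str) -> dict:
    """Apply both checks to one request (constructed input) and report the outcome."""
    verdict = {"action": "pass", "headers": dict(headers)}
    for name in ("Range", "Request-Range"):
        if name in headers:
            new_value, cut = truncate_range(headers[name])
            if cut:
                verdict["headers"][name] = new_value
                verdict["action"] = "pass (Range header truncated)"
    if looks_like_hash_dos(body):
        verdict["action"] = "deny: Possible Hash DoS Attack Identified."
    return verdict
```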

Limit the number of processes in SERVER_BUSY_WRITE state per IP

SecWriteStateLimit 50

 

Limit the number of processes in SERVER_BUSY_READ state per IP

SecReadStateLimit 50

 

 

 

Page 5: Sensitive information

Rule ids: 30040001-30049999

Response codes

SecRule RESPONSE_STATUS "^(501)$" "deny,msg:'The response status is not allowed!',phase:3,id:30040001,severity:2"

 

Card numbers, phone numbers, etc.:

Mobile phone numbers

SecRule RESPONSE_BODY "(1(([35][0-9])|(47)|[8][0126789]))\d{8}" "deny,msg:'There is a mobile phone number in the response body!',id:30040002,phase:4,severity:2"

ID card numbers

SecRule RESPONSE_BODY "((11|12|13|14|15|21|22|23|31|32|33|34|35|36|37|41|42|43|44|45|46|50|51|52|53|54|61|62|63|64|65)[0-9]{4})(([12][0-9]{3}[01][0-9][0-3][0-9][0-9]{3}[Xx0-9])|([0-9]{2}[01][0-9][0-3][0-9][0-9]{3}))|((11|12|13|14|15|21|22|23|31|32|33|34|35|36|37|41|42|43|44|45|46|50|51|52|53|54|61|62|63|64|65)[0-9]{4})(([0-9]{2}[01][0-9][0-3][0-9][0-9]{3}))" "phase:4,severity:2,id:30040003,msg:'There is a id card number in the response body!'"

 

#SecRule RESPONSE_BODY "((11|12|13|14|15|21|22|23|31|32|33|34|35|36|37|41|42|43|44|45|46|50|51|52|53|54|61|62|63|64|65)[0-9]{4})(([0-9]{2}[0|1][0-9][0-3][0-9][0-9]{3}))" "msg:'There is a id card number in the response body!',phase:4,severity:2,id:"

 

 

Chinese credit card numbers

SecRule RESPONSE_BODY "@verifyCC ^(\d{4}[- ]){3}\d{4}|\d{16}$" "phase:4,severity:2,t:none,t:removeWhitespace,msg:'There is a credit card number in the response body!',id:30040004"

 

 

 

 

Alternative credit-card rules follow:

# Various credit-card patterns

# Chinese credit card

^(\d{4}[- ]){3}\d{4}|\d{16}$

#Foreign credit-card check

SecRule ARGS "@verifyCC (?:^|[^\d])(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})(?:[^\d]|$)" \

        "phase:2,id:'981078',t:none,skip:1"

# GSA SmartPay

SecRule ARGS "@verifyCC (?:^|[^\d])((?:5568|4(?:486|716))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|8699\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \

        "phase:2,t:none,msg:'GSA SmartPay Credit Card Number detected in user input',id:'920019',severity:'5'"

 

# MasterCard

SecRule ARGS "@verifyCC (?:^|[^\d])(5[1-5]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \

        "phase:2,t:none,msg:'MasterCard Credit Card Number detected in user input',id:'920005',severity:'5'"

 

# Visa

SecRule ARGS "@verifyCC (?:^|[^\d])(4\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d(?:\d{3})??)(?:[^\d]|$)" \

        "phase:2,t:none,msg:'Visa Credit Card Number detected in user input',id:'920007',severity:'5'"

 

# American Express

SecRule ARGS "@verifyCC (?:^|[^\d])(3[47]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \

        "phase:2,t:none,msg:'American Express Credit Card Number detected in user input',id:'920009',severity:'5'"

 

# Diners Club

SecRule ARGS "@verifyCC (?:^|[^\d])((?:30[0-5]|3[68]\d)\d\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2})(?:[^\d]|$)" \

        "phase:2,t:none,msg:'Diners Club Credit Card Number detected in user input',id:'920011',severity:'5'"

 

# enRoute

#SecRule ARGS "(?:^|[^\d])(2(?:014|149)\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2}|55\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \

#        "phase:2,t:none,msg:'enRoute Credit Card Number detected in user input',id:'920013',severity:'5'"

 

# Discover

SecRule ARGS "@verifyCC (?:^|[^\d])(6(?:011|5\d{2})\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \

        "phase:2,t:none,msg:'Discover Credit Card Number detected in user input',id:'920015',severity:'5'"

 

# JCB

SecRule ARGS "@verifyCC (?:^|[^\d])(3\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|(?:1800|21(?:31|00))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \

        "phase:2,t:none,msg:'JCB Credit Card Number detected in user input',id:'920017',severity:'5'"

 

SecRule RESPONSE_BODY "\%[Bb][3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}\^[^\^]+\^[0-9]+\?" \

         "phase:4,t:none,block,msg:'Possible Credit Card Track 1 Data Leakage.',severity:'1',id:'920021',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"

 

SecRule RESPONSE_BODY "\;[3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}[=Dd][0-9]+\?" \

        "phase:4,t:none,block,msg:'Possible Credit Card Track 2 Data Leakage.',severity:'1',id:'920022',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"

 

SecRule RESPONSE_BODY "[^0-9][3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}[^0-9]" \

        "phase:4,t:none,block,msg:'Possible Credit Card PAN Data Leakage.',severity:'1',id:'920023',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
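Added example (not the page's code): the regexes of rules 30040002 and 30040004 in Python, together with the Luhn checksum that @verifyCC applies to every match in these rules and in the alternative card rules above, so that an arbitrary run of 16 digits does not fire. Function names are assumptions and the sample bodies are constructed.

```python
import re

# Regexes taken from the page's rules: 30040002 (mobile numbers) and 30040004 (card numbers).
MOBILE_RE = re.compile(r"(1(([35][0-9])|(47)|[8][0126789]))\d{8}")
PAN_RE = re.compile(r"(\d{4}[- ]){3}\d{4}|\d{16}")

def luhn_ok(digits: str) -> bool:
    """The Luhn checksum @verifyCC applies to every regex match before it counts."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(body: str) -> list:
    """Rule 30040004: t:removeWhitespace, regex match, then the Luhn check."""
    text = re.sub(r"\s+", "", body)
    return [m.group(0) for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group(0)))]

def find_mobile_numbers(body: str) -> list:
    """Rule 30040002: a plain regex match; there is no checksum for phone numbers."""
    return [m.group(0) for m in MOBILE_RE.finditer(body)]

def scan_response(body: str) -> list:
    """Rule ids that would fire on this response body."""
    fired = []
    if find_mobile_numbers(body):
        fired.append(30040002)
    if find_card_numbers(body):
        fired.append(30040004)
    return fired
```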

 

Sensitive word filtering

Consider keeping the sensitive words in a file here

SecStreamOutBodyInspection On

SecRule STREAM_OUTPUT_BODY "@rsub s/A /B/" "phase:4,id:30040005,t:none,nolog,pass"

 

 

 

 

 

Page 6: Cookie defence

Rule ids: 30050001-30059999

 

 

 

Maximum number of cookies allowed (1-256)

SecRule &REQUEST_COOKIES "@gt 20" "t:none,deny,msg:'There are too many cookies in the request!',phase:1,id:30050001,severity:2"

Maximum cookie name length allowed (1-256)

SecRule REQUEST_COOKIES_NAMES "@gt 256" "t:none,t:length,deny,msg:'The cookie name is too long!',phase:1,id:30050002,severity:2"

Maximum cookie value length allowed (1-1024)

SecRule REQUEST_COOKIES "@gt 1024" "t:none,t:length,deny,msg:'The cookie value is too long!',phase:1,id:30050003,severity:2"

 

 

 

# This work currently covers two parts: adding the HTTPOnly and secure attributes to cookies, and designing new directives that encrypt the cookie or append a signature to it; some directives may still have to be created during development

# The user may need to supply the cookie's characteristics here

# Detect cookies in the response headers that lack the HTTPOnly attribute

SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "!(?i:\;? ?httponly;?)" "chain,phase:3,t:none,pass,nolog,id:30050004"

  SecRule MATCHED_VAR "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))" "t:none,setenv:http_cookie=%{matched_var}"

# Together with the rule above, add the HTTPOnly attribute to the cookie; HTTPOnly prevents the cookie from being read by javascript

Header set Set-Cookie "%{http_cookie}e; HTTPOnly" env=http_cookie

# Add the secure attribute: it makes the browser send the cookie only over a secure connection, i.e. only on an HTTPS connection is it passed to the server for session validation; on a plain HTTP connection it is not sent, so it cannot be stolen on the wire.

Header edit Set-Cookie "^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!secure).)+)$" "$1; secure" env=secure_site
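An added example (not the page's own code) that applies rule 30050004's session-cookie name regex and the two attribute rewrites above to each Set-Cookie header separately in Python, where the page's Header set/edit directives rewrite the whole header; the function names, the header list shape and the https flag standing in for env=secure_site are assumptions.

```python
import re

# Cookie names the page treats as session cookies (rule 30050004's MATCHED_VAR regex),
# searched, not anchored, exactly as the rule does.
SESSION_NAME_RE = re.compile(
    r"(?i:j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)")

def missing_flags(set_cookie: str, https: bool) -> list:
    """Detection side: which of HttpOnly / secure a session cookie still lacks."""
    name, _, _ = set_cookie.partition("=")
    if not SESSION_NAME_RE.search(name.strip()):
        return []                          # the page only guards session-like cookies
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if https and "secure" not in attrs:    # secure only makes sense on an HTTPS site
        missing.append("secure")
    return missing

def harden_set_cookie(set_cookie: str, https: bool) -> str:
    """Rewrite side: append every attribute missing_flags() reports, leaving the
    existing name=value and attributes untouched."""
    parts = [a.strip() for a in set_cookie.split(";") if a.strip()]
    return "; ".join(parts + missing_flags(set_cookie, https))

def harden_response_headers(headers: list, https: bool) -> list:
    """Apply the rewrite to every Set-Cookie / Set-Cookie2 header of a response,
    given as a constructed list of (name, value) pairs."""
    return [(n, harden_set_cookie(v, https)) if n.lower() in ("set-cookie", "set-cookie2")
            else (n, v) for n, v in headers]
```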

 

 

 

# The following rules are provisional and must be implemented during design and development; TEXT is the key, Encrypt selects encrypting the cookie, Sign selects signing the cookie

SetCookieProMethod TEXT Encrypt | Sign

 

 

Cookie defence could be implemented by modifying the mod_usertrack module

 

 

Page 7: Access control

Rule ids: 30060101-30069999

Forbidden request file extensions

SecRule REQUEST_BASENAME "(\.initest)$" "t:none,deny,msg:'The extension name of request file is not allowed!',phase:1,id:30060101,severity:2"

 

 

Specified pages accessible only from a specified IP

The user must supply the allowed IP xxxxxx1 and the URI xxxxxx2; any other client requesting that URI is denied

SecRule REMOTE_ADDR "!^(xxxxxx1)$" "phase:1,t:none,chain,deny,id:30060102"

         SecRule REQUEST_URI "(xxxxxx2)"

Specified pages not accessible from a specified IP

The user must supply the client IP xxxxxx1 and the URI xxxxxx2; that client is denied on that URI

SecRule REMOTE_ADDR "^(xxxxxx1)$" "phase:1,t:none,chain,deny,id:30060103"

         SecRule REQUEST_URI "(xxxxxx2)"

 

 

 

 

 

Page 8: HTTP request limits

Rule ids: 30070001-30079999

Maximum URL length allowed (1-4096)

SecRule REQUEST_URI "@gt 256" "t:none,t:length,deny,msg:'The URL of request is too long!',id:30070001,severity:2,phase:1"

 

 

Maximum number of request headers allowed (1-256)

SecRule &REQUEST_HEADERS "@gt 20" "t:none,deny,msg:'There are too many request headers!',phase:1,id:30070002,severity:2"

Maximum request header name length allowed (1-256)

SecRule REQUEST_HEADERS_NAMES "@gt 32" "t:none,t:length,deny,msg:'The request header name is too long!',phase:1,id:30070003,severity:2"

 

Maximum request header value length allowed (1-4096)

SecRule REQUEST_HEADERS "@gt 512" "t:none,t:length,deny,msg:'The request header value is too long!',phase:1,id:30070004,severity:2"

 

Maximum request line length allowed (1-1024)

SecRule REQUEST_LINE "@gt 256" "t:none,t:length,deny,msg:'The request line is too long!',phase:1,id:30070005,severity:2"

 

 

Maximum request body length allowed (1-65536)

SecRule REQUEST_BODY "@gt 4096" "t:length,deny,msg:'The request body is too large!',phase:2,id:30070006,severity:2"

 

 

 

Maximum query string length allowed (1-1024)

SecRule QUERY_STRING "@gt 256" "t:none,t:length,deny,msg:'The query string is too long!',phase:1,id:30070007,severity:2"

 

Maximum argument name length allowed (1-256)

SecRule ARGS_NAMES "@gt 32" "t:none,t:length,deny,msg:'The argument name is too long!',phase:2,id:30070008,severity:2"

 

Maximum argument value length allowed (1-1024)

SecRule ARGS "@gt 256" "t:none,t:length,deny,msg:'The argument value is too long!',phase:2,id:30070009,severity:2"

 

Maximum combined argument length allowed (1-65535)

SecRule ARGS_COMBINED_SIZE "@gt 4096" "t:none,deny,msg:'The combined size of arguments is too large!',phase:2,id:30070010,severity:2"

 

 

Maximum number of arguments allowed (1-256)

SecRule &ARGS "@gt 20" "t:none,deny,msg:'Total number of arguments exceeded',phase:2,id:30070011,severity:2"

 

 

 

Allowed methods

SecRule REQUEST_METHOD "!^(post|head|get)$" "t:none,t:lowercase,deny,msg:'The method of request is not allowed!',phase:1,id:30070021,severity:2"

 

Allowed protocol versions

SecRule REQUEST_PROTOCOL "!^(http\/0\.9|http\/1\.0|http\/1\.1)$" "t:none,t:lowercase,deny,msg:'The protocol of request is not allowed!',phase:1,id:30070031,severity:2"

 

Forbidden user-agents

SecRule REQUEST_HEADERS:user-agent "^(Agenttest)$" "t:none,deny,msg:'The value of user-agent is not allowed!',phase:1,id:30070041,severity:2"

 

Allowed content-types

SecRule REQUEST_METHOD "!^(get|head|propfind|options)$" "phase:1,chain,t:none,t:lowercase,deny,msg:'The content-type of request is not allowed!',id:30070051,severity:2"
         SecRule REQUEST_HEADERS:content-type "^(.*)$" "chain"
                   SecRule REQUEST_HEADERS:content-type "!^(contenttest)$" "t:none,t:lowercase"

 

 

Page 9: XML defences

Rule ids: 30080001-30089999

# xml content parsing has to be done in code; the reference program is rexml.c. During implementation the libxml library can be studied further to see whether it offers better functions to call directly

Maximum tree depth:              recommended: 20     range: 1 - 65535
Maximum name length:             recommended: 64     range: 1 - 65535
Maximum tree nodes:              recommended: 10000  range: 1 - 65535
Maximum child nodes:             recommended: 100    range: 1 - 65535
Maximum node attributes:         recommended: 32     range: 1 - 65535
Maximum attribute name length:   recommended: 64     range: 1 - 65535
Maximum attribute value length:  recommended: 1024   range: 1 - 65535
Maximum CDATA length:            recommended: 1024   range: 1 - 65535

Block DTDs: a DTD describes the elements of an XML document and their nesting structure. Setting this parameter blocks requests that contain either an inline or an external DTD
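Added example, not from the page and not from rexml.c: a streaming check written against Python's expat binding that enforces the limits above with the page's recommended values and blocks any DTD. The function name, the limit keys and the exception type are assumptions; the documents in the tests are constructed.

```python
from xml.parsers import expat

# The page's recommended values; each may be overridden within its 1-65535 range.
LIMITS = {"max_depth": 20, "max_name_len": 64, "max_nodes": 10000, "max_children": 100,
          "max_attrs": 32, "max_attr_name_len": 64, "max_attr_value_len": 1024,
          "max_cdata_len": 1024}

class XmlLimitError(ValueError):
    pass

def check_xml(data: bytes, block_dtd: bool = True, **overrides) -> int:
    """Stream the body through expat, failing on the first exceeded limit so the
    rest of an oversized document is never parsed; returns the element count."""
    lim = {**LIMITS, **overrides}
    st = {"depth": 0, "nodes": 0, "children": [], "text": 0}

    def fail(msg):
        raise XmlLimitError(msg)

    def start(name, attrs):
        st["nodes"] += 1
        st["depth"] += 1
        if st["nodes"] > lim["max_nodes"] or st["depth"] > lim["max_depth"]:
            fail("too many nodes or tree too deep")
        if len(name) > lim["max_name_len"]:
            fail("element name too long")
        if st["children"]:                  # count this element against its parent
            st["children"][-1] += 1
            if st["children"][-1] > lim["max_children"]:
                fail("too many child nodes")
        st["children"].append(0)
        if len(attrs) > lim["max_attrs"]:
            fail("too many attributes")
        for k, v in attrs.items():
            if len(k) > lim["max_attr_name_len"] or len(v) > lim["max_attr_value_len"]:
                fail("attribute name or value too long")
        st["text"] = 0

    def end(name):
        st["depth"] -= 1
        st["children"].pop()
        st["text"] = 0

    def chars(text):                        # called for text and for CDATA sections
        st["text"] += len(text)
        if st["text"] > lim["max_cdata_len"]:
            fail("text/CDATA too long")

    def doctype(name, sysid, pubid, has_internal_subset):
        if block_dtd:                       # inline and external DTDs alike
            fail("DTD not allowed")

    p = expat.ParserCreate()
    p.StartElementHandler, p.EndElementHandler = start, end
    p.CharacterDataHandler, p.StartDoctypeDeclHandler = chars, doctype
    try:
        p.Parse(data, True)
    except expat.ExpatError as e:
        raise XmlLimitError(f"malformed XML: {e}") from None
    return st["nodes"]
```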

 

 

# Validate the xml body against an .xsd file

# Parse the request bodies that contain XML

SecRule REQUEST_HEADERS:Content-Type ^text/xml$ "phase:1,id:30080001,nolog,pass,t:lowercase,ctl:requestBodyProcessor=XML"

# Validate XML payload against the XSD schema

SecRule XML "@validateSchema /path/to/xml.xsd" "phase:2,id:191,deny,msg:'Failed schema validation'"

# Validate the xml body against a .dtd file

# Parse the request bodies that contain XML

SecRule REQUEST_HEADERS:Content-Type ^text/xml$ "phase:1,id:30080002,nolog,pass,t:lowercase,ctl:requestBodyProcessor=XML"

# Validate XML payload against DTD

SecRule XML "@validateDTD /path/to/xml.dtd" "phase:2,id:181,deny,msg:'Failed DTD validation'"

 

The mod_xml2enc module operates on xml and similar content; consider adding the xml filtering to that module

 

 

Page 10: Login statistics

Rule ids: 30090001-30090099

The user must supply the username parameter xxxxxx1, the password parameter xxxxxx2 and the login URI xxxxxx3, used for the statistics

SecMarker BEGIN_LOGIN_AUDIT

SecRule &ARGS:xxxxxx1 "@eq 0" "phase:2,pass,nolog,skipAfter:END_LOGIN_AUDIT"

SecRule &ARGS:xxxxxx2 "@eq 0" "phase:2,pass,nolog,skipAfter:END_LOGIN_AUDIT"

SecRule REQUEST_URI "^(xxxxxx3)$" "pass,msg:'Login with username:[%{ARGS.xxxxxx1}] and password:[%{ARGS.xxxxxx2}]!',phase:2,id:30090001,severity:3"

# Note: the msg of rule 30090001 writes the submitted password into the log in clear text

SecMarker END_LOGIN_AUDIT

 

 

Page 11: Upload defence

Rule ids: 30100001-30109999

Maximum upload file size allowed (1-10485760)

SecRule FILES_SIZES "@gt 1048576" "deny,msg:'The uploading file is too large!',phase:2,id:30100001,severity:2"

Maximum combined upload size allowed (1-10485760)

SecRule FILES_COMBINED_SIZE "@gt 1048576" "deny,msg:'The combined uploading file size is too large!',phase:2,id:30100002,severity:2"

Maximum number of uploaded files allowed (1-10)

SecRule &FILES "@gt 3" "deny,msg:'There are too many uploading files!',phase:2,id:30100003,severity:2"

 

 

Allowed upload file types

SecRule &FILES "@eq 0" "phase:2,pass,nolog,skipAfter:END_UPLOAD_CHECK"

SecRule FILES "!(\.jpgtest)$" "t:none,deny,msg:'The extension name of uploading file is not allowed!',phase:2,id:30100010,severity:2"

SecAction "t:none,pass,msg:'Uploaded file XXXXXXXXXXXXXX!',phase:2,id:30100011,severity:2"

SecMarker END_UPLOAD_CHECK

 

Trojan scanning and virus scanning use similar rules, each calling a different script

Format check

SecRule FILES_TMPNAMES "@inspectFile /webwall/engine/tool/filescan.sh" "msg:'The uploading file is dangerous!',phase:2,id:30100012,severity:1"

Webshell check

SecRule FILES_TMPNAMES "@inspectFile /webwall/engine/tool/filescan.sh" "msg:'The uploading file is dangerous!',phase:2,id:30100013,severity:1"

Virus check

SecRule FILES_TMPNAMES "@inspectFile /webwall/engine/tool/filescan.sh" "msg:'The uploading file is dangerous!',phase:2,id:30100014,severity:1"

 

 

 

Page 12: Defence whitelist

Rule ids: 30110001-30119999

File names exempt from rule matching

SecRule REQUEST_BASENAME "(\.jpg|\.gif|\.html)$" "allow,id:30110001,phase:1"

URIs exempt from rule matching

SecRule REQUEST_URI "(\/index\/test)" "allow,id:30110002,phase:1"

IPs exempt from rule matching (anchored so that 192.168.1.10 does not match as well)

SecRule REMOTE_ADDR "^192\.168\.1\.1$" "allow,id:30110003,phase:1"
