  [Question]   Hỏi về cách install Mod_Security_CRS 10/06/2011 22:53:38 (+0700) | #1 | 240240
Michael_Scotfield
Member

Joined: 12/10/2009 02:23:16
Messages: 43
Location: Fox River Prison
Offline
Em đã cài đặt mod_security cho server. Quá trình setup và set rule để test thử mod_security không vấn đề gì, nhưng khi em add mod_security_crs vào, thì test thử với 1 vài kiểu tấn công, nhưng đều pass qua hết; trong audit log thì có ghi lại 1 list các rule đã khớp, nhưng hình như mặc định rule mọi thứ đều pass thì phải.
Không biết là do em install sai, hay CRS đòi hỏi phải nắm rõ rule để biết lúc nào deny, lúc nào pass? Ai có install CRS rồi giúp em cái này với.

Cụ thể em test với 1 con shell trên máy local bằng url
Code:
http://localhost/c99.php

Audit log ghi nhận
Code:
SecAction "phase:1,t:none,nolog,pass,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2"

SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"

SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"

SecAction "phase:1,t:none,nolog,pass,setvar:tx.paranoid_mode=0"

SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255"

SecAction "phase:1,t:none,nolog,pass,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS',setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml application/x-amf',setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'"

SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$" "phase:1,t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var}"

SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:1,log,chain,rev:2.1.2,t:none,block,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3"
#SecRule "REQUEST_HEADERS:Content-Length" "!@rx ^0?$" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,chain,rev:2.1.2,t:none,block,msg:'Request Missing an Accept Header',severity:2,id:960015,tag:PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10"
#SecRule "&REQUEST_HEADERS:Accept" "@eq 0" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,chain,rev:2.1.2,t:none,block,msg:'Request Has an Empty Accept Header',severity:2,id:960021,tag:PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"
#SecRule "REQUEST_HEADERS:Accept" "@rx ^$" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,log,chain,rev:2.1.2,t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"
#SecRule "REQUEST_HEADERS:Content-Length" "!@rx ^0$" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecRule "&TX:MAX_NUM_ARGS" "@eq 1" "phase:2,log,chain,t:none,block,msg:'Too many arguments in request',id:960335,severity:4,rev:2.1.2"
#SecRule "&ARGS" "@gt %{tx.max_num_args}" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_BASENAME" "@rx \\.(.*)$" "phase:2,log,chain,capture,setvar:tx.extension=.%{tx.1}/,t:none,t:urlDecodeUni,t:lowercase,block,msg:'URL file extension is restricted by policy',severity:2,id:960035,tag:POLICY/EXT_RESTRICTED,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,logdata:%{TX.0}"
#SecRule "TX:EXTENSION" "@within %{tx.restricted_extensions}" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name='/%{tx.0}/'"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name='/%{tx.0}/'"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name='/%{tx.0}/'"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name='/%{tx.0}/'"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name='/%{tx.0}/'"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name='/%{tx.0}/'"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name='/%{tx.0}/'"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name='/%{tx.0}/'"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name='/%{tx.0}/'"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name='/%{tx.0}/'"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',id:960038,tag:POLICY/HEADER_RESTRICTED,tag:POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name='/%{tx.0}/'"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "TX:PARANOID_MODE" "!@eq 1" "phase:2,t:none,nolog,skipAfter:END_SESSION_FIXATION"

SecRule "TX:PARANOID_MODE" "!@eq 1" "phase:2,t:none,nolog,skipAfter:END_FILE_INJECTION"

SecRule "TX:PARANOID_MODE" "!@eq 1" "phase:2,t:none,nolog,skipAfter:END_COMMAND_ACCESS"

SecRule "TX:PARANOID_MODE" "!@eq 1" "phase:2,t:none,nolog,skipAfter:END_COMMAND_INJECTION"

SecRule "TX:PARANOID_MODE" "!@eq 1" "phase:2,rev:2.1.2,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"

SecRule "TX:PARANOID_MODE" "!@eq 1" "phase:2,t:none,nolog,skipAfter:END_XSS_CHECK"

SecRule "RESPONSE_BODY" "!@pm iframe" "phase:4,rev:2.1.2,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skipAfter:END_IFRAME_CHECK"

SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data" "phase:4,rev:2.1.2,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUND_CHECK"
Breaking!!!!!