Removing a target from a CRS rule based on multiple criteria

Posted 2025-01-17 15:16:00


I have a WordPress site. The WP site is running behind a reverse proxy (Apache 2.4.37) with ModSecurity 2.9.7, and the OWASP Core Ruleset 3.1.0.

The WP site has a home-built theme that requires periodical edits (updating the token in a shortcode) to keep working (... yes, I know! But it wasn't me that did that ...). Naturally enough, that editing trips up ModSecurity.

I do have the rule exclusions that allow that editing -- but I want to restrict it to an IP-range, and also to the relevant REQUEST_URI and REQUEST_HEADERS:Referer.

First try:

SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" "phase:1,chain,nolog,pass,id:20010,ctl:ruleRemoveTargetById=933100;ARGS:newcontent"
 SecRule REQUEST_HEADERS:Referer "@rx (?i)^https://example\.com/wp-admin/theme-editor\.php.*" "chain"
 SecRule REMOTE_ADDR "@ipMatch 1.2.3.0/23,1.2.5.128/25"

This indeed opens the WAF/removes the target, but does not restrict to the IP-range -- nor to Referer, probably. Investigating, I found an old comment pointing out that non-disruptive actions are executed as soon as the rule matches. ctl is a non-disruptive action ...

Second try -- move the ctl action to the last rule in the chain:

SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" "phase:1,chain,nolog,pass,id:20010"
 SecRule REQUEST_HEADERS:Referer "@rx (?i)^https://example\.com/wp-admin/theme-editor\.php.*" "chain"
 SecRule REMOTE_ADDR "@ipMatch 1.2.3.0/23,1.2.5.128/25" "ctl:ruleRemoveTargetById=933100;ARGS:newcontent"

This does not remove the target, in either case (external or internal).

Is there a way to make the chain approach work, with the ctl action? Or is there an alternative approach?


Comments (1)

≈。彩虹 2025-01-24 15:16:00


ModSecurity Core Rule Set Developer on Duty here. I've just tested your rule exclusion chain and it works for me. If I had to guess why it's not working for you, I'd start looking at that regular expression.

Replace the regular expression with @unconditionalMatch and see if it starts working for you. E.g.:

SecRule REQUEST_HEADERS:Referer "@unconditionalMatch" "chain"

If that doesn't work then try replacing the @ipMatch operator in the same way. You'll quickly discover which rule is causing your trouble.

Also, CRS version 3.1.0 is unsupported and considered to be insecure. At the very least, you should consider updating to the latest minor release of the 3.1.x line, which is v3.1.2.
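The two behaviours discussed in this thread (a ctl action on the chain starter firing as soon as that first rule matches, and the answer's advice to swap operators for @unconditionalMatch until the failing rule is found) can be modelled outside the WAF. The Python below is an added example written for this page; it is not code from the thread, from ModSecurity or from the CRS project. It re-implements only the three operators the question's chain uses, feeds them constructed request values (the IP 203.0.113.5 and the query strings are made up for the demonstration) and evaluates both attempts with ModSecurity 2.x's documented chain semantics: evaluation stops at the first non-matching rule, but each rule's non-disruptive actions run when that rule matches, not when the whole chain does. It is a model for reasoning about the rule, not a substitute for checking the debug log of the real engine.

```python
import ipaddress
import re

# Constructed sample requests: the subset of a phase-1 transaction that the
# question's chain inspects. Values are hypothetical.
REQUESTS = {
    "editor_in_range": {
        "REQUEST_URI": "/wp-admin/admin-ajax.php",
        "REQUEST_HEADERS:Referer": "https://example.com/wp-admin/theme-editor.php?file=functions.php",
        "REMOTE_ADDR": "1.2.3.77",
    },
    "editor_wrong_ip": {
        "REQUEST_URI": "/wp-admin/admin-ajax.php",
        "REQUEST_HEADERS:Referer": "https://example.com/wp-admin/theme-editor.php?file=functions.php",
        "REMOTE_ADDR": "203.0.113.5",
    },
    "editor_plain_http_referer": {
        "REQUEST_URI": "/wp-admin/admin-ajax.php",
        "REQUEST_HEADERS:Referer": "http://example.com/wp-admin/theme-editor.php",
        "REMOTE_ADDR": "1.2.5.200",
    },
}

# Minimal re-implementations of the operators used in the chain.
def op_begins_with(value, arg):
    return value.startswith(arg)

def op_rx(value, arg):
    # @rx is an unanchored regex search; Python's re honours the inline
    # (?i) flag that the question's pattern starts with.
    return re.search(arg, value) is not None

def op_ip_match(value, arg):
    # strict=False masks host bits, so "1.2.3.0/23" is read as 1.2.2.0/23.
    addr = ipaddress.ip_address(value)
    return any(addr in ipaddress.ip_network(net.strip(), strict=False)
               for net in arg.split(","))

def op_unconditional_match(value, arg):
    return True

OPERATORS = {
    "@beginsWith": op_begins_with,
    "@rx": op_rx,
    "@ipMatch": op_ip_match,
    "@unconditionalMatch": op_unconditional_match,
}

CTL = "ruleRemoveTargetById=933100;ARGS:newcontent"
REFERER_RX = r"(?i)^https://example\.com/wp-admin/theme-editor\.php.*"
IP_RANGES = "1.2.3.0/23,1.2.5.128/25"

# A chain is a list of (variable, operator, argument, non-disruptive actions).
FIRST_TRY = [   # ctl on the chain starter, as in the question's first attempt
    ("REQUEST_URI", "@beginsWith", "/wp-admin/admin-ajax.php", [CTL]),
    ("REQUEST_HEADERS:Referer", "@rx", REFERER_RX, []),
    ("REMOTE_ADDR", "@ipMatch", IP_RANGES, []),
]
SECOND_TRY = [  # ctl on the last rule, as in the second attempt
    ("REQUEST_URI", "@beginsWith", "/wp-admin/admin-ajax.php", []),
    ("REQUEST_HEADERS:Referer", "@rx", REFERER_RX, []),
    ("REMOTE_ADDR", "@ipMatch", IP_RANGES, [CTL]),
]

def evaluate_chain(chain, request):
    """Walk the chain the way ModSecurity 2.x does: stop at the first rule
    that does not match, but run a rule's non-disruptive actions (ctl,
    setvar) as soon as that rule matches, not when the whole chain matches.
    Returns (chain_matched, list of ctl actions that fired)."""
    fired = []
    for variable, operator, argument, actions in chain:
        if not OPERATORS[operator](request.get(variable, ""), argument):
            return False, fired
        fired.extend(actions)
    return True, fired

def first_failing_rule(chain, request):
    """0-based index of the first rule that does not match, or None when all
    match. This is the answer's swap-in-@unconditionalMatch procedure done
    in a single pass."""
    for index, (variable, operator, argument, _) in enumerate(chain):
        if not OPERATORS[operator](request.get(variable, ""), argument):
            return index
    return None

if __name__ == "__main__":
    for name, request in REQUESTS.items():
        for label, chain in (("first try", FIRST_TRY), ("second try", SECOND_TRY)):
            matched, fired = evaluate_chain(chain, request)
            print(f"{name:26s} {label}: chain matched={matched}, ctl fired={bool(fired)}")
        print(f"{name:26s} first failing rule: {first_failing_rule(SECOND_TRY, request)}")
```

Running it shows the asymmetry the question observed: with ctl on the starter, the target is removed for the out-of-range client because REQUEST_URI alone matched; with ctl on the last rule, it is removed only when all three conditions hold. The first_failing_rule output for the plain-http Referer request points at rule 1, which is where the answer suggests looking first.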
