自定义规则总结

时间 2019-11-30

标签自定义规则总结繁體版

原文原文链接

规则编号：

示例 01020003javascript

01 标示规则大类，取值范围定义：01-29为固化规则；30为自定义规则；40及以后为学习引擎的规则php

02标示规则子类，取值范围定义：01-99为子类范围html

0003标示规则在子类中的具体编号，取值范围定义：0001-9999为具体编号范围java

编号时，须要预留一些id，以备升级用。web

第一个页面：固化规则

树状显示固化规则，规则编号为01010001-29999999正则表达式

第二个页面：防盗链

防盗链

规则编号为：30010001-30019999shell

须要用户提供的参数：apache

SecHashParam的参数xxxxxx1，用来指定在URL中添加的字段名；浏览器

SecHashKey的参数xxxxxx2，用来当作密钥；安全

SecHashMethodRx或者SecHashMethodPm的参数xxxxxx3，用来匹配要加密的关键字

SecHashKey若是是SessionID的话须要提供SessionID在cookie中的具体名称xxxxx4，用来直接获取SessionID

# 条件

SecStreamOutBodyInspection On

SecContentInjection On

SecDisableBackendCompression On

# 若是用户选择的是sessionid加密，须要获取sessionid并校验是否获取成功，最好是有用户提供明确的sessionid名称xxxxx4

# 获取请求体头的sessionid

SecRule REQUEST_COOKIES:'/(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)/' ".*" "phase:1,id:30010002,t:none ,msg:'SessionID Submitted.',setsid:%{matched_var},setvar:tx.sessionid=%{matched_var}"

# 获取返回头中的sessionid

SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)" "phase:3,id:30010003,t:none ,capture,setsid:%{TX.6},setvar:tx.sessionid=%{TX.6}"

# 对指定字段进行指定方法的加密，xxxxxx1为新加字段名称

SecHashEngine On

SecHashParam "xxxxxx1"

# 如下三个SecHashKey只能选一种，xxxxxx2为必选加密密钥，选择RemoteIP和SessionID方式时，还要加上绘画中的RemoteIP和SessionID

SecHashKey "xxxxxx2" KeyOnly

#SecHashKey "xxxxxx2" RemoteIP

#SecHashKey "xxxxxx2" SessionID

# 这个地方应加了一个校验，在SessionID和RemoteIP选项下，须要检验这两个值是否为空

# SecRule &TX:SESSIONID "@eq 0" "phase:3,id:30010004,pass,t:none,msg:'TX.SESSIONID DOES NOT EXIST',skipAfter:END_SEC_HASH"

# SecRule TX:SESSIONID "^$" "phase:3,id:30010005,pass,t:none,msg:'SESSIONID IS NULL',skipAfter:END_SEC_HASH"

# SecRule &AGRS:REMOTE_ADDR "@eq 0" "phase:3,id:30010006,pass,t:none,msg:'REMOTE_ADDR DOES NOT EXIST',skipAfter:END_SEC_HASH"

# SecRule REMOTE_ADDR "^$" "phase:3,id:30010007,pass,t:none,msg:'REMOTE_ADDR IS NULL',skipAfter:END_SEC_HASH"

# 要加密的关键字等，xxxxxx3为关键字，SecHashMethodRx支持正则表达式，SecHashMethodPm支持明确字符串

# SecHashMethodRx TYPE "string1|string2|string3..."

# SecHashMethodPm TYPE "string1 string2 string3..."

TYPE可为如下几种：

# HashHref: Used to sign href= html elements

# HashFormAction: Used to sign form action= html elements

# HashIframeSrc: Used to sign iframe src= html elements

# HashframeSrc: Used to sign frame src= html elements

# HashLocation: Used to sign Location response header

# 对加密后的字段进行校验 xxxxxx3应该与加密关键字一致

# 默认动做 ,deny,status:505

SecRule REQUEST_URI "@validateHash xxxxxx3" "phase:2,id:30010001"

SecMarker END_SEC_HASH

#多个关键字的话为

#SecRule REQUEST_URI "@validateHash xxxxxx3| xxxxxx4" "phase:2,id:30010001"

第三个页面：隐藏表单参数

规则编号为：30020001-30029999

须要用户提供的参数：

须要加密的隐藏参数名称xxxxxx1

# apache须要加编译选项 --enable-lua --with-lua=/usr/local/

# modsecurity须要加编译选项 --with-lua=/usr/local/

# Hmac.lua须要放在相似/usr/local/share/lua/5.1/的地方

# Makefile 这个makefile是lua/src下修改过的，目的是编译出liblua.so，编译出后放在系统lib下

# 这一系列规则可能须要的参数：要防御的隐藏参数名，lua脚本中用到的加密关键字

# 测试的html以下，供参考

<title> Crypto test </title>

Price <input type="hidden" name="price" value="100">

</form>

# 规则配置以下

SecStreamOutBodyInspection On

SecContentInjection On

SecDisableBackendCompression On

SecRule RESPONSE_BODY "name=\" xxxxxx1\" value=\"([a-zA-Z0-9]+)" "phase:4,chain,id:30020001,pass,capture,exec:/usr/local/apache2/conf.d/CreateHMAC.lua"

SecRule STREAM_OUTPUT_BODY "@rsub s/name=\" xxxxxx1\" value=\"[a-zA-Z0-9]+\">/name=\" xxxxxx1\" value=\"%{TX.1}\"><input type=\"hidden\" name=\" xxxxxx1Hmac\" value=\"%{TX. xxxxxx1Hmac}\">|00|/d"

SecRule &ARGS: xxxxxx1 "@ge 1" "phase:2,id:30020002,t:none,chain,deny,log,msg:'Missing xxxxxx1Hmac parameter'"

SecRule &ARGS: xxxxxx1Hmac "!@ge 1"

SecRule &ARGS: xxxxxx1 "@ge 1" "phase:2,id:30020003,t:none,chain,nolog,exec:/usr/local/apache2/conf.d/VerifyHMAC.lua"

SecRule &ARGS: xxxxxx1Hmac "@ge 1"

SecRule &TX:block "@gt 0" "phase:2,id:30020004,log,msg:'Invalid HMAC submitted',deny"

P行,se:2,id:1001017,severity:2"

第四个页面：应用层dos防护

规则编号为：30030001-30039999

connection flood

# 这部分攻击基本能够用mod_evasive模块来解决

DOSHashTableSize 3097

DOSPageCount 5

DOSSiteCount 50

DOSPageInterval 1

DOSSiteInterval 1

DOSBlockingPeriod 360

</IfModule>

慢速链接防护

# mod_reqtimeout模块能够针对请求头和请求体进行超时时间限制

# http://httpd.apache.org/docs/trunk/mod/mod_reqtimeout.html

# 下面这条规则的解释是

# header发送完成初始设定时间是20秒，每发送500字节数据，加1秒，但总时间不超过40秒

# body发送完成初始设定时间是30秒，每法送1000字节数据，加1秒，不设定上限

RequestReadTimeout header=20-40,MinRate=500 body=30,MinRate=1000

# 这几条规则是防护range header的dos攻击，此种攻击的特征是Request-Range有大量0-1,1-2,2-3这种的分段

SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=\s*((\d+)?\-(\d+)?\,){5,}" "chain,id:30030003,phase:1,t:none,log,msg:'Truncating Large Range Header Field.',capture,pass"

SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=\s*((\d+)?\-(\d+)?\,){5}" "chain,capture"

SecRule TX:0 "^(.*),$" "capture,setenv:range_header=%{tx.1}"

RequestHeader unset Range env=range_header

RequestHeader set Range "%{range_header}e" env=range_header

参数校验

已知Hash校验

SecRule ARGS_NAMES "@pmFromFile hash_dos_param_names.data" "phase:2,t:none,id:30030001,msg:'Hash DoS PoC Attack Identified.'"

参数众多且值不少相同的状况下，认为是dos攻击

SecRule &ARGS "@ge 1000" "chain,phase:2,t:none,id:30030002,deny,msg:'Possible Hash DoS Attack Identified.'"

SecRule REQUEST_BODY "^\w*?=(.*?)&\w*?=(.*?)&\w*?=(.*?)&\w*?=(.*?)&" "chain,capture"

SecRule TX:1 "@streq %{tx.2}" "chain,setvar:tx.hash_dos_match=+1"

SecRule TX:2 "@streq %{tx.3}" "chain,setvar:tx.hash_dos_match=+1"

SecRule TX:3 "@streq %{tx.4}" "chain,setvar:tx.hash_dos_match=+1"

SecRule TX:HASH_DOS_MATCH "@eq 3"

限制每一个ip SERVER_BUSY_WRITE状态进程的数量

SecWriteStateLimit 50

限制每一个ip SERVER_BUSY_READ 状态进程的数量

SecReadStateLimit 50

第五个页面：敏感信息相关

规则编号为：30040001-30049999

响应码

SecRule RESPONSE_STATUS "^(501)$" "deny,msg:'The response status is not allowed!',phase:3,id:30040001,severity:2"

卡类信息、电话等：

手机号信息

SecRule RESPONSE_BODY "(1(([35][0-9])|(47)|[8][0126789]))\d{8}" "deny,msg:'There is a mobile phone number in the response body!',id:30040002,phase:4,severity:2"

身份证信息

SecRule RESPONSE_BODY "((11|12|13|14|15|21|22|23|31|32|33|34|35|36|37|41|42|43|44|45|46|50|51|52|53|54|61|62|63|64|65)[0-9]{4})(([1|2][0-9]{3}[0|1][0-9][0-3][0-9][0-9]{3}[Xx0-9])|([0-9]{2}[0|1][0-9][0-3][0-9][0-9]{3})) | ((11|12|13|14|15|21|22|23|31|32|33|34|35|36|37|41|42|43|44|45|46|50|51|52|53|54|61|62|63|64|65)[0-9]{4})(([0-9]{2}[0|1][0-9][0-3][0-9][0-9]{3}))" "phase:4,severity:2,id:30040003,msg:'There is a id card number in the response body!'"

#SecRule RESPONSE_BODY "((11|12|13|14|15|21|22|23|31|32|33|34|35|36|37|41|42|43|44|45|46|50|51|52|53|54|61|62|63|64|65)[0-9]{4})(([0-9]{2}[0|1][0-9][0-3][0-9][0-9]{3}))" "msg:'There is a id card number in the response body!',phase:4,severity:2,id:"

中国信用卡信息

SecRule RESPONSE_BODY "@verifyCC ^(\d{4}[- ]){3}\d{4}|\d{16}$" "phase:4,severity:2,t:none,t:removeWhitespace,msg:'There is a credit card number in the response body!',id:30040004"

如下是备选信用卡规则：

# 各类信用卡信息

# 中国信用卡

^(\d{4}[- ]){3}\d{4}|\d{16}$

#国外信用卡判断

SecRule ARGS "@verifyCC (?:^|[^\d])(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})(?:[^\d]|$)" \

"phase:2,id:'981078',t:none,skip:1"

# GSA SmartPay

SecRule ARGS "@verifyCC (?:^|[^\d])((?:5568|4(?:486|716))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|8699\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \

"phase:2,t:none,msg:'GSA SmartPay Credit Card Number detected in user input',id:'920019',severity:'5'"

# MasterCard

SecRule ARGS "@verifyCC (?:^|[^\d])(5[1-5]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \

"phase:2,t:none,msg:'MasterCard Credit Card Number detected in user input',id:'920005',severity:'5'"

# Visa

SecRule ARGS "@verifyCC (?:^|[^\d])(4\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d(?:\d{3})??)(?:[^\d]|$)" \

"phase:2,t:none,,msg:'Visa Credit Card Number detected in user input',id:'920007',severity:'5'"

# American Express

SecRule ARGS "@verifyCC (?:^|[^\d])(3[47]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \

"phase:2,t:none,msg:'American Express Credit Card Number detected in user input',id:'920009',severity:'5'"

# Diners Club

SecRule ARGS "@verifyCC (?:^|[^\d])((?:30[0-5]|3[68]\d)\d\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2})(?:[^\d]|$)" \

"phase:2,t:none,msg:'Diners Club Credit Card Number detected in user input',id:'920011',severity:'5'"

# enRoute

#SecRule ARGS "(?:^|[^\d])(2(?:014|149)\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2}|55\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \

# "phase:2,t:none,msg:'enRoute Credit Card Number detected in user input',id:'920013',severity:'5'"

# Discover

SecRule ARGS "@verifyCC (?:^|[^\d])(6(?:011|5\d{2})\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \

"phase:2,t:none,msg:'Discover Credit Card Number detected in user input',id:'920015',severity:'5'"

# JCB

SecRule ARGS "@verifyCC (?:^|[^\d])(3\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|(?:1800|21(?:31|00))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \

"phase:2,t:none,msg:'JCB Credit Card Number detected in user input',id:'920017',severity:'5'"

SecRule RESPONSE_BODY "\%[Bb][3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}\^[^\^]+\^[0-9]+\?" \

"phase:4,t:none,block,msg:'Possible Credit Card Track 1 Data Leakage.',severity:'1',id:'920021',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"

SecRule RESPONSE_BODY "\;[3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}[=Dd][0-9]+\?" \

"phase:4,t:none,block,msg:'Possible Credit Card Track 2 Data Leakage.',severity:'1',id:'920022',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"

SecRule RESPONSE_BODY "[^0-9][3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}[^0-9]" \

"phase:4,t:none,block,msg:'Possible Credit Card PAN Data Leakage.',severity:'1',id:'920023',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"

敏感字过滤

这个地方能够考虑敏感字作成文件的形式

SecStreamOutBodyInspection On

SecRule STREAM_OUTPUT_BODY "@rsub s/A /B" "phase:4,id:30040005,t:none,nolog,pass"

第六个页面：Cookie防御

规则编号为：30050001-30059999

容许的最大Cookie个数(1-256)

SecRule &REQUEST_COOKIES "@gt 20" "t:none,deny,msg:'There is too many cookies in the request!',phase:1,id:30050001,severity:2"

容许的Cookie名最大长度(1-256)

SecRule REQUEST_COOKIES_NAMES "@gt 256" "t:none,t:length,deny,msg:'The cookie name is too long!',phase:1,id:30050002,severity:2"

容许的Cookie值最大长度(1-1024)

SecRule REQUEST_COOKIES "@gt 1024" "t:none,t:length,deny,msg:'The cookie value is too long!',phase:1,id:30050003,severity:2"

# 此项研究暂时涉及两部分，一部分是给cookie加上HTTPOnly和secure属性，一部分是设计新命令，给cookie加密或者在cookie最后加上加密签名，可能还有部分命令要在开发过程当中造出来

# 这个地方可能须要用户提供cookie的特征

# 获取到响应头中cookie没有加HTTPOnly属性

SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "!(?i:\;? ?httponly;?)" "chain,phase:3,t:none,pass,nolog,id: 30050004"

SecRule MATCHED_VAR "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))" "t:none,setenv:http_cookie=%{matched_var}"

# 结合上条规则，给cookie加上HTTPOnly属性，HTTPOnly是防止cookie被javascript程序获取

Header set Set-Cookie "%{http_cookie}e; HTTPOnly" env=http_cookie

# 给cookie加secure属性，secure属性是设置cookie以安全的形式向服务器传输，也就是只能在 HTTPS 链接中被浏览器传递到服务器端进行会话验证，若是是 HTTP 链接则不会传递该信息，因此不会被窃取。

# 一下这两条规则是临时造出来的，须要在设计和开发阶段实现，TEXT为密钥，Encrypt为选择对cookie进行加密，Sign为选择对cookie加签名

SetCookieProMethod TEXT Encrypt | Sign

Cookie防御能够修改mod_usertrack 模块实现所需功能

第七个页面：访问防御

规则编号为：30060101-30069999

禁止请求的文件后缀名

SecRule REQUEST_BASENAME "(\.initest)$" "t:none,deny,msg:'The extension name of request file is not allowed!',phase:1,id:30060101,severity:2"

指定页面只能指定IP访问

须要用途提供指定IP xxxxxx1和URI xxxxxx2

SecRule REMOTE_ADDR "^( xxxxxx1)$" "phase:1,t:none,t:lowercase,chain,pass,id:30060102"

SecRule REQUEST_URI "( xxxxxx2)"

指定页面不容许指定IP访问

须要用户提供客户端IP xxxxxx1和URI xxxxxx2

SecRule REMOTE_ADDR "^( xxxxxx1)$" "phase:1,t:none,t:lowercase,chain,pass,id:30060103"

SecRule REQUEST_URI "( xxxxxx2)"

第八个页面：HTTP请求限制

规则编号为：30070001-30079999

容许的URL最大长度(1-4096)

SecRule REQUEST_URI "@gt 256" "t:none,t:length,deny,msg:'The URL of request is too long!',id:30070001,severity:2,phase:1"

容许的报头最大个数(1-256)

SecRule &REQUEST_HEADERS "@gt 20"deny,msg:'There is too many request headers!',phase:1,id:30070002,severity:2"

容许的报头名最大长度(1-256)

SecRule REQUEST_HEADERS_NAMES "@gt 32"t:none,t:length,deny,msg:'The request header name is too long!',phase:1,id:30070003,severity:2"

容许的报头值最大长度(1-4096)

SecRule REQUEST_HEADERS "@gt 512" "t:none,t:length,deny,msg:'The request header value is too long!',phase:1,id:30070004,severity:2"

容许的请求行最大长度(1-1024)

SecRule REQUEST_LINE "@gt 256" "t:none,t:length,deny,msg:'The request line is too long!',phase:1,id:30070005,severity:2"

容许的请求体长度最大值(1-65536)

SecRule REQUEST_BODY "@gt 4096" "t:length,deny,msg:'The request body is too large!',phase:2,id:30070006,severity:2"

容许的查询串最大长度(1-1024)

SecRule QUERY_STRING "@gt 256" "t:none,t:length,deny,msg:'The query string is too long!',phase:1,id:30070007,severity:2"

容许的参数名最大长度(1-256)

SecRule ARGS_NAMES "@gt 32" "t:none,t:length,deny,msg:'The argument name is too long!',phase:2,id:30070008,severity:2"

容许的参数值最大长度(1-1024)

SecRule ARGS "@gt 256" "t:none,t:length,deny,msg:'The argument value is too long!',phase:2,id:30070009,severity:2"

容许的参数值总长度最大值(1-65535

SecRule ARGS_COMBINED_SIZE "@gt 4096" "t:none,deny,msg:'The combined size of arguments is too large!',phase:2,id:30070010,severity:2"

容许的参数个数最大值(1-256)

SecRule &ARGS "@gt 20" "t:none, msg:' Total arguments size exceeded',phase:2,id:30070011,severity:2 "

容许的方法

SecRule REQUEST_METHOD "!^(post|head|get)$" "t:none,t:lowercase,deny,msg:'The method of request is not allowed!',phase:1,id:30070021,severity:2"

容许的协议版本

SecRule REQUEST_PROTOCOL "!^(http\/0\.9|http\/1\.0|http\/1\.1)$" "t:none,t:lowercase,deny,msg:'The protocol of request is not allowed!',phase:1,id:30070031,severity:2"

禁止的user-agent

SecRule REQUEST_HEADERS:user-agent "^(Agenttest)$" "t:none,deny,msg:'The value of user-agent is not allowed!',phase:1,id:30070041,severity:2"

容许的content-type

SecRule REQUEST_METHOD "!^(get|head|profind|options)$" "phase:1,chain,t:none,t:lowercase,deny,msg:'The content-type of request is not allowed!',id:30070051,severity:2"

SecRule REQUEST_HEADERS:content-type "^(.*)$" "chain"

SecRule REQUEST_HEADERS:content-type "!^(contenttest)$" "t:none,t:lowercase"

第九个页面：Xml相关防御

规则编号为：30080001-30089999

# xml内容的解析须要用程序来解决，参考程序为rexml.c，具体实现的时候能够再研究libxml库，看有没有更好的函数来直接用

最大树结构: 建议: 20 范围: 1 - 65535

最大名称长度:建议: 64范围: 1 - 65535

最大树结点: 建议: 10000范围: 1 - 65535

最大子节点: 建议: 100范围: 1 - 65535

最大节点属性:建议: 32范围: 1 - 65535

属性名称最大长度:建议: 64范围: 1 - 65535

属性值最大长度: 建议: 1024范围: 1 - 65535

最大CDATA长度：建议:1024范围: 1 - 65535

阻断DTD:DTD的描述元素和它们在一个XML文档嵌套结构。设置此参数是阻断同时包含内嵌或外部的DTD要求

# 利用.xsd文件对xml文件进行校验

# Parse the request bodies that contain XML

SecRule REQUEST_HEADERS:Content-Type ^text/xml$ "phase:1,id:30080001,nolog,pass,t:lowercase,ctl:requestBodyProcessor=XML"

# Validate XML payload against DTD

SecRule XML "@validateSchema /path/to/xml.xsd" "phase:2,id:191,deny,msg:'Failed DTD validation'"

# 利用.dtd文件对xml文件进行校验

# Parse the request bodies that contain XML

SecRule REQUEST_HEADERS:Content-Type ^text/xml$ "phase:1,id:30080002,nolog,pass,t:lowercase,ctl:requestBodyProcessor=XML"

# Validate XML payload against DTD

SecRule XML "@validateDTD /path/to/xml.dtd" "phase:2,id:181,deny,msg:'Failed DTD validation'"

mod_xml2en模块式操做xml等内容的，能够考虑在此模块中添加对xml文件的过滤

第十个页面：登录统计

规则编号为：30090001-30090099

须要用户提供用户名xxxxxx一、密码xxxxxx2和登录URI xxxxxx3，用于统计

SecMarker BEGIN_LOGIN_AUDIT

SecRule &ARGS: xxxxxx1"@eq 0" "skipAfter:END_LOGIN_AUDIT"

SecRule &ARGS: xxxxxx2"@eq 0" "skipAfter:END_LOGIN_AUDIT"

SecRule REQUEST_URI "^(xxxxxx3)$" "pass,msg:'Login with username:[%{ARGS. xxxxxx1}] and password:[%{ARGS. Xxxxxx2}]!',phase:2,id:30090001,severity:3"

SecMarker END_LOGIN_AUDIT

第八个页面：上传防御

规则编号为：30100001-30109999

容许的上传文件大小(1-10485760)

SecRule FILES_SIZES "@gt 1048576" "deny,msg:'The uploading file is too large!',phase:2,id:30100001,severity:2"

容许的上传文件总大小(1-10485760)

SecRule FILES_COMBINED_SIZE "@gt 1048576" "deny,msg:'The combined uploading file size is too large!',phase:2,id:30100002,severity:2"

容许的上传文件个数(1-10)

SecRule &FILES "@gt 3" "deny,msg:'There are too many uploading files!',phase:2,id:30100003,severity:2"

容许上传的文件类型

SecRule &FILES "@eq 0" "skipAfter:END_UPLOAD_CHECK"

SecRule FILES "!(\.jpgtest)$" "t:none,deny,msg:'The extension name of uploading file is not allowed!',phase:2,id:30100010,severity:2"

SecAction "t:none,pass,msg:'上传文件XXXXXXXXXXXXXX!',phase:2,id:30100011,severity:2"

SecMarker END_UPLOAD_CHECK

木马等扫描和病毒等扫描，用相似的规则，调用不一样脚本

格式检查

SecRule FILES_TMPNAMES "@inspectFile /webwall/engine/tool/filescan.sh" "msg:'The uploading file is dangerous!',phase:2,id:30100012,severity:1"

Webshell检查

SecRule FILES_TMPNAMES "@inspectFile /webwall/engine/tool/filescan.sh" "msg:'The uploading file is dangerous!',phase:2,id:30100013,severity:1"

病毒检查

SecRule FILES_TMPNAMES "@inspectFile /webwall/engine/tool/filescan.sh" "msg:'The uploading file is dangerous!',phase:2,id:30100014,severity:1"

第九个页面：防御白名单

规则编号为：30110001-30119999

不进行规则匹配的文件名

SecRule REQUEST_BASENAME "(\.jpg|\.gif|\.html)$" "allow,id:30110001,phase:1"

不进行规则匹配的URI

SecRule REQUEST_URI "(\/index\/test)" "allow,id:30110002,phase:1"

不进行规则匹配的IP

SecRule REMOTE_ADDR "(192\.168\.1\.1)" "allow,id:30110003,phase:1"