[英]OWASP corerulet warning "invalid http request line" triggered by CONNECT method
Summary:概括:
I have setup a basic WAF with mod-security and the OWASP coreruleset 3.3.2.我已经设置了一个带有 mod-security 和OWASP coreruleset 3.3.2 的基本 WAF。 When using the WAF I see lots of warnings in modsec_audit.log regarding the CONNECT method, which trigger crs rule 920100:
使用 WAF 时,我在 modsec_audit.log 中看到很多关于 CONNECT 方法的警告,这些警告触发了 crs 规则 920100:
Message: Warning.
消息:警告。 Match of "rx ^(?i:(?:[az]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./] (?::\\d+)?)?/[^?#] (?:\\?[^#\\s] )?(?:#[\\S] )?|connect (?:\\d{1,3}\\.){3}\\d{1,3}\\.?(?::\\d+)?|options \\ )\\s+[\\w\\./]+|get /[^?#] (?:\\?[^#\\s] )?(?:#[\\S] )?)$" against "REQUEST_LINE" required.
"rx ^(?i:(?:[az]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./] (?::\\ d+)?)?/[^?#] (?:\\?[^#\\s] )?(?:#[\\S] )?|connect (?:\\d{1,3}\\.){ 3}\\d{1,3}\\.?(?::\\d+)?|options \\ )\\s+[\\w\\./]+|get /[^?#] (?:\\?[^# \\s] )?(?:#[\\S] )?)$" 反对 "REQUEST_LINE" 需要。 [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "63"] [id "920100"] [msg "Invalid HTTP Request Line"] [data "CONNECT oneofmy.longer.hostname.here.abcde.com:443 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"]
[文件“/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf”] [行“63”] [id“920100”] [msg“无效的HTTP请求行"] [数据 "CONNECT oneofmy.longer.hostname.here.abcde.com:443 HTTP/1.1"] [严重性 "警告"] [ver "OWASP_CRS/3.3.2"] [标签 "application-multi"] [标签"language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"]
Details regarding setup: I set up the WAF with mod_security 2.9.2 and httpd.有关设置的详细信息:我使用 mod_security 2.9.2 和 httpd 设置了 WAF。 I used the
crs-setup.conf.example
provided by crs and only modified these two settings regarding threshhold and allowing the CONNECT http method.我使用了
crs-setup.conf.example
提供的crs-setup.conf.example
并且只修改了关于阈值和允许 CONNECT http 方法的这两个设置。 (CONNECT method is used in our setup for proxy purposes). (CONNECT 方法在我们的设置中用于代理目的)。
SecAction \
"id:900110,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.inbound_anomaly_score_threshold=5,\
setvar:tx.outbound_anomaly_score_threshold=4"
SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS CONNECT'"
What I have tried so far:到目前为止我尝试过的:
CONNECT oneofmy.longer.hostname.here.abcde.com:443 HTTP/1.1
CONNECT oneofmy.longer.hostname.here.abcde.com:443 HTTP/1.1
Looking at the part of the regular expression for rule 920100 that deals with the CONNECT
method:查看处理
CONNECT
方法的规则 920100 的正则表达式部分:
connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?
we can see that it's looking for an IPv4 address.我们可以看到它正在寻找一个 IPv4 地址。 For example, it would match on (and hence not raise an alert for) a request line like the following:
例如,它将匹配(因此不会发出警报)请求行,如下所示:
CONNECT 1.2.3.4:80 HTTP/1.1
As you say, the RFC seems to allow for domain names to be used with the CONNECT
method, however, rule 920100 is not currently written to allow for this.正如您所说,RFC 似乎允许将域名与
CONNECT
方法一起使用,但是,当前未编写规则 920100 来允许此操作。 This seems to be the cause of your issue.这似乎是您的问题的原因。
With further investigation and testing, the rule can probably be expanded in a future CRS release to allow for domain names in CONNECT
requests.通过进一步的调查和测试,该规则可能会在未来的 CRS 版本中扩展,以允许在
CONNECT
请求中使用域名。
To address this issue right now, you can add a rule exclusion to your Apache configuration.要立即解决此问题,您可以在 Apache 配置中添加规则排除项。 There are two ways you can do this:
有两种方法可以做到这一点:
#
# -- CRS Rule Exclusion: 920100 - Invalid HTTP Request Line
#
# Turn off rule due to issues with CONNECT requests
#
SecRuleRemoveById 920100
As a configure time rule exclusion, this should be placed after the inclusion of the Core Rule Set in your Apache configuration (because the rule that's being removed must be added/included in the first place before it can then be removed!).作为配置的时间规则的排斥,这应该被放置在你的Apache配置列入核心规则集之后(因为必须加入多数民众赞成被删除的规则/包括在首位然后才能删除!)。
#
# -- CRS Rule Exclusion: 920100 - Invalid HTTP Request Line
#
# Turn off rule for CONNECT requests, which cause issues
#
SecRule REQUEST_METHOD "@streq CONNECT" \
"id:1000,\
phase:1,\
pass,\
nolog,\
ctl:ruleRemoveById=920100"
As a runtime time rule exclusion, this should be placed before the inclusion of the CRS in your Apache configuration (because the rule that's being modified must be modified before it fires off during execution).作为运行时规则排除,这应该放在 Apache 配置中包含 CRS之前(因为必须在执行期间触发之前修改正在修改的规则)。
I can't find any mention of anyone else using ModSecurity with the CRS in this way, ie fielding CONNECT
requests.我找不到任何其他人以这种方式将 ModSecurity 与 CRS 一起使用,即处理
CONNECT
请求。 The CRS rules aren't written to accommodate having a domain name in the request line, so you may find that you run into further false positives as a result. CRS 规则不是为了适应在请求行中包含域名而编写的,因此您可能会发现结果会遇到更多误报。 You would need to deal with those in a similar way to that described above.
您需要以与上述类似的方式处理这些问题。
(You can find an excellent tutorial on the subject of writing rule exclusions here: https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/ ). (您可以在此处找到有关编写规则排除主题的优秀教程: https : //www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/ )。
Hopefully this helps.希望这会有所帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.