
Why does NGINX with OWASP-CRS not log alerts properly?

I have a problem logging alerts from OWASP-CRS. For example, I make the request:

https://host?exec=bin/bash

ModSecurity correctly blocks this request, but in the error log I only have a single alert:

2020/02/04 16:51:34 [error] x#x: *x [client xxxx] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `4' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "xxxx"] [uri "/"] [unique_id "8bbf3c25ee6f151f5fc09df9f11492db"] [ref ""], client: xxxx, server: localhost, request: "GET ?exec=bin/bash HTTP/1.1", host: "host"

When I switch from anomaly scoring mode to self-contained mode, I get a more detailed alert:

2020/02/04 16:52:38 [error] xxx#xxx: *xxx [client xxxx] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `bin/bash' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "496"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec: bin/bash"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "xxxx"] [uri "/"] [unique_id "401e59ce6bfbc7e6b2b98bcd65bfd64e"] [ref "o0,8v20,8t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"], client: xxx, server: localhost, request: "GET /?exec=bin/bash HTTP/1.1", host: "host"

Why don't I get an alert like the one above when anomaly scoring mode is selected?

nginx: 1.16.1, owasp-crs: 3.2.0, nginx-connector: 1.1.0
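As an added example (not code from the question or the answer, and not part of ModSecurity or the CRS), the following Python parser turns the nginx error-log lines that ModSecurity v3 writes into structured records, then groups them by `unique_id` and flags a blocked transaction whose only error-log entry is the CRS blocking-evaluation rule 949110. That is exactly the anomaly-mode symptom above: the rule that actually raised the score (932160) is not in the error log, so the error log alone cannot say why the request was denied. The two sample lines are constructed copies of the lines quoted above; the regexes and field names are assumptions derived from those two lines, not from the ModSecurity source.

```python
import re
from typing import Dict, List, Optional

# Bracketed fields such as [id "949110"] [msg "..."] [tag "attack-rce"].
_FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# Leading summary: disruptive action with status code and phase, or a plain warning.
_HEAD_RE = re.compile(
    r'ModSecurity: (?:Access denied with code (?P<status>\d+)'
    r'(?: \(phase (?P<phase>\d)\))?|Warning)\.'
)
# Operator summary: which operator/parameter matched which variable and value.
_OP_RE = re.compile(
    r'''Matched "Operator `(?P<op>[^']*)' with parameter `(?P<param>[^']*)' '''
    r'''against variable `(?P<var>[^']*)' \(Value: `(?P<value>[^']*)' \)'''
)
# Trailing nginx context appended after the ModSecurity message.
_TAIL_RE = re.compile(r', request: "(?P<request>[^"]*)", host: "(?P<host>[^"]*)"')

# REQUEST-949-BLOCKING-EVALUATION.conf: the rule that denies in anomaly scoring mode.
BLOCKING_EVAL_RULE = "949110"

# Constructed sample input: the two lines quoted in the question (placeholders kept).
LINE_ANOMALY = r'''2020/02/04 16:51:34 [error] x#x: *x [client xxxx] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `4' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "xxxx"] [uri "/"] [unique_id "8bbf3c25ee6f151f5fc09df9f11492db"] [ref ""], client: xxxx, server: localhost, request: "GET ?exec=bin/bash HTTP/1.1", host: "host"'''
LINE_SELF_CONTAINED = r'''2020/02/04 16:52:38 [error] xxx#xxx: *xxx [client xxxx] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `bin/bash' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "496"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec: bin/bash"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "xxxx"] [uri "/"] [unique_id "401e59ce6bfbc7e6b2b98bcd65bfd64e"] [ref "o0,8v20,8t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"], client: xxx, server: localhost, request: "GET /?exec=bin/bash HTTP/1.1", host: "host"'''
SAMPLE_LINES = [LINE_ANOMALY, LINE_SELF_CONTAINED]


def parse_modsec_error_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one nginx error-log line; return None if it is not a ModSecurity line."""
    head = _HEAD_RE.search(line)
    if head is None:
        return None
    rec: Dict[str, object] = {
        "blocked": head.group("status") is not None,
        "status": int(head.group("status")) if head.group("status") else None,
        "phase": int(head.group("phase")) if head.group("phase") else None,
        "tags": [],
    }
    op = _OP_RE.search(line)
    if op:
        rec.update(op.groupdict())  # op, param, var, value
    for key, val in _FIELD_RE.findall(line):
        if key == "tag":
            rec["tags"].append(val)  # tag repeats, so collect it as a list
        else:
            rec[key] = val
    tail = _TAIL_RE.search(line)
    if tail:
        rec.update(tail.groupdict())  # request, host
    return rec


def summarize_transactions(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Group parsed lines by unique_id and flag denies that carry no contributing rule.

    In anomaly scoring mode the rules that raise TX:ANOMALY_SCORE log with `pass`, so
    only rule 949110 reaches the error log; the per-rule detail lives in the audit log.
    """
    by_tx: Dict[str, List[Dict[str, object]]] = {}
    for line in lines:
        rec = parse_modsec_error_line(line)
        if rec is None or "unique_id" not in rec:
            continue
        by_tx.setdefault(str(rec["unique_id"]), []).append(rec)
    summary: Dict[str, Dict[str, object]] = {}
    for uid, recs in by_tx.items():
        ids = [r.get("id") for r in recs]
        blocked = any(r["blocked"] for r in recs)
        score = None
        for r in recs:
            if r.get("id") == BLOCKING_EVAL_RULE and r.get("var") == "TX:ANOMALY_SCORE":
                score = int(str(r["value"]))  # the total inbound anomaly score
        summary[uid] = {
            "blocked": blocked,
            "rule_ids": ids,
            "anomaly_score": score,
            # The symptom from the question: denied by 949110 alone.
            "contributors_missing": blocked and all(i == BLOCKING_EVAL_RULE for i in ids),
        }
    return summary


if __name__ == "__main__":
    for uid, info in summarize_transactions(SAMPLE_LINES).items():
        print(uid, info)
```

Run against the two lines above, the anomaly-mode transaction is reported with `anomaly_score` 5 and `contributors_missing` True, while the self-contained one shows rule 932160 directly. In practice you would point the same parser at the audit log (or a JSON audit log) to recover the contributing rules when the error log only shows 949110.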

The reason is that the audit log is broken in the 1.1.0 connector for any disruptive action. The fix (https://github.com/SpiderLabs/ModSecurity-nginx/pull/175) has not been released yet.


Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost them, please credit this site or the original source.
