Basic Usage of the OWASP ModSecurity Core Rule Set (CRS)


Preface 

  The earlier article, Open-source WAF tool ModSecurity, covered the basic installation and use of ModSecurity as a dynamically loaded Nginx module.

  This article gives a brief introduction to using the ModSecurity CRS rule set.

# nginx -v                # nginx version
nginx version: nginx/1.17.6
# which nginx              # path of the nginx binary
/usr/sbin/nginx
# find / -name nginx.conf       # path of the nginx configuration file
/etc/nginx/nginx.conf
# ls /etc/nginx/modules/       # location of the ModSecurity module
ngx_http_modsecurity_module.so
# ls /etc/nginx/modsec/*.conf     # ModSecurity configuration files
/etc/nginx/modsec/main.conf /etc/nginx/modsec/modsecurity.conf

  If you followed the link given earlier, everything is the same except that the versions may differ (because of updates).

OWASP CRS

Download the OWASP rules and generate the configuration files

# cd /etc/nginx/modsec/      # change to the ModSecurity configuration directory we set up
# git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git    # download the CRS rule files
# cd owasp-modsecurity-crs
# cp crs-setup.conf.example  crs-setup.conf    # use the default configuration
# git branch
* v3.3/dev            # currently on the latest 3.3 branch

Configure the OWASP rules

  Edit the crs-setup.conf file (using commands).

# sed -i -e 's/SecDefaultAction "phase:1,log,auditlog,pass"/#SecDefaultAction "phase:1,log,auditlog,pass"/g' crs-setup.conf    # comment out the detect-only defaults
# sed -i -e 's/SecDefaultAction "phase:2,log,auditlog,pass"/#SecDefaultAction "phase:2,log,auditlog,pass"/g' crs-setup.conf
# sed -i -e 's/#.*SecDefaultAction "phase:1,log,auditlog,deny,status:403"/SecDefaultAction "phase:1,log,auditlog,deny,status:403"/g' crs-setup.conf    # enable the blocking defaults (deny with 403)
# sed -i -e 's/# SecDefaultAction "phase:2,log,auditlog,deny,status:403"/SecDefaultAction "phase:2,log,auditlog,deny,status:403"/g' crs-setup.conf

Generate the configuration files for exclusion rules

# pwd               # we are already in this directory
/etc/nginx/modsec/owasp-modsecurity-crs
# cp rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf    # exclusions applied before the CRS rules
# cp rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf    # exclusions applied after the CRS rules
# cp rules/*.data ..      # copy the .data files to the ModSecurity configuration directory, i.e. /etc/nginx/modsec
# cd /etc/nginx/modsec/
# ls    # the contents of /etc/nginx/modsec now look like this
crawlers-user-agents.data  java-errors.data   owasp-modsecurity-crs           php-function-names-933151.data  scanners-headers.data       sql-errors.data
iis-errors.data            lfi-os-files.data  php-config-directives.data      php-variables.data              scanners-urls.data          unicode.mapping
java-classes.data          main.conf          php-errors.data                 restricted-files.data           scanners-user-agents.data   unix-shell.data
java-code-leakages.data    modsecurity.conf   php-function-names-933150.data  restricted-upload.data          scripting-user-agents.data  windows-powershell-commands.data

  Where:

  • modsecurity.conf is ModSecurity's own configuration file;
  • main.conf is the main configuration file we added ourselves; all rules can be added here, which keeps them easy to manage.

Add rules

  Add the rules we want to the main.conf configuration file:

# vim main.conf    # main.conf contains the following
# Include the recommended configuration
include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
# A test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"

  [Note] Since every rule file costs host performance, you can include only the protection rules for the vulnerability classes you actually need.

Testing

# nginx -s reload      # reload the configuration
# nginx -t          # test the configuration
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# curl -D - http://localhost/?id=1      # normal request
HTTP/1.1 200 OK
Server: nginx/1.17.6
Date: Tue, 26 Nov 2019 08:09:01 GMT
Content-Type: text/plain
Content-Length: 32
Connection: keep-alive

Thank you for requesting /?id=1
# curl -D - http://localhost/?id='1 and 1=1'  # test whether SQL injection is detected
HTTP/1.1 403 Forbidden               <<== blocked
Server: nginx/1.17.6
Date: Tue, 26 Nov 2019 08:09:02 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.17.6</center>
</body>
</html>
# curl -D - http://localhost/?input='<script>alert(/xss/)</script>'    # test XSS
HTTP/1.1 403 Forbidden              <<== also blocked
Server: nginx/1.17.6
Date: Tue, 26 Nov 2019 08:09:40 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.17.6</center>
</body>
</html>

View the log file

  ModSecurity log file: /var/log/modsec_audit.log

  The log clearly records the XSS attack attempt.
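The audit log is where you confirm what was blocked and why. Below is an added Python parser (not from the original post or from ModSecurity) for the native serial audit-log format that ModSecurity v3 writes to /var/log/modsec_audit.log: it splits the file into transactions, reads the client address from part A, the request line from part B, the status from part F and every `[id "..."]` / `[msg "..."]` pair from the alert lines in part H, then counts hits per rule id. The embedded log excerpt is constructed to resemble the two probes above; the transaction ids, timestamps, ports and rule line numbers are made up, and the exact field layout of a real log can vary by version.

```python
import re
from collections import Counter

# Constructed excerpt in ModSecurity v3's native serial audit-log format, covering
# the two probes from this page (SQLi, then XSS). Rule ids and messages follow the
# CRS 3.3 naming; transaction ids, timestamps, ports and line numbers are made up.
SAMPLE_AUDIT_LOG = """\
---Xk2pQ7aB---A--
[26/Nov/2019:08:09:02 +0000] 157476054212.345678 127.0.0.1 40100 127.0.0.1 80
---Xk2pQ7aB---B--
GET /?id=1%20and%201=1 HTTP/1.1
Host: localhost
---Xk2pQ7aB---F--
HTTP/1.1 403
Server: nginx/1.17.6
---Xk2pQ7aB---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: SQLi fingerprint found within ARGS:id: 1 and 1=1"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [tag "attack-sqli"] [hostname "127.0.0.1"] [uri "/"] [unique_id "157476054212.345678"]
ModSecurity: Access denied with code 403 (phase 2). Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [tag "anomaly-evaluation"] [hostname "127.0.0.1"] [uri "/"] [unique_id "157476054212.345678"]
---Xk2pQ7aB---Z--

---Mn4rT9cD---A--
[26/Nov/2019:08:09:40 +0000] 157476058012.345678 127.0.0.1 40102 127.0.0.1 80
---Mn4rT9cD---B--
GET /?input=%3Cscript%3Ealert(/xss/)%3C/script%3E HTTP/1.1
Host: localhost
---Mn4rT9cD---F--
HTTP/1.1 403
Server: nginx/1.17.6
---Mn4rT9cD---H--
ModSecurity: Warning. detected XSS using libinjection. [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:input: <script>alert(/xss/)</script>"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [tag "attack-xss"] [hostname "127.0.0.1"] [uri "/"] [unique_id "157476058012.345678"]
ModSecurity: Access denied with code 403 (phase 2). Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [tag "anomaly-evaluation"] [hostname "127.0.0.1"] [uri "/"] [unique_id "157476058012.345678"]
---Mn4rT9cD---Z--
"""

# Part boundary: "---<id>---<letter>--" in v3 (v2 wrote "--<id>-<letter>--")
BOUNDARY_RE = re.compile(r"^-{2,3}([0-9A-Za-z]+)-{1,3}([A-Z])--$")
# One [key "value"] pair on an alert line; values may contain escaped quotes
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Part A: [timestamp] unique_id client_ip client_port server_ip server_port
A_LINE_RE = re.compile(r"^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")


def split_transactions(text):
    """Group the log into [(transaction_id, {part_letter: text})] in file order."""
    parts, order, current = {}, [], None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            tx_id, letter = m.groups()
            if tx_id not in parts:
                parts[tx_id] = {}
                order.append(tx_id)
            parts[tx_id][letter] = []
            current = (tx_id, letter)
        elif current:
            parts[current[0]][current[1]].append(line)
    return [(t, {k: "\n".join(v).strip() for k, v in parts[t].items()}) for t in order]


def parse_transaction(tx_id, parts):
    """Pull the fields an analyst wants from one transaction's parts."""
    a = A_LINE_RE.match(parts.get("A", ""))
    request = parts.get("B", "").split("\n", 1)[0]
    status_line = parts.get("F", "").split("\n", 1)[0]
    status = int(status_line.split()[1]) if status_line.startswith("HTTP/") else None
    alerts = []
    for line in parts.get("H", "").splitlines():
        if not line.startswith("ModSecurity: "):
            continue
        fields = {}
        for key, value in KV_RE.findall(line):
            fields.setdefault(key, value)  # keep the first of repeated keys such as tag
        alerts.append({"id": fields.get("id"), "msg": fields.get("msg"),
                       "severity": fields.get("severity"),
                       "denied": line.startswith("ModSecurity: Access denied")})
    return {"tx": tx_id, "time": a.group(1) if a else None,
            "client": a.group(3) if a else None, "request": request,
            "status": status, "alerts": alerts}


def parse_audit_log(text):
    return [parse_transaction(t, p) for t, p in split_transactions(text)]


def summarize(text):
    """Count transactions, how many were denied, and alert hits per rule id."""
    txs = parse_audit_log(text)
    by_rule = Counter(a["id"] for tx in txs for a in tx["alerts"])
    denied = sum(1 for tx in txs if any(a["denied"] for a in tx["alerts"]))
    return {"transactions": len(txs), "denied": denied, "by_rule": by_rule}


if __name__ == "__main__":
    for tx in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(tx["time"], tx["client"], tx["status"], tx["request"])
        for alert in tx["alerts"]:
            print("   ", alert["id"], alert["msg"])
    print(summarize(SAMPLE_AUDIT_LOG))
```

Against the real file, pass `open("/var/log/modsec_audit.log").read()` to summarize(); the per-rule counts are the quickest way to spot a rule that fires on legitimate traffic and belongs in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf rather than in a blanket disable.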

  That is the basic usage of the ModSecurity CRS rule set. What matters most is understanding what the CRS rule set contains and how rules are written, so that you can write rules that fit your own requirements.

References

  Building a WAF on Nginx with ModSecurity

    https://www.hi-linux.com/posts/45920.html

