如何防止由 SignalR 引起的 Modsecurity 误报?
How can I prevent Modsecurity false positives caused by SignalR?
我最近建立了一个全新的开发服务器来试验 Modsecurity。但是,我收到了很多 false-positives 由使用 SignalR 的 .NET 4 应用程序生成的 client-server 通信。
如何在不影响 Modsecurity 效率的情况下防止 false-positives?
命中看起来很普通,所以我不想完全禁用规则,我想避免禁用 /signalr/ uri 上的命中,这会失去对 SignalR 的保护。
以下是我进行设置的方式:
- 我安装了 Windows Server 2012
- 已安装 IIS 角色
- 已安装所有 OS 更新
- 已通过 WebPlatformInstaller 安装 ModSecurity IIS
- 创建网站并部署应用程序
以下是我得到的三种常见误报:
SQL 认证绕过:
> [client 192.168.0.104:59945] ModSecurity: Warning. Pattern match
> "(?i:(?:in\s*?\(+\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not
> |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*?\(|sounds\s+like\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|[=\d]+x))|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\s*?\d\s*?(?:--|#))
> ..." at ARGS:connectionData. [file "C:\/Program Files/ModSecurity
> IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "239"] [id "981246"] [msg "Detects basic SQL authentication
> bypass attempts 3/3"] [data "Matched Data: \x22name\x22:\x22 found
> within ARGS:connectionData: [{\x22name\x22:\x22*****serverhub\x22}]"]
> [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
> [hostname "*********"] [uri
> "/signalr/start?transport=webSockets&clientProtocol=1.4&connectionToken=iIxfXzLxKm9twEhHdomj4DI95so0QmpmqeTXD4Qe0VsQoJO47CHuEIuv2z7M%2B1TYx44PK5ko18t2aoaLb4WztjR1c8g0VP8MUaGkSO9KDftOzsGektSIDl%2FI1RPMQdTd&connectionData=%5B%7B%22name%22%3A%22*****serverhub%22%7D%5D&_=1461637088340"]
> [unique_id "17798225729515683844"]
受限 SQL 个字符:
> [client 192.168.0.104:59945] ModSecurity: Warning. Pattern match
> "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\\xc2\xb4\\xe2\x80\x99\\xe2\x80\x98\`\<\>].*?){4,}"
> at ARGS:connectionData. [file "C:\/Program Files/ModSecurity
> IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character
> Anomaly Detection Alert - Total # of special characters exceeded"]
> [data "Matched Data: \x22 found within ARGS:connectionData:
> [{\x22name\x22:\x22*****serverhub\x22}]"] [ver "OWASP_CRS/2.2.9"]
> [maturity "9"] [accuracy "8"] [tag
> "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "*********"] [uri
> "/signalr/start?transport=webSockets&clientProtocol=1.4&connectionToken=iIxfXzLxKm9twEhHdomj4DI95so0QmpmqeTXD4Qe0VsQoJO47CHuEIuv2z7M%2B1TYx44PK5ko18t2aoaLb4WztjR1c8g0VP8MUaGkSO9KDftOzsGektSIDl%2FI1RPMQdTd&connectionData=%5B%7B%22name%22%3A%22*****serverhub%22%7D%5D&_=1461637088340"]
> [unique_id "17798225729515683844"]
缺少接受 Header:
> [client 192.168.0.104:59949] ModSecurity: Warning. Operator EQ matched
> 0 at REQUEST_HEADERS. [file "C:\/Program Files/ModSecurity
> IIS/owasp_crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"]
> [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept
> Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"]
> [accuracy "9"] [tag
> "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag
> "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname
> "*********"] [uri
> "/signalr/connect?transport=webSockets&clientProtocol=1.4&connectionToken=iIxfXzLxKm9twEhHdomj4DI95so0QmpmqeTXD4Qe0VsQoJO47CHuEIuv2z7M%2B1TYx44PK5ko18t2aoaLb4WztjR1c8g0VP8MUaGkSO9KDftOzsGektSIDl%2FI1RPMQdTd&connectionData=%5B%7B%22name%22%3A%22*****serverhub%22%7D%5D&tid=6"]
> [unique_id "17726168135477755906"]
PS:我没有在该特定应用程序中使用任何 SQL 技术。
对于前两个,我建议您添加以下规则以忽略这些规则的此 ConnectionData 参数:
SecRuleUpdateTargetById 981246 !ARGS:'ConnectionData'
SecRuleUpdateTargetById 981173 !ARGS:'ConnectionData'
最后,我建议完全删除该规则。我觉得它没那么有用,因为有一些浏览器(根据内存 Android)不发送 header:
SecRuleRemoveById 960015
您可能想阅读此答案以了解如何调整 ModSecurity:
Extra sensitive Mod Security rules giving 403 forbidden error
我最近建立了一个全新的开发服务器来试验 Modsecurity。但是,我收到了很多 false-positives 由使用 SignalR 的 .NET 4 应用程序生成的 client-server 通信。
如何在不影响 Modsecurity 效率的情况下防止 false-positives?
命中看起来很普通,所以我不想完全禁用规则,我想避免禁用 /signalr/ uri 上的命中,这会失去对 SignalR 的保护。
以下是我进行设置的方式:
- 我安装了 Windows Server 2012
- 已安装 IIS 角色
- 已安装所有 OS 更新
- 已通过 WebPlatformInstaller 安装 ModSecurity IIS
- 创建网站并部署应用程序
以下是我得到的三种常见误报:
SQL 认证绕过:
> [client 192.168.0.104:59945] ModSecurity: Warning. Pattern match
> "(?i:(?:in\s*?\(+\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not
> |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*?\(|sounds\s+like\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|[=\d]+x))|([\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\s*?\d\s*?(?:--|#))
> ..." at ARGS:connectionData. [file "C:\/Program Files/ModSecurity
> IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "239"] [id "981246"] [msg "Detects basic SQL authentication
> bypass attempts 3/3"] [data "Matched Data: \x22name\x22:\x22 found
> within ARGS:connectionData: [{\x22name\x22:\x22*****serverhub\x22}]"]
> [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
> [hostname "*********"] [uri
> "/signalr/start?transport=webSockets&clientProtocol=1.4&connectionToken=iIxfXzLxKm9twEhHdomj4DI95so0QmpmqeTXD4Qe0VsQoJO47CHuEIuv2z7M%2B1TYx44PK5ko18t2aoaLb4WztjR1c8g0VP8MUaGkSO9KDftOzsGektSIDl%2FI1RPMQdTd&connectionData=%5B%7B%22name%22%3A%22*****serverhub%22%7D%5D&_=1461637088340"]
> [unique_id "17798225729515683844"]
受限 SQL 个字符:
> [client 192.168.0.104:59945] ModSecurity: Warning. Pattern match
> "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\\xc2\xb4\\xe2\x80\x99\\xe2\x80\x98\`\<\>].*?){4,}"
> at ARGS:connectionData. [file "C:\/Program Files/ModSecurity
> IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character
> Anomaly Detection Alert - Total # of special characters exceeded"]
> [data "Matched Data: \x22 found within ARGS:connectionData:
> [{\x22name\x22:\x22*****serverhub\x22}]"] [ver "OWASP_CRS/2.2.9"]
> [maturity "9"] [accuracy "8"] [tag
> "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "*********"] [uri
> "/signalr/start?transport=webSockets&clientProtocol=1.4&connectionToken=iIxfXzLxKm9twEhHdomj4DI95so0QmpmqeTXD4Qe0VsQoJO47CHuEIuv2z7M%2B1TYx44PK5ko18t2aoaLb4WztjR1c8g0VP8MUaGkSO9KDftOzsGektSIDl%2FI1RPMQdTd&connectionData=%5B%7B%22name%22%3A%22*****serverhub%22%7D%5D&_=1461637088340"]
> [unique_id "17798225729515683844"]
缺少接受 Header:
> [client 192.168.0.104:59949] ModSecurity: Warning. Operator EQ matched
> 0 at REQUEST_HEADERS. [file "C:\/Program Files/ModSecurity
> IIS/owasp_crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"]
> [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept
> Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"]
> [accuracy "9"] [tag
> "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag
> "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname
> "*********"] [uri
> "/signalr/connect?transport=webSockets&clientProtocol=1.4&connectionToken=iIxfXzLxKm9twEhHdomj4DI95so0QmpmqeTXD4Qe0VsQoJO47CHuEIuv2z7M%2B1TYx44PK5ko18t2aoaLb4WztjR1c8g0VP8MUaGkSO9KDftOzsGektSIDl%2FI1RPMQdTd&connectionData=%5B%7B%22name%22%3A%22*****serverhub%22%7D%5D&tid=6"]
> [unique_id "17726168135477755906"]
PS:我没有在该特定应用程序中使用任何 SQL 技术。
对于前两个,我建议您添加以下规则以忽略这些规则的此 ConnectionData 参数:
SecRuleUpdateTargetById 981246 !ARGS:'ConnectionData'
SecRuleUpdateTargetById 981173 !ARGS:'ConnectionData'
最后,我建议完全删除该规则。我觉得它没那么有用,因为有一些浏览器(根据内存 Android)不发送 header:
SecRuleRemoveById 960015
您可能想阅读此答案以了解如何调整 ModSecurity: Extra sensitive Mod Security rules giving 403 forbidden error