mod_security rule 981203 false positive
I just installed mod_security on my Apache2 web server.
I activated all of base_rules/ from the OWASP CRS.
I found a false positive by looking inside /var/log/apache2/modsec_audit.log.
The target URL is:
/mobile//index.cfm?gclid=Cj0KEQjw_qW9BRCcv-Xc5Jn-26gBEiQAM-iJhcydtemGoKm4rCJ7gbEgz5qL-MXF0tMh5BkaxVPZPYwaAvhW8P8HAQ
The error log is:
Message: Warning. Pattern match "([\~\!\@\#$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\xc2\xb4\xe2\x80\x99\xe2\x80\x98\`\<\>].*?){4,}" at ARGS:gclid. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:gclid: Cj0KEQjw_qW9BRCcv-Xc5Jn-26gBEiQAM-iJhcydtemGoKm4rCJ7gbEgz5qL-MXF0tMh5BkaxVPZPYwaAvhW8P8HAQ"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=1, XSS=0): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]
The message is self-explanatory, but... for my website this is not a malicious URL.
How can I 'whitelist' this kind of URL (e.g. one containing the gclid parameter) instead of disabling rule 981203 entirely?
You can add this configuration after the other rules have been defined:
SecRuleUpdateTargetById 981203 !ARGS:'gclid'
However, I see a lot of false positives from this rule, so I often just turn it off completely. The OWASP CRS is prone to over-alerting and needs a lot of tuning.
See this post for other commonly recommended rule tunings:
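An added triage helper (my example, not code from the question or the answer): it parses the Message entries of the audit log quoted above, assumed here to be one H section joined on a single line, and turns each rule that matched on an ARGS target into a SecRuleUpdateTargetById line, while reporting correlation rules that fired on a TX: variable as skipped. In the quoted log it is 981173 that matched ARGS:gclid, whereas 981203 only evaluated TX:inbound_anomaly_score, so the helper aims the per-parameter exclusion at 981173.

```python
import re

# Constructed sample: the two "Message:" entries quoted in the question, joined on
# one line as the audit log's H section prints them (the match regex is abbreviated).
SAMPLE_H_SECTION = (
    'Message: Warning. Pattern match "([\\~\\!\\@\\#$].*?){4,}" at ARGS:gclid. '
    '[file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly '
    'Detection Alert - Total # of special characters exceeded"] '
    '[data "Matched Data: - found within ARGS:gclid: Cj0KEQjw_qW9BRCcv-Xc5Jn-26gBEiQAM-iJhcydtemGoKm4rCJ7gbEgz5qL-MXF0tMh5BkaxVPZPYwaAvhW8P8HAQ"] '
    'Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. '
    '[file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_60_correlation.conf"] '
    '[line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, '
    'SQLi=1, XSS=0): Restricted SQL Character Anomaly Detection Alert"]'
)

# Matches "... at ARGS:gclid. [file" and "... at TX:inbound_anomaly_score. [file"
TARGET_RE = re.compile(r' at (?P<target>[A-Z_]+(?::[^\s.]+)?)\. \[')
ID_RE = re.compile(r'\[id "(?P<id>\d+)"\]')
MSG_RE = re.compile(r'\[msg "(?P<msg>[^"]*)"\]')


def parse_messages(section):
    """One dict (id, target, msg) per 'Message:' entry in an H section."""
    entries = []
    for chunk in re.split(r'(?:^|\s)Message: ', section):
        if not chunk.strip():
            continue
        found = {k: r.search(chunk) for k, r in
                 (("id", ID_RE), ("target", TARGET_RE), ("msg", MSG_RE))}
        entries.append({k: (m.group(k) if m else None) for k, m in found.items()})
    return entries


def suggest_exclusions(section):
    """SecRuleUpdateTargetById lines for rules that matched a request argument.
    Rules that fired on TX:* (CRS correlation rules such as 981203 scoring
    TX:inbound_anomaly_score) never inspect ARGS, so an ARGS exclusion on them
    changes nothing; they are returned as skipped. The exclusion belongs on the
    rule that matched the argument itself, here 981173.
    """
    directives, skipped = [], []
    for entry in parse_messages(section):
        target = entry["target"] or ""
        if target.startswith("ARGS:"):
            directives.append("SecRuleUpdateTargetById %s !%s" % (entry["id"], target))
        else:
            skipped.append((entry["id"], target))
    return {"directives": directives, "skipped": skipped}
```

Run it over the H section of each false-positive entry and review the proposed directives before adding them after the CRS rule includes; the skipped list tells you which anomaly-score rules merely reported the match.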