IIS 10.0 上的 ModSecurity 默认安装 运行,CRS 规则集生成大量错误
ModSecurity default installation running on IIS 10.0 with CRS rule set generating a lot of errors
我刚刚在 Windows 10 上的 IIS 10.0 运行 上安装了 ModSecurity。然而,即使 "clean" 安装仅通过访问默认的 IIS 站点也会产生很多错误。
通过查看 eventvwr 并发出单个请求,我总共收到了 14 个针对 localhost.
的 GET 请求的新错误
每个事件都有以下描述:
The description for Event ID 1 from source ModSecurity cannot be
found. Either the component that raises this event is not installed on
your local computer or the installation is corrupted. You can install
or repair the component on the local computer.
If the event originated on another computer, the display information
had to be saved with the event.
The following information was included with the event:
事件数据:
[client ] ModSecurity: IPmatch: bad IPv4 specification "". [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule processing failed. [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: IPmatch: bad IPv4 specification "". [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule processing failed. [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]
[client ] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/ip": Access is denied. [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]
[client ] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/global": Access is denied. [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.png"] [unique_id "18158513704000290823"]
[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.png"] [unique_id "18158513704000290823"]
我做了什么:
已安装 ModSecurity v2.9.1 for IIS MSI Installer - 64bits 和 Visual Studio 2013 Runtime (vcredist)。
已从 https://github.com/SpiderLabs/owasp-modsecurity-crs 下载 OWASP ModSecurity 核心规则集 (CRS) 并将文件夹放入 C:\Program Files\ModSecurity IIS。将名称 crs-setup.conf.example 更改为 crs-setup.conf。
在 \rules 下,我将 REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example 和 RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example 更改为不包含 .example。
已将 modsecurity_iis.conf 修改为以下内容:
Include modsecurity.conf
Include modsecurity_crs_10_setup.conf
Include owasp_crs\base_rules\*.conf
#OWASP-Rules
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
重新启动 IIS,然后检查事件查看器。我错过了什么或者这是正常行为吗?
关于我发现的描述:
This is just an warning. That is actually the ModSecurity letting you
know something about a given request. The "windows description" of the
event can be ignored. Look at the content...
https://github.com/SpiderLabs/ModSecurity/issues/877#issuecomment-267712103
1. Execution error - PCRE limits exceeded (-8): (null):
已将 modsecurity.conf 值修改为以下内容:
SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000
我开始使用审核日志,而不是从 EventLog 读取数据。可以通过 modsecurity.conf 启用。将格式设置为 JSON 而不是 Native 以编程方式读取日志文件。请记住授予用户 IIS_IUSRS 访问日志文件夹和文件的权限。
# -- Audit log configuration -------------------------------------------------
# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditLogFormat JSON
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ
# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
SecAuditLogType Serial
SecAuditLog c:\inetpub\logs\modsec_audit.log
# Specify the path for concurrent audit logging.
SecAuditLogStorageDir c:\inetpub\logs\
我刚刚在 Windows 10 上的 IIS 10.0 运行 上安装了 ModSecurity。然而,即使 "clean" 安装仅通过访问默认的 IIS 站点也会产生很多错误。
通过查看 eventvwr 并发出单个请求,我总共收到了 14 个针对 localhost.
每个事件都有以下描述:
The description for Event ID 1 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
事件数据:
[client ] ModSecurity: IPmatch: bad IPv4 specification "". [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule processing failed. [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: IPmatch: bad IPv4 specification "". [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule processing failed. [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]
[client ] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/ip": Access is denied. [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]
[client ] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/global": Access is denied. [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.png"] [unique_id "18158513704000290823"]
[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.png"] [unique_id "18158513704000290823"]
我做了什么:
已安装 ModSecurity v2.9.1 for IIS MSI Installer - 64bits 和 Visual Studio 2013 Runtime (vcredist)。
已从 https://github.com/SpiderLabs/owasp-modsecurity-crs 下载 OWASP ModSecurity 核心规则集 (CRS) 并将文件夹放入 C:\Program Files\ModSecurity IIS。将名称 crs-setup.conf.example 更改为 crs-setup.conf。
在 \rules 下,我将 REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example 和 RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example 更改为不包含 .example。
已将 modsecurity_iis.conf 修改为以下内容:
Include modsecurity.conf
Include modsecurity_crs_10_setup.conf
Include owasp_crs\base_rules\*.conf
#OWASP-Rules
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
重新启动 IIS,然后检查事件查看器。我错过了什么或者这是正常行为吗?
关于我发现的描述:
This is just an warning. That is actually the ModSecurity letting you know something about a given request. The "windows description" of the event can be ignored. Look at the content...
https://github.com/SpiderLabs/ModSecurity/issues/877#issuecomment-267712103
1. Execution error - PCRE limits exceeded (-8): (null):
已将 modsecurity.conf 值修改为以下内容:
SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000
我开始使用审核日志,而不是从 EventLog 读取数据。可以通过 modsecurity.conf 启用。将格式设置为 JSON 而不是 Native 以编程方式读取日志文件。请记住授予用户 IIS_IUSRS 访问日志文件夹和文件的权限。
# -- Audit log configuration -------------------------------------------------
# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditLogFormat JSON
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ
# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
SecAuditLogType Serial
SecAuditLog c:\inetpub\logs\modsec_audit.log
# Specify the path for concurrent audit logging.
SecAuditLogStorageDir c:\inetpub\logs\