Modsecurity: removeWhitespace not working
I have the following rule:
SecRule REQUEST_HEADERS:Client-IP "@ipMatchFromFile test.txt" \
    "id:210487,t:none,t:urlDecodeUni,t:removeWhitespace,drop,msg:'IP-test'"
But when I run it, I get this response:
T (0) urlDecodeUni: "111.22.33.44 " // note the space before the "
T (0) removeWhitespace: "111.22.33.44" // perfect! The space has been removed
Transformation completed in 4 usec.
Executing operator "ipMatchFromFile" with param "test.txt" against REQUEST_HEADERS:Client-IP.
Target value: "111.22.33.44" // target value has no space, hooray!
IPmatchFromFile: Total tree entries: 8, ipv4 8 ipv6 0
IPmatch: bad IPv4 specification "111.22.33.44 ". // why, oh why, is the space back!
Operator completed in 4 usec.
Operator error: IPmatch: bad IPv4 specification "111.22.33.44 ". // that space again!
Rule returned -1.
Rule processing failed.
Rule failed, not chained -> mode NEXT_RULE.
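Stack Overflow legends, please tell me how to fix it :-)
This should work, so it looks like a bug. Can't say I've ever really tried matching IP addresses that need to be transformed first.
As it's not really an IP address, you could use @pmFromFile instead of @ipMatchFromFile. Note that the documentation explicitly warns that you need to use boundaries properly here: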
Because this operator does not check for boundaries when matching,
false positives are possible in some cases. For example, if you want
to use @pm for IP address matching, the phrase 1.2.3.4 will
potentially match more than one IP address (e.g., it will also match
1.2.3.40 or 1.2.3.41). To avoid the false positives, you can use your own boundaries in phrases. For example, use /1.2.3.4/ instead of just
1.2.3.4. Then, in your rules, also add the boundaries where appropriate. You will find a complete example in the example:
# Prepare custom REMOTE_ADDR variable
SecAction "phase:1,id:168,nolog,pass,setvar:tx.REMOTE_ADDR=/%{REMOTE_ADDR}/"
# Check if REMOTE_ADDR is blacklisted
SecRule TX:REMOTE_ADDR "@pmFromFile blacklist.txt" "phase:1,id:169,deny,msg:'Blacklisted IP address'"
The file blacklist.txt may contain:
# ip-blacklist.txt contents:
# NOTE: All IPs must be prefixed/suffixed with "/" as the rules
# will add in this character as a boundary to ensure
# the entire IP is matched.
# SecAction "phase:1,id:170,pass,nolog,setvar:tx.remote_addr='/%{REMOTE_ADDR}/'"
/1.2.3.4/
/5.6.7.8/
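Added example (not part of the original answer or the ModSecurity documentation): the boundary technique quoted above applied to the question's Client-IP header, so the transformed value is what gets matched. It assumes IPv4-only entries; the rule ids 900101/900102 and the variable tx.client_ip are made up for illustration, and test.txt is assumed to be rewritten with one /a.b.c.d/ entry per line.

```apache
# Added example; ids 900101/900102 and tx.client_ip are constructed names.
# Client-IP is a request header: rely on it only when a trusted proxy
# sets or overwrites it.

# Step 1: normalise the header, accept only a dotted-quad shape, and store
# it wrapped in "/" boundaries. The operator receives the value after the
# t: chain (the "Target value" in the debug log), so the capture holds the
# trimmed address. A header that is not a bare IPv4 address sets nothing.
SecRule REQUEST_HEADERS:Client-IP "@rx ^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$" \
    "id:900101,phase:1,t:none,t:urlDecodeUni,t:removeWhitespace,capture,nolog,pass,setvar:'tx.client_ip=/%{TX.1}/'"

# Step 2: phrase-match the bounded value.
# test.txt must contain entries in the form /111.22.33.44/
SecRule TX:client_ip "@pmFromFile test.txt" \
    "id:900102,phase:1,t:none,drop,msg:'IP-test'"
```

Unlike @ipMatchFromFile, phrase matching cannot express CIDR ranges, so every address has to be listed individually.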