OWASP CRS

Last updated: 2022-12-07

Introduction

OWASP = Open Web Application Security Project

CRS = Core Rule Set            # maintained by OWASP

 * CRS 2.x are incompatible with CRS 3.x

The rule files are grouped by REQUEST and RESPONSE rules.

Some of the rules come with data files.

Data files are typically used when the request has to be checked against a long list of keywords
(such as unwanted user agents or PHP function names).

Important rule files (exception settings)

  • REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
  • RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

This is where the anomaly score is checked against the inbound threshold and the request is blocked accordingly.

 


CRS Rule Files

 

# Rocky 8

Package: mod_security_crs

Apache Enable rules

main config: crs-setup.conf

[1] Application Specific Rule Exclusions (id:900130)

drupal, wordpress, nextcloud ...

# The CRS assumes that modsecurity.conf has been loaded.

https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended

 


mod_security_crs 3.3

 

  • Introduced libinjection.
  • Blocked backup files ending with ~ in filenames.
  • Added new LDAP injection and HTTP splitting rules.
  • Added .swp to restricted extensions.
  • Added Common Attack Pattern Enumeration and Classification (CAPEC) tags for attack classification.
  • Added support to detect Nuclei, WFuzz, and ffuf vulnerability scanners.
  • Improved variable to lowercase (modsec3 behavior fix)
  • Added support to detect Unix RCE bypass techniques through uninitialized variables, string concatenations, and globbing patterns.
  • Removed outdated rule tags: WASCTC, OWASP_TOP_10, OWASP_AppSensor/RE1, and OWASP_CRS/FOO/BAR.
  • OWASP_CRS and attack-type are still included in the mod_security_crs package.
  • The format of the crs-setup.conf variable tx.allowed_request_content_type has been changed to be in line with the other variables.
  • If the variable is overridden, see the example in the crs-setup.conf file for the new separator.

# V3 (manual installation)

ls -1 /usr/share/coreruleset/rules/REQUEST-*

/usr/share/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
/usr/share/coreruleset/rules/REQUEST-901-INITIALIZATION.conf
/usr/share/coreruleset/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
/usr/share/coreruleset/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
/usr/share/coreruleset/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
/usr/share/coreruleset/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
/usr/share/coreruleset/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
/usr/share/coreruleset/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
/usr/share/coreruleset/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
/usr/share/coreruleset/rules/REQUEST-910-IP-REPUTATION.conf
/usr/share/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
/usr/share/coreruleset/rules/REQUEST-912-DOS-PROTECTION.conf
/usr/share/coreruleset/rules/REQUEST-913-SCANNER-DETECTION.conf
/usr/share/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
/usr/share/coreruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf
/usr/share/coreruleset/rules/REQUEST-922-MULTIPART-ATTACK.conf
/usr/share/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
/usr/share/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
/usr/share/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
/usr/share/coreruleset/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
/usr/share/coreruleset/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
/usr/share/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
/usr/share/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
/usr/share/coreruleset/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
/usr/share/coreruleset/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf.disable
/usr/share/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf

Because the rule files are loaded as shown below, an unneeded rule file can be disabled by appending ".disable" to its name:

include /usr/share/coreruleset/rules/REQUEST-*.conf

 

 


Handling false positives (false alarms)

 

score_threshold

The Core Rule Set works with a scoring mechanism by default.

For every rule a request violates, the anomaly score is raised.

The Core Rule Set comes in blocking mode by default.

If a rule is violated and the score reaches the threshold, blocking takes effect immediately.

 * A single rule violation scores 5 points at most

# 10000 = a request is unlikely to hit the limit
SecAction "id:900110,phase:1,pass,nolog,\
  setvar:tx.inbound_anomaly_score_threshold=10000,\
  setvar:tx.outbound_anomaly_score_threshold=10000"

Paranoia

Paranoia levels range from 1 to 4; the higher the paranoia level, the more paranoid (strict) the rules.
The default is paranoia level 1, where the rules are quite sane and false alarms are rare.

SecAction "id:900000,phase:1,pass,nolog,\
  setvar:tx.paranoia_level=1"

Disabling individual rules

Configured in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

[1]

SecRuleRemoveById 920300
SecRuleRemoveByTag "MISSING_HEADER_ACCEPT"

[2]

SecRule REQUEST_FILENAME "@streq /index.html" \
    "phase:1,nolog,pass,id:10000,ctl:ruleRemoveById=920300"

Disabling individual rules for specific parameters

Configured in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

[1]

SecRuleUpdateTargetById 942100 !ARGS:password
SecRuleUpdateTargetByTag "attack-sqli" !ARGS:password

[2]

SecRule REQUEST_HEADERS:Referer "@streq http://localhost/login/displayLogin.do" \
    "phase:1,nolog,pass,id:10000,ctl:ruleRemoveTargetById=942100;ARGS:password"
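The scoring mechanism from the score_threshold section and the per-parameter exclusions just shown can be worked through on real alerts. The Python script below is an added example, not part of these notes or of the CRS project: it parses constructed ModSecurity error-log alerts (sample lines, not real traffic), sums anomaly points per transaction the way CRS does (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2), and turns repeated hits on one parameter into SecRuleUpdateTargetById lines of the kind above. The threshold of 5 (the CRS default) and all sample values are assumptions.

```python
import re
from collections import Counter, defaultdict

# Anomaly points CRS adds per rule severity (crs-setup.conf defaults).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5  # CRS default; the notes above raise it to 10000 while tuning

# Constructed sample alerts in ModSecurity 2.x error-log style (not real traffic).
SAMPLE_LOG = [
    '[client 192.0.2.10] ModSecurity: Warning. detected SQLi using libinjection [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:password: p4ss&1=1"] [severity "CRITICAL"] [uri "/profile/update"] [unique_id "tx-0001"]',
    '[client 192.0.2.10] ModSecurity: Warning. detected XSS using libinjection [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:bio: <b>hello</b>"] [severity "CRITICAL"] [uri "/profile/update"] [unique_id "tx-0001"]',
    '[client 192.0.2.11] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "920300"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [uri "/index.html"] [unique_id "tx-0002"]',
    '[client 192.0.2.12] ModSecurity: Warning. detected SQLi using libinjection [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:password: O&Neil#1"] [severity "CRITICAL"] [uri "/login/displayLogin.do"] [unique_id "tx-0003"]',
]

FIELD = re.compile(r'\[(id|severity|uri|unique_id|data) "([^"]*)"\]')
TARGET = re.compile(r"found within (ARGS:[\w.-]+)")  # CRS "Matched Data" wording

def parse_alert(line):
    """Return the bracketed fields of one alert plus the ARGS target it matched on."""
    fields = dict(FIELD.findall(line))
    if "id" not in fields:
        return None  # not a rule alert (e.g. a bare 'Access denied' line)
    m = TARGET.search(fields.get("data", ""))
    fields["target"] = m.group(1) if m else None
    return fields

def score_transactions(lines):
    """Sum anomaly points per unique_id; True means REQUEST-949 would block it."""
    scores = defaultdict(int)
    for alert in filter(None, map(parse_alert, lines)):
        scores[alert["unique_id"]] += SEVERITY_SCORE.get(alert["severity"], 0)
    return {uid: (total, total >= INBOUND_THRESHOLD) for uid, total in scores.items()}

def count_hits(lines):
    """(rule id, parameter, count), most frequent first: the tuning worklist."""
    alerts = [a for a in map(parse_alert, lines) if a and a["target"]]
    hits = Counter((a["id"], a["target"]) for a in alerts)
    return [(rid, target, n) for (rid, target), n in hits.most_common()]

def render_exclusions(hits):
    """Directives for REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf; httpd only allows
    comments on their own line, so the hit count goes above each directive."""
    out = []
    for rid, target, n in hits:
        out.append(f"# {n} hit(s) on {target}: exclude only after confirming it is a false positive")
        out.append(f"SecRuleUpdateTargetById {rid} !{target}")
    return out

if __name__ == "__main__":
    for uid, (total, blocked) in score_transactions(SAMPLE_LOG).items():
        print(f"{uid}: anomaly score {total}, {'BLOCKED' if blocked else 'passed'}")
    print("\n".join(render_exclusions(count_hits(SAMPLE_LOG))))
```

Run it against a real error log with `SAMPLE_LOG` replaced by the file's lines; the output lists which transactions would have been blocked at the given threshold and a draft of the exclusions to review.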

 


Statistic Script