mod-security : Excessive false positives

Tags: mod-security

I have just set up Apache modsecurity on a server and in principle it is working well, but I am getting quite a few false positives.

I am using the OWASP ModSecurity Core Rule Set (CRS), essentially "out of the box".

I am running in "self-contained" (traditional) mode rather than collaborative (anomaly) mode:

SecDefaultAction "phase:1,deny,log"
SecDefaultAction "phase:2,deny,log"

Of particular concern is the SQL injection set. Double pipes (||), double angle brackets (>>) and a whole host of other inputs trigger rules and cause the page to be blocked. Many of these can easily appear in legitimate user input.

Is there an elegant way to selectively allow common inputs that do not necessarily indicate an injection attack? I know I am currently running out of the box, but surely blocking double pipes and angle brackets is too restrictive for almost every use case?

Best answer

Kully makes some good points, and I would definitely recommend the ModSecurity Handbook as well. I would say that switching to anomaly mode does take some getting used to and, in my opinion, requires extra monitoring work, so I personally prefer to run in blocking mode and turn off the noisy rules.

You really do need to run in DetectionOnly mode and tune the CRS rules before they become useful, and that does take time. It took several months of iteration before I felt comfortable enough to switch to blocking mode.

The SQL injection rules in particular are prone to over-alerting.

Here are some of the CRS v2 generic rules you may want to turn off or adjust, especially in traditional alerting mode:

#Lots of browsers don't send accept header so disable rule 960015 which blocks that:
SecRuleRemoveById 960015

#ModSecurity does not handle gzip files and falsely alerts code leakage for such binary files so disable this rule
SecRuleRemoveById 970903

#Range header is set by some Android devices so ignore that rule
SecRuleRemoveById 958291

#We allow Google Tag Manager which uses small iframe so disable the rules that disallow small iframes:
SecRuleRemoveById 981000
SecRuleRemoveById 981001

#These produce many false positives as checking for things like lots of spaces and ' characters (valid in names and addresses). So disable.
SecRuleRemoveById 950109
SecRuleRemoveById 950901
SecRuleRemoveById 960024
SecRuleRemoveById 973338
SecRuleRemoveById 981172
SecRuleRemoveById 981173
SecRuleRemoveById 981231
SecRuleRemoveById 981242
SecRuleRemoveById 981243
SecRuleRemoveById 981245
SecRuleRemoveById 981246
SecRuleRemoveById 981248
SecRuleRemoveById 981257
SecRuleRemoveById 981260
SecRuleRemoveById 981318
SecRuleRemoveById 981319
SecRuleRemoveById 981320

#Allow Search argument (q) to include SQL words:
SecRuleUpdateTargetById 959071 !ARGS:'q'
SecRuleUpdateTargetById 959072 !ARGS:'q'
SecRuleUpdateTargetById 981247 !ARGS:'q'

#Passwords can (and arguably should!) contain special chars
SecRuleUpdateTargetById 950010 !ARGS:'/[pP](ass)?word/'
SecRuleUpdateTargetById 981240 !ARGS:'/[pP](ass)?word/'

#Email address can contain some SQL injection phrases
SecRuleUpdateTargetById 981241 !ARGS:'/[eE](-)?mail/'

#Remove checking by rules which look for http calls in arguments that will legitimately contain URLs
SecRuleUpdateTargetById 950007 !ARGS:'utm_referrer'
SecRuleUpdateTargetById 950120 !ARGS:'utm_referrer'
SecRuleUpdateTargetById 973304 !ARGS:'utm_referrer'
SecRuleUpdateTargetById 981241 !ARGS:'utm_referrer'
SecRuleUpdateTargetById 981256 !ARGS:'utm_referrer'

CRS v3 renumbered the rule ids and removed some rules, so the v3 equivalents of the above look like this:

#Lots of browsers don't send accept header so disable rule 920300 which blocks that:
SecRuleRemoveById 920300

#These produce many false positives as checking for things like lots of spaces and ' characters (valid in names and addresses). So disable.
SecRuleRemoveById 920230
SecRuleRemoveById 942130
SecRuleRemoveById 942460
SecRuleRemoveById 941140
SecRuleRemoveById 942420
SecRuleRemoveById 942430
SecRuleRemoveById 942440
SecRuleRemoveById 942330
SecRuleRemoveById 942370
SecRuleRemoveById 942260
SecRuleRemoveById 942340
SecRuleRemoveById 942210
SecRuleRemoveById 942200
SecRuleRemoveById 942450
SecRuleRemoveById 942110
SecRuleRemoveById 942120
SecRuleRemoveById 942140

#Allow Search argument (q) to include SQL words:
SecRuleUpdateTargetById 942390 !ARGS:'q'
SecRuleUpdateTargetById 942400 !ARGS:'q'
SecRuleUpdateTargetById 942360 !ARGS:'q'

#Passwords can (and arguably should!) contain special chars
SecRuleUpdateTargetById 942300 !ARGS:'/[pP](ass)?word/'

#Email address can contain some SQL injection phrases
SecRuleUpdateTargetById 942230 !ARGS:'/[eE](-)?mail/'

#Remove checking by rules which look for http calls in arguments that will legitimately contain URLs
SecRuleUpdateTargetById 931130 !ARGS:'utm_referrer'
SecRuleUpdateTargetById 942230 !ARGS:'utm_referrer'
SecRuleUpdateTargetById 942250 !ARGS:'utm_referrer'

Of course, turning these rules off completely (as I did in the first half of the snippet above) reduces the effectiveness of ModSecurity, so you need to decide whether that is acceptable for your site.

Turning off a rule for specific arguments only (as I did in the second half of the snippet above) is generally preferable, but again only you can decide whether those arguments can do without the protection the rule provides.
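The DetectionOnly review loop the answer describes, as an added example that is not part of the question or the answer: a Python script that counts which CRS rule fired on which variable across ModSecurity error-log alerts and drafts the narrowest exclusion for each noisy pair, per-argument SecRuleUpdateTargetById where a named parameter triggered the rule and whole-rule SecRuleRemoveById otherwise. The log lines are constructed and shortened; the rule ids are the CRS v2 ids from the answer.

```python
import re
from collections import Counter

# Constructed ModSecurity 2.x error-log lines (not real traffic), cut down to the
# fields this script reads; rule ids are the CRS v2 ids discussed in the answer.
SAMPLE_LOG = """\
[Wed Dec 02 10:00:00 2015] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "..." at ARGS:q. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [uri "/search"]
[Wed Dec 02 10:00:05 2015] [error] [client 203.0.113.6] ModSecurity: Warning. Pattern match "..." at ARGS:q. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [uri "/search"]
[Wed Dec 02 10:01:00 2015] [error] [client 203.0.113.7] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "modsecurity_crs_21_protocol_anomalies.conf"] [id "960015"] [msg "Request Missing an Accept Header"] [uri "/"]
[Wed Dec 02 10:02:00 2015] [error] [client 203.0.113.8] ModSecurity: Warning. Pattern match "..." at ARGS:password. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [id "981240"] [msg "Detects MySQL comments, conditions and ch(a)r injections"] [uri "/login"]
[Wed Dec 02 10:03:00 2015] [error] [client 203.0.113.9] ModSecurity: Warning. Pattern match "..." at ARGS:comment. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [uri "/post"]
[Wed Dec 02 10:04:00 2015] [error] [client 203.0.113.10] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "modsecurity_crs_21_protocol_anomalies.conf"] [id "960015"] [msg "Request Missing an Accept Header"] [uri "/"]
"""

FIELD_RE = re.compile(r'\[(id|msg|uri) "([^"]*)"\]')      # bracketed key/value fields
VAR_RE = re.compile(r' at ([A-Za-z_]+(?::[^ .]+)?)\. \[')  # variable the operator matched on

def parse_alerts(log_text):
    """Return one dict (id, msg, uri, var) per ModSecurity alert line; other lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if "id" not in fields:
            continue
        var = VAR_RE.search(line)
        alerts.append({"id": fields["id"], "msg": fields.get("msg", ""),
                       "uri": fields.get("uri", ""), "var": var.group(1) if var else ""})
    return alerts

def rank_rules(alerts):
    """Hits per (rule id, matched variable); the noisiest combinations come first."""
    return Counter((a["id"], a["var"]) for a in alerts)

def suggest_exclusions(alerts, min_hits=2):
    """Map each noisy (rule, variable) pair to the narrowest directive that silences it:
    a per-argument SecRuleUpdateTargetById when a named ARGS parameter fired the rule,
    and a whole-rule SecRuleRemoveById only when no single argument is involved."""
    lines = []
    for (rule_id, var), hits in rank_rules(alerts).most_common():
        if hits < min_hits:
            break
        if var.startswith("ARGS:"):
            arg = var.split(":", 1)[1]
            lines.append(f"SecRuleUpdateTargetById {rule_id} !ARGS:'{arg}'  # {hits} hits")
        else:
            lines.append(f"SecRuleRemoveById {rule_id}  # {hits} hits, no single argument to exclude")
    return lines
```

The output is only a starting point for the judgement the answer leaves to you, whether a given argument can do without the rule's protection; review each suggested line against the matched data before adding it to the configuration.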

Regarding mod-security : Excessive false positives, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/33989273/
