ModSecurity (DetectionOnly mode) gives no useful logs/warnings

Sho*_*abh 5 mod-security nginx-ingress

I have configured the modsecurity-nginx connector on the Kubernetes Nginx controller.


For now my goal with the ModSecurity WAF is to run it in DetectionOnly mode, because I do not want to start blocking everything right away. To achieve this I used the following configuration in the controller ConfigMap.

enable-modsecurity: "true"
  modsecurity-snippet: |
    SecRuleEngine DetectionOnly
    SecAuditEngine On
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogFormat JSON
    SecAuditLogType Serial
    SecAuditLog /dev/stdout

To test this, I tried a SQL injection attack, sending a SQL query from the client into my test application. But ModSecurity gave no warning or any other useful information in the logs to indicate that a SQL query had been injected into the application. Below are the request I sent and the log I got:

$ curl -ks -o /dev/null -w '%{http_code}' "https://test-ingress-nginx.example.com/foo?username=1'%20or%20'1'%20=%20'"

Output: 404

Logs:
----
{
  "transaction": {
    "client_ip": "192.xxx.xxx.xx",
    "time_stamp": "Tue Feb 16 07:44:10 2021",
    "server_id": "995f188ad543e6fcbcdbfb4c7a2c67327xxxxx",
    "client_port": 59455,
    "host_ip": "10.x.xxx.xxx",
    "host_port": 443,
    "unique_id": "161346145098.924xxx",
    "request": {
      "method": "GET",
      "http_version": 2.0,
      "uri": "/foo?username=1'%20or%20'1'%20=%20'",
      "headers": {
        "host": "test-ingress-nginx.example.com",
        "user-agent": "curl/7.64.1",
        "accept": "*/*"
      }
    },
    "response": {
      "body": "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL /foo was not found on this server.</p>\n<hr>\n<address>Apache/2.4.25 (Debian) Server at test-ingress-nginx.example.com Port 80</address>\n</body></html>\n",
      "http_code": 404,
      "headers": {
        "Server": "",
        "Server": "",
        "Date": "Tue, 16 Feb 2021 07:44:10 GMT",
        "Content-Length": "306",
        "Content-Type": "text/html; charset=iso-8859-1",
        "Connection": "close",
        "Strict-Transport-Security": "max-age=15724800; includeSubDomains"
      }
    },
    "producer": {
      "modsecurity": "ModSecurity v3.0.4 (Linux)",
      "connector": "ModSecurity-nginx v1.0.1",
      "secrules_engine": "DetectionOnly",
      "components": []
    },
    "messages": []
  }
}

If I change SecRuleEngine DetectionOnly to SecRuleEngine On, the error code changes and the log shows why the request was blocked:

$ curl -ks -o /dev/null -w '%{http_code}' "https://test-ingress-nginx.example.com/foo?username=1'%20or%20'1'%20=%20'"

Output: 403

Logs:
----
2021/02/16 07:35:11 [error] 8100#8100: *25411553 [client 192.xxx.xxx.xx] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.x.xxx.xxx"] [uri "/foo"] [unique_id "16134609114.611xxx"] [ref ""], client: 192.xxx.xx.xx, server: test-ingress-nginx.example.com, request: "GET /foo?username=1'%20or%20'1'%20=%20' HTTP/2.0", host: "test-ingress-nginx.example.com"

Question: when I enable ModSecurity in Detection Only mode, is there a way to get some useful information into the ModSecurity logs, so that I can identify the kinds of requests/threats my application receives and start writing blocking rules for them?


小智 0

I think you should be getting another related log:

For example, to see the modsecurity log in my case, look here: /var/log/modsec_audit.log

test.example.com.com XX.XX.XX.XX - [19/Jan/2022:15:21:55 +0000] "GET /?username=%27%20or%20%271%27%20=%20%27 HTTP/2.0" 302 34 - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36" 164260571591.117736 - /var/log/audit//20220119/20220119-1521/20220119-152155-164260571591.117736 0 2445.000000 md5:ce36eaa04f4b030ca311b4a99c8595ef

If you check this log, /var/log/audit//20220119/20220119-1521/20220119-152155-164260571591.117736, you will see the explanation:

---OgrdNLAz---A--
[19/Jan/2022:15:21:55 +0000] 164260571591.117736 XX.XX.XX.XX 48250 XX.XX.XX.XX 443
---OgrdNLAz---B--
GET /?username=%27%20or%20%271%27%20=%20%27 HTTP/2.0
sec-fetch-user: ?1
sec-ch-ua: " Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
sec-fetch-site: none
sec-ch-ua-platform: "Windows"
upgrade-insecure-requests: 1
sec-ch-ua-mobile: ?0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-dest: document
sec-fetch-mode: navigate
host: test.example.com
accept-encoding: gzip, deflate, br
cookie: R_PCS=light; R_LOCALE=en-us; R_REDIRECTED=true; CSRF=4ae16bab4b; R_SESS=token-8tbxk:fbsq7zll8455gmbnlwkngcxvlztp2887j548cnkshc9q5vc9k5hb9r
accept-language: es-AR,es;q=0.9,pt-BR;q=0.8,pt;q=0.7,en-US;q=0.6,en;q=0.5,es-419;q=0.4

---OgrdNLAz---D--

---OgrdNLAz---E--
<a href="/dashboard/">Found</a>.\x0a\x0a

---OgrdNLAz---F--
HTTP/2.0 302
Server:
Server:
Date: Wed, 19 Jan 2022 15:21:55 GMT
Content-Length: 34
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
Connection: close
Location: /dashboard/
X-Api-Cattle-Auth: true
Strict-Transport-Security: max-age=15724800; includeSubDomains

---OgrdNLAz---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&sos found within ARGS:username: ' or '1' = '"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [hostname "XX.XX.XX.XX"] [uri "/"] [unique_id "164260571591.117736"] [ref "v15,12"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "XX.XX.XX.XX"] [uri "/"] [unique_id "164260571591.117736"] [ref ""]

---OgrdNLAz---I--

---OgrdNLAz---J--

---OgrdNLAz---Z--
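As an added example (not code from the question or the answer), a small Python helper that pulls rule id, message and matched data out of both record shapes shown on this page: the bracketed `ModSecurity: Warning.` lines from audit part H (the same layout as the nginx error-log line in the question), and the `messages[]` array of a JSON audit record. The JSON field names (`message`, `details.ruleId`, `details.data`, ...) are assumed from libmodsecurity's JSON writer, and both sample inputs are constructed; the question's own record has an empty `messages` list, for which the helper returns nothing, which is exactly the symptom being asked about.

```python
import json
import re

# Bracketed key/value tokens of the native ModSecurity log lines quoted on the page,
# e.g. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"]
_TOKEN_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

def parse_native_line(line):
    """Parse one 'ModSecurity: Warning. ...' (audit part H) or nginx error-log line."""
    fields = dict(_TOKEN_RE.findall(line))
    # one [tag "..."] token per rule tag; dict() keeps only the last, so collect them separately
    fields["tags"] = re.findall(r'\[tag "([^"]*)"\]', line)
    # DetectionOnly logs 'Warning.', SecRuleEngine On logs 'Access denied with code ...'
    fields["blocked"] = "Access denied" in line
    return fields

def summarize_json_record(record):
    """Flatten transaction.messages[] of a JSON audit record (SecAuditLogFormat JSON).
    The message/details.ruleId/... names are libmodsecurity's JSON layout, assumed here;
    the question's own record has messages == [] and therefore yields an empty list."""
    tx = json.loads(record)["transaction"]
    hits = []
    for m in tx.get("messages", []):
        d = m.get("details", {})
        hits.append({"id": d.get("ruleId", ""), "msg": m.get("message", ""),
                     "data": d.get("data", ""), "severity": d.get("severity", ""),
                     "uri": tx["request"]["uri"], "client": tx["client_ip"],
                     "engine": tx["producer"]["secrules_engine"]})
    return hits

# Constructed sample inputs (shapes copied from the page, values shortened)
NATIVE_LINE = ('ModSecurity: Warning. detected SQLi using libinjection. '
               '[file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
               '[line "45"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] '
               '[data "Matched Data: s&sos found within ARGS:username: \' or \'1\' = \'"] [severity "2"] '
               '[ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "attack-sqli"] [uri "/"]')
JSON_RECORD = json.dumps({"transaction": {
    "client_ip": "192.0.2.10", "unique_id": "161346145098.924000",
    "request": {"method": "GET", "uri": "/foo?username=1'%20or%20'1'%20=%20'", "headers": {}},
    "producer": {"secrules_engine": "DetectionOnly", "components": ["OWASP_CRS/3.3.0"]},
    "messages": [{"message": "SQL Injection Attack Detected via libinjection",
                  "details": {"ruleId": "942100", "severity": "2",
                              "data": "Matched Data: s&sos found within ARGS:username: ' or '1' = '"}}]}})

if __name__ == "__main__":
    print(parse_native_line(NATIVE_LINE))
    for hit in summarize_json_record(JSON_RECORD):
        print(f'{hit["engine"]}: rule {hit["id"]} "{hit["msg"]}" on {hit["uri"]} from {hit["client"]}')
```

Feed real records by reading `SecAuditLog` output line by line (one JSON object per line with `SecAuditLogType Serial`) and filtering on a non-empty result.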