英文:
ModSecurity SecRule to block a request when it contains a given word in the REQUEST_URI or QUERY_STRING
问题
我为我的NGINX Ingress控制器创建了以下configMap
:
apiVersion: v1
data:
allow-snippet-annotations: "true"
enable-modsecurity: "true"
enable-owasp-modsecurity-crs: "true"
modsecurity-snippet: |-
SecRuleEngine On
SecRequestBodyAccess On
SecAuditLog /dev/stdout
SecAuditLogFormat JSON
SecAuditEngine RelevantOnly
SecRule REQUEST_URI|ARGS|QUERY_STRING "@contains attack" "id:100001,phase:1,t:lowercase,deny,status:403,msg:'Attack Detected'"
kind: ConfigMap
metadata:
annotations:
meta.helm.sh/release-name: nginx-ingress
meta.helm.sh/release-namespace: ingress-basic
creationTimestamp: "2023-01-20T11:31:53Z"
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: nginx-ingress
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.5.1
helm.sh/chart: ingress-nginx-4.4.2
name: nginx-ingress-ingress-nginx-controller
namespace: ingress-basic
resourceVersion: "200257665"
uid: e6ab9121-9a73-47e3-83ec-6c1fa19072ee
我期望以下的SecRule可以阻止包含URI或查询字符串中的attack
单词的请求,例如:
https://secrule.sample.com/api?task=attack
但它并没有生效。很明显,我的NGINX Ingress控制器的configMap定义中缺少了某些内容,但我不明白是什么。有什么线索吗?谢谢!
我想使用ModSecurity与NGINX Ingress控制器来阻止包含查询字符串中特定单词的传入请求。
英文:
I created the following configMap
for my NGINX ingress controller:
apiVersion: v1
data:
allow-snippet-annotations: "true"
enable-modsecurity: "true"
enable-owasp-modsecurity-crs: "true"
modsecurity-snippet: |-
SecRuleEngine On
SecRequestBodyAccess On
SecAuditLog /dev/stdout
SecAuditLogFormat JSON
SecAuditEngine RelevantOnly
SecRule REQUEST_URI|ARGS|QUERY_STRING "@contains attack" "id:100001,phase:1,t:lowercase,deny,status:403,msg:'Attack Detected'"
kind: ConfigMap
metadata:
annotations:
meta.helm.sh/release-name: nginx-ingress
meta.helm.sh/release-namespace: ingress-basic
creationTimestamp: "2023-01-20T11:31:53Z"
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: nginx-ingress
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.5.1
helm.sh/chart: ingress-nginx-4.4.2
name: nginx-ingress-ingress-nginx-controller
namespace: ingress-basic
resourceVersion: "200257665"
uid: e6ab9121-9a73-47e3-83ec-6c1fa19072ee
I would expect that following SecRule
SecRule REQUEST_URI|ARGS|QUERY_STRING "@contains attack" "id:100001,phase:1,t:lowercase,deny,status:403,msg:'Attack Detected'"
would block any request containing the word attack
in the URI or in the querystring, for example in:
https://secrule.sample.com/api?task=attack
But it doesn't. There is clearly something missing in the definition of the configMap of my NGINX ingress controller, but I don't understand what. Any clue? Thanks!
I'd like to use ModSecurity with an NGINX Ingress Controller to block incoming calls that contain a given word in the querystring.
答案1
得分: 1
I solved the issue by escaping quotes and double quotes of the SecRule in the configmap as follows:
SecRule REQUEST_URI|ARGS|QUERY_STRING \"@contains attack\" "id:100001,phase:1,t:lowercase,deny,status:403,msg:'Attack Detected'"
英文:
I solved the issue by escaping quotes and double quotes of the SecRule in the configmap as follows:
SecRule REQUEST_URI|ARGS|QUERY_STRING \"@contains attack\" \"id:100001,phase:1,t:lowercase,deny,status:403,msg:\'Attack Detected\'\"
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论