ModSecurity SecRule用于在REQUEST_URI或QUERY_STRING中包含特定单词时阻止请求。

huangapple go评论62阅读模式
英文:

ModSecurity SecRule to block a request when it contains a given word in the REQUEST_URI or QUERY_STRING

问题

我为我的NGINX Ingress控制器创建了以下configMap

apiVersion: v1
data:
  allow-snippet-annotations: "true"
  enable-modsecurity: "true"
  enable-owasp-modsecurity-crs: "true"
  modsecurity-snippet: |-
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditLog /dev/stdout
    SecAuditLogFormat JSON
    SecAuditEngine RelevantOnly
    SecRule REQUEST_URI|ARGS|QUERY_STRING "@contains attack" "id:100001,phase:1,t:lowercase,deny,status:403,msg:'Attack Detected'"    
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: nginx-ingress
    meta.helm.sh/release-namespace: ingress-basic
  creationTimestamp: "2023-01-20T11:31:53Z"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: nginx-ingress
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.5.1
    helm.sh/chart: ingress-nginx-4.4.2
  name: nginx-ingress-ingress-nginx-controller
  namespace: ingress-basic
  resourceVersion: "200257665"
  uid: e6ab9121-9a73-47e3-83ec-6c1fa19072ee

我期望以下的SecRule可以阻止包含URI或查询字符串中的attack单词的请求,例如:

https://secrule.sample.com/api?task=attack

但它并没有生效。很明显,我的NGINX Ingress控制器的configMap定义中缺少了某些内容,但我不明白是什么。有什么线索吗?谢谢!

我想使用ModSecurity与NGINX Ingress控制器来阻止包含查询字符串中特定单词的传入请求。

英文:

I created the following configMap for my NGINX ingress controller:

apiVersion: v1
data:
  allow-snippet-annotations: "true"
  enable-modsecurity: "true"
  enable-owasp-modsecurity-crs: "true"
  modsecurity-snippet: |-
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditLog /dev/stdout
    SecAuditLogFormat JSON
    SecAuditEngine RelevantOnly
    SecRule REQUEST_URI|ARGS|QUERY_STRING "@contains attack" "id:100001,phase:1,t:lowercase,deny,status:403,msg:'Attack Detected'"
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: nginx-ingress
    meta.helm.sh/release-namespace: ingress-basic
  creationTimestamp: "2023-01-20T11:31:53Z"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: nginx-ingress
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.5.1
    helm.sh/chart: ingress-nginx-4.4.2
  name: nginx-ingress-ingress-nginx-controller
  namespace: ingress-basic
  resourceVersion: "200257665"
  uid: e6ab9121-9a73-47e3-83ec-6c1fa19072ee

I would expect that following SecRule

SecRule REQUEST_URI|ARGS|QUERY_STRING "@contains attack" "id:100001,phase:1,t:lowercase,deny,status:403,msg:'Attack Detected'"

would block any request containing the word attack in the URI or in the querystring, for example in:

https://secrule.sample.com/api?task=attack

But it doesn't. There is clearly something missing in the definition of the configMap of my NGINX ingress controller, but I don't understand what. Any clue? Thanks!

I'd like to use ModSecurity with an NGINX Ingress Controller to block incoming calls that contain a given word in the querystring.

答案1

得分: 1

I solved the issue by escaping quotes and double quotes of the SecRule in the configmap as follows:

SecRule REQUEST_URI|ARGS|QUERY_STRING \"@contains attack\" "id:100001,phase:1,t:lowercase,deny,status:403,msg:'Attack Detected'"
英文:

I solved the issue by escaping quotes and double quotes of the SecRule in the configmap as follows:

SecRule REQUEST_URI|ARGS|QUERY_STRING \"@contains attack\" \"id:100001,phase:1,t:lowercase,deny,status:403,msg:\'Attack Detected\'\"

huangapple
  • 本文由 发表于 2023年3月4日 00:55:19
  • 转载请务必保留本文链接:https://go.coder-hub.com/75629854.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定