[root@WEB conf]# cat modsecurity.conf
# -- Rule engine initialization ----------------------------------------------

SecRuleEngine DetectionOnly
# Rule engine mode. On: process rules and act on them; Off: do not process rules;
# DetectionOnly: process rules and log matches, but never interrupt the transaction.
# Note: a second SecRuleEngine directive near the end of this file overrides this value.

## -- Request body handling ---------------------------------------------------

# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On
# Whether ModSecurity buffers and processes request bodies by default.
# On: access the request body; Off: do not attempt to access it.
# Note: use this directive if you plan to inspect the POST payload. Inspecting a request
# body needs all three of: this directive, a rule in the "phase:2" processing phase, and
# the REQUEST_BODY variable/location. If any one of the three is missing, the request
# body cannot be inspected.

# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "(?:text|application)/xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

# Enable JSON request body parser.
# Initiate JSON Processor in case of JSON content-type; change accordingly
# if your application does not use 'application/json'
#
SecRule REQUEST_HEADERS:Content-Type "application/json" \
     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
#
SecRequestBodyLimit 134217728
# Maximum request body size (in bytes) that ModSecurity will buffer.
# Note: the default is 131072 KB (134217728 bytes). Anything above the limit is
# rejected with 413 Request Entity Too Large. There is also a hard limit of 1 GB.
SecRequestBodyNoFilesLimit 131072
# Maximum request body size that ModSecurity will buffer, not counting the files being
# uploaded in the request. This directive reduces the impact of denial-of-service attacks
# that use oversized requests. A web application that offers file uploads must set
# SecRequestBodyLimit to a large value; because large files are streamed straight to disk,
# they do not increase memory consumption. Someone could still abuse that large body limit
# by sending many large non-upload requests; this directive closes that gap.
# Note: the default is 1 MB (1048576 bytes). That value is dated; most applications should
# go down to 128 KB or lower. Anything above the limit is rejected with 413 Request Entity
# Too Large. There is also a hard limit of 1 GB.

# Store up to 128 KB of request body data in memory. When the multipart
# parser reaches this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#
SecRequestBodyInMemoryLimit 131072
# Maximum request body size ModSecurity keeps in memory. The default is 128 KB; at most
# 128 KB is held in memory.

# What to do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
SecRequestBodyLimitAction Reject
# What to do when a request exceeds SecRequestBodyLimit.
# Reject: reject the request; ProcessPartial: inspect only the first part of the request
# body and let the rest through. By default requests larger than the limit are rejected.

# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

# Did we see anything that might be a boundary?
#
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
SecPcreMatchLimit 1000
# Sets the match limit in the PCRE library.
SecPcreMatchLimitRecursion 1000
# Sets the match limit recursion in the PCRE library.

# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
        "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

## -- Response body handling --------------------------------------------------

# Allow ModSecurity to access response bodies.
# You should have this directive enabled in order to identify errors
# and data leakage issues.
#
# Do keep in mind that enabling this directive does increase both
# memory consumption and response latency.
#
SecResponseBodyAccess On
# Whether response bodies are buffered and analysed. On: access response bodies (only
# those whose MIME type is listed in SecResponseBodyMimeType); Off: do not attempt to
# access them.
# Note: use this directive if you plan to inspect HTML responses. Inspecting a response
# body needs all three of: this directive, a rule in the "phase:4" processing phase, and
# the RESPONSE_BODY variable/location. If any one of the three is missing, the response
# body cannot be inspected.

# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
# (e.g., images and archives).
#
SecResponseBodyMimeType text/plain text/html text/xml
# MIME types whose response bodies are buffered for inspection.

# Buffer response bodies of up to 512 KB in length.
SecResponseBodyLimit 524288
# Maximum response body size that will be buffered.
# Anything above the limit is rejected with 500 Internal Server Error. The limit does not
# apply to responses whose MIME type is not marked for buffering. There is also a hard
# limit of 1 GB.

# What happens when we encounter a response body larger than the configured
# limit? By default, we process what we have and let the rest through.
# That's somewhat less secure, but does not break any legitimate pages.
#
SecResponseBodyLimitAction ProcessPartial
# Controls what happens when SecResponseBodyLimit is reached. By default ModSecurity
# rejects responses longer than the configured limit, but some sites produce very long
# responses, which makes a sensible limit hard to choose; such sites would have to raise
# the limit a great deal, defeating its main purpose (controlling memory consumption). The
# alternative is to let the administrator choose to inspect only the first part of the
# response, the part that fits within the desired limit, and let the rest through. One
# could argue that letting part of a response through uninspected is a weakness. In theory
# that is true, but only where the attacker controls the output (so that it can be made
# arbitrarily long), and in that case the weakness cannot be prevented anyway: the attacker
# can compress, obfuscate or even encrypt the data before it is sent back, and so get it
# past any monitoring device.

## -- Filesystem configuration ------------------------------------------------

# The location where ModSecurity stores temporary files (for example, when
# it needs to handle a file upload that is larger than the configured limit).
#
# This default setting is chosen due to all systems have /tmp available however,
# this is less than ideal. It is recommended that you specify a location that's private.
#
SecTmpDir /tmp/
# Path where temporary files are created.
# The Apache user process must be able to write to it. This is also the location to which
# data is swapped out to disk when inspection runs out of memory (more data than
# SecRequestBodyInMemoryLimit allows).

# The location where ModSecurity will keep its persistent data. This default setting
# is chosen due to all systems have /tmp available however, it
# too should be updated to a place that other users can't access.
#
SecDataDir /tmp/
# Path where persistent data (IP address data, session data and so on) is stored.
# Note: initcol, setsid and setuid need this directive; the server user must be able to
# write to this directory.

## -- File uploads handling configuration -------------------------------------

# The location where ModSecurity stores intercepted uploaded files. This
# location must be private to ModSecurity. You don't want other users on
# the server to access the files, do you?
#
#SecUploadDir /opt/modsecurity/var/upload/
# Directory where intercepted files are stored.

# By default, only keep the files that were determined to be unusual
# in some way (by an external inspection script). For this to work you
# will also need at least one file inspection rule.
#
#SecUploadKeepFiles RelevantOnly
# Whether intercepted files are kept after the transaction has been processed.
# On: keep uploaded files; Off: do not keep uploaded files; RelevantOnly: keep only the
# files that a file inspection rule determined to be relevant.

# Uploaded files are by default created with permissions that do not allow
# any other user to access them. You may need to relax that if you want to
# interface ModSecurity to an external program (e.g., an anti-virus).
#
#SecUploadFileMode 0600
# Mode (permissions) of all uploaded files, as an octal number (as for chmod).

## -- Debug log configuration -------------------------------------------------

# The default debug log configuration is to duplicate the error, warning
# and notice messages from the error log.
#
SecDebugLog /var/log/security/debug.log
# Path of the ModSecurity debug log file.
SecDebugLogLevel 3
# Verbosity of the debug log.
# Note: messages at levels 1 to 3 are always also written to the Apache error log, so
# level 0 can be used as the default in production. The higher levels (up to 9) are for
# debugging; such verbose logging is not recommended in production, because excessive
# logging significantly reduces server performance.

## -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine RelevantOnly
# Whether the audit log engine is enabled. On: log all transactions; Off: log no
# transactions; RelevantOnly: log only transactions that triggered a warning or error (a
# rule match with the log action), or whose response status is one of those deliberately
# listed as relevant below.
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Which response status codes are considered relevant for the audit log.
# Note: SecAuditEngine must be set to RelevantOnly; the argument is a regular expression.
# The main purpose of this directive is to audit only the transactions that produce
# particular HTTP response status codes; it is usually used to reduce the overall size of
# the audit log. Keep in mind that with this setting a transaction is logged only when a
# rule marks it or when its status matches the expression: a successful attack that
# triggers no rule and returns 200 will not be recorded.

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ
# Which parts of each transaction are written to the audit log. Each part is identified by
# a single letter; when a letter appears in the list, the corresponding part of every
# transaction is logged. The full list follows.
# Note: at this time ModSecurity does not log Apache's built-in response content (for
# example 404 pages), nor the Server and Date response headers.
#A - audit log header (mandatory)
#B - request headers
#C - request body (present only if the request body exists and ModSecurity is configured
#    to intercept it)
#D - reserved for intermediary response headers; not implemented yet
#E - intermediary response body (present only if ModSecurity is configured to intercept
#    response bodies and the audit log engine is configured to record it). The
#    intermediary response body is the same as the actual response body unless
#    ModSecurity intercepts it, in which case the actual response body will contain the
#    error message (either the Apache default error message or the ErrorDocument page).
#F - final response headers (excluding the Date and Server headers, which are always
#    added by Apache in the late stage of content delivery)
#G - reserved for the actual response body; not implemented yet
#H - audit log trailer
#I - a replacement for part C. In all cases except when multipart/form-data encoding is
#    used, it records the same data as C; in that case it records a fake
#    application/x-www-form-urlencoded body containing information about the parameters
#    but not about the files. This is handy if you do not want to have (often large)
#    files stored in your audit logs.
#J - reserved. Once implemented, this part will contain information about the files
#    uploaded using multipart/form-data encoding.
#K - a full list of every rule that matched, one per line, in the order they were matched.
#    The rules are fully qualified and thus show inherited default actions and operators.
#    Supported as of 2.5.0.
#Z - final boundary, signifies the end of the entry (mandatory)

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only occasionally.
#
SecAuditLogType Serial
# Type of audit logging mechanism.
#Serial - all audit log entries are stored in the main audit log file. This is convenient
#    for casual use, but slow, because only one audit log entry can be written to the
#    file at any one time.
#Concurrent - audit log entries are stored in separate files, one per transaction. Use
#    Concurrent logging if you want to send audit log data to a remote ModSecurity
#    console host.
SecAuditLog /var/log/security/modsec_audit.log
# Path of the main audit log file.
SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/security
SecAuditLogType Concurrent
# Note: a directory mode of 0777 is world-writable, and audit log entries contain full
# requests (headers, cookies, POST bodies); the default of 0600 is the safer choice. Note
# also that this second SecAuditLogType directive overrides the Serial setting above, so
# this configuration actually logs in Concurrent mode.

# Specify the path for concurrent audit logging.
SecAuditLogStorageDir /var/log/security/audit/
# Directory in which audit log entries are stored in Concurrent mode (this directive
# overrides the SecAuditLogStorageDir given a few lines above).

## -- Miscellaneous -----------------------------------------------------------

# Use the most commonly used application/x-www-form-urlencoded parameter
# separator. There's probably only one application somewhere that uses
# something else so don't expect to change this value.
#
SecArgumentSeparator &
# The character used as the separator in application/x-www-form-urlencoded content. The
# default is &; in very rare cases an application uses a semicolon (;) instead.
# This directive is for backend web applications that use a non-standard parameter
# separator. If it is not set correctly for each such application, ModSecurity may not
# parse all parameters properly, and the effectiveness of rule matching may be
# significantly reduced.

# Settle on version 0 (zero) cookies, as that is what most applications
# use. Using an incorrect cookie version may open your installation to
# evasion attacks (against the rules that examine named cookies).
#
SecCookieFormat 0
# Cookie format used in the current configuration context.
#0 - version 0 (Netscape) cookies, which most applications use; this is the default
#1 - version 1 cookies

# Specify your Unicode Code Point.
# This mapping is used by the t:urlDecodeUni transformation function
# to properly map encoded data to your language. Properly setting
# these directives helps to reduce false positives and negatives.
#
SecUnicodeMapFile unicode.mapping 20127
# Path of the file the urlDecodeUni transformation function uses to map Unicode code
# points during normalisation, and the code point to use.

# Improve the quality of ModSecurity by sharing information about your
# current ModSecurity version and dependencies versions.
# The following information will be shared: ModSecurity version,
# Web Server version, APR version, PCRE version, Lua version, Libxml2
# version, Anonymous unique id for host.
SecStatusEngine On
# Controls the status reporting feature, which sends software version information to the
# ModSecurity project team using DNS-based reporting.

SecRuleEngine off
# Note: this overrides the SecRuleEngine DetectionOnly directive at the top of the file.
# As written, the rule engine is off and the CRS rules included below are not evaluated.
include waf/crs-setup.conf
#include waf/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include waf/rules/REQUEST-901-INITIALIZATION.conf
include waf/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include waf/rules/REQUEST-910-IP-REPUTATION.conf
include waf/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include waf/rules/REQUEST-912-DOS-PROTECTION.conf
include waf/rules/REQUEST-913-SCANNER-DETECTION.conf
include waf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include waf/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include waf/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include waf/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include waf/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include waf/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include waf/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include waf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include waf/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include waf/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include waf/rules/RESPONSE-950-DATA-LEAKAGES.conf
#include waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include waf/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include waf/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include waf/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include waf/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include waf/rules/RESPONSE-980-CORRELATION.conf
#include waf/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
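The request-body section above sets two limits that are easy to confuse: SecRequestBodyLimit is compared with the whole body, while SecRequestBodyNoFilesLimit is compared with the body minus the file parts of a multipart/form-data upload, which is why an upload site can keep the second value small. The following Python model of that decision is an added example, not code from the original post or from ModSecurity: the multipart splitting is a small re-implementation for illustration (not ModSecurity's parser), the request bodies are constructed by make_body(), and the limit values are the ones from the configuration above.

```python
"""Added example: how SecRequestBodyLimit and SecRequestBodyNoFilesLimit apply to a
multipart/form-data body. The multipart splitting is a simplified illustration, not
ModSecurity's own parser; the sample bodies are constructed for this example."""
import re

# Values from the configuration above.
SEC_REQUEST_BODY_LIMIT = 134217728        # whole body, 128 MB
SEC_REQUEST_BODY_NO_FILES_LIMIT = 131072  # body without file parts, 128 KB

BOUNDARY = "X-EXAMPLE-BOUNDARY"           # constructed boundary used by make_body()


def split_multipart(body: bytes, boundary: str):
    """Return (is_file, payload) per part; a part is a file if its headers carry filename=."""
    delimiter = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):           # closing delimiter "--boundary--"
            break
        header_blob, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        is_file = re.search(r'filename="', header_blob.decode("latin-1"), re.I) is not None
        parts.append((is_file, payload.rstrip(b"\r\n")))
    return parts


def request_body_decision(body: bytes, boundary: str, engine: str = "On",
                          action: str = "Reject",
                          limit: int = SEC_REQUEST_BODY_LIMIT,
                          no_files_limit: int = SEC_REQUEST_BODY_NO_FILES_LIMIT) -> str:
    """Return "process", "reject-413" or "partial" for one request body.

    As the shipped comment on SecRequestBodyLimitAction says, the action is forced to
    ProcessPartial while SecRuleEngine is DetectionOnly.
    """
    total = len(body)
    non_file = sum(len(p) for is_file, p in split_multipart(body, boundary) if not is_file)
    if engine == "DetectionOnly":
        action = "ProcessPartial"
    if total > limit or non_file > no_files_limit:
        return "partial" if action == "ProcessPartial" else "reject-413"
    return "process"


def make_body(text_field: bytes, file_bytes: bytes, boundary: str = BOUNDARY) -> bytes:
    """Build a constructed multipart/form-data body: one text field and one file part."""
    b = boundary.encode()
    return (b"--" + b + b"\r\n"
            b'Content-Disposition: form-data; name="comment"\r\n\r\n' + text_field + b"\r\n"
            b"--" + b + b"\r\n"
            b'Content-Disposition: form-data; name="upload"; filename="report.pdf"\r\n'
            b"Content-Type: application/pdf\r\n\r\n" + file_bytes + b"\r\n"
            b"--" + b + b"--\r\n")


if __name__ == "__main__":
    # A 1 MB file next to a tiny text field stays under both limits.
    print(request_body_decision(make_body(b"hello", b"A" * (1 << 20)), BOUNDARY))
    # 200 KB of non-file data exceeds SecRequestBodyNoFilesLimit: 413 in blocking
    # mode, ProcessPartial once the engine is in DetectionOnly.
    big_form = make_body(b"B" * 200000, b"x")
    print(request_body_decision(big_form, BOUNDARY))
    print(request_body_decision(big_form, BOUNDARY, engine="DetectionOnly"))
```

The second case is the one the NoFilesLimit comment is about: the total body is far below 128 MB, yet the request is still rejected, because the non-file data alone exceeds 128 KB.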
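The audit log section above chooses the Serial format, the parts ABIJDEFHZ and the relevant-status expression "^(?:5|4(?!04))". The reader below is an added example, not part of the original post and not ModSecurity's own code: it splits a Serial audit log at the "--boundary-LETTER--" markers, pulls out the fields an analyst looks at first, and applies the same status expression. The log excerpt is constructed for this example (rule ids 942100 and 941100 are CRS rule ids, but the messages and ids in the sample are made up to look like real entries).

```python
"""Added example: parse a ModSecurity Serial audit log (SecAuditLogType Serial) into
transactions keyed by SecAuditLogParts letter. The log excerpt is constructed for this
example; the parser is illustrative code, not ModSecurity's."""
import re

# Every part starts with "--<boundary>-<letter>--" on a line of its own.
PART_MARKER = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)
# SecAuditLogRelevantStatus "^(?:5|4(?!04))": 5xx and 4xx except 404.
RELEVANT_STATUS = re.compile(r"^(?:5|4(?!04))")
RULE_ID = re.compile(r'\[id "(\d+)"\]')

# Constructed sample: one blocked SQL injection probe (403) and one request that
# matched a rule but was only logged (200), as happens in DetectionOnly mode.
SAMPLE_AUDIT_LOG = """\
--58ad7f3c-A--
[22/Feb/2017:10:11:12 +0800] WK0UsH8AAQEAAAZ7AbEAAAAA 10.0.0.5 41234 10.0.0.1 80
--58ad7f3c-B--
GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1
Host: www.example.test
User-Agent: curl/7.52.1

--58ad7f3c-F--
HTTP/1.1 403 Forbidden
Content-Length: 199
Content-Type: text/html; charset=iso-8859-1

--58ad7f3c-H--
Message: Access denied with code 403 (phase 2). detected SQLi using libinjection with fingerprint 's&1' [file "waf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"

--58ad7f3c-Z--

--58ad8b12-A--
[22/Feb/2017:10:12:40 +0800] WK0VCH8AAQEAAAZ7AbIAAAAA 10.0.0.5 41240 10.0.0.1 80
--58ad8b12-B--
GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1
Host: www.example.test

--58ad8b12-F--
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8

--58ad8b12-H--
Message: Warning. detected XSS using libinjection. [file "waf/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "57"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"]
Engine-Mode: "DETECTION_ONLY"

--58ad8b12-Z--
"""


def parse_serial_audit_log(text):
    """Split a Serial audit log into entries: {"boundary": ..., "parts": {letter: text}}."""
    markers = list(PART_MARKER.finditer(text))
    transactions, current = [], None
    for i, m in enumerate(markers):
        boundary, letter = m.group(1), m.group(2)
        end = markers[i + 1].start() if i + 1 < len(markers) else len(text)
        body = text[m.end():end].strip("\r\n")
        if letter == "A":                     # A opens an entry, Z closes it
            current = {"boundary": boundary, "parts": {}}
            transactions.append(current)
        if current is None or current["boundary"] != boundary:
            raise ValueError(f"part {letter} of {boundary} lies outside its A..Z entry")
        current["parts"][letter] = body
    return transactions


def summarize(transaction):
    """Extract the fields an analyst looks at first from one parsed entry."""
    parts = transaction["parts"]
    # Part A: "[timestamp tz] unique_id src_ip src_port dst_ip dst_port"
    a_fields = parts["A"].split()
    request_line = parts["B"].splitlines()[0] if parts.get("B") else ""
    status = parts["F"].splitlines()[0].split()[1] if parts.get("F") else None
    trailer = parts.get("H", "")
    return {
        "unique_id": a_fields[2],
        "client": a_fields[3],
        "request": request_line,
        "status": status,
        "rule_ids": RULE_ID.findall(trailer),
        "intercepted": "Action: Intercepted" in trailer,
        "relevant_status": bool(status and RELEVANT_STATUS.match(status)),
    }


def status_is_relevant(status):
    """True when SecAuditLogRelevantStatus alone would make the audit engine keep the entry."""
    return RELEVANT_STATUS.match(status) is not None


if __name__ == "__main__":
    for tx in parse_serial_audit_log(SAMPLE_AUDIT_LOG):
        print(summarize(tx))
```

The second entry shows the point made under SecAuditLogRelevantStatus: its status (200) does not match the expression, and it is in the log only because rule 941100 marked the transaction. A request that matches no rule and returns 200 would never appear, whatever the status expression says.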
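The file above sets SecRuleEngine, SecAuditLogType and SecAuditLogStorageDir twice, and in each case the later directive wins, so the running configuration is not the one the first lines suggest. The checker below is an added example, not code from the original post or from the ModSecurity project: it joins continuation lines, reports repeated single-valued directives with the value that actually takes effect, and flags a few settings that the shipped comments themselves warn about (a /tmp data directory, bodies not inspected, the engine switched off, world-accessible audit log modes). The finding names and the directive list are this example's own choices; SAMPLE_CONF is a constructed excerpt of the configuration above.

```python
"""Added example: a small lint for modsecurity.conf. Joins backslash continuation
lines, reports repeated single-valued directives (the later one wins) and flags a few
settings the shipped comments warn about. Finding names are this example's own."""
import re

DIRECTIVE = re.compile(r"^\s*(Sec[A-Za-z]+)\s+(.*?)\s*$")

# Directives for which only the last occurrence takes effect (this example's list).
SINGLE_VALUED = {
    "SecRuleEngine", "SecRequestBodyAccess", "SecResponseBodyAccess",
    "SecRequestBodyLimit", "SecRequestBodyNoFilesLimit", "SecResponseBodyLimit",
    "SecTmpDir", "SecDataDir", "SecUploadDir", "SecAuditEngine", "SecAuditLog",
    "SecAuditLogType", "SecAuditLogStorageDir", "SecAuditLogDirMode",
    "SecAuditLogFileMode", "SecUploadFileMode",
}

# Constructed excerpt of the configuration above (same directives, comments dropped).
SAMPLE_CONF = """\
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecRule REQBODY_ERROR "!@eq 0" \\
    "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.'"
SecTmpDir /tmp/
SecDataDir /tmp/
SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog /var/log/security/modsec_audit.log
SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/security
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/security/audit/
SecRuleEngine off
include waf/crs-setup.conf
"""


def parse_directives(conf_text):
    """Yield (line_no, name, value) for each Sec* directive; '\\'-continued lines are joined."""
    pending, start = "", 0
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.rstrip()
        if not pending:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = line_no
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        full, pending = pending + line, ""
        m = DIRECTIVE.match(full)
        if m:
            yield start, m.group(1), m.group(2)


def lint(conf_text):
    """Return (findings, effective): findings are (line, directive, code, detail) tuples,
    effective maps each single-valued directive to the value that is actually in force."""
    findings, seen = [], {}
    for line_no, name, value in parse_directives(conf_text):
        if name in SINGLE_VALUED:
            if name in seen:
                prev_line, prev_value = seen[name]
                findings.append((line_no, name, "duplicate",
                                 f"overrides line {prev_line} ({prev_value!r} -> {value!r})"))
            seen[name] = (line_no, value)
    effective = {name: value for name, (_, value) in seen.items()}

    for name, (line_no, value) in seen.items():
        if name == "SecRuleEngine" and value.lower() == "off":
            findings.append((line_no, name, "engine-off", "no rules are evaluated"))
        elif name in ("SecRequestBodyAccess", "SecResponseBodyAccess") and value.lower() == "off":
            findings.append((line_no, name, "body-not-inspected", "bodies are invisible to rules"))
        elif name in ("SecTmpDir", "SecDataDir", "SecUploadDir") and value.startswith("/tmp"):
            findings.append((line_no, name, "shared-tmp", "use a directory private to the server user"))
        elif name.endswith("Mode"):
            try:
                mode = int(value, 8)
            except ValueError:
                findings.append((line_no, name, "bad-mode", f"{value!r} is not an octal mode"))
                continue
            if mode & 0o007:                  # any permission bit for "other"
                findings.append((line_no, name, "world-accessible",
                                 f"{value} grants access to every local user"))
    return findings, effective


if __name__ == "__main__":
    found, in_force = lint(SAMPLE_CONF)
    for line_no, name, code, detail in sorted(found):
        print(f"line {line_no:>3} {name:<24} {code:<18} {detail}")
    print("effective SecRuleEngine:", in_force["SecRuleEngine"])
```

Run against the sample, it reports the three duplicates, the engine being off once the last SecRuleEngine line is taken into account, the two /tmp directories and the 0777 directory mode; SecAuditLogFileMode 0550 passes the "other" check because it grants nothing to other users.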
Reference: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
Reference document: http://pan.baidu.com/s/1i59JQGP (password: 1ukx)
Source: Byrd's Weblog - https://note.t4x.org/other/modsecurity-config/
Notice: unless otherwise stated, all content on Byrd's Blog is original; reproduction without permission is prohibited. See the copyright notice for details.