반응형
mod_security 작업
2014/11/21
* ip로 url 접속 시 로그
======================================
--791ac16f-H--
Message: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "221.141.3.7"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"]
Action: Intercepted (phase 2)
Stopwatch: 1416557483968900 811 (- - -)
Stopwatch2: 1416557483968900 811; combined=346, p1=211, p2=98, p3=0, p4=0, p5=37, sr=46, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.7 (Unix) PHP/5.5.9
Engine-Mode: "ENABLED"
Message: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "221.141.3.7"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"]
Action: Intercepted (phase 2)
Stopwatch: 1416557483968900 811 (- - -)
Stopwatch2: 1416557483968900 811; combined=346, p1=211, p2=98, p3=0, p4=0, p5=37, sr=46, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.7 (Unix) PHP/5.5.9
Engine-Mode: "ENABLED"
====================================
# vi /usr/local/apache/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf
98번 라인 -> block -> allow 로 변경
=======================================
2015/01/20
/usr/local/apache/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
159라인 주석처리
#SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){4,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981173',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'8',msg:'Restricted
SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.ano
maly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.ano
maly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
반응형
'OS' 카테고리의 다른 글
| 리눅스에서 디스크 HDD / SSD 인지 확인 하는 방법 (0) | 2017.01.13 |
|---|---|
| ldf 로그 파일 축소 - 용량 정리 (0) | 2016.07.05 |
| sfc - 시스템 검색 명령어 (0) | 2016.06.27 |
| apache mod_unique_id module 추가 (0) | 2016.01.02 |
| [에러메세지] - ModSecurity requires mod_unique_id to be installed (0) | 2016.01.02 |