2017-03-28

A default ModSecurity install with the CRS rule set running on IIS 10.0 generates a lot of errors

I just installed ModSecurity on IIS 10.0 running on Windows 10. But even a "clean" install generates a lot of errors just by accessing the default IIS site.

Looking in eventvwr and issuing a single request, I get a total of 14 new errors for GET requests, localhost included.

Each event has the following description:

The description for Event ID 1 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Event data:

[client ] ModSecurity: IPmatch: bad IPv4 specification "". [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"] 

[client ] ModSecurity: Rule processing failed. [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"] 

[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"] 

[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"] 

[client ] ModSecurity: IPmatch: bad IPv4 specification "". [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"] 

[client ] ModSecurity: Rule processing failed. [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"] 

[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"] 

[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"] 

[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"] 

[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"] 

[client ] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/ip": Access is denied. [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"] 

[client ] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/global": Access is denied. [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"] 

[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.png"] [unique_id "18158513704000290823"] 

[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.png"] [unique_id "18158513704000290823"] 

What I did:

Installed ModSecurity v2.9.1 for IIS (MSI installer, 64-bit) and the Visual Studio 2013 runtime (vcredist).

Downloaded the OWASP ModSecurity Core Rule Set (CRS) from https://github.com/SpiderLabs/owasp-modsecurity-crs and put the folder in C:\Program Files\ModSecurity IIS. Renamed crs-setup.conf.example to crs-setup.conf.

In \rules I renamed REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to drop the .example suffix.

Modified modsecurity_iis.conf as follows:

Include modsecurity.conf 
Include modsecurity_crs_10_setup.conf 
Include owasp_crs\base_rules\*.conf 
#OWASP-Rules 
include owasp-modsecurity-crs/crs-setup.conf 
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf 
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf 
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf 
include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf 
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf 
include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf 
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf 
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf 
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf 
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf 
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf 
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf 
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf 
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf 
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf 
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf 
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf 
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf 
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf 
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf 
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf 
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf 
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf 
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf 
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf 

Restarted IIS and then checked the Event Viewer. Am I missing something, or is this normal behaviour?

Answer

About the description, I found this:

"This is just a warning. It's actually ModSecurity letting you know something about a given request. You can ignore the 'Windows description' of the event. Look at the content..."

https://github.com/SpiderLabs/ModSecurity/issues/877#issuecomment-267712103

1. Execution error - PCRE limits exceeded (-8): (null):

Modify the following values in modsecurity.conf:

SecPcreMatchLimit 500000 
SecPcreMatchLimitRecursion 500000 

Instead of reading the data from the event log, I started using the audit log instead. It can be enabled through modsecurity.conf. Set the format to JSON instead of Native to read the log file programmatically. Remember to give the IIS_IUSRS user access to the log folder and files.

# -- Audit log configuration ------------------------------------------------- 

# Log the transactions that are marked by a rule, as well as those that 
# trigger a server error (determined by a 5xx or 4xx, excluding 404, 
# level response status codes). 
# 

SecAuditLogFormat JSON 

SecAuditEngine RelevantOnly 
SecAuditLogRelevantStatus "^(?:5|4(?!04))" 

# Log everything we know about a transaction. 
SecAuditLogParts ABIJDEFHZ 

# Use a single file for logging. This is much easier to look at, but 
# assumes that you will use the audit log only occasionally. 
# 
SecAuditLogType Serial 
SecAuditLog c:\inetpub\logs\modsec_audit.log 

# Specify the path for concurrent audit logging. 
SecAuditLogStorageDir c:\inetpub\logs\
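Reading the JSON audit log programmatically, as the answer suggests: the script below is an added example (not from the original post and not part of ModSecurity or the CRS) that parses a serial JSON audit log and separates engine execution errors, such as the "PCRE limits exceeded" and "Failed to access DBM file" messages from the event log above, from real rule alerts. The sample log text is constructed inline; the field names it uses (transaction, request, response, audit_data.messages, audit_data.action) follow the ModSecurity 2.9.x JSON audit format, and the rule-id extraction only relies on the `[id "..."]` tag that appears in the messages.

```python
import json
import re
from collections import Counter

# Constructed sample, not a real capture: two transactions written back to back
# the way "SecAuditLogFormat JSON" plus "SecAuditLogType Serial" appends them.
# Field names follow the ModSecurity 2.9.x JSON audit format (an assumption of
# this example); the message texts reuse the wording seen in the event log.
SAMPLE_AUDIT_LOG = (
    '{"transaction":{"time":"28/Mar/2017:10:00:01 +0000",'
    '"transaction_id":"18158513704000290822","remote_address":"127.0.0.1",'
    '"remote_port":51234,"local_address":"127.0.0.1","local_port":80},'
    '"request":{"request_line":"GET /iisstart.htm HTTP/1.1",'
    '"headers":{"Host":"localhost"}},'
    '"response":{"protocol":"HTTP/1.1","status":200,"headers":{}},'
    '"audit_data":{"messages":['
    '"Rule 15448555590 [id \\"981172\\"][file \\"C:/Program Files/ModSecurity IIS/'
    'owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf\\"]'
    '[line \\"157\\"] - Execution error - PCRE limits exceeded (-8): (null).",'
    '"collections_remove_stale: Failed to access DBM file \\"C:/inetpub/temp/ip\\": '
    'Access is denied."'
    '],"engine_mode":"DETECTION_ONLY"}}\n'
    '{"transaction":{"time":"28/Mar/2017:10:00:02 +0000",'
    '"transaction_id":"18158513704000290823","remote_address":"127.0.0.1",'
    '"remote_port":51235,"local_address":"127.0.0.1","local_port":80},'
    '"request":{"request_line":"GET /?id=1%20OR%201=1 HTTP/1.1",'
    '"headers":{"Host":"localhost"}},'
    '"response":{"protocol":"HTTP/1.1","status":403,"headers":{}},'
    '"audit_data":{"messages":['
    '"Warning. detected SQLi using libinjection with fingerprint 1&1 '
    '[file \\"C:/Program Files/ModSecurity IIS/owasp-modsecurity-crs/rules/'
    'REQUEST-942-APPLICATION-ATTACK-SQLI.conf\\"] [line \\"90\\"] [id \\"942100\\"] '
    '[msg \\"SQL Injection Attack Detected via libinjection\\"] [severity \\"CRITICAL\\"]"'
    '],"action":{"intercepted":true,"phase":2,'
    '"message":"Access denied with code 403 (phase 2)."},"engine_mode":"ENABLED"}}\n'
)

RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')

# Messages where the engine is complaining about itself (regex limits, DBM
# permissions, a broken ipMatch list) rather than a rule matching the request.
ENGINE_ERROR_MARKERS = (
    "Execution error",
    "Rule processing failed",
    "Failed to access DBM file",
    "bad IPv4 specification",
)


def iter_audit_entries(text):
    """Yield each JSON object in a serial JSON audit log.

    Entries are concatenated (and may be pretty-printed), so decode them one at
    a time with raw_decode instead of assuming one object per line.
    """
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while True:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def classify_message(message):
    """Return 'engine_error' for engine failures, 'alert' for genuine rule hits."""
    if any(marker in message for marker in ENGINE_ERROR_MARKERS):
        return "engine_error"
    return "alert"


def rule_id(message):
    """Pull the rule id out of a message, or '(no id)' for messages without one."""
    match = RULE_ID_RE.search(message)
    return match.group(1) if match else "(no id)"


def summarize(text):
    """Count messages per rule id, split by class, and list intercepted requests."""
    summary = {
        "transactions": 0,
        "engine_error": Counter(),
        "alert": Counter(),
        "blocked": [],
    }
    for entry in iter_audit_entries(text):
        summary["transactions"] += 1
        audit = entry.get("audit_data", {})
        for message in audit.get("messages", []):
            summary[classify_message(message)][rule_id(message)] += 1
        if audit.get("action", {}).get("intercepted"):
            summary["blocked"].append((
                entry.get("transaction", {}).get("transaction_id"),
                entry.get("request", {}).get("request_line"),
            ))
    return summary


def summarize_file(path):
    """Summarize a real audit log, e.g. c:\\inetpub\\logs\\modsec_audit.log."""
    with open(path, encoding="utf-8") as fh:
        return summarize(fh.read())


if __name__ == "__main__":
    import sys
    result = summarize_file(sys.argv[1]) if len(sys.argv) > 1 else summarize(SAMPLE_AUDIT_LOG)
    print("transactions:", result["transactions"])
    print("engine errors by rule id:", dict(result["engine_error"]))
    print("alerts by rule id:", dict(result["alert"]))
    print("blocked:", result["blocked"])
```

Run it with the path to the audit log as its only argument (without one it summarizes the constructed sample). Keeping engine errors in their own bucket is the practical check after changing SecPcreMatchLimit and SecPcreMatchLimitRecursion: the -8 in "PCRE limits exceeded (-8)" is PCRE's PCRE_ERROR_MATCHLIMIT, so the 981172 and 981243 entries should drop out of the engine_error counter once the limits are raised, while the DBM "Access is denied" entries persist until IIS_IUSRS is granted access to C:\inetpub\temp.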