Question

我有一个可能需要最多发送1000个POST DATA个参数的大表单。有时它会触发来自OWASP Core rulset的规则960335的误报。我在modsecurity_crs_23_request_limits.conf中查看了该规则，但我无法弄清楚如何在该特定表单上设置更高的max_num_args。

在modsecurity_crs_60_customrules.conf中，我尝试过：

<LocationMatch "/form.php"> 

  SecRuleUpdateTargetById 960335 ARGS:"@gt %1000"

</LocationMatch>

但语法检查给了我这个错误

`Updating target by ID with no ruleset in this context`

谁能告诉我如何将max_num_args设置得更高？

此处的规则960335：

SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,block,
msg:'Too many arguments in request',id:'960335',
severity:'4',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',
accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"

SecRule &ARGS "@gt %{tx.max_num_args}" "t:none,setvar:'tx.msg=%{rule.msg}',
setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},
setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

Answer 1

这在modsecurity_crs_10_setup.conf文件中设置：

# -- Maximum number of arguments in request limited
SecAction \
  "id:'900006', \
  phase:1, \
  t:none, \
  setvar:tx.max_num_args=255, \
  nolog, \
  pass"

更新ModSecurity核心规则的争议

1 个答案: