ModSecurity: removeWhitespace not working properly

Date: 2017-05-30 19:27:24

Tags: mod-security mod-security2

I have the following rule:

SecRule REQUEST_HEADERS:Client-IP "@ipMatchFromFile test.txt" \
    "id:210487,t:none,t:urlDecodeUni,t:removeWhitespace,drop,msg:'IP-test'"

But when I run it, this is what I get back:

T (0) urlDecodeUni: "111.22.33.44 " // note the space before the "
T (0) removeWhitespace: "111.22.33.44"  // perfect! The space has been removed
Transformation completed in 4 usec.
Executing operator "ipMatchFromFile" with param "test.txt" against REQUEST_HEADERS:Client-IP.
Target value: "111.22.33.44"  // target value has no space, hooray!
IPmatchFromFile: Total tree entries: 8, ipv4 8 ipv6 0
IPmatch: bad IPv4 specification "111.22.33.44 ".  // why, oh why, is the space back!
Operator completed in 4 usec.
Operator error: IPmatch: bad IPv4 specification "111.22.33.44 ".  // that space again!
Rule returned -1.
Rule processing failed.
Rule failed, not chained -> mode NEXT_RULE.

Stack Overflow legends, please tell me how to fix it :-)

1 answer:

Answer 0 (score: 1)

That should work, so it looks like a bug. Can't say I've honestly tried to match IP addresses that need transforming first.

Since it is not really an IP address, you could switch to using @pmFromFile instead of @ipMatchFromFile. Note that the documentation explicitly warns that you need to get the boundaries right here:

    Because this operator does not check for boundaries when matching, false positives are possible in some cases. For example, if you want to use @pm for IP address matching, the phrase 1.2.3.4 will potentially match more than one IP address (e.g., it will also match 1.2.3.40 or 1.2.3.41). To avoid false positives, you can use your own boundaries in phrases. For example, use /1.2.3.4/ instead of just 1.2.3.4. Then, in your rules, also add boundaries where appropriate. You will find a complete example in the example:

# Prepare custom REMOTE_ADDR variable 
SecAction "phase:1,id:168,nolog,pass,setvar:tx.REMOTE_ADDR=/%{REMOTE_ADDR}/"

# Check if REMOTE_ADDR is blacklisted 
SecRule TX:REMOTE_ADDR "@pmFromFile blacklist.txt" "phase:1,id:169,deny,msg:'Blacklisted IP address'" 
     

The file blacklist.txt might contain:

# ip-blacklist.txt contents:
# NOTE: All IPs must be prefixed/suffixed with "/" as the rules
#   will add in this character as a boundary to ensure
#   the entire IP is matched.
# SecAction "phase:1,id:170,pass,nolog,setvar:tx.remote_addr='/%{REMOTE_ADDR}/'"
/1.2.3.4/ 
/5.6.7.8/
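
To make the boundary point in the answer concrete, here is an added example (not code from the original post, the answer, or the ModSecurity project) that models the two ways of using a phrase match in Python: a naive @pm-style substring match on the bare address, and the bounded variant from the documentation, where both the phrase list and the checked value are wrapped in "/". The blacklist text is a constructed sample in the same format as the ip-blacklist.txt shown above, and load_phrases() applies the trimming and comment rules the ModSecurity reference documents for @pmFromFile (surrounding whitespace stripped, empty lines and lines starting with "#" ignored). The Client-IP value with the trailing space from the question is run through as well, to show that the boundary trick on its own does not deal with that: the wrapped value "/111.22.33.44 /" no longer matches, so the whitespace still has to be removed before the operator runs. The strip_whitespace switch models doing that with t:removeWhitespace on the TX variable; that step is my assumption about how you would combine the two, not something the answer states.

```python
"""Model of @pm / @pmFromFile matching semantics for IP blacklists.

Constructed example, not ModSecurity code. It reproduces:
  * why an unbounded phrase match on IP addresses gives false positives
    (1.2.3.4 is a substring of 1.2.3.40), and
  * how wrapping both the phrases and the checked value in '/' fixes it.
"""

# Constructed blacklist in the format of the documentation's ip-blacklist.txt.
# The trailing space on the first entry is deliberate: @pmFromFile trims
# whitespace from each line, and so does load_phrases().
BLACKLIST_TEXT = "\n".join([
    "# ip-blacklist.txt contents (constructed sample):",
    '# NOTE: All IPs must be prefixed/suffixed with "/".',
    "/1.2.3.4/ ",
    "/5.6.7.8/",
    "/111.22.33.44/",
    "",
])


def load_phrases(text):
    """Parse a phrase file the way @pmFromFile is documented to:
    one phrase per line, line endings and surrounding whitespace stripped,
    empty lines and lines beginning with '#' ignored."""
    phrases = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        phrases.append(line)
    return phrases


def pm_match(target, phrases):
    """@pm semantics: true if any phrase occurs anywhere in the target.
    (ModSecurity uses an Aho-Corasick automaton; the outcome is the same.)"""
    return any(phrase in target for phrase in phrases)


def blacklisted_unbounded(addr, phrases):
    """Naive variant: bare IPs in the list, bare address as the target.
    This is the false-positive-prone use the documentation warns about."""
    bare = [p.strip("/") for p in phrases]
    return pm_match(addr, bare)


def blacklisted_bounded(addr, phrases, strip_whitespace=False):
    """Documentation variant: setvar:tx.REMOTE_ADDR=/%{REMOTE_ADDR}/ with
    phrases stored as /a.b.c.d/. strip_whitespace models applying
    t:removeWhitespace to the target before the operator (assumed here as
    the way to handle the trailing space from the question)."""
    if strip_whitespace:
        addr = "".join(addr.split())
    wrapped = "/%s/" % addr
    return pm_match(wrapped, phrases)


def demo():
    """Run both variants over a listed IP, a near-miss, and the question's
    Client-IP value with its trailing space; return the results by name."""
    phrases = load_phrases(BLACKLIST_TEXT)
    return {
        "phrases": phrases,
        # exact entry: both variants must match
        "exact_unbounded": blacklisted_unbounded("1.2.3.4", phrases),
        "exact_bounded": blacklisted_bounded("1.2.3.4", phrases),
        # 1.2.3.40 is NOT listed; the unbounded match hits it anyway
        "fp_unbounded": blacklisted_unbounded("1.2.3.40", phrases),
        "fp_bounded": blacklisted_bounded("1.2.3.40", phrases),
        # the question's header value: boundaries alone break the match
        "space_bounded": blacklisted_bounded("111.22.33.44 ", phrases),
        "space_bounded_stripped": blacklisted_bounded(
            "111.22.33.44 ", phrases, strip_whitespace=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %r" % (key, value))
```

The fp_unbounded / fp_bounded pair is the documented false positive and its fix; the space_bounded pair shows why the original question's whitespace problem does not go away just by switching operators.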