I am running into the following error in the audit log of nginx 1.13.1 with ModSecurity 3.0 and the CRS rules:

    ---CKA3HSfa---A--
    [21/Sep/2017:23:54:24 -0400] 150605246494.910012 10.43.136.22 4311 10.43.136.22 80
    ---CKA3HSfa---B--
    POST /sp-portal/user_login.html HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Cache-Control: max-age=0
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
    Upgrade-Insecure-Requests: 1
    Referer: http://sib/
    Origin: http://sib
    Content-Length: 43
    Connection: keep-alive
    Host: sib
    Accept-Encoding: gzip, deflate
    Cookie: JSESSIONID=2C689169F4870B5C0ADCBD0B08C807EA
    Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
    ---CKA3HSfa---D--
    ---CKA3HSfa---F--
    HTTP/1.1 403
    Server: nginx/1.13.1
    Date: Fri, 22 Sep 2017 03:54:24 GMT
    Content-Length: 571
    Content-Type: text/html
    Connection: keep-alive
    ---CKA3HSfa---H--
    ModSecurity: Warning. Matched "Operator `Rx' with parameter `^%{tx.allowed_request_content_type}$' against variable `TX:0' (Value: `application/x-www-form-urlencoded' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "928"] [id "920420"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "application/x-www-form-urlencoded"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [ref "v0,4o0,33o0,33v302,33"]
    ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [ref ""]
    ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Request content type is not allowed by policy"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [ref ""]

I checked the file crs-setup.conf, and the configuration shows that it should be allowed:

    # Content-Types that a client is allowed to send in a request.
    # Default: application/x-www-form-urlencoded|multipart/form-data|text/xml|\
    # application/xml|application/soap+xml|application/x-amf|application/json|\
    # application/octet-stream|text/plain
    # Uncomment this rule to change the default.
    SecAction \
     "id:900220,\
      phase:1,\
      nolog,\
      pass,\
      t:none,\
      setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'"

Can anyone help?
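
As an added example that is not part of the original post: a small Python parser for the H section of the audit log above, separating the rule that raised the anomaly score from the rules that only evaluated it. The sample lines are abridged from the post; the function names and the `ANOMALY_SCORE` heuristic are assumptions of this example.

```python
import re

# H-section lines abridged from the audit log in the post (some fields dropped).
SAMPLE_H = """\
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^%{tx.allowed_request_content_type}$' against variable `TX:0' (Value: `application/x-www-form-urlencoded' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "928"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "application/x-www-form-urlencoded"] [severity "2"] [tag "attack-protocol"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Request content type is not allowed by policy"] [data ""] [severity "0"]
"""

MATCH_RE = re.compile(
    r"Operator `(?P<op>[^']+)' with parameter `(?P<param>.*?)' "
    r"against variable `(?P<var>[^']+)' \(Value: `(?P<value>.*?)' \)")
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_h_line(line):
    """Return one H-section message as a dict, or None if it is not a rule match."""
    m = MATCH_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["tags"] = []
    for key, val in FIELD_RE.findall(line):
        if key == "tag":
            rec["tags"].append(val)  # tags repeat, so keep them as a list
        else:
            rec[key] = val
    return rec

def triage(h_section):
    """Split matches into rules that raised the score and rules that only acted on it."""
    scoring, evaluation = [], []
    for line in h_section.splitlines():
        rec = parse_h_line(line)
        if rec is None:
            continue
        # Assumption of this example: a match against an *ANOMALY_SCORE variable
        # is the threshold check or the correlation summary, not a detection.
        if rec["var"].upper().endswith("ANOMALY_SCORE"):
            evaluation.append(rec)
        else:
            scoring.append(rec)
    return scoring, evaluation

if __name__ == "__main__":
    scoring, evaluation = triage(SAMPLE_H)
    for r in scoring:
        print(f'{r["id"]} {r["msg"]!r}: {r["var"]}={r["value"]!r}')
    print("evaluation only:", [r["id"] for r in evaluation])
```

On the log in the post, the only scoring match is 920420; 949110 and 980130 report the resulting total of 5.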