我在使用mod security 3.0和CRS规则的nginx 1.13.1的审计日志中遇到以下错误:
---CKA3HSfa---A--
[21/Sep/2017:23:54:24 -0400] 150605246494.910012 10.43.136.22 4311 10.43.136.22 80
---CKA3HSfa---B--
POST /sp-portal/user_login.html HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Upgrade-Insecure-Requests: 1
Referer: http://sib/
Origin: http://sib
Content-Length: 43
Connection: keep-alive
Host: sib
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=2C689169F4870B5C0ADCBD0B08C807EA
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
---CKA3HSfa---D--
---CKA3HSfa---F--
HTTP/1.1 403
Server: nginx/1.13.1
Date: Fri, 22 Sep 2017 03:54:24 GMT
Content-Length: 571
Content-Type: text/html
Connection: keep-alive
---CKA3HSfa---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^%{tx.allowed_request_content_type}$' against variable `TX:0' (Value: `application/x-www-form-urlencoded' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "928"] [id "920420"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "application/x-www-form-urlencoded"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [ref "v0,4o0,33o0,33v302,33"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Request content type is not allowed by policy"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [ref ""]
我检查了文件crs-setup.conf,配置显示应该允许:
331 # Content-Types that a client is allowed to send in a request.
332 # Default: application/x-www-form-urlencoded|multipart/form-data|text/xml|\
333 # application/xml|application/soap+xml|application/x-amf|application/json|\
334 # application/octet-stream|text/plain
335 # Uncomment this rule to change the default.
336 SecAction \
337 "id:900220,\
338 phase:1,\
339 nolog,\
340 pass,\
341 t:none,\
342 setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xm
l|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text
/plain'"
有人可以帮忙吗?