ModSecurity(mod_security) ã® Core Rule Set(CRS)ã‚’èªã¿è§£ãã€ãã®1:global_config, config】
Apache モジュールã§ã‚ã‚‹ ModSecurity*1 ã® Core Rule Set(CRS)*2ã¨ãªã£ã¦ã„ãŸã€‚
- 確èªã—ãŸãƒãƒ¼ã‚¸ãƒ§ãƒ³
- modsecurity-crs v2.0.2(2009å¹´10月2æ—¥ç¾åœ¨ï¼‰
CRS v2.0.2 ã® tar 玉をダウンãƒãƒ¼ãƒ‰ã—展開ã™ã‚‹ã¨ã€ä»¥ä¸‹ã®ã‚ˆã†ãªæ§‹æˆã¨ãªã£ã¦ã„る。解å‡ã—ãŸãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªç›´ä¸‹ã«ã‚ã‚‹ã€modsecurity_crs_10_global_config.conf 㨠modsecurity_crs_10_config.conf ã® 2 ã¤ã®ãƒ•ã‚¡ã‚¤ãƒ«ãŒã€ModSecurity全体ã®è¨å®šãƒ•ã‚¡ã‚¤ãƒ«ã¨ãªã‚‹ã€‚ã“ã®æ—¥è¨˜ã§ã¯ã€ã“ã® 2 ã¤ã® conf ファイルを ModSecurity Reference Manual*3 を基ã«èªã¿è§£ã„ã¦ã¿ã‚‹ã€‚
# tar xzvf modsecurity-crs_2.0.2.tar.gz # cd modsecurity-crs_2.0.2 # ls -1R .: CHANGELOG LICENSE README base_rules modsecurity_crs_10_config.conf modsecurity_crs_10_global_config.conf optional_rules util ./base_rules: modsecurity_40_generic_attacks.data modsecurity_41_sql_injection_attacks.data modsecurity_46_et_sql_injection.data modsecurity_46_et_web_rules.data modsecurity_50_outbound.data modsecurity_crs_20_protocol_violations.conf modsecurity_crs_21_protocol_anomalies.conf modsecurity_crs_23_request_limits.conf modsecurity_crs_30_http_policy.conf modsecurity_crs_35_bad_robots.conf modsecurity_crs_40_generic_attacks.conf modsecurity_crs_41_phpids_filters.conf modsecurity_crs_41_sql_injection_attacks.conf modsecurity_crs_41_xss_attacks.conf modsecurity_crs_45_trojans.conf modsecurity_crs_46_et_sql_injection.conf modsecurity_crs_46_et_web_rules.conf modsecurity_crs_47_common_exceptions.conf modsecurity_crs_48_local_exceptions.conf modsecurity_crs_49_enforcement.conf modsecurity_crs_50_outbound.conf modsecurity_crs_60_correlation.conf ./optional_rules: modsecurity_crs_20_protocol_violations.conf modsecurity_crs_21_protocol_anomalies.conf modsecurity_crs_40_generic_attacks.conf modsecurity_crs_42_comment_spam.conf modsecurity_crs_42_tight_security.conf modsecurity_crs_55_marketing.conf ./util: httpd-guardian.pl modsec-clamscan.pl runav.pl
modsecurity_crs_10_global_config.conf
ModSecurity 全体ã«é–¢é€£ã™ã‚‹è¨å®šãŒ 5 ã¤å®šç¾©ã•ã‚Œã¦ã„ãŸã€‚ã¡ãªã¿ã«ã“ã“ã§ã®è¨å®šå€¤ã¯ CRS ã®åˆæœŸå€¤ã§ã‚る。
### HTTP レスãƒãƒ³ã‚¹ã® Server ヘッダã®å¤‰æ›´ # åˆæœŸå€¤ã®ã¾ã¾ã ã¨ã€Server ヘッダãã®ã‚‚ã®ãŒå‡ºåŠ›ã•ã‚Œãªã„ # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N10BEE SecServerSignature " " ### ModSecurity 検知ルールã®ã‚·ã‚°ãƒãƒãƒ£ï¼ˆãƒ‡ãƒãƒƒã‚¯ç”¨ï¼‰ # ModSecurity ã® Audit Log ã«å‡ºåŠ›ã•ã‚Œã‚‹ # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N104DA SecComponentSignature "core ruleset/2.0.2" ### POST リクエストã§é€ä¿¡ã•ã‚ŒãŸ form データã®åˆ†å‰²æ–‡å—ã®å®šç¾© # 通常ã¯ã€Œ&ã€ãªã®ã§ã€ç‰¹ã«å¤‰æ›´ã™ã‚‹å¿…è¦ãªã— # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N101DE SecArgumentSeparator "&" ### initcol アクションã§å®šç¾©ã—ãŸãƒ‡ãƒ¼ã‚¿ã®ä¿å˜ãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã®å®šç¾© # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N10566 SecDataDir /tmp ### å¿…ãšå®Ÿè¡Œã•ã‚Œã‚‹ Action ã®å®šç¾© # Apache ㌠HTTP リクエストヘッダをèªã¿å–ã£ãŸæ®µéšŽã§å®Ÿè¡Œã•ã‚Œã‚‹ï¼ˆphase:1) # global, 変数 remote_addr ãŒä¿å˜ã•ã‚Œã‚‹ã‚‰ã—ã„ãŒã€ãƒ‰ã‚ュメントã«å¤§ã—ãŸæƒ…å ±ãŒãªã„㪠# initcol # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N11847 # SecAction # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N101AD SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
modsecurity_crs_10_config.conf
詳細ãªModSecurity ã«é–¢é€£ã™ã‚‹è¨å®šãŒ 24 定義ã•ã‚Œã¦ã„ãŸã€‚ã¡ãªã¿ã«ã“ã“ã§ã®è¨å®šå€¤ã¯ CRS ã®åˆæœŸå€¤ã§ã‚る。
## -- Configuration ---------------------------------------------------------- ### ModSecurity ã® Rule エンジンã®å‹•ä½œè¨å®š # On = Rule エンジンã®æœ‰åŠ¹åŒ– # Off = Rule エンジンã®ç„¡åŠ¹åŒ– # DetectionOnly = Rule エンジンã®æœ‰åŠ¹åŒ–(Request, Response ã® intercept ãªã—) # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N10AD4 SecRuleEngine On ### HTTP リクエスト・ボディ検査è¨å®š # ã“ã®è¨å®šã‚’有効ã«ã™ã‚‹ã“ã¨ã§ã€Rule ã«ã¦ POST_PAYLOADã€REQUEST_BODY 変数を指定ã§ãã‚‹ # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N107D5 SecRequestBodyAccess On ### HTTP レスãƒãƒ³ã‚¹ãƒ»ãƒœãƒ‡ã‚£æ¤œæŸ»è¨å®š # ã“ã®è¨å®šã‚’有効ã«ã™ã‚‹ã“ã¨ã§ã€Rule ã«ã¦ RESPONSE_BODY 変数を指定ã§ãã‚‹ # ãŸã ã—有効ã«ã—ãŸã¨ã—ã¦ã‚‚ã€ãƒãƒƒãƒ•ã‚¡ãƒªãƒ³ã‚°å¯¾è±¡ã§ã‚ã‚‹ã€SecResponseBodyMimeType 㧠# 指定ã—㟠MIME タイプã—ã‹ã€HTTP レスãƒãƒ³ã‚¹ãƒ»ãƒœãƒ‡ã‚£ã‚’検査ã§ããªã„ # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N1094B SecResponseBodyAccess On ### ãƒãƒƒãƒ•ã‚¡ãƒªãƒ³ã‚°ã™ã‚‹ HTTP レスãƒãƒ³ã‚¹ ã® MIME タイプã®æŒ‡å®š # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N108E4 SecResponseBodyMimeType (null) text/html text/plain text/xml ### ãƒãƒƒãƒ•ã‚¡ãƒªãƒ³ã‚°ã™ã‚‹ HTTP レスãƒãƒ³ã‚¹ã®ä¸Šé™ãƒã‚¤ãƒˆå€¤ # ã“ã®ä¸Šé™å€¤ä»¥ä¸Šã® HTTP レスãƒãƒ³ã‚¹ã‚’ãƒãƒƒãƒ•ã‚¡ãƒªãƒ³ã‚°ã—よã†ã¨ã™ã‚‹ã¨ã€ # SecResponseBodyLimitAction ã§æŒ‡å®šã—ãŸã‚¢ã‚¯ã‚·ãƒ§ãƒ³ã‚’実行ã™ã‚‹æ¨¡æ§˜ã€‚ # ãƒãƒ¼ãƒ‰ã‚¦ã‚§ã‚¢ã‚³ãƒ¼ãƒ‡ã‚£ãƒ³ã‚°ã«ã‚ˆã‚Šã€ä¸Šé™å€¤ã¯ 1GB。 # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N1088D SecResponseBodyLimit 524288 ### ãƒãƒƒãƒ•ã‚¡ãƒªãƒ³ã‚°ä¸Šé™å€¤ä»¥ä¸Šã® HTTP レスãƒãƒ³ã‚¹ã‚’å—ä¿¡ã—ãŸæ™‚ã®å‡¦ç† # Rejectã€ProcessPartial ã«é–¢ã—ã¦ã€ãƒ‰ã‚ュメントã«å¤§ã—ãŸè¨˜è¿°ãŒãªã„。 # SecResponseBodyLimitAction ã® description ã‚’èªã‚€é™ã‚Šã§ã¯ã€ä»¥ä¸‹ã¨æŽ¨æ¸¬ã€‚ # Reject = 500 Internal Server Error を発生ã•ã›ã€Reject ã™ã‚‹ # ProcessPartial = SecResponseBodyLimit ã§æŒ‡å®šã—ãŸå€¤ã¾ã§æ¤œæŸ»ã™ã‚‹ # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N108B9 SecResponseBodyLimitAction ProcessPartial ### HTTP リクエスト処ç†æ™‚ã«ãŠã‘ã‚‹ XML プãƒã‚»ãƒƒã‚µã®æœ‰åŠ¹åŒ– # Content-Type: text/xml ã®å ´åˆã®ã¿ã€XML プãƒã‚»ãƒƒã‚µã‚’有効ã«ã™ã‚‹ # åˆæœŸè¨å®šã§ã¯ã‚³ãƒ¡ãƒ³ãƒˆã‚¢ã‚¦ãƒˆã•ã‚Œã¦ã„ã‚‹ãŸã‚ã€ç„¡åŠ¹ # ctl # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N116EB #SecRule REQUEST_HEADERS:Content-Type "text/xml" \ #"phase:1,pass,nolog,ctl:requestBodyProcessor=XML" ### Rule ã®ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã‚¢ã‚¯ã‚·ãƒ§ãƒ³ã®è¨å®š # SecRule ã«ã¦ Action ãŒä½•ã‚‚定義ã•ã‚Œã¦ã„ãªã‹ã£ãŸå ´åˆã« # è¨å®šã•ã‚Œã‚‹ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã‚¢ã‚¯ã‚·ãƒ§ãƒ³ã®å®šç¾© # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N10610 SecDefaultAction "phase:2,pass" ## -- File uploads configuration ----------------------------------------------- ### intercept ã•ã‚ŒãŸãƒ•ã‚¡ã‚¤ãƒ«ã®ä¿å˜å…ˆãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã®å®šç¾© # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N10C3C SecUploadDir /tmp ### intercept ã—ãŸãƒ•ã‚¡ã‚¤ãƒ«å‰Šé™¤ã®å®šç¾© # ModSecurity 㧠HTTP トランザクションã®æ¤œæŸ»ãŒå®Œäº†ã—ãŸå¾Œã§ã€ # intercept ã—ãŸãƒ•ã‚¡ã‚¤ãƒ«ã‚’削除ã™ã‚‹ã‹å¦ã‹ã‚’定義ã™ã‚‹ # On = 削除ã—ãªã„ # Off = 削除ã™ã‚‹ # RelevantOnly = 関連ãªã—を判æ–ã•ã‚ŒãŸï¼ˆRule ã«ä¸€è‡´ã—ãªã„?)ファイルã®ã¿å‰Šé™¤ã™ã‚‹ # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N10C95 SecUploadKeepFiles Off ### アップãƒãƒ¼ãƒ‰ãƒ•ã‚¡ã‚¤ãƒ«ã®æ¤œæŸ» Rule # アップãƒãƒ¼ãƒ‰ã•ã‚ŒãŸãƒ•ã‚¡ã‚¤ãƒ«ã‚’外部スクリプトã§æ¤œæŸ»ã™ã‚‹ Rule # åˆæœŸè¨å®šã§ã¯ã‚³ãƒ¡ãƒ³ãƒˆã‚¢ã‚¦ãƒˆã•ã‚Œã¦ã„ã‚‹ãŸã‚ã€ç„¡åŠ¹ # inspectFile # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N11C5B # SecRule FILES_TMPNAMES "@inspectFile /opt/apache/bin/inspect_script.pl" \ # "t:none" ## -- Logging ---------------------------------------------------------------- ### ModSecurity audit logging engine ã®è¨å®š # audit log ã«è¨˜éŒ²ã™ã‚‹ HTTP トランザクションをè¨å®šã™ã‚‹ # On = ã™ã¹ã¦ã® HTTP トランザクションを audit log ã«è¨˜éŒ²ã™ã‚‹ # Off = ã™ã¹ã¦ã® HTTP トランザクションを audit log ã«è¨˜éŒ²ã—ãªã„ # RelevantOnly = è¦å‘Šã‚„エラーã¨ãªã£ãŸ HTTP トランザクションや # SecAuditLogRelevantStatus ã§å®šç¾©ã—㟠HTTP トランザクションã®ã¿ # audit log ã«è¨˜éŒ²ã™ã‚‹ # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N10213 SecAuditEngine RelevantOnly ### audit log を記録ã™ã‚‹ HTTP レスãƒãƒ³ã‚¹ãƒ»ã‚¹ãƒ†ãƒ¼ã‚¿ã‚¹ã®å®šç¾© # SecAuditEngine RelevantOnly ã®å ´åˆã€ã“ã“ã§å®šç¾©ã—㟠# ステータスコードã«åˆè‡´ã™ã‚‹ HTTP トランザクションã®ã¿ # audit log ã«è¨˜éŒ²ã™ã‚‹ # åˆæœŸå€¤ï¼š404 を除ã 4xxã€ãŠã‚ˆã³ 5xx # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N103B1 SecAuditLogRelevantStatus "^(?:5|4(?!04))" ### audit log ã®ä¿å˜å½¢å¼ã®å®šç¾© # Serial = ã™ã¹ã¦ã® audit log entry ã‚’ 1 ã¤ã®ãƒ•ã‚¡ã‚¤ãƒ«ã«ä¿å˜ã™ã‚‹ # Concurrent = audit log entry ã‚’ãã‚Œãžã‚Œåˆ¥ã®ãƒ•ã‚¡ã‚¤ãƒ«ã«ä¿å˜ã™ã‚‹ # SecAuditLogStorageDir ã«ã¦ã€ä¿å˜å…ˆãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã®æŒ‡å®šãŒå¿…è¦ # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N1040B SecAuditLogType Serial ### audit log ã®ãƒ¡ã‚¤ãƒ³ãƒ•ã‚¡ã‚¤ãƒ«ã®å®šç¾© # SecAuditLogType Serial ã®å ´åˆã€ã™ã¹ã¦ã® audit log ã®ä¿å˜å…ˆ # SecAuditLogType Concurrent ã®å ´åˆã€å„ファイル㮠Index æƒ…å ±ãŒä¿å˜ã•ã‚Œã‚‹æ¨¡æ§˜ # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N10260 SecAuditLog logs/modsec_audit.log ### audit log ã®ä¿å˜å…ˆãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã®å®šç¾© # SecAuditLogType Concurrent ã®å„ファイルをä¿å˜ã™ã‚‹ãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒª # åˆæœŸè¨å®šã§ã¯ã‚³ãƒ¡ãƒ³ãƒˆã‚¢ã‚¦ãƒˆã•ã‚Œã¦ã„ã‚‹ãŸã‚ã€ç„¡åŠ¹ # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N103E2 # SecAuditLogStorageDir logs/modsec_audit ### audit log entry ã®å®šç¾© # audit log ã«è¨˜éŒ²ã™ã‚‹ entry を定義ã™ã‚‹ã€‚ # å„ entry ã¯ã‚¢ãƒ«ãƒ•ã‚¡ãƒ™ãƒƒãƒˆã«å¯¾å¿œã—ã¦ã„る。 # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N1031E SecAuditLogParts "ABIFHKZ" ### パフォーマンス測定目的ã®ãƒã‚°ãƒ•ã‚¡ã‚¤ãƒ«ã®å®šç¾© # LogFormatã€CustomLog ã¯ãã‚Œãžã‚Œ Apache ã§å®šç¾©ã•ã‚Œã¦ã„るディレクティブ # http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/06-special_features.html # Performance measurement ã‚’å‚ç…§ # åˆæœŸè¨å®šã§ã¯ã‚³ãƒ¡ãƒ³ãƒˆã‚¢ã‚¦ãƒˆã•ã‚Œã¦ã„ã‚‹ãŸã‚ã€ç„¡åŠ¹ # # 以下ã€Apache HTTP サームãƒãƒ¼ã‚¸ãƒ§ãƒ³ 2.2 ã®ãƒ‰ã‚ュメント # LogFormat ディレクティブ # http://httpd.apache.org/docs/2.2/ja/mod/mod_log_config.html#logformat # CustomLog ディレクティブ # http://httpd.apache.org/docs/2.2/ja/mod/mod_log_config.html#customlog # # LogFormat "%V %h %t %{UNIQUE_ID}e \"%r\" %>s %X | %I %O | %<{mod_security-time1}n %<{mod_security-time2}n %<{mod_security-time3}n %D" mperformance # CustomLog logs/modsec_performance.log mperformance ## -- Tuning and debugging --------------------------------------------------- ### Cookie フォーマットã®å®šç¾© # 0: version 0 cookie(Netscape å½¢å¼) # 1: version 1(RFC2109 ã§å®šç¾©ã•ã‚Œã¦ã„ã‚‹ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã¨æŽ¨æ¸¬) # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N10530 SecCookieFormat 0 ### メモリã«ä¿å˜ã™ã‚‹ HTTP リクエストã®ä¸Šé™ãƒã‚¤ãƒˆå€¤ # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N10861 SecRequestBodyInMemoryLimit 131072 ### ModSecurity debug log ã®å®šç¾© # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N10589 SecDebugLog logs/modsec_debug.log ### ModSecurity debug log ã«è¨˜éŒ²ã™ã‚‹ãƒã‚°ãƒ¬ãƒ™ãƒ«ã®å®šç¾© # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N105B0 SecDebugLogLevel 3 ### 一時ファイルã®ä¿å˜å…ˆãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã®å®šç¾© # http://www.modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#N10C15 SecTmpDir /tmp
ã€åŽé›†ç”¨ãƒ¡ãƒ¼ãƒ«ã‚¢ãƒ‰ãƒ¬ã‚¹ã€‘:q1w2e3w2@gmail.com
