Awesome
Name
openwaf_rule_engine是OPENWAF的规则引擎
Table of Contents
- Name
- Version
- Synopsis
- Description
- Community
- Bugs and Patches
- Changes
- Modules Configuration Directives
- Rule Directives
- Variables
- Transformation Functions
- Operators
- Others
Version
This document describes OpenWAF Rule Engine v0.0.1.161026_beta released on 26 Oct 2016.
Synopsis
Description
规则引擎的启发来自modsecurity及freewaf(lua-resty-waf),将ModSecurity的规则机制用lua实现。基于规则引擎可以进行协议规范,自动工具,注入攻击,跨站攻击,信息泄露,异常请求等安全防护,支持动态添加规则,及时修补漏洞。
Community
English Mailing List
The OpenWAF-en mailing list is for English speakers.
Chinese Mailing List
The OpenWAF-cn mailing list is for Chinese speakers.
Personal QQ Mail
Bugs and Patches
Please submit bug reports, wishlists, or patches by
- creating a ticket on the GitHub Issue Tracker,
- or posting to the TWAF community.
Changes
Modules Configuration Directives
"twaf_secrules":{
"state": true, -- 总开关
"reqbody_state": true, -- 请求体检测开关
"header_filter_state": true, -- 响应头检测开关
"body_filter_state": true, -- 响应体检测开关
"system_rules_state": true, -- 系统规则集检测开关
"reqbody_limit":134217728, -- 请求体检测阈值,大于阈值不检测
"respbody_limit":524288, -- 响应体检测阈值,大于阈值不检测
"pre_path": "/opt/OpenWAF/", -- OpenWAF安装路径
"path": "lib/twaf/inc/knowledge_db/twrules", -- 特征规则库在OpenWAF中的路径
"user_defined_rules":[ ], -- 用户自定义规则,数组
"rules_id":{ -- 特征排除
"111112": [{"REMOTE_HOST":"a.com", "URI":"^/ab"}], -- 匹配中数组中信息则对应规则失效,数组中key为变量名称,值支持正则
"111113": {}, -- 特征未被排除
"111114": [{}] -- 特征被无条件排除
}
}
state
syntax: state true|false
default: true
context: twaf_secrules
规则引擎总开关
reqbody_state
syntax: reqbody_state true|false
default: true
context: twaf_secrules
请求体检测开关
header_filter_state
syntax: header_filter_state true|false
default: true
context: twaf_secrules
响应头检测开关
body_filter_state
syntax: body_filter_state true|false
default: false
context: twaf_secrules
响应体检测开关,默认关闭,若开启需添加第三方模块[ngx_http_twaf_header_sent_filter_module暂未开源]
system_rules_state
syntax: system_rules_state true|false
default: true
context: twaf_secrules
系统规则集检测开关
lib/twaf/inc/knowledge_db/twrules 目录下的规则,都是系统规则
除了系统规则外,还有 twaf_secrules 模块下 user_defined_rules 的用户自定义规则
系统规则一般很少改动,而用户自定义规则却随着业务而增减,如动态配置缓存、压缩、时域控制和黑白名单等。
reqbody_limit
syntax: reqbody_limit number
default: 134217728
context: twaf_secrules
请求体检测大小上限,默认134217728B(128MB),若请求体超过设置上限,则不检测
PS:reqbody_limit值要小于nginx中client_body_buffer_size的值才会生效
respbody_limit
syntax: respbody_limit number
default: 134217728
context: twaf_secrules
响应体检测大小上限,默认134217728B(128MB),若响应体大小超过设置上限,则不检测
pre_path
syntax: pre_path string
default: /opt/OpenWAF/
context: twaf_secrules
OpenWAF的安装路径
path
syntax: path string
default: lib/twaf/inc/knowledge_db/twrules
context: twaf_secrules
特征规则库在OpenWAF中的路径
user_defined_rules
syntax: user_defined_rules <array>
default: []
context: twaf_secrules
策略下的用户自定义特征规则
先执行用户自定义规则,再执行系统规则
系统特征规则适用于所有的策略,在引擎启动时通过加载特征库或通过 API 加载系统特征规则,系统特征规则一般不会动态更改
用户自定义特征在策略下生效,一般用于变动较大的特征规则,如:时域控制,修改响应头等临时性规则
"user_defined_rules":[
{
"id": "1000001",
"release_version": "858",
"charactor_version": "001",
"disable": false,
"opts": {
"nolog": false
},
"phase": "access",
"action": "deny",
"meta": 403,
"severity": "high",
"rule_name": "relative time",
"desc": "周一至周五的8点至18点,禁止访问/test目录",
"match": [{
"vars": [{
"var": "URI"
}],
"operator": "begins_with",
"pattern": "/test"
},
{
"vars": [{
"var": "TIME_WDAY"
}],
"operator": "equal",
"pattern": ["1", "2", "3", "4", "5"]
},
{
"vars": [{
"var": "TIME"
}],
"operator": "str_range",
"pattern": ["08:00:00-18:00:00"]
}]
},
{
"id": "1000002",
"release_version": "858",
"charactor_version": "001",
"disable": false,
"opts": {
"nolog": false
},
"phase": "access",
"action": "deny",
"meta": 403,
"severity": "high",
"rule_name": "iputil",
"desc": "某ip段内不许访问",
"match": [{
"vars": [{
"var": "REMOTE_ADDR"
}],
"operator": "ip_utils",
"pattern": ["1.1.1.0/24","2.2.2.2-2.2.20.2"]
}]
}
]
rules_id
syntax: rules_id table
default: none
context: twaf_secrules
用于排除特征
Rule Directives
-- lua格式
{
id = "xxxxxx", -- ID标识(唯一),string类型
release_version = "858", -- 特征库版本,string类型
charactor_version = "001", -- 特征规则版本,string类型
severity = "low", -- 严重等级,OPENWAF中使用"low","medium","high"等,string类型
rule_name = "test", -- 特征名称,string类型
disable = false, -- 禁用此规则,boolean类型
opts = { -- 其余动作
nolog = false, -- 不记日志,true or false,默认false
add_resp_headers = { -- 自定义响应头
key_xxx = "value_xxx" -- 响应头名称 = 响应头值
}
setvar = {{ -- 设置变量,数组
column = "test", -- 变量的一级key,如:TX,session等,string类型
key = "test", -- 变量的二级key,如:score, id等,string类型
incr = true, -- 同modsec中的=+操作, true or false,默认false
value = 5, -- 变量值,number类型
time = 3000 -- 超时时间(ms),number类型
}}
},
phase = "test", -- 执行阶段("access","header_filter","body_filter"),支持数组和字符串
action = "test", -- 动作,ALLOW,DENY等,string类型
desc = "test", -- 描述语句
tags = {"test1", "test2"}, -- 标签
match = { -- 数组,match之间是“与”的关系,相当于modsecurity的action中chain的功能
{
vars = {{ -- 数组,或的关系,取代modsec中的"|",处理多个变量,
var = "test", -- 变量名称,string类型
parse = { -- 对变量的解析,下面的操作只能出现一种
specific = "test", -- 具体化,取代modsec中的":",支持数组,TODO:支持正则,如modsec的"/ /",支持字符串和数组
ignore = "test", -- 忽略某个值,取代modsec中的"!",TODO:支持正则,如modsec的"/ /",支持字符串和数组
keys = true, -- 取出所有的key
values = true, -- 取出所有的value
all = true -- 取出所有的key和value
}
}},
transform = "test", -- 转换操作,支持字符串和数组
operator = "test", -- 操作,string类型
pattern = "test", -- 操作参数,支持boolean、number、字符串和数组
parse_pattern = true|false, -- 是否解析pattern参数(目前不支持与pf组合),如pattern参数为"%{TX.1}"
pf = "file_path", -- 操作参数,文件路径
op_negated = true -- 操作取反,true or false,默认false
},
{match_info2},
{match_info3},
....
}
}
--json格式
{
"id": "xxxxxx",
"release_version": "858",
"charactor_version": "001",
"severity": "test",
"rule_name": "test",
"disable": false,
"opts": {
"nolog": false,
"add_resp_headers": {
"key_xxx": "value_xxx"
},
"setvar": [{
"column":"test",
"key":"test",
"incr": true,
"value": 5,
"time":3000
}]
},
"phase": "test",
"action": "test",
"desc": "test",
"tags": ["test1", "test2"]
"match": [
{
"vars": [{
"var": "test",
"storage": true,
"phase": "test",
"parse": {
"specific": "test",
"ignore": "test",
"keys": true,
"values": "test",
"all": "test"
}
}],
"transform": "test",
"operator": "test",
"pattern": "test",
"parse_pattern": true|false,
"pf": "file_path",
"op_negated": true
},
{"match_info2"},
{"match_info3"},
...
]
}
Variables
- ARGS
- ARGS_COMBINED_SIZE
- ARGS_GET
- ARGS_GET_NAMES
- ARGS_NAMES
- ARGS_POST
- ARGS_POST_NAMES
- BYTES_IN
- CONNECTION_REQUESTS
- DURATION
- FILES
- FILES_NAMES
- GEO
- GEO_CODE3
- GEO_CODE3
- GEO_ID
- GEO_CONTINENT
- GEO_NAME
- GZIP_RATIO
- HTTP_COOKIE
- HTTP_HOST
- HTTP_REFERER
- HTTP_USER_AGENT
- IP_VERSION
- MATCHED_VAR
- MATCHED_VARS
- MATCHED_VAR_NAME
- MATCHED_VARS_NAMES
- ORIGINAL_DST_ADDR
- ORIGINAL_DST_PORT
- POLICYID
- QUERY_STRING
- RAW_HEADER
- RAW_HEADER_TRUE
- REMOTE_ADDR
- REMOTE_HOST
- REMOTE_PORT
- REMOTE_USER
- REQUEST_BASENAME
- REQUEST_BODY
- REQUEST_COOKIES
- REQUEST_COOKIES_NAMES
- REQUEST_FILENAME
- REQUEST_HEADERS
- REQUEST_HEADERS_NAMES
- REQUEST_LINE
- REQUEST_METHOD
- REQUEST_PROTOCOL
- HTTP_VERSION
- URI
- URL
- REQUEST_URI
- RESPONSE_BODY
- RESPONSE_HEADERS
- RESPONSE_STATUS
- SCHEME
- SERVER_ADDR
- SERVER_NAME
- SERVER_PORT
- SESSION
- SESSION_DATA
- TIME
- TIME_DAY
- TIME_EPOCH
- TIME_HOUR
- TIME_MIN
- TIME_MON
- TIME_SEC
- TIME_WDAY
- TIME_YEAR
- TIME_LOCAL
- TX
- UNIQUE_ID
- UPSTREAM_CACHE_STATUS
- USERID
ARGS
table类型,所有的请求参数,包含ARGS_GET和ARGS_POST
例如:POST http://www.baidu.com?name=miracle&age=5
请求体为:time=123456&day=365
ARGS变量值为{"name": "miracle", "age": "5", "time": "123456", "day": "365"}
ARGS_COMBINED_SIZE
number类型,请求参数总长度,只包含key和value的长度,不包含'&'或'='等符号
例如:GET http://www.baidu.com?name=miracle&age=5
ARGS_COMBINED_SIZE变量值为15,而不是18
ARGS_GET
table类型,querystring参数
例如:GET http://www.baidu.com?name=miracle&age=5
ARGS_GET变量值为{"name": "miracle", "age": "5"}
ARGS_GET_NAMES
table类型,querystring参数key值
例如:GET http://www.baidu.com?name=miracle&age=5
ARGS_GET_NAMES变量值为["name", "age"]
ARGS_NAMES
table类型,querystring参数key值及post参数key值
例如:POST http://www.baidu.com?name=miracle&age=5
请求体为:time=123456&day=365
ARGS_NAMES变量值为["name", "age", "time", "day"]
ARGS_POST
table类型,POST参数
例如:
POST http://www.baidu.com/login.html
请求体为:time=123456&day=365
ARGS_POST变量值为{"time": "123456", "day": "365"}
ARGS_POST_NAMES
table类型,POST参数key值
例如:
POST http://www.baidu.com/login.html
请求体为:time=123456&day=365
ARGS_POST_NAMES变量值为["time", "day"]
BYTES_IN
number类型,接收信息字节数
CONNECTION_REQUESTS
number类型,当前连接中的请求数
DURATION
string类型,处理事务用时时间,单位秒(s)
FILES
table类型,从请求体中得到的原始文件名(带有文件后缀名)
FILES_NAMES
table类型,上传文件名称(不带有后缀名)
GEO
table类型,包含code3,code,id,continent,name等字段信息
GEO_CODE3
string类型,3个字母长度的国家缩写
GEO_CODE
string类型,2个字母长度的国家缩写
GEO_ID
number类型,国家ID
GEO_CONTINENT
string类型,国家所在大洲
GEO_NAME
string类型,国家全称
GZIP_RATIO
string类型,压缩比率
HTTP_COOKIE
string类型,请求头中的cookie字段
HTTP_HOST
string类型,请求头中的host字段值,既域名:端口(80缺省)
HTTP_REFERER
string类型,请求头中的referer字段
HTTP_USER_AGENT
string类型,请求头中的user-agent字段
IP_VERSION
string类型,IPv4 or IPv6
MATCHED_VAR
类型不定,当前匹配中的变量
MATCHED_VARS
table类型,单条规则匹配中的所有变量
MATCHED_VAR_NAME
string类型,当前匹配中的变量名称
MATCHED_VARS_NAMES
table类型,单条规则匹配中的所有变量名称
ORIGINAL_DST_ADDR
string类型,服务器地址,应用代理模式为WAF地址,透明模式为后端服务器地址
ORIGINAL_DST_PORT
string类型,服务器端口号,应用代理模式为WAF端口号,透明模式为后端服务器端口号
POLICYID
string类型,策略ID
QUERY_STRING
string类型,未解码的请求参数
RAW_HEADER
string类型,请求头信息,带请求行
RAW_HEADER_TRUE
string类型,请求头信息,不带请求行
REMOTE_ADDR
string类型,客户端地址
REMOTE_HOST
string类型,域名
REMOTE_PORT
number类型,端口号
REMOTE_USER
string类型,用于身份验证的用户名
REQUEST_BASENAME
string类型,请求的文件名
例如: GET http://www.baidu.com/test/login.php
REQUEST_BASENAME值为/login.php
REQUEST_BODY
类型不定,请求体
REQUEST_COOKIES
table类型,请求携带的cookie
REQUEST_COOKIES_NAMES
table类型,请求携带cookie的名称
REQUEST_FILENAME
string类型,relative request URL(相对请求路径)
例如: GET http://www.baidu.com/test/login.php
REQUEST_FILENAME值为/test/login.php
REQUEST_HEADERS
table类型,请求头信息
REQUEST_HEADERS_NAMES
table类型,请求头key值
REQUEST_LINE
string类型,请求行
REQUEST_METHOD
string类型,请求方法
REQUEST_PROTOCOL
string类型,http请求协议,如: HTTP/1.1
HTTP_VERSION
string类型,http请求协议版本,如: 1.1
URI
string类型,请求路径,既不带域名,也不带参数
例如: GET http://www.baid.com/test/login.php?name=miracle
URI变量值为/test/login.php
URL
string类型,统一资源定位符,SCHEME与HTTP_HOST与URI的拼接
例如: GET http://www.baid.com/test/login.php?name=miracle
URL变量值为http://www.baid.com/test/login.php
REQUEST_URI
string类型,请求路径,带参数,但不带有域名
例如: GET http://www.baid.com/test/login.php?name=miracle
REQUEST_URI变量值为/test/login.php?name=miracle
RESPONSE_BODY
string类型,响应体
RESPONSE_HEADERS
table类型,响应头信息
RESPONSE_STATUS
function类型,响应状态码
SCHEME
string类型,http or https
例如:GET http://www.baidu.com/
SCHEME变量值为http
SERVER_ADDR
string类型,服务器地址
SERVER_NAME
string类型,服务器名称
SERVER_PORT
number类型,服务器端口号
SESSION
table类型,第三方模块lua-resty-session提供的变量
SESSION_DATA
table类型,session信息,第三方模块lua-resty-session提供的变量
TIME
string类型,hour:minute:second
TIME_DAY
number类型,天(1-31)
TIME_EPOCH
number类型,时间戳,seconds since 1970
TIME_HOUR
number类型,小时(0-23)
TIME_MIN
number类型,分钟(0-59)
TIME_MON
number类型,月份(1-12)
TIME_SEC
number类型,秒(0-59)
TIME_WDAY
number类型,周(0-6)
TIME_YEAR
number类型,年份,four-digit,例如: 1997
TIME_LOCAL
string类型,当前时间,例如: 26/Aug/2016:01:32:16 -0400
TX
table类型,用于存储当前请求信息的变量,作用域仅仅是当前请求
UNIQUE_ID
string类型,ID标识,随机生成的字符串,可通过配置来控制随机字符串的长度
UPSTREAM_CACHE_STATUS
keeps the status of accessing a response cache (0.8.3). The status can be either “MISS”, “BYPASS”, “EXPIRED”, “STALE”, “UPDATING”, “REVALIDATED”, or “HIT”.
USERID
string类型,从接入规则配置得到的用于ID标识
Transformation Functions
- base64_decode
- sql_hex_decode
- base64_encode
- counter
- compress_whitespace
- hex_decode
- hex_encode
- html_decode
- length
- lowercase
- md5
- normalise_path
- remove_nulls
- remove_whitespace
- replace_comments
- remove_comments_char
- remove_comments
- uri_decode
- uri_encode
- sha1
- trim_left
- trim_right
- trim
base64_decode
Decodes a Base64-encoded string.
Note: 注意transform的执行顺序
例如:
{
"id": "xxxx",
...
"transform": ["base64_decode", "lowercase"],
...
}
先执行base64解码,然后字符串最小化,若顺序调换,会影响结果
sql_hex_decode
Decode sql hex data.
base64_encode
Encodes input string using Base64 encoding.
counter
计数,相当于modsecurity中的'&'符号
compress_whitespace
Converts any of the whitespace characters (0x20, \f, \t, \n, \r, \v, 0xa0) to spaces (ASCII 0x20), compressing multiple consecutive space characters into one.
hex_decode
Decodes a string that has been encoded using the same algorithm as the one used in hexEncode
hex_encode
Encodes string (possibly containing binary characters) by replacing each input byte with two hexadecimal characters.
html_decode
Decodes the characters encoded as HTML entities.
length
Looks up the length of the input string in bytes
lowercase
Converts all characters to lowercase
md5
Calculates an MD5 hash from the data in input. The computed hash is in a raw binary form and may need encoded into text to be printed (or logged). Hash functions are commonly used in combination with hex_encode (for example: "transform": ["md5", "hex_encode").
normalise_path
Removes multiple slashes, directory self-references, and directory back-references (except when at the beginning of the input) from input string.
remove_nulls
Removes all NUL bytes from input
remove_whitespace
Removes all whitespace characters from input.
移除空白字符\s,包含水平定位字符 ('\t')、归位键('\r')、换行('\n')、垂直定位字符('\v')或翻页('\f')等
replace_comments
用一个空格代替/.../注释内容
remove_comments_char
Removes common comments chars (/*, */, --, #).
remove_comments
去掉/.../注释内容
uri_decode
Unescape str as an escaped URI component.
例如:
"b%20r56+7" 使用uri_decode转换后为 b r56 7
uri_encode
Escape str as a URI component.
sha1
Calculates a SHA1 hash from the input string. The computed hash is in a raw binary form and may need encoded into text to be printed (or logged). Hash functions are commonly used in combination with hex_encode (for example, "transform": ["sha1", "hex_encode"]).
trim_left
Removes whitespace from the left side of the input string.
trim_right
Removes whitespace from the right side of the input string.
trim
Removes whitespace from both the left and right sides of the input string.
Operators
- begins_with
- contains
- contains_word
- detect_sqli
- detect_xss
- ends_with
- equal
- greater_eq
- greater
- ip_utils
- less_eq
- less
- pf
- regex
- str_match
- validate_url_encoding
- num_range
- str_range
begins_with
Returns true if the parameter string is found at the beginning of the input.
contains
Returns true if the parameter string is found anywhere in the input.
operator为contains且pattern为数组,相当于modsecurity的pm
PS: modsecurity的pm忽略大小写,OpenWAF中contains不忽略大小写
例如:
{
"id": "xxx",
...
"operator": "contains",
"pattern": ["abc", "def"],
...
}
contains_word
Returns true if the parameter string (with word boundaries) is found anywhere in the input.
detect_sqli
This operator uses LibInjection to detect SQLi attacks.
detect_xss
This operator uses LibInjection to detect XSS attacks.
ends_with
Returns true if the parameter string is found at the end of the input.
equal
Performs a string comparison and returns true if the parameter string is identical to the input string.
相当于modsecurity的eq和streq
例如:
{
"id": "xxx",
...
"operator": "equal",
"pattern": [12345, "html", "23456"]
...
}
greater_eq
Performs numerical comparison and returns true if the input value is greater than or equal to the provided parameter.
return false, if a value is provided that cannot be converted to a number.
greater
Performs numerical comparison and returns true if the input value is greater than the operator parameter.
return false, if a value is provided that cannot be converted to a number.
ip_utils
Performs a fast ipv4 or ipv6 match of REMOTE_ADDR variable data. Can handle the following formats:
Full IPv4 Address: 192.168.1.100 Network Block/CIDR Address: 192.168.1.0/24 IPv4 Address Region: 1.1.1.1-2.2.2.2
ip_utils与pf的组合相当于modsecurity中的ipMatchF和ipMatchFromFile
例如:
规则如下:
{
"id": "xxxx",
...
"operator": "ip_utils",
"pf": "/tmp/ip_blacklist.txt",
...
}
"/tmp/ip_blacklist.txt"文件内容如下:
192.168.1.100
192.168.1.0/24
1.1.1.1-2.2.2.2
less_eq
Performs numerical comparison and returns true if the input value is less than or equal to the operator parameter.
return false, if a value is provided that cannot be converted to a number.
less
Performs numerical comparison and returns true if the input value is less than to the operator parameter.
return false, if a value is provided that cannot be converted to a number.
pf
pattern是operator操作的参数
pf是指pattern from file,与pattern互斥(二者不可同时出现),目前仅支持绝对路径
pf与contains组合,相当于modsecurity的pmf或pmFromFile
pf与ip_utils组合,相当于modsecurity的ipMatchF或ipMatchFromFile
regex
Performs a regular expression match of the pattern provided as parameter.
regex还有modecurity的capture捕获功能
modsecurity有关capture的描述如下: When used together with the regular expression operator (@rx), the capture action will create copies of the regular expression captures and place them into the transaction variable collection.
OpenWAF中无capture指令,但使用regex默认开启capture功能
例如:
{
"id": "000031",
"release_version": "858",
"charactor_version": "001",
"opts": {
"nolog": false
},
"phase": "access",
"action": "deny",
"meta": 403,
"severity": "low",
"rule_name": "protocol.reqHeader.c",
"desc": "协议规范性约束,检测含有不合规Range或Request-Range值的HTTP请求",
"match": [
{
"vars": [
{
"var": "REQUEST_HEADERS",
"parse": {
"specific": "Range"
}
},
{
"var": "REQUEST_HEADERS",
"parse": {
"specific": "Request-Range"
}
}
],
"operator": "regex",
"pattern": "(\\d+)\\-(\\d+)\\,"
},
{
"vars": [{
"var": "TX",
"parse": {
"specific": "2"
}
}],
"operator": "greater_eq",
"pattern": "%{TX.1}",
"parse_pattern": true,
"op_negated": true
}
]
}
str_match
等同于contains
validate_url_encoding
Validates the URL-encoded characters in the provided input string.
num_range
判断是否在数字范围内
它与transform的length组合,相当于modsecurity的validateByteRange
{
"id": "xxx",
...
"operator": "num_range",
"pattern": [10, "13", "32-126"],
"transform": "length",
...
}
str_range
判断是否在字符串范围内
例如时间区间判断:
{
"id": "xxx",
...
"operator": "str_range",
"pattern": ["01:42:00-04:32:00"],
...
}
Others
- allow
- deny
- id
- nolog
- op_negated
- parse
- pass
- phase
- proxy_cache
- redirect
- charactor_version
- severity
- setvar
- meta
- transform
- tag
- release_version
- robot
- add_resp_headers
allow
Stops rule processing of the current phase on a successful match and allows the transaction to proceed.
"action": "allow"
deny
Stops rule processing and intercepts transaction.
"action": "deny",
"meta": 403
id
Stops rule processing and intercepts transaction.
"id": "xxxxxxx"
nolog
不记录日志
"opts": {
"nolog": true
}
op_negated
对operator结果的取反
"match": [{
"vars": [{
"var": "HTTP_USER_AGENT"
}],
"transform": "length",
"operator": "less_eq",
"pattern": 50,
"op_negated": true
}]
等价于
"match": [{
"vars": [{
"var": "HTTP_USER_AGENT"
}],
"transform": "length",
"operator": "greater",
"pattern": 50
}]
若请求头中user_agent字段长度大于50,则匹配中此条规则
parse
对变量进一步解析
若请求GET http://www.baidu.com?name=miracle&age=5
"match": [{
"vars": [{
"var": "ARGS_GET"
}],
...
}]
得到的值为{"name": "miracle", "age": "5"}
"match": [{
"vars": [{
"var": "ARGS_GET",
"parse": {
"specific": "name"
}
}]
}]
得到的值为["miracle"]
"match": [{
"vars": [{
"var": "ARGS_GET",
"parse": {
"specific": ["name", "age"]
}
}]
}]
得到的值为["miracle", "5"]
"match": [{
"vars": [{
"var": "ARGS_GET",
"parse": {
"ignore": "name"
}
}]
}]
得到的值为{"age": "5"}
"match": [{
"vars": [{
"var": "ARGS_GET",
"parse": {
"ignore": ["name", "age"]
}
}]
}]
得到的值为[]
"match": [{
"vars": [{
"var": "ARGS_GET",
"parse": {
"keys": true
}
}]
}]
得到的值为["name", "age"]
"match": [{
"vars": [{
"var": "ARGS_GET",
"parse": {
"values": true
}
}]
}]
得到的值为["miracle", "5"]
"match": [{
"vars": [{
"var": "ARGS_GET",
"parse": {
"all": true
}
}]
}]
得到的值为["name", "age", "miracle", "5"]
pass
Continues processing with the next rule in spite of a successful match.
"action": "pass"
phase
规则执行的阶段,取值可为"access","header_filter","body_filter"的组合
{
"id": "xxx_01",
"phase": "access",
...
}
"xxx_01"规则在access阶段执行
{
"id": "xxx_02",
"phase": ["access", "header_filter"],
...
}
"xxx_02规则在access阶段和"header_filter"阶段各执行一次
proxy_cache
{
...
phase = "header_filter", -- 缓存开关需在header_filter阶段配置
action = "pass", -- 无需拦截请求
opts = {
nolog = true, -- 不需记录日志
proxy_cache = {
state = true|false, -- 缓存开关
expired = 600 -- 缓存时长(单位秒),默认600秒
}
}
...
}
若state为true,且得到的缓存状态为"MISS"或"EXPIRED",则对响应内容进行缓存,同时设置缓存时长
若state为false,则清除对应缓存键的缓存(包含其缓存文件)
举例如下:
# nginx.conf 有关proxy cache 配置如下
http {
proxy_cache_path /opt/cache/OpenWAF-proxy levels=2:2 keys_zone=twaf_cache:101m max_size=100m use_temp_path=off;
proxy_cache_key $host$uri;
proxy_cache twaf_cache;
proxy_ignore_headers X-Accel-Expires Cache-Control Set-Cookie;
proxy_no_cache $twaf_cache_flag;
server {
set $twaf_cache_flag 1; #默认不缓存
}
}
# lua 格式 配置
{
id = "test_x01", -- id 全局唯一
opts = {
nolog = true,
proxy_cache = {
state = true,
expired = 300
}
},
phase = "header_filter",
action = "pass",
match = {{
vars = {{
var = "URI"
},{
var = "REQUEST_HEADERS",
parse = {
specific = "Referer"
}
}},
operator = "equal",
pattern = {"/xampp/", "%{SCHEME}://%{HTTP_HOST}/xampp/"},
parse_pattern = true
}}
}
此规则将缓存URI为'/xampp/'的页面,更新时间为300秒
若match中过滤条件为响应码,则相当于Nginx的proxy_cache_valid指令
若match中过滤条件为请求方法,则相当于Nginx的proxy_cache_methods指令
若macth中过滤条件为资源类型,则相当于Nginx的proxy_cache_content_type指令
PS: proxy_cache_content_type指令为官方指令,是miracle Qi修改Nginx源码扩展的功能
redirect
"action": "redirect",
"meta": "/index.html"
charactor_version
指定此条规则的版本,同modsecurity中Action的rev功能
"charactor_version": "001"
severity
Assigns severity to the rule in which it is used.
The data below is used by the OWASP ModSecurity Core Rule Set (CRS):
EMERGENCY: is generated from correlation of anomaly scoring data where there is an inbound attack and an outbound leakage. ALERT: is generated from correlation where there is an inbound attack and an outbound application level error. CRITICAL: Anomaly Score of 5. Is the highest severity level possible without correlation. It is normally generated by the web attack rules (40 level files). ERROR: Error - Anomaly Score of 4. Is generated mostly from outbound leakage rules (50 level files). WARNING: Anomaly Score of 3. Is generated by malicious client rules (35 level files). NOTICE: Anomaly Score of 2. Is generated by the Protocol policy and anomaly files. INFO DEBUG
也可自定义严重等级,如:low,medium,high,critical等
"severity": "high"
setvar
Creates, removes, or updates a variable.
{
"id": "xxx_01",
"opts":{
"nolog": false,
"setvar": [{
"column": "TX",
"key": "score",
"value": 5,
"incr": true
}]
},
...
}
"xxx_01"规则中,给变量TX中score成员的值加5,若TX中无score成员,则初始化为0,再加5
{
"id": "xxx_02",
"opts":{
"nolog": false,
"setvar": [{
"column": "TX",
"key": "score",
"value": 5
}]
},
...
}
"xxx_02"规则中,给变量TX中score成员的值赋为5
meta
"action"的附属信息
若"action"为"deny",则"meta"为响应码
"action": "deny",
"meta": 403
若"action"为"redirect",则"meta"为重定向地址
"action": "redirect",
"meta": "/index.html"
transform
This action is used to specify the transformation pipeline to use to transform the value of each variable used in the rule before matching.
tag
Assigns a tag (category) to a rule.
支持数组 "tag": ["xxx_1", "xxx_2"]
支持字符串 "tag": "xxx_3"
release_version
规则集版本,等同于modsecurity中Action的ver功能
"release_version": "858"
robot
人机识别
需提前配置人机识别模块配置,此功能暂未放开
"action": "robot"
add_resp_headers
增删改响应头
例如隐藏server字段:
"opts": {
"add"_resp_headers": {
"server": ""
}
}