Development tools:
File size: 1mb
Downloads: 0
Upload date: 2019-03-01
Description: A fairly detailed introduction to writing rules with the ModSecurity rule language. WAF Rule Writing Guide
Table of contents
1 Introduction
1.1 Document Purpose
1.2 Intended Audience ... 5
2 ModSecurity Rule Writing
2.1 Variables
2.2 Operator
2.3 Transformation Functions ... 7
2.4 Actions
2.5 Rule Syntax ... 8
2.5.1 Rule Example 1 - Cross Site Scripting (XSS) Attack ... 8
2.5.1.1 Variables
2.5.1.2 Operator
2.5.1.3 Actions
2.5.2 Rule Example 2 - Whitelist IP Address ... 10
2.5.2.1 Variables ... 10
2.5.2.2 Operator ... 10
2.5.2.3 Actions ... 10
2.5.3 Rule Example 3 - Chaining Rules
2.5.4 Rule Example 4 - Shellshock Bash Attack
2.5.4.1 First Rule
2.5.4.1.1 Variables
2.5.4.1.2 Operator ... 12
2.5.4.1.3 Actions ... 12
2.5.4.2 Second Rule ... 13
Copyright 2002-2019, Kemp Technologies, All Rights Reserved
WAF Rule Writing Guide
2.5.4.2.1 Variables ... 13
2.5.4.2.2 Operator ... 14
2.5.4.2.3 Actions ... 14
2.6 Kemp WUI Settings ... 15
2.7 Rule Block Function ... 16
3 Managing Custom WAF Rules in the LoadMaster ... 18
3.1 Add a Custom Rule ... 18
3.2 Delete/Download a Custom Rule or Data File ... 19
4 Assigning Custom Rules to a Virtual Service
4.1 WAF Misconfigured State
Backing Up and Restoring WAF Configuration ... 22
References
Last Updated Date ... 24
1 Introduction
Kemp Web Application Firewall (WAF) services are natively integrated in the Kemp LoadMaster. This enables secure deployment of web applications, preventing Layer 7 attacks while maintaining core load balancing services, which ensures superior application delivery and security. WAF functionality directly augments the LoadMaster's existing security features to create a layered defence for web applications, enabling a safe, compliant and productive use of published services.
If you have a WAF license and WAF Support, Kemp provides a number of commercial rules, such as ip_reputation, which can be set to automatically download and update on a daily basis. These commercial rules are targeted to protect against specific threats. The Kemp-provided commercial rules are available when signed up to a WAF subscription.
You can also upload other rules, such as the ModSecurity Core Rule Set, which contains generic attack detection rules that provide a base level of protection for any web application.
You can also write and upload your own custom rules, if required.
With the WAF-enabled LoadMaster, you can choose whether to use Kemp-provided rules, custom rules which can be uploaded, or a combination of both.
For a more detailed overview of the WAF feature, please refer to the WAF section in the Kemp LoadMaster Product Overview.
For instructions on how to configure the various WAF options in the LoadMaster, refer to the Kemp Web Application Firewall, Feature Description.
1.1 Document Purpose
The purpose of this document is to provide some guidance on how to write your own custom WAF rules. These custom rules can be uploaded to the LoadMaster and assigned to Virtual Services as needed.
1.2 Intended Audience
This document is intended to be read by anyone who is interested in finding out more about how to write custom WAF rules.
2 ModSecurity Rule Writing
The ModSecurity Reference Manual should be consulted in any cases where questions arise relating to the syntax of commands: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
In terms of rule writing, the main directive to know is SecRule, which is used to create rules and thus does most of the work.
Every rule defined by SecRule conforms to the same format, as below:
SecRule VARIABLES OPERATOR [TRANSFORMATION_FUNCTIONS, ACTIONS]
The rule consists of four parts:
VARIABLES: Tells the WAF engine where to look in the transactional data.
OPERATOR: Tells the WAF engine how to process the variable data.
TRANSFORMATION_FUNCTIONS: Tells the WAF engine how to normalize data before an operator is applied.
ACTIONS: Tells the WAF engine what to do if a rule matches.
The four parts are explained in the sections below.
2.1 Variables
This specifies which places to check in an HTTP transaction. Examples of variables include:
ARGS - all arguments, including the POST payload
REQUEST_METHOD - the request method used in the transaction
REQUEST_HEADERS - can be used either as a collection of all of the request headers or to inspect selected headers
Etc. The full list of variables is available here:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#variables
2.2 Operator
This specifies a regular expression, pattern or keyword to be checked in the variable(s). Operators begin with the @ character. The full list of operators is available here:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#operators
2.3 Transformation Functions
There are a number of transformation functions that can be performed, for example:
Anti-evasion (such as lowercase, normalisePath, removeNulls, replaceComments, compressWhitespace)
Decoding (such as base64Decode, hexDecode, jsDecode, urlDecodeUni)
Encoding (such as base64Encode, hexEncode)
Hashing (such as sha1, md5)
2.4 Actions
This specifies what to do if the rule matches. Actions are defined in seven categories, listed below:
Disruptive - used to allow ModSecurity to take an action, for example allow or block
Flow - affect the flow, for example skip
Meta-data - used to provide more information about rules
Variable - used to set, change and remove variables
Logging - used to influence the way logging takes place
Special - used to provide access to another class of functionality
Miscellaneous - contain actions that do not belong in any other group
If no actions are provided, the default actions apply as set by SecDefaultAction (by default "phase:2,log,auditlog,pass").
The full list of actions is available here:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#actions
When constructing the rules, you can specify in which phase the rule should run. Specifying the correct phase can be beneficial in order to reduce CPU processing.
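As an added example (not a rule from this guide or from Kemp), the two custom rules below show the four-part SecRule format and the phase choice discussed above; the rule ids, the permitted-method list and the 403/405 responses are assumptions chosen for illustration.

```apache
# Added example rules, constructed for illustration (not Kemp's rules).
# Both follow the format: SecRule VARIABLES OPERATOR "TRANSFORMATIONS,ACTIONS"

# Rule 1: only the request line is needed, so it runs in phase 1 (request
# headers) rather than phase 2, which avoids waiting for the request body.
# VARIABLES: REQUEST_METHOD   OPERATOR: @pm (keyword list), negated with "!"
# ACTIONS: id (assumed local-use value), phase, deny with status, log, msg
SecRule REQUEST_METHOD "!@pm GET HEAD POST" \
    "id:10001,phase:1,t:none,deny,status:405,log,\
    msg:'Request method not permitted for this service (example rule)'"

# Rule 2: inspects arguments including the POST payload, so it must run in
# phase 2 (request body). t:none clears transformations inherited from
# SecDefaultAction; the remaining transformations normalise the data before
# the @rx regular expression is applied.
SecRule ARGS|ARGS_NAMES|REQUEST_URI "@rx <script[^>]*>" \
    "id:10002,phase:2,\
    t:none,t:urlDecodeUni,t:lowercase,t:compressWhitespace,\
    deny,status:403,log,\
    msg:'HTML script tag in request (example rule)',\
    tag:'custom/xss'"
```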
2.5 Rule Syntax
The following rule looks at the request Uniform Resource Identifier (URI) and tries to match the regular expression pattern