README.md

2018-05-22 10:55 更新

Name

OpenWAF

The first fully open-source web application firewall (WAF): broader protection features and more varied protection policies

Table of Contents

Version

This document describes OpenWAF v0.0.3.170103_beta released on 03 Jan 2017.

Docker Version

  1. titansec/openwaf:0.0.1.161130_beta
     SHA: 596dee9d2b9ce44d59dc445141f72b3607f9fbe6
     https://github.com/titansec/OpenWAF/tree/596dee9d2b9ce44d59dc445141f72b3607f9fbe6
  2. titansec/openwaf:0.0.3.170103_beta (titansec/openwaf:latest)
     SHA: 28ce1556250301f26f31b46d9cd9dde5a3b3f03f
     https://github.com/titansec/OpenWAF/tree/28ce1556250301f26f31b46d9cd9dde5a3b3f03f

Synopsis

    #nginx.conf
    lua_package_path '/twaf/?.lua;;';

    
    init_by_lua_file /twaf/app/twaf_init.lua;

    
    lua_shared_dict twaf_shm 50m;

    
    upstream test {
        server 0.0.0.1; #just an invalid address as a place holder
        balancer_by_lua_file twaf_balancer.lua;
    }

    
    server {
        listen 443 ssl;
        server_name _;

        
        ssl_certificate_by_lua_file  twaf_ssl_cert.lua;
        rewrite_by_lua_file          /twaf/app/twaf_rewrite.lua;
        access_by_lua_file           /twaf/app/twaf_access.lua;
        header_filter_by_lua_file    /twaf/app/twaf_header_filter.lua;
        body_filter_by_lua_file      /twaf/app/twaf_body_filter.lua;
        log_by_lua_file              /twaf/app/twaf_log.lua;

        
        set $twaf_https 1;
        set $twaf_upstream_server "";

        
        ssl_certificate nginx.crt;
        ssl_certificate_key nginx.key;

        
        location / {
            lua_need_request_body on;
            proxy_pass $twaf_upstream_server;
        }
    }

    
    server {
        listen      80;
        server_name  _;

        
        rewrite_by_lua_file       /twaf/app/twaf_rewrite.lua;
        access_by_lua_file        /twaf/app/twaf_access.lua;
        header_filter_by_lua_file /twaf/app/twaf_header_filter.lua;
        body_filter_by_lua_file   /twaf/app/twaf_body_filter.lua;
        log_by_lua_file           /twaf/app/twaf_log.lua;

        
        set $twaf_upstream_server "";

        
        location / {
            lua_need_request_body on;
            proxy_pass $twaf_upstream_server;
        }
    }

    #default_config-json


    #main_safe_policy-json

Back to TOC

Description

OpenWAF is the first fully open-source web application firewall (WAF). It analyses HTTP request information through the nginx_lua API. OpenWAF consists of two engines: a behaviour-analysis engine and a rule engine. The rule engine analyses each request on its own; the behaviour-analysis engine tracks information across requests.

The rule engine was inspired by ModSecurity and FreeWAF (lua-resty-waf) and implements ModSecurity's rule mechanism in Lua. On top of it, OpenWAF provides protection against protocol violations, automated tools, injection attacks, cross-site attacks, information leakage and anomalous requests, and supports adding rules dynamically so that vulnerabilities can be patched promptly.

The behaviour-analysis engine contains anti-probing modules (frequency-based fuzzy identification, anti-malicious-crawler, human/bot identification), anti-attack modules (anti-CSRF, anti-CC, anti-privilege-escalation, file-upload protection) and anti-information-leakage modules (cookie tamper protection, anti-hotlinking, custom response headers, attack response pages).

Besides the two engines there are basic modules for statistics, logging, attack response pages and access rules. OpenWAF also supports changing its configuration and adding third-party modules dynamically, so protection can be upgraded without restarting the engine or interrupting service.

These functions can be packaged as policies, and different web applications are protected by different policies. A cloud platform is planned on which policies can be shared for others to reference.

The basic modules are as follows:

The functional modules are as follows:

See the documentation of each module above for detailed configuration and examples

Back to TOC

Installation

If you install with Docker, steps 1-3 can be skipped

1. Download OpenResty
   See https://openresty.org/en/installation.html for details

   
   1.1 cd /opt
   1.2 wget -c https://openresty.org/download/openresty-1.11.2.1.tar.gz
   1.3 tar -xzvf openresty-1.11.2.1.tar.gz


2. Install OpenWAF
   2.1 cd /opt
   2.2 Fetch the OpenWAF sources
       git clone https://github.com/titansec/OpenWAF.git
   2.3 Move the configuration file
       mv /opt/OpenWAF/lib/openresty/ngx_openwaf.conf /etc
   2.4 Overwrite OpenResty's configure script (this replaces the upstream build script with the copy shipped in the OpenWAF repository; review the difference before building)
       mv /opt/OpenWAF/lib/openresty/configure /opt/openresty-1.11.2.1
   2.5 Move the third-party modules into OpenResty
       mv /opt/OpenWAF/lib/openresty/* /opt/openresty-1.11.2.1/bundle/
   2.6 Remove the OpenWAF/lib/openresty directory
       rm -rf /opt/OpenWAF/lib/openresty

       
3. Build OpenResty
   3.1 cd /opt/openresty-1.11.2.1/
   3.2 ./configure --with-pcre-jit --with-ipv6 \
                   --with-http_stub_status_module \
                   --with-http_ssl_module \
                   --with-http_realip_module \
                   --with-http_sub_module
   3.3 make && make install

   
4. Edit the configuration files
   4.1 Access rules
       vi /opt/OpenWAF/conf/twaf_access_rule.json
       Set the domain name, backend server address and related fields
   4.2 Log server
       vi /opt/OpenWAF/conf/twaf_default_conf.json
       Set the address of the server that receives twaf_log output

   
5. Start the engine
   /usr/local/openresty/nginx/sbin/nginx -c /etc/ngx_openwaf.conf

       
Problems
1. nginx: [emerg] at least OpenSSL 1.0.2e required but found OpenSSL xxx
   Upgrade OpenSSL to 1.0.2e or later

   
   e.g.: wget -c http://www.openssl.org/source/openssl-1.0.2h.tar.gz
         ./config
         make && make install

       
   PS: 
      1. Check the current OpenSSL version with: openssl version
      2. If the reported version does not change after the upgrade, see http://www.cnblogs.com/songqingbo/p/5464620.html
      3. If the version error persists, pass --with-openssl=/path/to/openssl-xxx/ when configuring OpenResty

      
2. GeoIP.h not found

   
   apt-get install libgeoip-dev

   
3. swig not found


   apt-get install swig

   
4. PCRE built without JIT support

   
   Build PCRE with the --enable-jit option
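The version requirement in problem 1 above is cheap to check before a long rebuild. The following is an added Python example, not part of OpenWAF: it parses the string printed by openssl version (the same format Python exposes as ssl.OPENSSL_VERSION) into a comparable tuple, letter suffix included, and compares it with the 1.0.2e minimum. The sample strings are constructed.

```python
"""Check an OpenSSL version string against the 1.0.2e minimum OpenResty needs.

Added example, not OpenWAF code: parses the output of `openssl version`
(or Python's ssl.OPENSSL_VERSION) and compares it as a tuple.
"""
import re
import ssl

MIN_VERSION = "1.0.2e"

# 1.x releases carry a patch letter (1.0.2e < 1.0.2h); 3.x dropped it.
# An absent letter sorts before "a", which is the order OpenSSL uses.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """(major, minor, patch, letter) from e.g. 'OpenSSL 1.0.2h  3 May 2016'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version in %r" % text)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def openssl_version_ok(text, minimum=MIN_VERSION):
    """True when the version found in `text` satisfies the nginx/OpenResty requirement."""
    return parse_version(text) >= parse_version(minimum)


if __name__ == "__main__":
    # Constructed sample strings in the format `openssl version` prints.
    for sample in ("OpenSSL 1.0.1t  3 May 2016", "OpenSSL 1.0.2h  3 May 2016"):
        print(sample, "->", "ok" if openssl_version_ok(sample) else "too old, upgrade")
    # The OpenSSL the running Python interpreter was linked against.
    print(ssl.OPENSSL_VERSION, "->", openssl_version_ok(ssl.OPENSSL_VERSION))
```

Feed it the output of the openssl binary nginx actually links against (compare nginx -V with the library shown by ldd on the binary), not just the first openssl on PATH; item 2 of the PS above is exactly the case where the two differ.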

Back to TOC

Docker

1. pull docker images from repository
   docker pull titansec/openwaf


2. start-up docker
   2.1 docker run, named openwaf
       docker run -d -p 22:22 -p 80:80 -p 443:443 --name openwaf titansec/openwaf
   2.2 enter openwaf
       docker exec -it openwaf /bin/bash


3. edit config
   3.1 edit access rule
       vi /opt/OpenWAF/conf/twaf_access_rule.json
   3.2 edit log server addr
       vi /opt/OpenWAF/conf/twaf_default_conf.json


4. start-up OpenWAF
    /usr/local/openresty/nginx/sbin/nginx -c /etc/ngx_openwaf.conf

    
PS:
#add a bridge address, e.g. 192.168.39.12
    pipework br0 ContainerName ip/gateway
    e.g.:
    pipework br0 openwaf 192.168.39.12/24@192.168.39.253


Problems
1. pipework: command not found


   git clone https://github.com/jpetazzo/pipework.git
   cp pipework/pipework /usr/local/bin/

   
2. Warning: arping not found; interface may not be immediately reachable


   apt-get install arping

Back to TOC

Community

English Mailing List

The OpenWAF-en mailing list is for English speakers.

Chinese Mailing List

The OpenWAF-cn mailing list is for Chinese speakers.

Personal QQ Mail

290557551@qq.com

QQ Group

579790127

Back to TOC

Bugs and Patches

Please submit bug reports, wishlists, or patches by

  1. creating a ticket on the GitHub Issue Tracker,
  2. or posting to the OpenWAF community.

Back to TOC

TODO

    1. Publish the human/bot identification module
    2. Publish the anti-hotlinking module
    3. Publish the anti-CC module
    4. Publish the cookie tamper-protection module
    5. Publish the frequency-based fuzzy-identification anti-probing module
    6. Publish the WebShell upload protection module
    7. Publish the anti-CSRF module
    8. Provide a page for trying out OpenWAF's protection features
    9. Open the dynamic-configuration API of the rule engine
    10. Open the dynamic-configuration API of the behaviour-analysis engine

Back to TOC

Changes

Time: 2016/12/05
Version: v0.0.2.161205_beta
  1. New Module - twaf_attack_response
     Return a custom response page when the request is rejected by OpenWAF
  2. Api - api/stat[/policy_uuid]
     Show statistical information

Time: 2016/12/05
Version: v0.0.1.161130_beta
  1. Docker
     Build OpenWAF with docker


Time: 2016/12/05
Version: v0.0.1.161012_beta
  1. log module
     Send tcp/udp log
  2. reqstat module
     Statistics of request information
  3. access rule
     Publish applications
  4. rule engine
     Access Control

Back to TOC

Copyright and License

This module is licensed under the BSD license.

Copyright (C) 2016-2016, by Jian "Miracle" Qi (齊健) , Titan Co.Ltd.

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Back to TOC

Modules Configuration Directives

Back to TOC

twaf_access_rule

{
    "twaf_access_rule": {
        "rules": [                                 -- order matters: rules are tried in sequence
            {                                      
                "client_ssl": false,               -- client certificate authentication switch; together with ngx_ssl this gives mutual TLS
                "client_ssl_cert": "path",         -- path of the PEM certificate used to verify clients
                "ngx_ssl": false,                  -- nginx (server-side) TLS switch
                "ngx_ssl_cert": "path",            -- path of nginx's PEM certificate
                "ngx_ssl_key": "path",             -- path of nginx's PEM private key
                "host": "^1\\.1\\.1\\.1$",         -- domain name, regular-expression match
                "port": 80,                        -- port number (default 80)
                "path": "\/",                      -- path, regular-expression match
                "server_ssl": false,               -- TLS switch for the connection to the backend server
                "forward": "server_5",             -- upstream name of the backend server
                "forward_addr": "1.1.1.2",         -- backend server IP address
                "forward_port": "8080",            -- backend server port number (default 80)
                "uuid": "access_567b067ff2060",    -- uuid identifying this rule
                "policy": "policy_uuid"            -- security policy ID
            }
        ]
    }
}

rules

syntax: "rules": table

default: none

context: twaf_access_rule

table type: the access rules, matched in sequence (the first matching rule wins)

client_ssl

syntax: "client_ssl": true|false

default: false

context: twaf_access_rule

Client certificate authentication switch; together with ngx_ssl it gives mutual TLS. Default false

client_ssl_cert

syntax: "client_ssl_cert": "path"

default: none

context: twaf_access_rule

string type: path of the PEM certificate used to verify clients; currently only absolute paths are supported

ngx_ssl

syntax: "ngx_ssl": true|false

default: false

context: twaf_access_rule

boolean type: server-side (nginx) TLS switch; together with client_ssl it gives mutual TLS. Off by default

ngx_ssl_cert

syntax: "ngx_ssl_cert": "path"

default: none

context: twaf_access_rule

string type: path of nginx's PEM certificate; currently only absolute paths are supported

ngx_ssl_key

syntax: "ngx_ssl_key": "path"

default: none

context: twaf_access_rule

string type: path of nginx's PEM private key; currently only absolute paths are supported

host

syntax: "host": "ip|domain name regex"

default: none

context: twaf_access_rule

string type: domain name, matched as a regular expression. The match is not anchored, so escape dots and anchor the pattern (as in the first example below) unless you intend a looser match

例如:

    "host": "^1\\.1\\.1\\.1$"
    "host": "test\\.com"
    "host": "^.*\\.com$"
    "host": "www.baidu.com"

port

syntax: "port": number

default: 80

context: twaf_access_rule

number type: port number

path

syntax: "path": "regex"

default: none

context: twaf_access_rule

string type: path, matched as a regular expression

例如:

    "path": "/"
    "path": "/images"
    "path": "/[a|b]test"

server_ssl

syntax: "server_ssl": true|false

default: false

context: twaf_access_rule

boolean type: SSL/TLS switch for the connection from OpenWAF to the backend server

例如:

    upstream test {
        server 1.1.1.1;
    }

    
    http {
        server {
            listen 80;
            server_name _;

            
            location / {
                #with server_ssl true, this is equivalent to proxy_pass with https
                proxy_pass https://test;
                #with server_ssl false, this is equivalent to proxy_pass with http
                #proxy_pass http://test;
            }
        }
    }

forward

syntax: "forward": "upstream_uuid"

default: none

context: twaf_access_rule

string type: forward is the uuid of the backend server, i.e. the upstream name

    #e.g. forward is test
    upstream test {
        server 1.1.1.1;
    }

forward_addr

syntax: "forward_addr": "ip"

default: none

context: twaf_access_rule

string type: forward_addr is the IP address of the backend server (TODO: support domain names)

    upstream test {
        #e.g. forward_addr is 1.1.1.1
        server 1.1.1.1;
    }

forward_port

syntax: "forward_port": port

default: 80

context: twaf_access_rule

number type: forward_port is the port of the backend server, default 80

    upstream test {
        #e.g. forward_port is 50001
        server 1.1.1.1:50001;
    }

uuid

syntax: "uuid": "string"

default: none

context: twaf_access_rule

string type: unique identifier of the access rule

policy

syntax: "policy": "policy_uuid"

default: none

context: twaf_access_rule

string type: uuid of the security policy applied to requests that match this access rule

Back to twaf_access_rule

Back to TOC

twaf_anti_hotlink

{
    "twaf_anti_hotlink":{
        "state":false,
        "log_state":true,
        "event_id":"110001",
        "event_severity":"medium",
        "ct_state":false,
        "action_meta":403,
        "action":"DENY",
        "mode":"referer",
        "allow_noreferer":true,
        "cookie_name":"TWAF_AH",
        "uri_ext":["javascript", "css", "html", ""]
    }
}

state

syntax: "state": true|false|"$dynamic_state"

default: false

context: twaf_anti_hotlink

log_state

syntax: "log_state": true|false|"$dynamic_state"

default: true

context: twaf_anti_hotlink

ct_state

syntax: "ct_state": true|false|"$dynamic_state"

default: false

context: twaf_anti_hotlink

event_id

syntax: "event_id": "string"

default: "110001"

context: twaf_anti_hotlink

event_severity

syntax: "event_severity": "string"

default: "medium"

context: twaf_anti_hotlink

action

syntax: "action": "string"

default: "DENY"

context: twaf_anti_hotlink

action_meta

syntax: "action_meta": "string"|number

default: 403

context: twaf_anti_hotlink

mode

syntax: "mode": "string"

default: "referer"

context: twaf_anti_hotlink

allow_noreferer

syntax: "allow_noreferer": true|false

default: true

context: twaf_anti_hotlink

cookie_name

syntax: "cookie_name": "string"

default: TWAF_AH

context: twaf_anti_hotlink

cookie_name is the name of the cookie the anti-hotlink module sets, default "TWAF_AH"

This setting only takes effect when mode is cookie

uri_ext

syntax: "uri_ext": array|exten|"all"

default: none

context: twaf_anti_hotlink

uri_ext selects which resources are protected against hotlinking

     #protect html resources
     "uri_ext": "html"

     
     #protect resources of unknown type; when nginx cannot determine the resource type, the type is the empty string
     "uri_ext": ""

     
     #protect html, css and unknown-type resources
     "uri_ext": ["html", "css", ""]

     
     #protect all resources
     "uri_ext": "all"
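How the options of this module combine in referer mode, as an added Python example (not OpenWAF's module). Assumptions made here, none stated by the page: the resource type compared against uri_ext is the MIME subtype derived from the request path (html, css, javascript, and "" when nothing is known); a protected request is allowed when the Referer host equals the request Host and otherwise receives action/action_meta; allow_noreferer decides requests carrying no Referer at all. The policy fragment and requests are constructed.

```python
"""Referer-mode decision for the twaf_anti_hotlink options above.

Added example, not OpenWAF code. The resource type is approximated with the
MIME subtype of the path, the way nginx derives a type from mime.types.
"""
import mimetypes
from urllib.parse import urlsplit

CONFIG = {                      # constructed policy fragment for the demo
    "state": True,
    "mode": "referer",
    "allow_noreferer": True,
    "action": "DENY",
    "action_meta": 403,
    "uri_ext": ["javascript", "css", "html", ""],
}


def resource_type(uri):
    """MIME subtype of the requested path, "" when the type cannot be determined."""
    mime, _ = mimetypes.guess_type(urlsplit(uri).path)
    if not mime:
        return ""
    subtype = mime.split("/", 1)[1]
    return subtype[2:] if subtype.startswith("x-") else subtype   # x-javascript -> javascript


def is_protected(uri_ext, uri):
    """uri_ext may be one type, a list of types, or "all"."""
    if uri_ext == "all":
        return True
    wanted = [uri_ext] if isinstance(uri_ext, str) else uri_ext
    return resource_type(uri) in wanted


def hostname(host_header):
    """Host header without the port; urlsplit also copes with IPv6 literals."""
    return (urlsplit("//" + host_header).hostname or "").lower()


def check_hotlink(config, host, uri, referer):
    """None lets the request through; otherwise (action, action_meta)."""
    if not config["state"] or config["mode"] != "referer":
        return None
    if not is_protected(config["uri_ext"], uri):
        return None
    deny = (config["action"], config["action_meta"])
    if not referer:
        return None if config["allow_noreferer"] else deny
    ref_host = (urlsplit(referer).hostname or "").lower()
    return None if ref_host == hostname(host) else deny


if __name__ == "__main__":
    for uri, ref in [("/index.html", "http://www.example.com/"),
                     ("/index.html", "http://evil.test/copy"),
                     ("/index.html", None),              # no Referer: allow_noreferer decides
                     ("/logo.png", "http://evil.test/copy"),   # png is not in uri_ext
                     ("/download", "http://evil.test/copy")]:  # unknown type: "" is in uri_ext
        print(uri, ref, "->", check_hotlink(CONFIG, "www.example.com", uri, ref))
```

The Referer header is chosen by the client and is blank under many privacy settings, so with allow_noreferer true a scraper only has to omit it; referer mode stops casual embedding, and the cookie mode exists for the stricter case.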

Back to twaf_anti_hotlink

Back to TOC

twaf_anti_mal_crawler

{
    "state":false,
    "cookie_state":true,
    "log_state":true,
    "event_id":"710001",
    "event_severity":"high",
    "force_scan_robots_state":false,
    "shared_dict_key":["remote_addr", "http_user_agent"],
    "timeout":300,
    "crawler_cookie_name":"crawler",
    "mal_cookie_name":"mcrawler",
    "trap_uri":"/abc/abc.html",
    "trap_args":"id=1",
    "action":"DENY",
    "action_meta":403
}

state

syntax: state true|false|$dynamic_state

default: false

context: twaf_anti_mal_crawler

模塊開(kāi)關(guān),默認(rèn)false(關(guān)閉),支持動(dòng)態(tài)開(kāi)關(guān)

Back to MCD

cookie_state

syntax: cookie_state true|false|$dynamic_state

default: true

context: twaf_anti_mal_crawler

Whether to send the cookie, default true (send); supports dynamic switching

Back to MCD

log_state

syntax: log_state true|false|$dynamic_state

default: true

context: twaf_anti_mal_crawler

Security log switch, default true (log); supports dynamic switching

Back to MCD

event_id

syntax: event_id

default: "710001"

context: twaf_anti_mal_crawler

Event ID written with each security log entry

Back to MCD

event_severity

syntax: event_severity critical|high|medium|low

default: high

context: twaf_anti_mal_crawler

Event severity written with each security log entry

Back to twaf_anti_mal_crawler

Back to TOC

twaf_reqstat

    "twaf_reqstat": {
        "state":true,
        "safe_state":true,
        "access_state":true,
        "upstream_state":true,
        "shared_dict_name":"twaf_reqshm"
    }

state

syntax: state true|false|$dynamic_state

default: true

context: twaf_reqstat

統(tǒng)計(jì)模塊開(kāi)關(guān),支持動(dòng)態(tài)開(kāi)關(guān),默認(rèn)開(kāi)啟

access_state

syntax: access_state true|false|$dynamic_state

default: true

context: twaf_reqstat

訪問(wèn)信息統(tǒng)計(jì)開(kāi)關(guān),支持動(dòng)態(tài)開(kāi)關(guān),默認(rèn)開(kāi)啟

safe_state

syntax: safe_state true|false|$dynamic_state

default: true

context: twaf_reqstat

Security statistics switch; supports dynamic switching, on by default

upstream_state

syntax: upstream_state true|false|$dynamic_state

default: true

context: twaf_reqstat

轉(zhuǎn)發(fā)信息統(tǒng)計(jì)開(kāi)關(guān),支持動(dòng)態(tài)開(kāi)關(guān),默認(rèn)開(kāi)啟

shared_dict_name

syntax: shared_dict_name string

default: openwaf_reqshm

context: twaf_reqstat

Name of the shared dict; a lua_shared_dict with this name must be declared in the nginx configuration beforehand

The default shared dict name is openwaf_reqshm

Back to twaf_reqstat

Back to TOC

twaf_log

"twaf_log": {
        "access_log_state":false,     -- access log switch
        "security_log_state":true,    -- security log switch
        "sock_type":"udp",            -- tcp or udp
        "content_type":"JSON",        -- JSON or INFLUXDB log format
        "host":"127.0.0.1",           -- log server address
        "port":60055,                 -- log server port
        "flush_limit":0,              -- buffering: logs are sent only once the buffered size exceeds this threshold
        "drop_limit":1048576,
        "max_retry_times":5,          -- maximum number of retries on failure
        "ssl":false,                  -- whether to use SSL/TLS
        "access_log":{},              -- access log format
        "security_log":{}             -- security log format
}

access_log_state

syntax: "access_log_state": true|false

default: false

context: twaf_log

訪問(wèn)日志開(kāi)關(guān),默認(rèn)關(guān)閉

security_log_state

syntax: "security_log_state": true|false

default: true

context: twaf_log

Security event log switch, on by default

sock_type

syntax: "sock_type": tcp|udp

default: udp

context: twaf_log

Log transport protocol, default udp

content_type

syntax: "content_type": JSON|INFLUXDB

default: JSON

context: twaf_log

Log format, default JSON

host

syntax: "host": string

default: "127.0.0.1"

context: twaf_log

IP address of the log receiving server

port

syntax: "port": number

default: 60055

context: twaf_log

Port of the log receiving server

flush_limit

syntax: "flush_limit": number

default: 0

context: twaf_log

Buffer size: logs are sent only once the buffered size exceeds this threshold; default 0, i.e. every log entry is sent immediately

drop_limit

syntax: "drop_limit": number

default: 1048576

context: twaf_log

max_retry_times

syntax: "max_retry_times": number

default: 5

context: twaf_log

Maximum number of retries on failure

ssl

syntax: "ssl": true|false

default: false

context: twaf_log

Whether to use SSL/TLS, default false

access_log

syntax: "access_log": table

default: false

context: twaf_log

訪問(wèn)日志格式

security_log

syntax: "security_log": table

default: false

context: twaf_log

Security event log format

When content_type is JSON, the log format is

[
    variable_key_1, 
    variable_key_2, 
    ...
]

When content_type is INFLUXDB, the log format is

{
    "db": measurement name, 
    "tags": [variable_key_1, variable_key_2, ...], 
    "fileds": [variable_key_1, variable_key_2, ...],
    "time": true|false
}

The variable names are those of the rule engine module twaf_secrules (see SecRules Variables)

    #log format examples
        #JSON format
        "security_log": [
            "remote_addr",
            "remote_port",
            "userid",
            "dev_uuid",
            "original_dst_addr",
            "original_dst_port",
            "remote_user",
            "time_local",
            "msec",
            "request_method",
            "request_uri",
            "request_protocol",
            "status",
            "bytes_sent",
            "http_referer",
            "http_user_agent",
            "gzip_ratio",
            "http_host",
            "raw_header"
        ]


        #INFLUXDB format
        "security_log": {
            "db":"test",                  -- measurement name
            "tags":[],                    -- tag keys
            "fileds":[                    -- field keys
                "remote_addr",
                "remote_port",
                "userid",
                "dev_uuid",
                "original_dst_addr",
                "original_dst_port",
                "remote_user",
                "time_local",
                "msec",
                "request_method",
                "request_uri",
                "request_protocol",
                "status",
                "bytes_sent",
                "http_referer",
                "http_user_agent",
                "gzip_ratio",
                "http_host",
                "raw_header"
            ],
            "time":true                   -- whether each log entry carries a timestamp
        }
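What the JSON form of security_log produces on the wire, and how flush_limit changes the number of datagrams, as an added Python example that is not OpenWAF's log module. Assumptions not stated by the page: one JSON object per event, newline-separated inside a datagram; the buffer is flushed once it exceeds flush_limit bytes; an event is discarded (and counted) when queuing it would push the buffer past drop_limit. The two security events are constructed.

```python
"""Build twaf_log JSON records from the configured variable list and ship
them over UDP, honouring flush_limit and drop_limit.

Added example, not OpenWAF code. Delivery semantics are assumptions.
"""
import json
import socket

LOG_CONFIG = {                       # same keys as the twaf_log fragment above
    "security_log_state": True,
    "sock_type": "udp",
    "content_type": "JSON",
    "host": "127.0.0.1",
    "port": 60055,
    "flush_limit": 0,
    "drop_limit": 1048576,
    "security_log": ["remote_addr", "request_method", "request_uri",
                     "status", "http_user_agent"],
}


def format_record(keys, variables):
    """JSON object holding only the configured variables; absent ones become null."""
    return json.dumps({k: variables.get(k) for k in keys}, sort_keys=True)


def udp_transport(config):
    """Default transport: one datagram per flush to host:port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda payload: sock.sendto(payload, (config["host"], config["port"]))


class LogSender:
    def __init__(self, config, transport=None):
        self.config = config
        self.send = transport or udp_transport(config)
        self.buffer, self.buffered_bytes, self.dropped = [], 0, 0

    def log(self, variables):
        """Queue one event; returns False when logging is off or the event was dropped."""
        if not self.config["security_log_state"]:
            return False
        line = format_record(self.config["security_log"], variables) + "\n"
        if self.buffered_bytes + len(line) > self.config["drop_limit"]:
            self.dropped += 1          # receiver too far behind: drop rather than block nginx
            return False
        self.buffer.append(line)
        self.buffered_bytes += len(line)
        if self.buffered_bytes > self.config["flush_limit"]:
            self.flush()
        return True

    def flush(self):
        """Send everything queued; returns the number of records sent."""
        if not self.buffer:
            return 0
        self.send("".join(self.buffer).encode())
        sent = len(self.buffer)
        self.buffer, self.buffered_bytes = [], 0
        return sent


EVENTS = [                           # constructed security events
    {"remote_addr": "203.0.113.7", "request_method": "GET",
     "request_uri": "/login.php?id=1%27%20or%201=1", "status": 403,
     "http_user_agent": "sqlmap/1.0"},
    {"remote_addr": "198.51.100.9", "request_method": "POST",
     "request_uri": "/upload", "status": 403},          # no User-Agent captured
]


def collect(config, events):
    """Run the sender against an in-memory transport; returns (datagrams, records, dropped)."""
    datagrams = []
    sender = LogSender(config, transport=datagrams.append)
    for ev in events:
        sender.log(ev)
    sender.flush()
    records = [json.loads(l) for d in datagrams for l in d.decode().splitlines()]
    return datagrams, records, sender.dropped


if __name__ == "__main__":
    # flush_limit 0: every event leaves at once; 4096: both share one datagram
    for limit in (0, 4096):
        datagrams, records, dropped = collect(dict(LOG_CONFIG, flush_limit=limit), EVENTS)
        print("flush_limit=%d -> %d datagram(s), %d record(s), %d dropped"
              % (limit, len(datagrams), len(records), dropped))
    LogSender(LOG_CONFIG).log(EVENTS[0])   # real UDP delivery to host:port
```

UDP gives no delivery guarantee and no authentication of the receiver; since these records carry attacker-supplied strings (request_uri, http_user_agent), the collector should treat them as untrusted input and, across network boundaries, sock_type tcp with ssl enabled is the safer choice.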

Back to twaf_log

Back to TOC

twaf_secrules

    "twaf_secrules":{
        "state": true,                                              -- master switch
        "reqbody_state": true,                                      -- request body inspection switch
        "header_filter_state": true,                                -- response header inspection switch
        "body_filter_state": true,                                  -- response body inspection switch
        "reqbody_limit":134217728,                                  -- request body inspection threshold; larger bodies are not inspected
        "respbody_limit":524288,                                    -- response body inspection threshold; larger bodies are not inspected
        "pre_path": "/opt/OpenWAF/",                                -- OpenWAF installation path
        "path": "lib/twaf/inc/knowledge_db/twrules",                -- path of the signature rule library inside OpenWAF
        "rules_id":{                                                -- rule exclusions
            "111112": [{"REMOTE_HOST":"a.com", "URI":"^/ab"}],      -- the rule is disabled for a request that matches one of the objects in the array; keys are variable names, values may be regular expressions
            "111113": {},                                           -- rule not excluded
            "111114": [{}]                                          -- rule excluded unconditionally
        }
    }

state

syntax: state true|false

default: true

context: twaf_secrules

規(guī)則引擎總開(kāi)關(guān)

reqbody_state

syntax: reqbody_state true|false

default: true

context: twaf_secrules

請(qǐng)求體檢測(cè)開(kāi)關(guān)

header_filter_state

syntax: header_filter_state true|false

default: true

context: twaf_secrules

響應(yīng)頭檢測(cè)開(kāi)關(guān)

body_filter_state

syntax: body_filter_state true|false

default: false

context: twaf_secrules

響應(yīng)體檢測(cè)開(kāi)關(guān),默認(rèn)關(guān)閉,若開(kāi)啟需添加第三方模塊[ngx_http_twaf_header_sent_filter_module暫未開(kāi)源]

reqbody_limit

syntax: reqbody_limit number

default: 134217728

context: twaf_secrules

請(qǐng)求體檢測(cè)大小上限,默認(rèn)134217728B(128MB),若請(qǐng)求體超過(guò)設(shè)置上限,則不檢測(cè)

PS:reqbody_limit值要小于nginx中client_body_buffer_size的值才會(huì)生效

respbody_limit

syntax: respbody_limit number

default: 134217728

context: twaf_secrules

響應(yīng)體檢測(cè)大小上限,默認(rèn)134217728B(128MB),若響應(yīng)體大小超過(guò)設(shè)置上限,則不檢測(cè)

pre_path

syntax: pre_path string

default: /opt/OpenWAF/

context: twaf_secrules

Installation path of OpenWAF

path

syntax: path string

default: lib/twaf/inc/knowledge_db/twrules

context: twaf_secrules

特征規(guī)則庫(kù)在OpenWAF中的路徑

rules_id

syntax: rules_id table

default: none

context: twaf_secrules

Used to exclude signatures: maps a rule ID to the conditions under which that rule is skipped (see the three forms in the example above)
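The three rules_id forms shown above, evaluated for one request, as an added Python example (not OpenWAF's implementation). It follows the README's description: a list of condition objects skips the rule when every key of some object matches its variable (values are regular expressions), an empty object leaves the rule active, and a list holding an empty object skips the rule always. Rule IDs and request variables are constructed; 111115 is an added, anchored variant of 111112.

```python
"""Evaluate the rules_id exclusion table of twaf_secrules for one request.

Added example, not OpenWAF code.
"""
import re

RULES_ID = {
    "111112": [{"REMOTE_HOST": "a.com", "URI": "^/ab"}],
    "111113": {},
    "111114": [{}],
    # tighter form of 111112: anchored host, so "evil-a.com" no longer qualifies
    "111115": [{"REMOTE_HOST": "^a\\.com$", "URI": "^/ab"}],
}


def condition_matches(cond, variables):
    """Every key of `cond` must be present and match its regex; {} matches any request."""
    for var, pattern in cond.items():
        value = variables.get(var)
        if value is None or not re.search(pattern, str(value)):
            return False
    return True


def rule_excluded(rules_id, rule_id, variables):
    entry = rules_id.get(rule_id)
    if not isinstance(entry, list):      # absent or {}: the rule stays active
        return False
    return any(condition_matches(cond, variables) for cond in entry)


def active_rules(rule_ids, rules_id, variables):
    """Rule IDs the engine should still run for this request."""
    return [r for r in rule_ids if not rule_excluded(rules_id, r, variables)]


if __name__ == "__main__":
    all_rules = ["111112", "111113", "111114", "111115", "111116"]
    for host, uri in [("a.com", "/abc"), ("a.com", "/xyz"), ("evil-a.com", "/abc")]:
        variables = {"REMOTE_HOST": host, "URI": uri}
        print(host, uri, "->", active_rules(all_rules, RULES_ID, variables))
```

REMOTE_HOST and URI come from the request the client sends, so an exclusion keyed on them is attacker-influenced: the unanchored "a.com" of 111112 also disables the rule for a Host header of evil-a.com, which is why the anchored 111115 form is preferable.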

Back to twaf_secrules

Back to TOC

Nginx Variables

$twaf_https

syntax: set $twaf_https 0|1

default: 0

context: server

用于標(biāo)記請(qǐng)求是否通過(guò)ssl加密

"set $twaf_https 1",則表示請(qǐng)求通過(guò)ssl加密

"set $twaf_https 1",則表示請(qǐng)求未通過(guò)ssl加密

server {
    listen 443 ssl;
    set $twaf_https 1;
    ...
}


server {
    listen 80;
    set $twaf_https 0;
    ...
}

$twaf_upstream_server

syntax: set $twaf_upstream_server ""

default: none

context: server

Holds the backend server address. It only needs to be initialised to an empty string; its value is derived from the matched access rule's "server_ssl" and "forward"

upstream server_1 {
    ...
}


upstream server_2 {
    ...
}


server {
    ...

    
    set $twaf_upstream_server "";
    location / {
        ...
        proxy_pass $twaf_upstream_server;
    }
}


If "server_ssl" is true and "forward" is "server_1",
this is equivalent to proxy_pass https://server_1;


If "server_ssl" is false and "forward" is "server_2",
this is equivalent to proxy_pass http://server_2;

Back to TOC

SecRules

Variables

Back to Var

Back to TOC

ARGS

table type: all request parameters, combining ARGS_GET and ARGS_POST

For example: POST http://www.baidu.com?name=miracle&age=5


with request body: time=123456&day=365


ARGS is {"name": "miracle", "age": "5", "time": "123456", "day": "365"}

Back to Var

Back to TOC

ARGS_COMBINED_SIZE

number type: total length of the request parameters, counting only the keys and values, not the '&' or '=' separators

For example: GET http://www.baidu.com?name=miracle&age=5


ARGS_COMBINED_SIZE is 15 (4 + 7 + 3 + 1), not 18

Back to Var

Back to TOC

ARGS_GET

table type: query-string parameters

For example: GET http://www.baidu.com?name=miracle&age=5


ARGS_GET is {"name": "miracle", "age": "5"}

Back to Var

Back to TOC

ARGS_GET_NAMES

table type: names of the query-string parameters

For example: GET http://www.baidu.com?name=miracle&age=5


ARGS_GET_NAMES is ["name", "age"]

Back to Var

Back to TOC

ARGS_NAMES

table type: names of the query-string parameters and of the POST parameters

For example: POST http://www.baidu.com?name=miracle&age=5


with request body: time=123456&day=365


ARGS_NAMES is ["name", "age", "time", "day"]

Back to Var

Back to TOC

ARGS_POST

table type: POST parameters

For example:


POST http://www.baidu.com/login.html


with request body: time=123456&day=365


ARGS_POST is {"time": "123456", "day": "365"}

Back to Var

Back to TOC

ARGS_POST_NAMES

table type: names of the POST parameters

For example:


POST http://www.baidu.com/login.html


with request body: time=123456&day=365


ARGS_POST_NAMES is ["time", "day"]

Back to Var

Back to TOC
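The ARGS family above derived from one request, as an added Python example (not OpenWAF's parser). Assumptions beyond the page: the body is application/x-www-form-urlencoded, values are percent-decoded before they are stored or measured, and a parameter name that repeats (HTTP parameter pollution) is kept as a list instead of silently overwriting the earlier value. The requests are the README's own examples, constructed here as arguments.

```python
"""Derive the ARGS family of SecRules variables from a request.

Added example, not OpenWAF code.
"""
from urllib.parse import parse_qsl, urlsplit


def _table(pairs):
    """Name -> value; a repeated name collects its values in a list."""
    table = {}
    for name, value in pairs:
        if name not in table:
            table[name] = value
        elif isinstance(table[name], list):
            table[name].append(value)
        else:
            table[name] = [table[name], value]
    return table


def args_variables(method, url, body=""):
    """QUERY_STRING, ARGS, ARGS_GET, ARGS_POST, their *_NAMES lists and ARGS_COMBINED_SIZE."""
    query = urlsplit(url).query
    get_pairs = parse_qsl(query, keep_blank_values=True)
    post_pairs = parse_qsl(body, keep_blank_values=True) if method == "POST" else []
    all_pairs = get_pairs + post_pairs
    return {
        "QUERY_STRING": query,
        "ARGS_GET": _table(get_pairs),
        "ARGS_GET_NAMES": [n for n, _ in get_pairs],
        "ARGS_POST": _table(post_pairs),
        "ARGS_POST_NAMES": [n for n, _ in post_pairs],
        "ARGS": _table(all_pairs),
        "ARGS_NAMES": [n for n, _ in all_pairs],
        # keys and values only: "name=miracle&age=5" gives 15, not 18
        "ARGS_COMBINED_SIZE": sum(len(n) + len(v) for n, v in all_pairs),
    }


if __name__ == "__main__":
    v = args_variables("POST", "http://www.baidu.com?name=miracle&age=5", "time=123456&day=365")
    for key in ("ARGS", "ARGS_NAMES", "ARGS_COMBINED_SIZE"):
        print(key, "=", v[key])
    # the same name in query and body: a rule reading ARGS["id"] must see both values
    print(args_variables("POST", "http://www.baidu.com/?id=1", "id=1' or 1=1--")["ARGS"])
```

The last line is the case worth keeping in mind when writing rules against ARGS: if a parser kept only the first or last occurrence, a payload in the other copy would never reach the rule engine while the backend might still read it.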

BYTES_IN

number type: number of bytes received

Back to Var

Back to TOC

CONNECTION_REQUESTS

number type: number of requests made so far on the current connection

Back to Var

Back to TOC

DURATION

string type: time taken to process the transaction, in microseconds (μs)

Back to Var

Back to TOC

FILES

table type: original file names taken from the request body (with extension)

Back to Var

Back to TOC

FILES_NAMES

table type: names of the uploaded files (without extension)

Back to Var

Back to TOC

GEO

table type: contains the fields code3, code, id, continent, name, etc.

Back to Var

Back to TOC

GEO_CODE3

string type: three-letter country code

Back to Var

Back to TOC

GEO_CODE

string type: two-letter country code

Back to Var

Back to TOC

GEO_ID

number type: country ID

Back to Var

Back to TOC

GEO_CONTINENT

string type: continent the country belongs to

Back to Var

Back to TOC

GEO_NAME

string type: full country name

Back to Var

Back to TOC

GZIP_RATIO

string type: compression ratio

Back to Var

Back to TOC

HTTP_COOKIE

string type: the Cookie request header

Back to Var

Back to TOC

HTTP_HOST

string type: value of the Host request header, i.e. domain:port (port defaults to 80)

Back to Var

Back to TOC

HTTP_REFERER

string type: the Referer request header

Back to Var

Back to TOC

HTTP_USER_AGENT

string type: the User-Agent request header

Back to Var

Back to TOC

IP_VERSION

string type: IPv4 or IPv6

Back to Var

Back to TOC

MATCHED_VAR

type varies: the variable currently matched

Back to Var

Back to TOC

MATCHED_VARS

table type: all variables matched by a single rule

Back to Var

Back to TOC

MATCHED_VAR_NAME

string type: name of the variable currently matched

Back to Var

Back to TOC

MATCHED_VARS_NAMES

table type: names of all variables matched by a single rule

Back to Var

Back to TOC

ORIGINAL_DST_ADDR

string type: server address; in reverse-proxy mode the WAF's address, in transparent mode the backend server's address

Back to Var

Back to TOC

ORIGINAL_DST_PORT

string type: server port; in reverse-proxy mode the WAF's port, in transparent mode the backend server's port

Back to Var

Back to TOC

POLICYID

string type: policy ID

Back to Var

Back to TOC

QUERY_STRING

string type: the raw (undecoded) query string

Back to Var

Back to TOC

RAW_HEADER

string type: the request headers, including the request line

Back to Var

Back to TOC

RAW_HEADER_TRUE

string type: the request headers, without the request line

Back to Var

Back to TOC

REMOTE_ADDR

string type: client address

Back to Var

Back to TOC

REMOTE_HOST

string type: domain name of the request

Back to Var

Back to TOC

REMOTE_PORT

number type: client port

Back to Var

Back to TOC

REMOTE_USER

string type: user name supplied for authentication

Back to Var

Back to TOC

REQUEST_BASENAME

string type: file name of the request

For example: GET http://www.baidu.com/test/login.php


REQUEST_BASENAME is /login.php

Back to Var

Back to TOC

REQUEST_BODY

type varies: the request body

Back to Var

Back to TOC

REQUEST_COOKIES

table type: cookies carried by the request

Back to Var

Back to TOC

REQUEST_COOKIES_NAMES

table type: names of the cookies carried by the request

Back to Var

Back to TOC

REQUEST_FILENAME

string type: relative request URL (the path part of the request)

For example: GET http://www.baidu.com/test/login.php


REQUEST_FILENAME is /test/login.php

Back to Var

Back to TOC

REQUEST_HEADERS

table type: request headers

Back to Var

Back to TOC

REQUEST_HEADERS_NAMES

table type: request header names

Back to Var

Back to TOC

REQUEST_LINE

string type: the request line

Back to Var

Back to TOC

REQUEST_METHOD

string type: the request method

Back to Var

Back to TOC

REQUEST_PROTOCOL

string type: HTTP request protocol, e.g. HTTP/1.1

Back to Var

Back to TOC

HTTP_VERSION

string type: HTTP protocol version, e.g. 1.1

Back to Var

Back to TOC

URI

string type: request path, without the domain and without parameters

For example: GET http://www.baidu.com/test/login.php?name=miracle


URI is /test/login.php

Back to Var

Back to TOC

URL

string type: uniform resource locator, the concatenation of SCHEME, HTTP_HOST and URI

For example: GET http://www.baidu.com/test/login.php?name=miracle


URL is http://www.baidu.com/test/login.php

Back to Var

Back to TOC

REQUEST_URI

string type: request path with parameters, without the domain

For example: GET http://www.baidu.com/test/login.php?name=miracle


REQUEST_URI is /test/login.php?name=miracle

Back to Var

Back to TOC

RESPONSE_BODY

string type: the response body

Back to Var

Back to TOC

RESPONSE_HEADERS

table type: response headers

Back to Var

Back to TOC

RESPONSE_STATUS

function type: the response status code

Back to Var

Back to TOC

SCHEME

string type: http or https

For example: GET http://www.baidu.com/


SCHEME is http

Back to Var

Back to TOC

SERVER_ADDR

string type: server address

Back to Var

Back to TOC

SERVER_NAME

string type: server name

Back to Var

Back to TOC

SERVER_PORT

number type: server port

Back to Var

Back to TOC

SESSION

table type: variable provided by the third-party module lua-resty-session

Back to Var

Back to TOC

SESSION_DATA

table type: session data, provided by the third-party module lua-resty-session

Back to Var

Back to TOC

TIME

string type: hour:minute:second

Back to Var

Back to TOC

TIME_DAY

number type: day of the month (1-31)

Back to Var

Back to TOC

TIME_EPOCH

number type: timestamp, seconds since 1970

Back to Var

Back to TOC

TIME_HOUR

number type: hour (0-23)

Back to Var

Back to TOC

TIME_MIN

number type: minute (0-59)

Back to Var

Back to TOC

TIME_MON

number type: month (1-12)

Back to Var

Back to TOC

TIME_SEC

number type: second (0-59)

Back to Var

Back to TOC

TIME_WDAY

number type: day of the week (0-6)

Back to Var

Back to TOC

TIME_YEAR

number type: four-digit year, e.g. 1997

Back to Var

Back to TOC

TIME_LOCAL

string type: current time, e.g. 26/Aug/2016:01:32:16 -0400

Back to Var

Back to TOC

TX

table type: variables holding information about the current request; scoped to the current request only

Back to Var

Back to TOC

UNIQUE_ID

string type: randomly generated ID string; its length can be controlled in the configuration

Back to Var

Back to TOC

UPSTREAM_CACHE_STATUS

keeps the status of accessing a response cache (0.8.3). The status can be either “MISS”, “BYPASS”, “EXPIRED”, “STALE”, “UPDATING”, “REVALIDATED”, or “HIT”.

Back to Var

Back to TOC

USERID

string type: user ID taken from the access rule configuration

Back to Var

Back to TOC

Transformation Functions

Back to TFF

Back to TOC

base64_decode

Decodes a Base64-encoded string.

Note: the order of the transforms matters

For example:
{
   "id": "xxxx",
   ...
   "transform": ["base64_decode", "lowercase"],
   ...
}


Base64 decoding runs first, then lowercasing; swapping the two changes the result, since lowercasing the Base64 text before decoding yields different bytes

Back to TFF

Back to TOC

sql_hex_decode

Decode sql hex data.

Back to TFF

Back to TOC

base64_encode

Encodes input string using Base64 encoding.

Back to TFF

Back to TOC

counter

計(jì)數(shù),相當(dāng)于modsecurity中的'&'符號(hào)

Back to TFF

Back to TOC

compress_whitespace

Converts any of the whitespace characters (0x20, \f, \t, \n, \r, \v, 0xa0) to spaces (ASCII 0x20), compressing multiple consecutive space characters into one.

Back to TFF

Back to TOC

hex_decode

Decodes a string that has been encoded using the same algorithm as the one used in hexEncode

Back to TFF

Back to TOC

hex_encode

Encodes string (possibly containing binary characters) by replacing each input byte with two hexadecimal characters.

Back to TFF

Back to TOC

html_decode

Decodes the characters encoded as HTML entities.

Back to TFF

Back to TOC

length

Looks up the length of the input string in bytes

Back to TFF

Back to TOC

lowercase

Converts all characters to lowercase

Back to TFF

Back to TOC

md5

Calculates an MD5 hash from the data in input. The computed hash is in raw binary form and may need to be encoded into text to be printed (or logged). Hash functions are commonly used in combination with hex_encode (for example: "transform": ["md5", "hex_encode"]).

Back to TFF

Back to TOC

normalise_path

Removes multiple slashes, directory self-references, and directory back-references (except when at the beginning of the input) from input string.

Back to TFF

Back to TOC

remove_nulls

Removes all NUL bytes from input

Back to TFF

Back to TOC

remove_whitespace

Removes all whitespace characters from input.

Removes whitespace characters (\s), including horizontal tab ('\t'), carriage return ('\r'), line feed ('\n'), vertical tab ('\v') and form feed ('\f').

Back to TFF

Back to TOC

replace_comments

Replaces each /* ... */ comment with a single space.

Back to TFF

Back to TOC

remove_comments_char

Removes common comment characters (/*, */, --, #).

Back to TFF

Back to TOC

remove_comments

Removes /* ... */ comments.

Back to TFF

Back to TOC

uri_decode

Unescape str as an escaped URI component.

Example:
"b%20r56+7" becomes "b r56 7" after uri_decode

Back to TFF

Back to TOC

uri_encode

Escape str as a URI component.

Back to TFF

Back to TOC

sha1

Calculates a SHA1 hash from the input string. The computed hash is in raw binary form and may need to be encoded into text to be printed (or logged). Hash functions are commonly used in combination with hex_encode (for example, "transform": ["sha1", "hex_encode"]).

Back to TFF

Back to TOC

trim_left

Removes whitespace from the left side of the input string.

Back to TFF

Back to TOC

trim_right

Removes whitespace from the right side of the input string.

Back to TFF

Back to TOC

trim

Removes whitespace from both the left and right sides of the input string.

Back to TFF

Back to TOC

Operators

Back to OPERATORS

Back to TOC

begins_with

Returns true if the parameter string is found at the beginning of the input.

Back to OPERATORS

Back to TOC

contains

Returns true if the parameter string is found anywhere in the input.

When the operator is contains and the pattern is an array, it is equivalent to ModSecurity's pm.

Note: ModSecurity's pm is case-insensitive, whereas contains in OpenWAF is case-sensitive; add the lowercase transform if the match must ignore case.

Example:
{
    "id": "xxx",
    ...
    "operator": "contains",
    "pattern": ["abc", "def"],
    ...
}

Back to OPERATORS

Back to TOC

contains_word

Returns true if the parameter string (with word boundaries) is found anywhere in the input.

Back to OPERATORS

Back to TOC

detect_sqli

This operator uses LibInjection to detect SQLi attacks.

Back to OPERATORS

Back to TOC

detect_xss

This operator uses LibInjection to detect XSS attacks.

Back to OPERATORS

Back to TOC

ends_with

Returns true if the parameter string is found at the end of the input.

Back to OPERATORS

Back to TOC

equal

Performs a string comparison and returns true if the parameter string is identical to the input string.

Equivalent to ModSecurity's eq and streq.

Example:
{
    "id": "xxx",
    ...
    "operator": "equal",
    "pattern": [12345, "html", "23456"],
    ...
}

Back to OPERATORS

Back to TOC

greater_eq

Performs numerical comparison and returns true if the input value is greater than or equal to the provided parameter.

Returns false if the input cannot be converted to a number.

Back to OPERATORS

Back to TOC

greater

Performs numerical comparison and returns true if the input value is greater than the operator parameter.

Returns false if the input cannot be converted to a number.

Back to OPERATORS

Back to TOC

ip_utils

Performs a fast IPv4 or IPv6 match against the REMOTE_ADDR variable. The following formats are handled:

Full IPv4 address: 192.168.1.100
Network block/CIDR address: 192.168.1.0/24
IPv4 address range: 1.1.1.1-2.2.2.2

ip_utils combined with pf is equivalent to ModSecurity's ipMatchF / ipMatchFromFile.

Example:
Rule:
{
    "id": "xxxx",
    ...
    "operator": "ip_utils",
    "pf": "/tmp/ip_blacklist.txt",
    ...
}
Contents of "/tmp/ip_blacklist.txt":
192.168.1.100
192.168.1.0/24
1.1.1.1-2.2.2.2
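The three entry formats above are easy to get subtly wrong (a range whose ends are in the wrong order, a CIDR with host bits set, a REMOTE_ADDR that is not an address at all). The following Python model of ip_utils driven by a pf-style list is an added example written for this page, not OpenWAF's code; the sample list is constructed from the three lines shown above, and comment lines starting with "#" are an assumption of the model.

```python
import ipaddress

# Added example: a model of the ip_utils operator fed by a pf list (not OpenWAF's own code).
# Entry formats follow the page: single address, CIDR block, or "start-end" range.


def compile_entry(entry: str):
    """Turn one list line into a predicate over ipaddress objects; None for blank/comment lines."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):       # assumption: comments are allowed in the list file
        return None
    if "-" in entry:
        lo_s, hi_s = entry.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {entry!r}")
        return lambda ip: ip.version == lo.version and lo <= ip <= hi
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)   # 192.168.1.5/24 is read as 192.168.1.0/24
        return lambda ip: ip.version == net.version and ip in net
    one = ipaddress.ip_address(entry)
    return lambda ip: ip == one


def load_pf(text: str):
    """Compile the whole list; a malformed line fails loudly instead of being skipped silently."""
    return [m for m in (compile_entry(line) for line in text.splitlines()) if m is not None]


def load_pf_file(path: str):
    """pf takes an absolute path; the file is read once at rule-load time."""
    with open(path, encoding="utf-8") as fh:
        return load_pf(fh.read())


def ip_utils(remote_addr: str, matchers) -> bool:
    """True when REMOTE_ADDR hits any entry; unparsable input never matches and never raises."""
    try:
        ip = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return False
    return any(m(ip) for m in matchers)


# Constructed sample with the same three lines the page shows for /tmp/ip_blacklist.txt
SAMPLE_BLACKLIST = """\
192.168.1.100
192.168.1.0/24
1.1.1.1-2.2.2.2
"""
BLACKLIST = load_pf(SAMPLE_BLACKLIST)

if __name__ == "__main__":
    for addr in ("192.168.1.100", "192.168.1.7", "1.255.255.255", "3.3.3.3", "::1", "not an ip"):
        print(f"{addr:>16} -> {'deny' if ip_utils(addr, BLACKLIST) else 'allow'}")
```

Two operational caveats apply whatever the implementation: REMOTE_ADDR is the TCP peer, so behind a load balancer or CDN it is the proxy's address and the list will never match real clients unless the client address is restored first (for nginx, the realip module with set_real_ip_from limited to the trusted proxies); and the list file should be owned by root and not writable by the worker user, since whoever can edit it controls who gets blocked.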

Back to OPERATORS

Back to TOC

less_eq

Performs numerical comparison and returns true if the input value is less than or equal to the operator parameter.

Returns false if the input cannot be converted to a number.

Back to OPERATORS

Back to TOC

less

Performs numerical comparison and returns true if the input value is less than the operator parameter.

Returns false if the input cannot be converted to a number.

Back to OPERATORS

Back to TOC

pf

pattern is the argument the operator works on.

pf means "pattern from file" and is mutually exclusive with pattern (the two must not appear together); currently only absolute paths are supported.

pf combined with contains is equivalent to ModSecurity's pmf / pmFromFile.

pf combined with ip_utils is equivalent to ModSecurity's ipMatchF / ipMatchFromFile.

Back to OPERATORS

Back to TOC

regex

Performs a regular expression match of the pattern provided as parameter.

regex also provides ModSecurity's capture feature.

ModSecurity describes capture as follows: When used together with the regular expression operator (@rx), the capture action will create copies of the regular expression captures and place them into the transaction variable collection.

OpenWAF has no capture directive; regex enables capture by default, so the capture groups are available to later match entries as TX.1, TX.2, ... (the example below reads them as TX.2 and %{TX.1}).

Example:
{
    "id": "000031",
    "release_version": "858",
    "charactor_version": "001",
    "opts": {
        "nolog": false
    },
    "phase": "access",
    "action": "deny",
    "meta": 403,
    "severity": "low",
    "rule_name": "protocol.reqHeader.c",
    "desc": "Protocol conformance constraint: detects HTTP requests whose Range or Request-Range header value is malformed",
    "match": [
        {
            "vars": [
                {
                    "var": "REQUEST_HEADERS",
                    "parse": {
                        "specific": "Range"
                    }
                },
                {
                    "var": "REQUEST_HEADERS",
                    "parse": {
                        "specific": "Request-Range"
                    }
                }
            ],
            "operator": "regex",
            "pattern": "(\\d+)\\-(\\d+)\\,"
        },
        {
            "vars": [{
                "var": "TX",
                "parse": {
                    "specific": "2"
                }
            }],
            "operator": "greater_eq",
            "pattern": "%{TX.1}",
            "parse_pattern": true,
            "op_negated": true
        }
    ]
}
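The rule above only makes sense once you see the two match entries run in sequence: the regex stores its groups in TX, and the second entry compares TX.2 against the expanded %{TX.1} and negates the result, so the rule fires when the end of a range is smaller than its start. The following Python evaluator is an added example written for this page, not OpenWAF's code; it embeds the rule above verbatim (minus metadata), and the case-insensitive header lookup, the empty expansion of an unset capture, and "no value never matches, negated or not" are assumptions of the model.

```python
import re

# Added example, not OpenWAF's own code: evaluates the Range rule above the way this
# section describes it. Regex captures land in TX, and "%{TX.n}" in a pattern is expanded
# when parse_pattern is true.

RANGE_RULE = {
    "id": "000031",
    "phase": "access",
    "action": "deny",
    "meta": 403,
    "match": [
        {
            "vars": [
                {"var": "REQUEST_HEADERS", "parse": {"specific": "Range"}},
                {"var": "REQUEST_HEADERS", "parse": {"specific": "Request-Range"}},
            ],
            "operator": "regex",
            "pattern": r"(\d+)\-(\d+)\,",
        },
        {
            "vars": [{"var": "TX", "parse": {"specific": "2"}}],
            "operator": "greater_eq",
            "pattern": "%{TX.1}",
            "parse_pattern": True,
            "op_negated": True,
        },
    ],
}


def expand_macros(pattern, tx):
    """Replace %{TX.key} with the capture; an unset capture expands to "" (assumption)."""
    return re.sub(r"%\{TX\.([^}]+)\}", lambda m: str(tx.get(m.group(1), "")), pattern)


def op_regex(value, pattern, tx):
    m = re.search(pattern, value)
    if m is None:
        return False
    tx["0"] = m.group(0)                      # capture is always on for regex
    for i, group in enumerate(m.groups(), start=1):
        tx[str(i)] = group
    return True


def op_greater_eq(value, pattern, tx):
    try:
        return float(value) >= float(pattern)
    except (TypeError, ValueError):
        return False                          # non-numeric input never matches


OPERATORS = {"regex": op_regex, "greater_eq": op_greater_eq}


def resolve_var(spec, headers, tx):
    """Values for one vars[] entry. Header names compare case-insensitively (assumption)."""
    specific = spec.get("parse", {}).get("specific")
    if spec["var"] == "REQUEST_HEADERS":
        if specific is None:
            return list(headers.values())
        lowered = {k.lower(): v for k, v in headers.items()}
        return [lowered[specific.lower()]] if specific.lower() in lowered else []
    if spec["var"] == "TX":
        return [tx[specific]] if specific in tx else []
    raise KeyError(spec["var"])


def eval_match(item, headers, tx):
    pattern = expand_macros(item["pattern"], tx) if item.get("parse_pattern") else item["pattern"]
    op = OPERATORS[item["operator"]]
    values = [v for spec in item["vars"] for v in resolve_var(spec, headers, tx)]
    if not values:
        return False                          # assumption: no value at all never matches, negated or not
    hit = any(op(v, pattern, tx) for v in values)
    return hit != bool(item.get("op_negated"))


def evaluate(rule, headers):
    """Every match entry must pass, in order. Returns (action, meta, tx) or (None, None, tx)."""
    tx = {}
    for item in rule["match"]:
        if not eval_match(item, headers, tx):
            return None, None, tx
    return rule["action"], rule["meta"], tx


if __name__ == "__main__":
    for hdr in ({"Range": "bytes=5-3,"}, {"Range": "bytes=0-499,500-999"}, {"Range": "bytes=5-3"}, {}):
        action, meta, tx = evaluate(RANGE_RULE, hdr)
        print(hdr, "->", action, meta, tx)
```

Note what the rule does and does not cover: `re.search` stops at the first "start-end," pair, so only the first range of a multi-range header is checked, and a single range without a trailing comma never reaches the comparison at all. A rule that must validate every range would capture with a global match and compare each pair.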

Back to OPERATORS

Back to TOC

str_match

Same as contains.

Back to OPERATORS

Back to TOC

validate_url_encoding

Validates the URL-encoded characters in the provided input string.

Back to OPERATORS

Back to TOC

num_range

Checks whether the input lies within a numeric range.

Combined with the length transform, it is equivalent to ModSecurity's validateByteRange:

{
    "id": "xxx",
    ...
    "operator": "num_range",
    "pattern": [10, "13", "32-126"],
    "transform": "length",
    ...
}

Back to OPERATORS

Back to TOC

str_range

Checks whether the input lies within a string range (string comparison of the bounds).

For example, a time-interval check:
{
    "id": "xxx",
    ...
    "operator": "str_range",
    "pattern": ["01:42:00-04:32:00"],
    ...
}
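The comparison operators of this section share a few semantics worth pinning down: a list pattern matches when any entry matches, equal is a string comparison (so 12345 and "12345" behave the same), the numeric operators compare numbers rather than text (so "10" is greater than "9") and return false on non-numeric input, and num_range/str_range take "lo-hi" entries. The following Python model is an added example written for this page, not OpenWAF's code; treating the first "-" as the separator of a str_range entry is an assumption.

```python
import re

# Added reference model of OpenWAF's comparison operators (not OpenWAF's own code).
# A pattern may be a single value or a list; a list matches when any entry matches.


def _patterns(pattern):
    return pattern if isinstance(pattern, list) else [pattern]


def _number(x):
    try:
        return float(x)
    except (TypeError, ValueError):
        return None


def op_contains(value, pattern):
    """Array pattern behaves like ModSecurity's pm, but the comparison is case-sensitive."""
    return any(str(p) in value for p in _patterns(pattern))


def op_contains_word(value, pattern):
    return any(re.search(r"\b%s\b" % re.escape(str(p)), value) is not None for p in _patterns(pattern))


def op_begins_with(value, pattern):
    return any(value.startswith(str(p)) for p in _patterns(pattern))


def op_ends_with(value, pattern):
    return any(value.endswith(str(p)) for p in _patterns(pattern))


def op_equal(value, pattern):
    """String comparison (eq/streq): 12345 and "12345" both equal the input "12345"."""
    return any(str(p) == str(value) for p in _patterns(pattern))


def _numeric(cmp):
    """Build greater/greater_eq/less/less_eq: non-numeric input or entry never matches."""
    def op(value, pattern):
        v = _number(value)
        return v is not None and any(
            p is not None and cmp(v, p) for p in map(_number, _patterns(pattern)))
    return op


op_greater = _numeric(lambda v, p: v > p)
op_greater_eq = _numeric(lambda v, p: v >= p)
op_less = _numeric(lambda v, p: v < p)
op_less_eq = _numeric(lambda v, p: v <= p)


def op_num_range(value, pattern):
    """Entries are single numbers (10, "13") or "lo-hi" ranges ("32-126")."""
    v = _number(value)
    if v is None:
        return False
    for entry in _patterns(pattern):
        m = re.fullmatch(r"\s*(-?\d+(?:\.\d+)?)\s*-\s*(-?\d+(?:\.\d+)?)\s*", str(entry))
        if m:
            if float(m.group(1)) <= v <= float(m.group(2)):
                return True
        else:
            n = _number(entry)
            if n is not None and n == v:
                return True
    return False


def op_str_range(value, pattern):
    """Lexicographic 'lo-hi' range, e.g. "01:42:00-04:32:00" for a time-of-day value.
    The first '-' splits the entry, so the bounds themselves must not contain '-' (assumption)."""
    for entry in _patterns(pattern):
        lo, sep, hi = str(entry).partition("-")
        if sep and lo <= str(value) <= hi:
            return True
    return False
```

The "10" versus "9" case is the one that bites in practice: a rule that compared Content-Length or a length transform lexicographically would let a 10000-byte value through a "less than 9" check, which is exactly why these operators convert to numbers first and refuse to match when they cannot.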

Back to OPERATORS

Back to TOC

Others

Back to OTHERS

Back to TOC

allow

Stops rule processing of the current phase on a successful match and allows the transaction to proceed.

"action": "allow"

Back to OTHERS

Back to TOC

deny

Stops rule processing and intercepts transaction.

"action": "deny",
"meta": 403

Back to OTHERS

Back to TOC

id

The rule's identifier; it must be globally unique.

"id": "xxxxxxx"

Back to OTHERS

Back to TOC

nolog

Do not write a log entry for this rule.

"opts": {
    "nolog": true
}

Back to OTHERS

Back to TOC

op_negated

Negates the result of the operator.

"match": [{
    "vars": [{
        "var": "HTTP_USER_AGENT"
    }],
    "transform": "length",
    "operator": "less_eq",
    "pattern": 50,
    "op_negated": true
}]


is equivalent to


"match": [{
    "vars": [{
        "var": "HTTP_USER_AGENT"
    }],
    "transform": "length",
    "operator": "greater",
    "pattern": 50
}]


If the User-Agent request header is longer than 50 bytes, this rule matches.

Back to OTHERS

Back to TOC

parse

Parses a variable further.

For the request GET http://www.baidu.com?name=miracle&age=5:


"match": [{
    "vars": [{
        "var": "ARGS_GET"
    }],
    ...
}]
the value obtained is {"name": "miracle", "age": "5"}




"match": [{
    "vars": [{
        "var": "ARGS_GET",
        "parse": {
            "specific": "name"
        }
    }]
}]
the value obtained is ["miracle"]




"match": [{
    "vars": [{
        "var": "ARGS_GET",
        "parse": {
            "specific": ["name", "age"]
        }
    }]
}]
the value obtained is ["miracle", "5"]




"match": [{
    "vars": [{
        "var": "ARGS_GET",
        "parse": {
            "ignore": "name"
        }
    }]
}]
the value obtained is {"age": "5"}




"match": [{
    "vars": [{
        "var": "ARGS_GET",
        "parse": {
            "ignore": ["name", "age"]
        }
    }]
}]
the value obtained is [] (an empty table)




"match": [{
    "vars": [{
        "var": "ARGS_GET",
        "parse": {
            "keys": true
        }
    }]
}]
the value obtained is ["name", "age"]




"match": [{
    "vars": [{
        "var": "ARGS_GET",
        "parse": {
            "values": true
        }
    }]
}]
the value obtained is ["miracle", "5"]




"match": [{
    "vars": [{
        "var": "ARGS_GET",
        "parse": {
            "all": true
        }
    }]
}]
the value obtained is ["name", "age", "miracle", "5"]
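The eight cases above are one function applied to one table, and seeing them together makes the difference between values, keys and all obvious. The following Python model is an added example written for this page, not OpenWAF's code: it builds ARGS_GET from the request shown above and applies each parse spec. Preserving query-string order, keeping the last value of a repeated key, and rendering the empty Lua table as {} are assumptions of the model.

```python
from urllib.parse import parse_qsl, urlsplit

# Added example (not OpenWAF's own code): models how the parse field narrows a table
# variable such as ARGS_GET. Query-string order is preserved and a repeated key keeps its
# last value; both are assumptions of this model, not documented OpenWAF behaviour.


def args_get(url: str) -> dict:
    """ARGS_GET as a name -> value table built from the URL's query string."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def _as_list(x):
    return [x] if isinstance(x, str) else list(x)


def apply_parse(table: dict, parse=None):
    """What a rule sees for {"var": ..., "parse": parse}: the table itself, a list of values, or a filtered table."""
    if not parse:
        return dict(table)
    if "specific" in parse:                 # pick the named keys; absent keys are skipped
        return [table[k] for k in _as_list(parse["specific"]) if k in table]
    if "ignore" in parse:                   # everything except the named keys
        dropped = set(_as_list(parse["ignore"]))
        return {k: v for k, v in table.items() if k not in dropped}
    if parse.get("keys"):
        return list(table)
    if parse.get("values"):
        return list(table.values())
    if parse.get("all"):
        return list(table) + list(table.values())
    raise ValueError(f"unsupported parse spec: {parse!r}")


REQUEST_URL = "http://www.baidu.com?name=miracle&age=5"   # the request from the page

if __name__ == "__main__":
    table = args_get(REQUEST_URL)
    for spec in (None, {"specific": "name"}, {"specific": ["name", "age"]}, {"ignore": "name"},
                 {"ignore": ["name", "age"]}, {"keys": True}, {"values": True}, {"all": True}):
        print(spec, "->", apply_parse(table, spec))
```

The security-relevant choice is between values and all: a rule that inspects only values never sees a payload smuggled in a parameter name (ModSecurity's ARGS_NAMES case), so injection rules are normally written against all, while ignore is reserved for parameters that are known to carry legitimate markup or SQL-looking text.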

Back to OTHERS

Back to TOC

pass

Continues processing with the next rule in spite of a successful match.

"action": "pass"

Back to OTHERS

Back to TOC

phase

The phase(s) in which the rule runs; the value is "access", "header_filter" or "body_filter", or a combination of them.

{
    "id": "xxx_01",
    "phase": "access",
    ...
}
Rule "xxx_01" runs in the access phase.


{
    "id": "xxx_02",
    "phase": ["access", "header_filter"],
    ...
}
Rule "xxx_02" runs once in the access phase and once in the header_filter phase.

Back to OTHERS

Back to TOC

proxy_cache

{
    ...
    phase = "header_filter",         -- the cache switch must be configured in the header_filter phase
    action = "pass",                 -- the request does not need to be intercepted
    opts = {
        nolog = true,                -- no log entry needed
        proxy_cache = {
            state = true|false,      -- cache switch
            expired = 600            -- cache lifetime in seconds, default 600
        }
    }
    ...
}


If state is true and the cache status obtained is "MISS" or "EXPIRED", the response body is cached and the cache lifetime is set.
If state is false, the cache for the corresponding cache key is cleared (including its cache file).

Example:

## proxy cache related settings in nginx.conf
http {
    proxy_cache_path  /opt/cache/OpenWAF-proxy levels=2:2 keys_zone=twaf_cache:101m max_size=100m use_temp_path=off;
    proxy_cache_key $host$uri;
    proxy_cache twaf_cache;
    proxy_ignore_headers X-Accel-Expires Cache-Control Set-Cookie;
    proxy_no_cache $twaf_cache_flag;

    
    server {
        set $twaf_cache_flag 1;         # do not cache by default
    }
}


## rule in Lua table format
{ 
    id = "test_x01",                      -- id must be globally unique
    opts = {
        nolog = true,
        proxy_cache = {
            state = true,
            expired = 300
        }
    },
    phase = "header_filter", 
    action = "pass",
    match = {{
        vars = {{
            var = "URI"
        },{
            var = "REQUEST_HEADERS",
            parse = {
                specific = "Referer"
            }
        }},
        operator = "equal",
        pattern = {"/xampp/", "%{SCHEME}://%{HTTP_HOST}/xampp/"},
        parse_pattern = true
    }}
}
This rule caches the page whose URI is '/xampp/' and refreshes it every 300 seconds.


If the match filters on the response code, it corresponds to Nginx's proxy_cache_valid directive.
If the match filters on the request method, it corresponds to Nginx's proxy_cache_methods directive.
If the match filters on the content type, it corresponds to Nginx's proxy_cache_content_type directive.


Note: proxy_cache_content_type is not an official Nginx directive; it is an extension that miracle Qi added by modifying the Nginx source.

Back to OTHERS

Back to TOC

redirect

"action": "redirect",
"meta": "/index.html"

Back to OTHERS

Back to TOC

charactor_version

Specifies the version of this rule, equivalent to the rev action in ModSecurity.

"charactor_version": "001"

Back to OTHERS

Back to TOC

severity

Assigns severity to the rule in which it is used.

The data below is used by the OWASP ModSecurity Core Rule Set (CRS):

EMERGENCY: generated from correlation of anomaly scoring data where there is an inbound attack and an outbound leakage.
ALERT: generated from correlation where there is an inbound attack and an outbound application-level error.
CRITICAL: anomaly score of 5. The highest severity level possible without correlation; normally generated by the web attack rules (40-level files).
ERROR: anomaly score of 4. Generated mostly by outbound leakage rules (50-level files).
WARNING: anomaly score of 3. Generated by malicious client rules (35-level files).
NOTICE: anomaly score of 2. Generated by the protocol policy and anomaly files.
INFO
DEBUG

Custom severity levels may also be used, e.g. low, medium, high, critical.

"severity": "high"

Back to OTHERS

Back to TOC

setvar

Creates, removes, or updates a variable.

{
    "id": "xxx_01",
    "opts":{
        "nolog": false,
        "setvar": [{
            "column": "TX",
            "key": "score",
            "value": 5,
            "incr": true
        }]
    },
    ...
}
In rule "xxx_01", 5 is added to the score member of TX; if TX has no score member, it is initialized to 0 and then 5 is added.


{
    "id": "xxx_02",
    "opts":{
        "nolog": false,
        "setvar": [{
            "column": "TX",
            "key": "score",
            "value": 5
        }]
    },
    ...
}


In rule "xxx_02", the score member of TX is set to 5.

Back to OTHERS

Back to TOC

meta

Supplementary information for "action".

If "action" is "deny", "meta" is the response status code:
"action": "deny",
"meta": 403


If "action" is "redirect", "meta" is the redirect target:
"action": "redirect",
"meta": "/index.html"

Back to OTHERS

Back to TOC

transform

This action is used to specify the transformation pipeline to use to transform the value of each variable used in the rule before matching.

Back to OTHERS

Back to TOC

tag

Assigns a tag (category) to a rule.

Accepts an array:   "tag": ["xxx_1", "xxx_2"]
Accepts a string:   "tag": "xxx_3"

Back to OTHERS

Back to TOC

release_version

Rule set version, equivalent to the ver action in ModSecurity.

"release_version": "858"

Back to OTHERS

Back to TOC

robot

Human/bot detection.

The bot-detection module must be configured beforehand; this feature has not been released yet.

"action": "robot"

Back to OTHERS

Back to TOC

add_resp_headers

Adds, removes or modifies response headers.

For example, to hide the Server header:
"opts": {
    "add_resp_headers": {
        "server": ""
    }
}

Back to OTHERS

Back to TOC
