
modsecurity: the rule system, part 3

Posted: 2024-10-21 14:58:34
Tags: system CRS level rules REQUEST modsecurity paranoia rules OWASP

1. Rule levels: the paranoia level

The OWASP Core Rule Set (CRS) that runs on top of ModSecurity groups its rules by how prone they are to false positives into paranoia levels (PL).
There are four levels, 1 to 4.
The higher the level, the fewer attacks slip through (false negatives) and the more legitimate requests get flagged (false positives).
Pick the level to match the application being protected and how much tuning effort you can afford.
The default is PL 1; it is set in crs-setup.conf through tx.blocking_paranoia_level (and, optionally, tx.detection_paranoia_level for rules that should run without counting toward blocking).

Configuration file:

crs-setup.conf

The default settings (the relevant section of crs-setup.conf, CRS 4.8.0-dev, reproduced below):

#
# -- [[ Paranoia Level Initialization ]] ---------------------------------------
#
# The Paranoia Level (PL) setting allows you to choose the desired level
# of rule checks that will add to your anomaly scores.
#
# With each paranoia level increase, the CRS enables additional rules
# giving you a higher level of security. However, higher paranoia levels
# also increase the possibility of blocking some legitimate traffic due to
# false alarms (also named false positives or FPs). If you use higher
# paranoia levels, it is likely that you will need to add some exclusion
# rules for certain requests and applications receiving complex input.
#
# - A paranoia level of 1 is default. In this level, most core rules
#   are enabled. PL1 is advised for beginners, installations
#   covering many different sites and applications, and for setups
#   with standard security requirements.
#   At PL1 you should face FPs rarely. If you encounter FPs, please
#   open an issue on the CRS GitHub site and don't forget to attach your
#   complete Audit Log record for the request with the issue.
# - Paranoia level 2 includes many extra rules, for instance enabling
#   many regexp-based SQL and XSS injection protections, and adding
#   extra keywords checked for code injections. PL2 is advised
#   for moderate to experienced users desiring more complete coverage
#   and for installations with elevated security requirements.
#   PL2 comes with some FPs which you need to handle.
# - Paranoia level 3 enables more rules and keyword lists, and tweaks
#   limits on special characters used. PL3 is aimed at users experienced
#   at the handling of FPs and at installations with a high security
#   requirement.
# - Paranoia level 4 further restricts special characters.
#   The highest level is advised for experienced users protecting
#   installations with very high security requirements. Running PL4 will
#   likely produce a very high number of FPs which have to be
#   treated before the site can go productive.
#
# All rules will log their PL to the audit log;
# example: [tag "paranoia-level/2"]. This allows you to deduct from the
# audit log how the WAF behavior is affected by paranoia level.
#
# It is important to also look into the variable
# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED)
# defined below. Enabling it closes a possible bypass of CRS.
#
# Uncomment this rule to change the default:
#
#SecAction \
#    "id:900000,\
#    phase:1,\
#    pass,\
#    t:none,\
#    nolog,\
#    tag:'OWASP_CRS',\
#    ver:'OWASP_CRS/4.8.0-dev',\
#    setvar:tx.blocking_paranoia_level=1"


# It is possible to execute rules from a higher paranoia level but not include
# them in the anomaly scoring. This allows you to take a well-tuned system on
# paranoia level 1 and add rules from paranoia level 2 without having to fear
# the new rules would lead to false positives that raise your score above the
# threshold.
# This optional feature is enabled by uncommenting the following rule and
# setting the tx.detection_paranoia_level.
# Technically, rules up to the level defined in tx.detection_paranoia_level
# will be executed, but only the rules up to tx.blocking_paranoia_level affect the
# anomaly scores.
# By default, tx.detection_paranoia_level is set to tx.blocking_paranoia_level.
# tx.detection_paranoia_level must not be lower than tx.blocking_paranoia_level.
#
# Please notice that setting tx.detection_paranoia_level to a higher paranoia
# level results in a performance impact that is equally high as setting
# tx.blocking_paranoia_level to said level.
#
#SecAction \
#    "id:900001,\
#    phase:1,\
#    pass,\
#    t:none,\
#    nolog,\
#    tag:'OWASP_CRS',\
#    ver:'OWASP_CRS/4.8.0-dev',\
#    setvar:tx.detection_paranoia_level=1" 


2. How a rule gets its level:

The way rules are assigned a level is unusual: there is no per-rule level setting. A rule's PL follows from its position in the rule file, built from two ModSecurity primitives:

skipAfter: an action; when the rule's condition matches, evaluation jumps forward to the SecMarker with the given name, and the rules in between (in the same phase) are not evaluated

SecMarker: a named marker in the rule file, a do-nothing rule that exists only as a skipAfter target

Each rule-checking file in the CRS (such as REQUEST-920-PROTOCOL-ENFORCEMENT.conf) starts with four pairs of skip rules that test TX:DETECTION_PARANOIA_LEVEL with @lt 1, @lt 2, @lt 3 and @lt 4, and ends with an END-... SecMarker. The rules placed after the "@lt N" pair and before the "@lt N+1" pair are the PL N rules: if the detection level is below N, the skip rule fires and everything down to the marker is bypassed. So a rule is PL2 because it sits between the "@lt 2" and "@lt 3" skip rules; its tag:'paranoia-level/2' only records that placement (and is what shows up in the audit log). Each level needs two skip rules, phase:1 and phase:2, because skipAfter only skips the remaining rules of the phase it runs in. Note also that the comparison is against the detection level, not the blocking level: rules between the two levels run and log, but their score is kept out of the blocking decision. A practical consequence: a custom rule appended to one of these files inherits the level of the skip pair above it.

An example, taken from the rule set (grep output; the file name precedes each line):

rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:SecMarker "END-REQUEST-920-PROTOCOL-ENFORCEMENT"
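To make the two mechanisms concrete (the detection/blocking split from section 1 and the position-based level assignment from section 2), here is an added Python example; it is not code from the original post or from the OWASP CRS. It walks a constructed miniature of REQUEST-920-PROTOCOL-ENFORCEMENT.conf: the skip rules 920011 to 920018 and the end marker copy the CRS layout shown above, while the four checking rules with ids 999101 to 999104, their operators and their literal "+N" score values are made up for the example (the real CRS scores through %{tx.critical_anomaly_score}-style macros). It derives each rule's PL from the last skip rule of its own phase above it, cross-checks that against the rule's paranoia-level/N tag, and then computes which rules execute and which contribute to the blocking score for a given tx.detection_paranoia_level and tx.blocking_paranoia_level.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed miniature of rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf.
# Skip rules 920011-920018 and the marker follow the CRS layout; rules
# 999101-999104 and their literal "+N" scores are invented for this example.
SAMPLE_RULES = r'''
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule REQUEST_LINE "!@rx ^(?:GET|POST) " "id:999101,phase:1,block,tag:'paranoia-level/1',setvar:'tx.inbound_anomaly_score_pl1=+5'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule ARGS "@rx [\x00-\x1f]" "id:999102,phase:2,block,tag:'paranoia-level/2',setvar:'tx.inbound_anomaly_score_pl2=+3'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule ARGS "@rx %[0-9a-fA-F]{2}" "id:999103,phase:2,block,tag:'paranoia-level/3',setvar:'tx.inbound_anomaly_score_pl3=+3'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule ARGS "@rx [^\w ]" "id:999104,phase:2,block,tag:'paranoia-level/4',setvar:'tx.inbound_anomaly_score_pl4=+3'"
SecMarker "END-REQUEST-920-PROTOCOL-ENFORCEMENT"
'''

SKIP_RE = re.compile(r'^SecRule\s+TX:DETECTION_PARANOIA_LEVEL\s+"@lt\s+(\d)"')
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')          # double-quoted segments
SCORE_RE = re.compile(r'tx\.inbound_anomaly_score_pl(\d)=\+(\d+)$')


@dataclass
class Rule:
    id: int
    phase: int
    pl: int                 # paranoia level implied by position in the file
    tag_pl: Optional[int]   # level from the paranoia-level/N tag, if present
    bucket: Optional[int]   # N of the tx.inbound_anomaly_score_plN it raises
    score: int


def parse_actions(actions: str) -> Dict[str, List[str]]:
    """Split a SecRule action string; CRS puts no commas inside quotes."""
    out: Dict[str, List[str]] = {}
    for act in actions.split(','):
        name, _, value = act.partition(':')
        out.setdefault(name.strip(), []).append(value.strip().strip("'"))
    return out


def parse_rules(text: str) -> List[Rule]:
    """Give each rule the PL of the last skip rule *of its own phase* above it."""
    gate: Dict[int, int] = {}      # phase -> PL needed to reach this position
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('SecMarker'):
            gate.clear()           # skipAfter target: the gated region ends here
            continue
        if not line.startswith('SecRule'):
            continue
        actions = parse_actions(QUOTED_RE.findall(line)[-1])
        phase = int(actions['phase'][0])
        skip = SKIP_RE.match(line)
        if skip:
            # skipAfter only jumps over rules of the phase it runs in, hence
            # the phase:1 / phase:2 skip-rule pair per level in the CRS
            gate[phase] = int(skip.group(1))
            continue
        tag_pl = next((int(t.split('/')[1]) for t in actions.get('tag', [])
                       if t.startswith('paranoia-level/')), None)
        bucket, score = None, 0
        for sv in actions.get('setvar', []):
            m = SCORE_RE.match(sv)
            if m:
                bucket, score = int(m.group(1)), int(m.group(2))
        rules.append(Rule(int(actions['id'][0]), phase, gate.get(phase, 0),
                          tag_pl, bucket, score))
    return rules


def check_tags(rules: List[Rule]) -> List[int]:
    """Ids whose paranoia-level/N tag disagrees with where the rule sits."""
    return [r.id for r in rules if r.tag_pl is not None and r.tag_pl != r.pl]


def evaluate(rules: List[Rule], matched: Set[int],
             detection_pl: int, blocking_pl: int) -> Dict[str, object]:
    """PL > detection_pl: never runs. PL <= blocking_pl: counts toward blocking.
    In between: runs and logs, score kept out of the blocking decision."""
    if detection_pl < blocking_pl:
        raise ValueError("tx.detection_paranoia_level must not be lower "
                         "than tx.blocking_paranoia_level")
    executed, blocking, log_only = [], 0, 0
    for r in rules:
        if r.id not in matched or r.pl > detection_pl:
            continue               # not matched, or skipped by skipAfter
        executed.append(r.id)
        if r.bucket is not None and r.bucket <= blocking_pl:
            blocking += r.score
        else:
            log_only += r.score
    return {"executed": executed, "blocking_score": blocking, "log_only_score": log_only}


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("tag/position mismatches:", check_tags(rules))
    # the 900000/900001 pattern: block on PL1, run PL2 rules for detection only
    print(evaluate(rules, {999101, 999102, 999103}, detection_pl=2, blocking_pl=1))
```

Deleting one phase:2 skip rule from the sample (920014, say) makes check_tags report the PL2 rule behind it, because a phase:2 rule guarded only by a phase:1 skip rule runs at every paranoia level; that is exactly why the CRS keeps a skip rule per phase. Pointed at a real rule file, the same check catches a custom rule appended below the wrong skip pair.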

From: https://www.cnblogs.com/architectforest/p/18489494
