How do I match an HTTP request in the ModSecurity audit log to the same request in the nginx access log? - PullRequest
0 votes
/ 29 June 2019

I am developing a WAF using ModSecurity for Nginx. Which Nginx HTTP request corresponds to the HTTP request whose details appear in the ModSecurity audit log? I want to match the two identical requests in Nginx and ModSecurity, respectively.

For clarity, the HTTP request in the ModSecurity log looks like this.

----
--e1cfae75-A--
[24/Feb/2019:13:02:52 +0000] AcAcAV7cAchcAcAcAcAcOcAc 223.91.46.123 43597 127.0.0.1 80
--e1cfae75-B--
GET /?id=1%20AND%201=1 HTTP/1.1
cache-control: no-cache
Postman-Token: 0574088c-0f57-4637-b290-095b0c43cfcd
Content-Type: application/json
User-Agent: PostmanRuntime/6.4.1
Accept: */*
Host: 47.98.249.244:2018
accept-encoding: gzip, deflate
Connection: keep-alive

--e1cfae75-F--
HTTP/1.1
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

--e1cfae75-H--
Message: Access denied with code 403 (phase 1). Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1084"] [id "920430"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"]
Action: Intercepted (phase 1)
Apache-Handler: IIS
Stopwatch: 1551013372000967 967123 (- - -)
Stopwatch2: 1551013372000967 967123; combined=195, p1=143, p2=0, p3=0, p4=0, p5=52, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for nginx (STABLE)/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
Server: ModSecurity Standalone
Engine-Mode: "ENABLED"

--e1cfae75-Z--


----

Whereas the HTTP request in the Nginx log looks different:

----
GET```403```-```-```47.98.249.244:2018```http://47.98.249.244:2018/index.html```http```/index.html```content-length: 576content-type: text/htmlconnection: keep-alive```<html>\x0D\x0A<head><title>403 Forbidden</title></head>\x0D\x0A<body bgcolor=\x22white\x22>\x0D\x0A<center><h1>403 Forbidden</h1></center>\x0D\x0A<hr><center>openresty/1.9.7.2</center>\x0D\x0A</body>\x0D\x0A</html>\x0D\x0A<!-- a padding to disable MSIE and Chrome friendly error page -->\x0D\x0A<!-- a padding to disable MSIE and Chrome friendly error page -->\x0D\x0A<!-- a padding to disable MSIE and Chrome friendly error page -->\x0D\x0A<!-- a padding to disable MSIE and Chrome friendly error page -->\x0D\x0A<!-- a padding to disable MSIE and Chrome friendly error page -->\x0D\x0A<!-- a padding to disable MSIE and Chrome friendly error page -->\x0D\x0A```host: 47.98.249.244:2018accept-language: zh-CN,zh;q=0.8connection: keep-aliveaccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8accept-encoding: gzip, deflateuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36```-```28/Jun/2019:16:27:23 +0800```28/Jun/2019:16:27:23 +0800```36880```1```47.103.57.158
...
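An added worked example (my own code, not from the question, nginx or ModSecurity) showing the join the question is asking for. The ModSecurity 2.x serial audit log carries, in section A, the timestamp, the transaction's unique id and the client/server socket tuple, and in section B the raw request line; nginx's access log carries the client IP, timestamp and request line. Absent a shared transaction id in both files, the script joins the two on the fields they have in common: client IP, request line and a short timestamp window. The timestamps are parsed as timezone-aware values because, as in the question's excerpts, the audit log is stamped in UTC (`+0000`) while nginx logs in the server's local zone (`+0800`). Both log samples below are constructed; the access-log sample uses nginx's default `combined` format, so the `COMBINED_RE` pattern is an assumption and would need adapting to a custom `log_format` such as the backtick-separated one in the question.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (not from the question): one ModSecurity 2.x transaction in
# the serial audit-log format. Section A holds the timestamp, the unique id and
# the client/server socket tuple; section B holds the raw request.
AUDIT_LOG = """--e1cfae75-A--
[24/Feb/2019:13:02:52 +0000] AcAcAV7cAchcAcAcAcAcOcAc 223.91.46.123 43597 127.0.0.1 80
--e1cfae75-B--
GET /?id=1%20AND%201=1 HTTP/1.1
Host: 47.98.249.244:2018
User-Agent: PostmanRuntime/6.4.1

--e1cfae75-H--
Message: Access denied with code 403 (phase 1). [id "920430"]
Action: Intercepted (phase 1)

--e1cfae75-Z--

"""

# Constructed sample (not from the question): two lines in nginx's default
# "combined" log_format. Timestamps are in the server's local zone (+0800),
# whereas the audit log above is stamped in UTC (+0000).
ACCESS_LOG = """223.91.46.123 - - [24/Feb/2019:21:02:52 +0800] "GET /?id=1%20AND%201=1 HTTP/1.1" 403 169 "-" "PostmanRuntime/6.4.1"
10.0.0.5 - - [24/Feb/2019:21:02:53 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # both logs use e.g. 24/Feb/2019:13:02:52 +0000

# "--<boundary id>-<section letter>--" lines of the serial audit-log format
SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
# Section A: [timestamp] unique_id client_ip client_port server_ip server_port
A_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<cip>\S+) (?P<cport>\d+) (?P<sip>\S+) (?P<sport>\d+)"
)
# nginx "combined" format (assumed); adapt for a custom log_format
COMBINED_RE = re.compile(
    r'^(?P<cip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_audit_log(text):
    """Return one dict per transaction: unique id, tz-aware ts, client IP, request line."""
    parts = SECTION_RE.split(text)
    sections = {}
    # parts[0] precedes the first boundary; (boundary id, letter, body) triples follow
    for i in range(1, len(parts) - 2, 3):
        tx, letter, body = parts[i], parts[i + 1], parts[i + 2]
        sections.setdefault(tx, {})[letter] = body.strip("\n")
    events = []
    for secs in sections.values():
        m = A_RE.match(secs.get("A", ""))
        if not m:
            continue  # truncated or malformed entry: skip rather than guess
        b_lines = secs.get("B", "").splitlines()
        events.append({
            "uid": m.group("uid"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "cip": m.group("cip"),
            "req": b_lines[0] if b_lines else "",
        })
    return events


def parse_access_log(text):
    """Return one dict per access-log line: tz-aware ts, client IP, request line, status."""
    entries = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # lines in another format are ignored, not mis-parsed
        entries.append({
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "cip": m.group("cip"),
            "req": m.group("req"),
            "status": int(m.group("status")),
        })
    return entries


def correlate(audit_events, access_entries, window=timedelta(seconds=2)):
    """Map each audit unique id to the access-log entries with the same client IP
    and request line whose timestamp lies within `window`. Aware datetimes make
    the +0000 vs +0800 offsets irrelevant to the comparison."""
    pairs = {}
    for ev in audit_events:
        pairs[ev["uid"]] = [
            e for e in access_entries
            if e["cip"] == ev["cip"] and e["req"] == ev["req"]
            and abs(e["ts"] - ev["ts"]) <= window
        ]
    return pairs


if __name__ == "__main__":
    for uid, hits in correlate(parse_audit_log(AUDIT_LOG), parse_access_log(ACCESS_LOG)).items():
        for h in hits:
            print(f"{uid} -> {h['cip']} {h['req']!r} status={h['status']}")
```

The join is deliberately strict (same IP, identical request line, a two-second window) so that a busy server with many similar requests produces few false pairings; if a transaction still matches several access-log lines, the unique id cannot disambiguate them and you would need to log a shared correlation field from nginx itself.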