Я только что установил ModSecurity на IIS 10.0, работающий в Windows 10. Однако даже «чистая» установка генерирует много ошибок только при посещении сайта IIS по умолчанию.
Просматривая eventvwr
и делая один запрос, я получаю в общей сложности 14 новых ошибок для запроса GET к localhost
.
Каждое событие имеет следующее описание:
Не удается найти описание события с идентификатором 1 из источника ModSecurity. Либо компонент, вызывающий это событие, не установлен на вашем локальном компьютере, либо установка повреждена. Вы можете установить или восстановить компонент на локальном компьютере.
Если событие возникло на другом компьютере, отображаемая информация должна была быть сохранена вместе с событием.
К мероприятию была приложена следующая информация:
Данные события:
[client ] ModSecurity: IPmatch: bad IPv4 specification "". [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule processing failed. [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: IPmatch: bad IPv4 specification "". [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule processing failed. [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]
[client ] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/ip": Access is denied. [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]
[client ] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/global": Access is denied. [hostname "HOSTNAME"] [uri "/iisstart.htm"] [unique_id "18158513704000290822"]
[client ] ModSecurity: Rule 15448555590 [id "981172"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "157"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.png"] [unique_id "18158513704000290823"]
[client ] ModSecurity: Rule 154485cd4a0 [id "981243"][file "C:\/Program Files/ModSecurity IIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME"] [uri "/iisstart.png"] [unique_id "18158513704000290823"]
Что я сделал:
Установлены ModSecurity v2.9.1 для установщика MSI IIS — 64 бита и среда выполнения Visual Studio 2013 (vcredist).
Загружен базовый набор правил OWASP ModSecurity (CRS) с https://github.com/SpiderLabs/owasp-modsecurity-crs и поместите папку в C:\Program Files\ModSecurity IIS
. Изменено имя crs-setup.conf.example
на crs-setup.conf
.
Под \rules
я изменил REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
и RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
, чтобы они не содержали .example
.
Изменено modsecurity_iis.conf
на следующее:
Include modsecurity.conf
Include modsecurity_crs_10_setup.conf
Include owasp_crs\base_rules\*.conf
#OWASP-Rules
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
Перезапустил IIS, а затем проверил средство просмотра событий. Что я пропустил или это нормальное поведение?