apache 如何在modsecurity SecRule中使用'TIME'来匹配精确时间?

dba5bblo  于 2022-11-16  发布在  Apache
关注(0)|答案(1)|浏览(123)

我正在尝试为Apache配置modsecurity来限制一个给定资源的访问次数。我写了这段代码,它工作了(我得到了一个429拒绝),但是我不能在某个时间点重新启动ip.counter(最后一行)。

SecAction initcol:ip=%{REMOTE_ADDRESS},pass,nolog,id:132
         SecAction "phase:2,setvar:ip.counter=+1,pass,nolog,id:332"
         SecRule IP:COUNTER "@ge 1" "phase:3,id:'9000080007',pause:10,deny,status:429,setenv:RATELIMITED,skip:1,nolog,id:232"
         SecRule TIME "^10:37:00$" "phase:2,id:'9000080008',setvar:!ip.counter"

但是,如果我将最后一行改为使用TIME_HOUR,则SecRule确实可以正确应用:SecRule TIME_HOUR“@eq 10”“phase:2,id:'9000080008',setvar:!ip.counter”有关在SecRule中使用TIME变量来匹配准确时间,请提供帮助?

qgzx9mmu

qgzx9mmu1#

恭喜你得到了一个非常先进的食谱来正常工作。这真的很酷。
现在你的规则不起作用了,因为在线参考中关于TIME变量的格式是错误的(尽管手册是正确的)。
以下是如何在ModSec调试日志级别9上调试此问题:

SecRule TIME "@unconditionalMatch" "id:1000,phase:2,pass,log,msg:'Key : Value : |%{MATCHED_VAR_NAME}| : |%{MATCHED_VAR}|'"

Leads to:

...4c20][/][5] Rule 562b28db5420: SecRule "TIME" "@unconditionalMatch " "phase:2,auditlog,id:1007,pass,log,msg:'Key : Value : |%{MATCHED_VAR_NAME}| : |%{MATCHED_VAR}|'"
...4c20][/][4] Transformation completed in 0 usec.
...4c20][/][4] Executing operator "unconditionalMatch" with param "" against TIME.
...4c20][/][9] Target value: "20220829070111"
...4c20][/][4] Operator completed in 0 usec.
...4c20][/][9] Resolved macro %{MATCHED_VAR_NAME} to: TIME
...4c20][/][9] Resolved macro %{MATCHED_VAR} to: 20220829070111
...4c20][/][2] Warning. Unconditional match in SecAction. [file "/apache/conf/httpd.conf_pod_2022-08-29_06:58"] [line "209"] [id "1007"] [msg "Key : Value : |TIME| : |20220829070111|"]
...4c20][/][4] Rule returned 1.
...4c20][/][9] Match -> mode NEXT_RULE.

相关问题