这是关于编写适当的ModSecurity规则。我希望有一个Maven在那里谁可以帮助我。
我有ModSecurity 2.9.3和OWASP CRS 3.3.2安全规则运行在我的新VPS（Virtualmin）上。
我启用了REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES，它似乎基本上可以工作。
WordPress主题编辑器却没有，保存时会得到403响应（“保存失败”）。
我知道这是Modsecurity，因为当我禁用它时，一切都正常。
我调查了审计日志，并在REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf中创建了相应的规则：

SecRule REQUEST_URI "@contains /wp-json/wp/v2/template-parts/" \
"id:10000002,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetById=949110;ARGS=content,\
ctl:ruleRemoveTargetById=941100;ARGS=content,\
ctl:ruleRemoveTargetById=941160;ARGS=content,\
ctl:ruleRemoveTargetById=941180;ARGS=content,\
ctl:ruleRemoveTargetById=932105;ARGS=content,\
ctl:ruleRemoveTargetById=980130;ARGS=content"

SecRule REQUEST_URI "@contains /wp-json/wp/v2/templates/<hostname>/page/" \
"id:10000003,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetById=949110;ARGS=content,\
ctl:ruleRemoveTargetById=941100;ARGS=content,\
ctl:ruleRemoveTargetById=941160;ARGS=content,\
ctl:ruleRemoveTargetById=941180;ARGS=content,\
ctl:ruleRemoveTargetById=932105;ARGS=content,\
ctl:ruleRemoveTargetById=980130"

我知道规则正在被阅读，因为当我弄乱请求URI时，我可以让WordPress完全停止工作。
然而，问题仍然存在，我不是ModSecurityMaven;我知道我的排除规则写得不正确，但我无法让它们起作用。
以下是一些由WordPress主题编辑器触发的审计日志误报的示例：

--48163009-H--
Message: Warning. Pattern match "(?:;|\\{|\\||\\|\\||&|&&|\\n|\\r|\\$\\(|\\$\\(\\(|`|\\${|<\\(|>\\(|\\(\\s*\\))\\s*(?:{|\\s*\\(\\s*|\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\".*\")\\s+|!\\s*|\\$)*\\s*(?:'|\")*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\"\\./\\\\]+/)?[\\\\'\"]*(?:s[\\\\'\"]* ..." at ARGS:content. [file "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "158"] [id "932105"] [msg "Remote Command Execution: Unix Command Injection"] [data "Matched Data: {\x22top found within ARGS:content: <!-- wp:template-part {\x22slug\x22:\x22header\x22,\x22theme\x22:\x22<hostname>\x22,\x22tagName\x22:\x22header\x22} /-->\x0a\x0a<!-- wp:group {\x22tagName\x22:\x22main\x22,\x22style\x22:{\x22spacing\x22:{\x22padding\x22:{\x22top\x22:\x220\x22,\x22right\x22:\x220\x22,\x22bottom\x22:\x220\x22,\x22left\x22:\x220\x22},\x22blockGap\x22:\x220\x22}}} -->\x0a<main class=\x22wp-block-group\x22 style=\x22padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\x2..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"]


Message: Warning. detected XSS using libinjection. [file "/etc/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "55"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <!-- wp:template-part {\x22slug\x22:\x22header\x22,\x22theme\x22:\x22<hostname>\x22,\x22tagName\x22:\x22header\x22} /-->\x0a\x0a<!-- wp:group {\x22tagName\x22:\x22main\x22,\x22style\x22:{\x22spacing\x22:{\x22padding\x22:{\x22top\x22:\x220\x22,\x22right\x22:\x220\x22,\x22bottom\x22:\x220\x22,\x22left\x22:\x220\x22},\x22blockGap\x22:\x220\x22}}} -->\x0a<main class=\x22wp-block-group\x22 style=\x22padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\x2..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"]

Apache-Error: [file "apache2_util.c"] [line 273] [level 3] ModSecurity: Warning. Matched phrase "<!--" at ARGS:content. [file "/etc/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "250"] [id "941180"] [msg "Node-Validator Blacklist Keywords"] [data "Matched Data: <!-- found within ARGS:content: <!-- wp:template-part {\\\\x22slug\\\\x22:\\\\x22header\\\\x22,\\\\x22theme\\\\x22:\\\\x22<hostname>\\\\x22,\\\\x22tagname\\\\x22:\\\\x22header\\\\x22} /-->\\\\x0a\\\\x0a<!-- wp:group {\\\\x22tagname\\\\x22:\\\\x22main\\\\x22,\\\\x22style\\\\x22:{\\\\x22spacing\\\\x22:{\\\\x22padding\\\\x22:{\\\\x22top\\\\x22:\\\\x220\\\\x22,\\\\x22right\\\\x22:\\\\x220\\\\x22,\\\\x22bottom\\\\x22:\\\\x220\\\\x22,\\\\x22left\\\\x22:\\\\x220\\\\x22},\\\\x22blockgap\\\\x22:\\\\x220\\\\x22}}} -->\\\\x0a<main class=\\\\x22wp-block-group\\\\x22 style=\\\\x22padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\\\\x22><!..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "sit.<hostname>.com"] [uri "/wp-json/wp/v2/templates/<hostname>/page"] [unique_id "Y7-6B6WOVEBhE0cscXvdvgAAERU"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 92.46.0.178] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 20)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "<hostname>.com"] [uri "/wp-json/wp/v2/templates/<hostname>/page"] [unique_id "Y7-6B6WOVEBhE0cscXvdvgAAERU"]