例: WAF ポリシーのテスト

[Request RuleSets (要求ルールセット)] に表示されている WAF ポリシーがデプロイされている場合、次の要求が送信されると、この要求の「scanner detected (スキャナが検出されました)」によって WAF エラーが生成されます。textField 値の終わりの二重引用符が省略されています。

curl -v -k -X POST  --resolve choice-waf14.example.com:443:192.168.2.1  https://choice-waf14.example.com:443/ -H "Content-Type: text/plain" -H "SOAPAction: '​http://example.org/soapformat/Example'" -H "User-Agent: (hydra)" -H "Content-Length: 10" -d 'hello'

応答は次のようになります。

HTTP/1.1 400 BAD REQUEST - web application firewall error

不正な要求「Scanner detected (スキャナが検出されました)」により、ルール「920130」の検出がトリガされます。数分待機すると、[RTF Security Policy Summary (RTF セキュリティポリシーの概要)] に次のデータが表示されます。

"wafSummary": {
   "ruleTriggerCounts": {
     "requestScannerDetection": {
       "913100": 3,
       "913101": 0,
       "913102": 0,
       "913110": 0,
       "913120": 0
     },
     "requestProtocolEnforcement": {
       "920100": 0,
       "920120": 0,
       "920121": 0,
       "920130": 0,
       "920140": 0,
       "920160": 0,
       "920170": 0,
       "920180": 0,
       "920190": 0,
       "920200": 0,
       "920201": 0,
       "920202": 0,
       "920210": 0,
       "920220": 0,
       "920230": 0,
       "920240": 0,
       "920250": 0,
       "920260": 0,
       "920270": 0,
       "920271": 0,
       "920272": 0,
       "920273": 0,
       "920274": 0,
       "920280": 0,
       "920290": 0,
       "920300": 0,
       "920310": 0,
       "920311": 0,
       "920320": 0,
       "920330": 0,
       "920340": 0,
       "920350": 0,
       "920360": 0,
       "920370": 0,
       "920380": 0,
       "920390": 0,
       "920400": 0,
       "920410": 0,
       "920420": 0,
       "920430": 0,
       "920440": 0,
       "920450": 0,
       "920460": 0
     },
     "requestProtocolAttack": {
       "921100": 0,
       "921110": 0,
       "921120": 0,
       "921130": 0,
       "921140": 0,
       "921150": 0,
       "921151": 0,
       "921160": 0,
       "921180": 0
     },
     "requestApplicationAttackLfi": {
       "930100": 0,
       "930110": 0,
       "930120": 0,
       "930130": 0
     },
     "requestApplicationAttackRfi": {
       "931100": 0,
       "931110": 0,
       "931120": 0,
       "931130": 0
     },
     "requestApplicationAttackRce": {
       "932100": 0,
       "932105": 0,
       "932110": 0,
       "932115": 0,
       "932120": 0,
       "932130": 0,
       "932140": 0,
       "932150": 0,
       "932160": 0,
       "932170": 0,
       "932171": 0
     },
     "requestApplicationAttackPhp": {
       "933100": 0,
       "933110": 0,
       "933111": 0,
       "933120": 0,
       "933130": 0,
       "933131": 0,
       "933140": 0,
       "933150": 0,
       "933151": 0,
       "933160": 0,
       "933161": 0,
       "933170": 0,
       "933180": 0
     },
     "requestApplicationAttackXss": {
       "941100": 0,
       "941101": 0,
       "941110": 0,
       "941120": 0,
       "941130": 0,
       "941140": 0,
       "941150": 0,
       "941160": 0,
       "941170": 0,
       "941180": 0,
       "941190": 0,
       "941200": 0,
       "941210": 0,
       "941220": 0,
       "941230": 0,
       "941240": 0,
       "941250": 0,
       "941260": 0,
       "941270": 0,
       "941280": 0,
       "941290": 0,
       "941300": 0,
       "941310": 0,
       "941320": 0,
       "941330": 0,
       "941340": 0,
       "941350": 0
     },
     "requestApplicationAttackSqli": {
       "942100": 0,
       "942110": 0,
       "942120": 0,
       "942130": 0,
       "942140": 0,
       "942150": 0,
       "942160": 0,
       "942170": 0,
       "942180": 0,
       "942190": 0,
       "942200": 0,
       "942210": 0,
       "942220": 0,
       "942230": 0,
       "942240": 0,
       "942250": 0,
       "942251": 0,
       "942260": 0,
       "942270": 0,
       "942280": 0,
       "942290": 0,
       "942300": 0,
       "942310": 0,
       "942320": 0,
       "942330": 0,
       "942340": 0,
       "942350": 0,
       "942360": 0,
       "942370": 0,
       "942380": 0,
       "942390": 0,
       "942400": 0,
       "942410": 0,
       "942420": 0,
       "942421": 0,
       "942430": 0,
       "942431": 0,
       "942432": 0,
       "942440": 0,
       "942450": 0,
       "942460": 0
     },
     "requestApplicationAttackSessionFixation": {
       "943100": 0,
       "943110": 0,
       "943120": 0
     },
     "responseDataLeakages": {
       "950100": 0,
       "950130": 0
     },
     "responseDataLeakagesSql": {
       "951110": 0,
       "951120": 0,
       "951130": 0,
       "951140": 0,
       "951150": 0,
       "951160": 0,
       "951170": 0,
       "951180": 0,
       "951190": 0,
       "951200": 0,
       "951210": 0,
       "951220": 0,
       "951230": 0,
       "951240": 0,
       "951250": 0,
       "951260": 0
     },
     "responseDataLeakagesJava": {
       "952100": 0,
       "952110": 0
     },
     "responseDataLeakagesPhp": {
       "953100": 0,
       "953110": 0,
       "953120": 0
     },
     "responseDataLeakagesIis": {
       "954100": 0,
       "954110": 0,
       "954120": 0,
       "954130": 0
     }
   }
 }

wafSummary​ では、ルール ID と数がルールセットごとに分類されています。

ソース IP アドレスをテストするために TRACE ログを有効にするには、ログルールを変更し、Runtime Fabric インバウンドトラフィックの ​[Deploy (デプロイ)]​ をクリックします。このケースでは、ソース IP アドレス ​192.168.0.1​ に IP 検索条件が追加されています。すべての IP アドレスや大量の要求がある IP アドレスに検索条件を追加しないでください。

test waf rtf advanced

curl​ メッセージを再送すると、WAF 検出ログメッセージを見つけることができます。

<logEntry><header><time>2018-12-05T22:09:56.108387</time><node>openstackvm14.example.com</node><logType>INPUT_SERVER</logType><logLevel>INFO</logLevel><process>securityfabric-edge-runtime</process><pid>13038</pid><tid>13065</tid><file>/edge/cbrcore/src/rtc/embedded/src/ModSecTransaction.cpp</file><line>121</line><transId>517251501406932</transId></header><body><rtfWafEvent>{"requestInfo":{"timestamp":"2018-12-05T22:09:56.048Z","node":"vm14.example.com","transactionId":517251501406932,"correlationId":"616045b7-4af2-4eb5-9bd9-356119a0d7ae","clientIpAddr":"192.168.2.1","clientPort":51918,"protocol":"HTTP/1.1","method":"POST","uri":"/","serverIpAddr":"192.168.39.168","serverPort":443},"ruleMatch":[{"ruleId":913100,"ruleVersion":"OWASP_CRS/3.0.0","severity":2,"phase":1,"message":"Found User-Agent associated with security scanner","tags":["application-multi","language-multi","platform-multi","attack-reputation-scanner","OWASP_CRS/AUTOMATION/SECURITY_SCANNER","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"]}]}</rtfWafEvent></body></logEntry>

WAF 検出ログメッセージには、検出およびルールに関するその他の詳細が表示されます。ルールは、RAML で表示できます。次に、ルール ID ​913100​ を示します。

"ruleIdList": [
       {
         "id": 913100,
         "ver": "OWASP_CRS/3.0.0",
         "rev": "2",
         "phase": "request",
         "severity": "CRITICAL",
         "accuracy": "9",
         "maturity": "9",
         "taglist": [
           "attack-reputation-scanner",
           "OWASP_CRS/AUTOMATION/SECURITY_SCANNER",
           "WASCTC/WASC-21",
           "OWASP_TOP_10/A7",
           "PCI/6.5.10"
         ],
         "msg": "Found User-Agent associated with security scanner",
         "operator": "QHBtRnJvbUZpbGUgc2Nhbm5lcnMtdXNlci1hZ2VudHMuZGF0YQo=",
         "paranoia": 1,
         "chain": "no"
       },

正規表現を表示するには、​operator​ 項目に対して base64 デコードを実行します。

echo "QHBtRnJvbUZpbGUgc2Nhbm5lcnMtdXNlci1hZ2VudHMuZGF0YQo=" | base64 -d
@pmFromFile scanners-user-agents.data

この RAML には、ファイル ​scanners-user-agents.data​ が含まれています。次に、ファイルの冒頭部分を示します。

# Vulnerability scanners, bruteforce password crackers and exploitation tools

# password cracker
# http://sectools.org/tool/hydra/
(hydra)
# vuln scanner
# http://virtualblueness.net/nasl.html
.nasl
# sql injection
# https://sourceforge.net/projects/absinthe/
absinthe
# email harvesting

Was this article helpful?

💙 Thanks for your feedback!

Edit on GitHub