When the WAF policy shown under [Request RuleSets] is deployed, sending the following request generates a WAF error because a "scanner detected" condition is raised for this request. The closing double quote of the textField value is omitted.
curl -v -k -X POST --resolve choice-waf14.example.com:443:192.168.2.1 https://choice-waf14.example.com:443/ -H "Content-Type: text/plain" -H "SOAPAction: 'http://example.org/soapformat/Example'" -H "User-Agent: (hydra)" -H "Content-Length: 10" -d 'hello'
The response is as follows:
HTTP/1.1 400 BAD REQUEST - web application firewall error
The bad request "Scanner detected" triggers detection by rule "920130". After waiting a few minutes, the following data appears in the [RTF Security Policy Summary]:
"wafSummary": {
  "ruleTriggerCounts": {
    "requestScannerDetection": { "913100": 3, "913101": 0, "913102": 0, "913110": 0, "913120": 0 },
    "requestProtocolEnforcement": {
      "920100": 0, "920120": 0, "920121": 0, "920130": 0, "920140": 0, "920160": 0, "920170": 0, "920180": 0,
      "920190": 0, "920200": 0, "920201": 0, "920202": 0, "920210": 0, "920220": 0, "920230": 0, "920240": 0,
      "920250": 0, "920260": 0, "920270": 0, "920271": 0, "920272": 0, "920273": 0, "920274": 0, "920280": 0,
      "920290": 0, "920300": 0, "920310": 0, "920311": 0, "920320": 0, "920330": 0, "920340": 0, "920350": 0,
      "920360": 0, "920370": 0, "920380": 0, "920390": 0, "920400": 0, "920410": 0, "920420": 0, "920430": 0,
      "920440": 0, "920450": 0, "920460": 0
    },
    "requestProtocolAttack": { "921100": 0, "921110": 0, "921120": 0, "921130": 0, "921140": 0, "921150": 0, "921151": 0, "921160": 0, "921180": 0 },
    "requestApplicationAttackLfi": { "930100": 0, "930110": 0, "930120": 0, "930130": 0 },
    "requestApplicationAttackRfi": { "931100": 0, "931110": 0, "931120": 0, "931130": 0 },
    "requestApplicationAttackRce": { "932100": 0, "932105": 0, "932110": 0, "932115": 0, "932120": 0, "932130": 0, "932140": 0, "932150": 0, "932160": 0, "932170": 0, "932171": 0 },
    "requestApplicationAttackPhp": { "933100": 0, "933110": 0, "933111": 0, "933120": 0, "933130": 0, "933131": 0, "933140": 0, "933150": 0, "933151": 0, "933160": 0, "933161": 0, "933170": 0, "933180": 0 },
    "requestApplicationAttackXss": {
      "941100": 0, "941101": 0, "941110": 0, "941120": 0, "941130": 0, "941140": 0, "941150": 0, "941160": 0, "941170": 0,
      "941180": 0, "941190": 0, "941200": 0, "941210": 0, "941220": 0, "941230": 0, "941240": 0, "941250": 0, "941260": 0,
      "941270": 0, "941280": 0, "941290": 0, "941300": 0, "941310": 0, "941320": 0, "941330": 0, "941340": 0, "941350": 0
    },
    "requestApplicationAttackSqli": {
      "942100": 0, "942110": 0, "942120": 0, "942130": 0, "942140": 0, "942150": 0, "942160": 0, "942170": 0, "942180": 0,
      "942190": 0, "942200": 0, "942210": 0, "942220": 0, "942230": 0, "942240": 0, "942250": 0, "942251": 0, "942260": 0,
      "942270": 0, "942280": 0, "942290": 0, "942300": 0, "942310": 0, "942320": 0, "942330": 0, "942340": 0, "942350": 0,
      "942360": 0, "942370": 0, "942380": 0, "942390": 0, "942400": 0, "942410": 0, "942420": 0, "942421": 0, "942430": 0,
      "942431": 0, "942432": 0, "942440": 0, "942450": 0, "942460": 0
    },
    "requestApplicationAttackSessionFixation": { "943100": 0, "943110": 0, "943120": 0 },
    "responseDataLeakages": { "950100": 0, "950130": 0 },
    "responseDataLeakagesSql": { "951110": 0, "951120": 0, "951130": 0, "951140": 0, "951150": 0, "951160": 0, "951170": 0, "951180": 0, "951190": 0, "951200": 0, "951210": 0, "951220": 0, "951230": 0, "951240": 0, "951250": 0, "951260": 0 },
    "responseDataLeakagesJava": { "952100": 0, "952110": 0 },
    "responseDataLeakagesPhp": { "953100": 0, "953110": 0, "953120": 0 },
    "responseDataLeakagesIis": { "954100": 0, "954110": 0, "954120": 0, "954130": 0 }
  }
}
In wafSummary, the rule IDs and their trigger counts are broken down by ruleset.
To enable TRACE logging for testing against the source IP address, modify the logging rule and click [Deploy] under Runtime Fabric inbound traffic. In this case, an IP filter has been added for source IP address 192.168.0.1. Do not add a filter for all IP addresses, or for an IP address that carries a large volume of requests.
When the curl message is resent, the WAF detection log message can be found:
<logEntry><header><time>2018-12-05T22:09:56.108387</time><node>openstackvm14.example.com</node><logType>INPUT_SERVER</logType><logLevel>INFO</logLevel><process>securityfabric-edge-runtime</process><pid>13038</pid><tid>13065</tid><file>/edge/cbrcore/src/rtc/embedded/src/ModSecTransaction.cpp</file><line>121</line><transId>517251501406932</transId></header><body><rtfWafEvent>{"requestInfo":{"timestamp":"2018-12-05T22:09:56.048Z","node":"vm14.example.com","transactionId":517251501406932,"correlationId":"616045b7-4af2-4eb5-9bd9-356119a0d7ae","clientIpAddr":"192.168.2.1","clientPort":51918,"protocol":"HTTP/1.1","method":"POST","uri":"/","serverIpAddr":"192.168.39.168","serverPort":443},"ruleMatch":[{"ruleId":913100,"ruleVersion":"OWASP_CRS/3.0.0","severity":2,"phase":1,"message":"Found User-Agent associated with security scanner","tags":["application-multi","language-multi","platform-multi","attack-reputation-scanner","OWASP_CRS/AUTOMATION/SECURITY_SCANNER","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"]}]}</rtfWafEvent></body></logEntry>
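As an added example (not part of the original documentation), the following Python parses rtfWafEvent log entries like the one above, tallies the ruleMatch hits into the same ruleset buckets that wafSummary.ruleTriggerCounts uses, and records which client IP tripped each rule. The sample entries are constructed in the shape of the page's entry, trimmed to the fields the code reads; the bucket names are taken from the summary on this page.

```python
import json
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Ruleset bucket names exactly as the RTF Security Policy Summary on this page
# labels them, keyed by the leading three digits of the OWASP CRS rule ID.
RULESET_BY_PREFIX = {
    "913": "requestScannerDetection", "920": "requestProtocolEnforcement",
    "921": "requestProtocolAttack", "930": "requestApplicationAttackLfi",
    "931": "requestApplicationAttackRfi", "932": "requestApplicationAttackRce",
    "933": "requestApplicationAttackPhp", "941": "requestApplicationAttackXss",
    "942": "requestApplicationAttackSqli", "943": "requestApplicationAttackSessionFixation",
}

def parse_waf_event(log_entry_xml):
    # The WAF event is JSON embedded as text inside <body><rtfWafEvent>.
    root = ET.fromstring(log_entry_xml)
    return json.loads(root.findtext("./body/rtfWafEvent"))

def summarize(log_lines):
    # counts[ruleset][rule_id] mirrors wafSummary.ruleTriggerCounts;
    # sources[rule_id] collects the client IPs that tripped each rule.
    counts, sources = defaultdict(Counter), defaultdict(set)
    for line in log_lines:
        event = parse_waf_event(line)
        client_ip = event["requestInfo"]["clientIpAddr"]
        for match in event["ruleMatch"]:
            rule_id = str(match["ruleId"])
            counts[RULESET_BY_PREFIX.get(rule_id[:3], "other")][rule_id] += 1
            sources[rule_id].add(client_ip)
    return counts, sources

def make_entry(client_ip, rule_id, message):
    # Constructed <logEntry> in the shape of the page's example, trimmed to the
    # fields read above (the constructed messages contain no XML-special characters).
    event = {"requestInfo": {"clientIpAddr": client_ip, "method": "POST", "uri": "/"},
             "ruleMatch": [{"ruleId": rule_id, "ruleVersion": "OWASP_CRS/3.0.0",
                            "severity": 2, "phase": 1, "message": message}]}
    return ("<logEntry><header><logType>INPUT_SERVER</logType></header><body>"
            "<rtfWafEvent>" + json.dumps(event) + "</rtfWafEvent></body></logEntry>")

SCANNER_MSG = "Found User-Agent associated with security scanner"
SAMPLE_LOG = [make_entry("192.168.2.1", 913100, SCANNER_MSG)] * 3 + [
    make_entry("192.168.0.1", 942100, "constructed sample SQLi match")]

if __name__ == "__main__":
    counts, _ = summarize(SAMPLE_LOG)
    print(json.dumps(counts, indent=2))
```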
The WAF detection log message shows further details about the detection and the rule. The rules can be viewed in the RAML. Rule ID 913100 is shown below:
"ruleIdList": [
  {
    "id": 913100,
    "ver": "OWASP_CRS/3.0.0",
    "rev": "2",
    "phase": "request",
    "severity": "CRITICAL",
    "accuracy": "9",
    "maturity": "9",
    "taglist": [
      "attack-reputation-scanner",
      "OWASP_CRS/AUTOMATION/SECURITY_SCANNER",
      "WASCTC/WASC-21",
      "OWASP_TOP_10/A7",
      "PCI/6.5.10"
    ],
    "msg": "Found User-Agent associated with security scanner",
    "operator": "QHBtRnJvbUZpbGUgc2Nhbm5lcnMtdXNlci1hZ2VudHMuZGF0YQo=",
    "paranoia": 1,
    "chain": "no"
  },
To view the regular expression, base64-decode the operator field:
echo "QHBtRnJvbUZpbGUgc2Nhbm5lcnMtdXNlci1hZ2VudHMuZGF0YQo=" | base64 -d
@pmFromFile scanners-user-agents.data
The RAML includes the file scanners-user-agents.data. The beginning of the file is shown below:
# Vulnerability scanners, bruteforce password crackers and exploitation tools
# password cracker
# http://sectools.org/tool/hydra/
(hydra)
# vuln scanner
# http://virtualblueness.net/nasl.html
.nasl
# sql injection
# https://sourceforge.net/projects/absinthe/
absinthe
# email harvesting
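As an added example (not code from the original documentation or from the CRS project), the following Python models how rule 913100's @pmFromFile operator consumes this phrase file and evaluates a User-Agent header against it: one phrase per line, blank and "#" comment lines skipped, case-insensitive substring match. The file content is the excerpt quoted above; the test User-Agent strings are constructed, and the linear scan stands in for ModSecurity's multi-pattern matcher.

```python
# Phrase-file semantics modelled on ModSecurity's @pmFromFile: one phrase per
# line, blank lines and '#' comment lines ignored, case-insensitive match anywhere
# in the target. The content below is the excerpt of scanners-user-agents.data
# quoted on this page.
SCANNERS_USER_AGENTS_DATA = """\
# Vulnerability scanners, bruteforce password crackers and exploitation tools
# password cracker
# http://sectools.org/tool/hydra/
(hydra)
# vuln scanner
# http://virtualblueness.net/nasl.html
.nasl
# sql injection
# https://sourceforge.net/projects/absinthe/
absinthe
# email harvesting
"""

def load_phrases(data):
    # Keep only non-empty, non-comment lines, lower-cased for case-insensitive matching.
    phrases = []
    for raw in data.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            phrases.append(line.lower())
    return phrases

def pm_from_file(phrases, value):
    # Return the first listed phrase found anywhere in value, or None.
    # (ModSecurity uses Aho-Corasick; a linear scan gives the same hit/no-hit result.)
    haystack = value.lower()
    for phrase in phrases:
        if phrase in haystack:
            return phrase
    return None

PHRASES = load_phrases(SCANNERS_USER_AGENTS_DATA)

def check_user_agent(user_agent, phrases=PHRASES):
    # Mimic CRS rule 913100: a User-Agent containing a listed phrase is flagged
    # with the rule ID and message shown in the page's ruleIdList entry.
    hit = pm_from_file(phrases, user_agent)
    if hit is None:
        return None
    return {"ruleId": 913100, "matched": hit,
            "message": "Found User-Agent associated with security scanner"}

if __name__ == "__main__":
    # "(hydra)" is the User-Agent sent by the curl request on this page.
    for ua in ["(hydra)", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "Absinthe/1.4", "Hydra"]:
        print(repr(ua), "->", check_user_agent(ua))
```

Note that the list entry is "(hydra)" including the parentheses, so a bare "Hydra" User-Agent is not caught by this entry; the match is only as precise as the phrases in the file.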