Security: ModSecurity: configuring the debug log
I. Setting up the debug log:
1. ModSecurity settings
Note: create the directory that will hold the debug log before enabling it (the directives below assume /opt/logs/modsecuritylogs/ already exists and is writable by nginx).
SecDebugLog /opt/logs/modsecuritylogs/debug.log
SecDebugLogLevel 5
2. Once the settings are in place, restart nginx so they take effect:
systemctl restart nginx.service
II. Debug levels:
1. What levels are there?
In theory the debug log has 10 levels, but not all of them are used.
Messages at levels 1-3 are meaningful and are also copied to the Apache/nginx error log.
Messages at higher levels are mostly for troubleshooting and debugging.
The levels are:
Table 4.2. Debug log levels
Debug log level  Description
0                No logging
1                Errors (e.g., fatal processing errors, blocked transactions)
2                Warnings (e.g., non-blocking rule matches)
3                Notices (e.g., non-fatal processing errors)
4                Informational
5                Detailed
9                Everything!
2. Which level should you choose?
If you want to keep debug logging to a minimum, use level 3;
if you only want the messages in the error log, use level 0.
A full debug log produces more than 50 messages per transaction (each message is a separate I/O operation) and at least 7 KB of data per transaction on average,
so logging every message for every transaction consumes a lot of resources.
III. Test:
Request the following URL:
index.html?param='<script>alert(1);</script>'
The result is shown in the figure (screenshot from the original post, not reproduced here).
IV. Reading the debug log
The request argument is recorded:
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] Adding request argument (GET): name "param", value "'<script>alert(1);</script>'"
"Rule returned 1." indicates that a rule matched:
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] (Rule: 941100) Executing operator "DetectXSS against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/*.
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [5] detected XSS using libinjection.
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] Running [independent] (non-disruptive) action: setvar
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] Running [independent] (non-disruptive) action: setvar
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] Rule returned 1.
Log lines for a detected rule match:
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] (Rule: 941390) Executing operator "Rx" with param "(?i)\b(?:eval|set(?:timeout|interval)|new[\s\x0b]+Function|a(?:lert|tob)|btoa|prompt|confirm)[\s\x0b]*\(" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/*.
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] Running [independent] (non-disruptive) action: setvar
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] Running [independent] (non-disruptive) action: setvar
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] Rule returned 1.
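As an added example (not code from the original post or from the ModSecurity project), here is a small Python parser for the debug log format shown above. It groups lines by the transaction timestamp, records which rule ids produced "Rule returned 1.", and counts messages and bytes per transaction, which turns the per-transaction volume argument from section II into something you can measure on your own log. It assumes the line layout `[timestamp] [URI] [level] message` seen in the lines above; the embedded sample log is the XSS transaction from this post plus one constructed benign request.

```python
import re
from dataclasses import dataclass, field

# libmodsecurity (nginx connector) debug log line layout, as seen above:
#   [<transaction timestamp>] [<request URI>] [<level>] <message>
LINE_RE = re.compile(
    r"^\[(?P<txn>[\d.]+)\] \[(?P<uri>[^\]]*)\] \[(?P<level>\d)\] (?P<msg>.*)$"
)
# Rule id tag that prefixes the "Executing operator ..." message of each rule.
RULE_RE = re.compile(r"\(Rule: (?P<id>\d+)\)")


@dataclass
class Transaction:
    """Per-transaction summary, keyed by the timestamp field of the log."""
    uri: str
    messages: int = 0          # debug lines written for this transaction
    bytes_logged: int = 0      # bytes written (each line is one I/O operation)
    max_level: int = 0         # highest debug level that appeared
    matched_rules: list = field(default_factory=list)  # rule ids that "returned 1"


def parse_debug_log(lines):
    """Group debug log lines by transaction and extract the matched rule ids.

    Sub-messages such as "detected XSS using libinjection" or
    "Running ... action: setvar" carry no rule id, so the most recently
    seen "(Rule: NNN)" tag is remembered per transaction and attributed
    to the following "Rule returned 1." line.
    """
    txns = {}
    last_rule = {}
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or output that is not a debug log line
        txn_id = m.group("txn")
        t = txns.setdefault(txn_id, Transaction(uri=m.group("uri")))
        t.messages += 1
        t.bytes_logged += len(line.encode("utf-8")) + 1  # +1 for the newline
        t.max_level = max(t.max_level, int(m.group("level")))
        msg = m.group("msg")
        r = RULE_RE.search(msg)
        if r:
            last_rule[txn_id] = r.group("id")
        elif msg == "Rule returned 1." and txn_id in last_rule:
            t.matched_rules.append(last_rule[txn_id])
    return txns


def summarize(txns):
    """Return per-transaction volume and match data suitable for a report."""
    return {
        txn_id: {
            "uri": t.uri,
            "messages": t.messages,
            "kb": round(t.bytes_logged / 1024, 2),
            "max_level": t.max_level,
            "matched_rules": list(t.matched_rules),
        }
        for txn_id, t in txns.items()
    }


# Constructed sample: the first transaction is the XSS test from the post;
# the second is a constructed benign request that matches no rule.
SAMPLE_LOG = r"""[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] Adding request argument (GET): name "param", value "'<script>alert(1);</script>'"
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] (Rule: 941100) Executing operator "DetectXSS against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/*.
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [5] detected XSS using libinjection.
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] Running [independent] (non-disruptive) action: setvar
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] Running [independent] (non-disruptive) action: setvar
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] Rule returned 1.
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] (Rule: 941390) Executing operator "Rx" with param "(?i)\b(?:eval|set(?:timeout|interval)|new[\s\x0b]+Function|a(?:lert|tob)|btoa|prompt|confirm)[\s\x0b]*\(" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/*.
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] Running [independent] (non-disruptive) action: setvar
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] Running [independent] (non-disruptive) action: setvar
[172915540669.796724] [/index.html?param=%27%3Cscript%3Ealert(1);%3C/script%3E%27] [4] Rule returned 1.
[172915540670.100001] [/index.html?param=hello] [4] Adding request argument (GET): name "param", value "hello"
[172915540670.100001] [/index.html?param=hello] [4] (Rule: 941100) Executing operator "DetectXSS" with param "" against REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/*.
[172915540670.100001] [/index.html?param=hello] [4] Rule returned 0.
"""

if __name__ == "__main__":
    for txn_id, info in summarize(parse_debug_log(SAMPLE_LOG.splitlines())).items():
        print(txn_id, info)
```

Run it against a real file with `parse_debug_log(open("/opt/logs/modsecuritylogs/debug.log"))`; the `kb` and `messages` figures per transaction show directly how much I/O a given SecDebugLogLevel costs, and `matched_rules` gives the rule ids to look up in the CRS when deciding whether a match is a true positive.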