IT博客汇
  • 首页
  • 精华
  • 技术
  • 设计
  • 资讯
  • 扯淡
  • 权利声明
    • 登录 注册

    Nginx 的 WAF 规则 LuaJIT 严重版本

    Teacher Du发表于 2023-12-25 16:39:49
    love 0

    前段时间杜老师发表了一篇《自建 CDN 服务器思路》其中介绍南墙 Web 应用防火墙,有些小伙伴们对其名字很感兴趣,而杜老师注意到了它的防护规则,感觉非常实用,顺手整理了下,分享给需要的小伙伴们。此篇为严重风险的防护规则!

    fastjson漏洞拦截

    过滤阶段:请求阶段

    规则描述:拦截fastjson漏洞漏洞攻击

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    local jsonFilter = waf.jsonFilter

    local function rMatch(v)
        if v == "@type" then
            return true, v
        end
        return false
    end

    local form = waf.form
    if form then
        local raw = form["RAW"]
        local m = jsonFilter(raw, rMatch, false)
        if m then
            return m, raw, true
        end
    end

    return false

    json格式校验

    过滤阶段:请求阶段

    规则描述:高级攻击者会构造一些异常json绕过WAF检测,该规则对json格式进行安全校验,可以拦截异常json请求。

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    local form = waf.form
    local rct = waf.reqContentType
    local rgx = waf.rgxMatch

    if rct and waf.contains(waf.toLower(rct), "application/json") and form then
        local raw = form["RAW"]
        if raw then
            if rgx(raw, "^\\s*$", "jos") then
                return false
            end
            local err = waf.checkJson(raw)
            if err then
                return true, err .. ":" .. raw, true
            end
        end
    end

    return false

    XSS跨站脚本攻击

    过滤阶段:请求阶段

    规则描述:攻击者通常会在有漏洞的程序中插入 JavaScript、VBScript、 ActiveX或Flash以欺骗用户。一旦得手,他们可以盗取用户帐户,修改用户设置,盗取/污染cookie,做虚假广告等。

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    local kvFilter = waf.kvFilter
    local checkXSS = waf.checkXSS


    local function sMatch(v)
        if v then
            local m = checkXSS(v)
            if m then
                return m, v
            end
        end
        return false
    end

    local form = waf.form
    if form then
        local m, d = kvFilter(form["FORM"], sMatch)
        if m then
            return m, d, true
        end
    end

    local queryString = waf.queryString
    if queryString then
        local m, d = kvFilter(queryString, sMatch)
        if m then
            return m, d, true
        end
    end

    local cookies = waf.cookies
    if cookies then
        local m, d = kvFilter(cookies, sMatch)
        if m then
            return m, d, true
        end
    end

    local m, d = sMatch(waf.userAgent)
    if m then
        return m, d, true
    end

    local m, d = sMatch(waf.referer)
    if m then
        return m, d, true
    end

    return false

    java安全规则集

    过滤阶段:请求阶段

    规则描述:检测spring、struts、java序列化等相关安全漏洞

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    local kvFilter = waf.kvFilter
    local rgx = waf.rgxMatch
    local urlDecode = waf.urlDecode
    local requestLine = waf.requestLine
    local check = waf.plugins.javaClassDetection.check

    local function sMatch(v)
        local m = rgx(v, "(?:\\$\\{)+(?:j(?:n|\\$\\{)|\\$\\{(?:\\w*:)+)", "joi")
        if m then
            return m, "Potential Log4j / Log4shell Attack: " .. v
        end
        m = rgx(v, "\\xac\\xed\\x00\\x05|rO0ABQ|KztAAU|Cs7QAF", "jo")
        if m then
            return m, "Magic bytes Detected, probable java serialization Attack: " .. v
        end
        m = rgx(v, "classLoader\\s*\\.\\s*resources\\s*\\.\\s*context\\s*\\.\\s*parent\\s*\\.\\s*pipeline|springframework\\s*\\.\\s*context\\s*\\.\\s*support\\s*\\.\\s*FileSystemXmlApplicationContext", "jos")
        if m then
            return m, "Spring Framework RCE(CVE-2022-22965): " .. v
        end
        m = check(v)
        if m then
            return m, "Potential dangerous java class: " .. v
        end
        return false
    end

    local form = waf.form
    if form then
        local m, d = kvFilter(form["FORM"], sMatch)
        if m then
            return m, d, true
        end
        local raw = form["RAW"]
        m = rgx(raw, "\\xac\\xed\\x00\\x05|rO0ABQ|KztAAU|Cs7QAF", "jo")
        if m then
            return m, raw, true
        end
        m = check(raw)
        if m then
            return m, raw, true
        end
    end

    local queryString = waf.queryString
    if queryString then
        local m, d = kvFilter(queryString, sMatch)
        if m then
            return m, d, true
        end
    end

    local cookies = waf.cookies
    if cookies then
        local m, d = kvFilter(cookies, sMatch)
        if m then
            return m, d, true
        end
    end

    local m, d = kvFilter(waf.reqHeaders, sMatch)
    if m then
        return m, d, true
    end

    local m = rgx(urlDecode(requestLine), "(?:\\$\\{)+(?:j(?:n|\\$\\{)|\\$\\{(?:\\w*:)+)", "joi")
    if m then
        return m, requestLine, true
    end

    return false

    Shellshock漏洞

    过滤阶段:请求阶段

    规则描述:检测对“Shellshock”(CVE-2014-6271和CVE-2014-7169) GNU Bash RCE漏洞的攻击。

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    local kvFilter = waf.kvFilter
    local rgx = waf.rgxMatch
    local requestLine = waf.requestLine
    local urlDecode = waf.urlDecode

    local function rMatch(v)
        local m = rgx(urlDecode(v), "\\(\\s*\\)\\s+{", "jos")
        if m then
            return m, v
        end
        return false
    end

    local m, d = kvFilter(waf.reqHeaders, rMatch)
    if m then
        return m, d, true
    end

    local m, d = rMatch(requestLine)
    if m then
        return m, d, true
    end

    return false

    远程文件包含 (RFI)

    过滤阶段:请求阶段

    规则描述:该规则寻找常见类型的远程文件包含(RFI)攻击方法。 #-PHP“include()”函数 #-JSP <jsp:include page= 或 <c:import url= #-RFI主机与本地主机不匹配

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    local kvFilter = waf.kvFilter
    local rgx = waf.rgxMatch
    local host = waf.host
    local counter = waf.strCounter
    local str_find = string.find
    local str_sub = string.sub

    local function rMatch(v)
        local m = rgx(v, "^(?:url:)?file|ftps?|https?)://(?:[^@]+@)?([^/]+", "joi")
        if m then
            local i, j = str_find(v, host, 1, true)
            if i then
                if counter(str_sub(v, 1, j), "/") == 2 then
                    return false
                end
            end
        end
        return m, v
    end

    local form = waf.form
    if form then
        local m, d = kvFilter(form["FORM"], rMatch)
        if m then
            return m, d, true
        end
    end

    local queryString = waf.queryString
    if queryString then
        local m, d = kvFilter(queryString, rMatch)
        if m then
            return m, d, true
        end
    end

    return false

    json 命令注入检测

    过滤阶段:请求阶段

    规则描述:解析请求body中的json内容,并检测命令注入攻击。采用RCE语义检测引擎可以检查各种变形,如:cat$IFS/etc/os-release或c$()at /e??/p???等

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    local checkRCE = waf.checkRCE
    local jsonFilter = waf.jsonFilter

    local function rMatch(v)
        local m = checkRCE(v)
        if m then
            return m, v
        end
        return false
    end

    local form = waf.form
    if form then
        local m, d = jsonFilter(form["RAW"], rMatch, false, true)
        if m then
            return m, d, true
        end
    end

    return false

    常规命令注入检测

    过滤阶段:请求阶段

    规则描述:检测url、cookie、form中的shell命令注入攻击,采用RCE语义检测引擎可以检查各种变形,如:cat$IFS/etc/os-release或c$()at /e??/p???等

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    local checkRCE = waf.checkRCE
    local kvFilter = waf.kvFilter

    local function rMatch(v)
        local m = checkRCE(v)
        if m then
            return m, v
        end
        return false
    end

    local form = waf.form
    if form then
        local m, d = kvFilter(form["FORM"], rMatch, true)
        if m then
            return m, d, true
        end
    end

    local queryString = waf.queryString
    if queryString then
        local m, d = kvFilter(queryString, rMatch, true)
        if m then
            return m, d, true
        end
    end

    local cookies = waf.cookies
    if cookies then
        local m, d = kvFilter(cookies, rMatch, true)
        if m then
            return m, d, true
        end
    end
    return false

    json sql注入检测

    过滤阶段:请求阶段

    规则描述:解析请求body中的json内容,并检测sql注入攻击。采用SQL语义检测引擎,可以降低误报。

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    local checkSQLI = waf.checkSQLI
    local jsonFilter = waf.jsonFilter

    local function rMatch(v)
        local m = checkSQLI(v)
        if m then
            return m, v
        end
        return false
    end

    local form = waf.form
    if form then
        local m, d = jsonFilter(form["RAW"], rMatch, false)
        if m then
            return m, d, true
        end
    end

    return false

    常规sql注入检测

    过滤阶段:请求阶段

    规则描述:检测url、cookie、form中的sql注入攻击。采用SQL语义检测引擎,可以降低误报。

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    local checkSQLI = waf.checkSQLI
    local kvFilter = waf.kvFilter

    local function sMatch(v)
        local m = checkSQLI(v)
        if m then
            return m, v
        end
        return false
    end

    local form = waf.form
    if form then
        local m, d = kvFilter(form["FORM"], sMatch)
        if m then
            return m, d, true
        end
    end

    local queryString = waf.queryString
    if queryString then
        local m, d = kvFilter(queryString, sMatch)
        if m then
            return m, d, true
        end
    end

    local cookies = waf.cookies
    if cookies then
        local m, d = kvFilter(cookies, sMatch)
        if m then
            return m, d, true
        end
    end

    local m, d = kvFilter(waf.reqHeaders, sMatch)
    if m then
        return m, d, true
    end

    return false

    Invalid protocol

    过滤阶段:请求阶段

    规则描述:请求header数过多,超过64个。

    规则内容:

    1
    2
    3
    4
    if waf.hErr and waf.hErr=="truncated" then
         return true,waf.hErr,true
    end
    return false

    XXE漏洞

    过滤阶段:请求阶段

    规则描述:XML外部实体注入(XML External Entity)漏洞简称XXE漏洞。当允许引用外部实体时,通过构造恶意内容,可导致读取任意文件、执行系统命令、探测内网端口、攻击内网网站等危害。

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    if waf.form and waf.form["RAW"] then
        local m = waf.rgxMatch(waf.form["RAW"], "<!(?:DOCTYPE|ENTITY)[^>]+?\\bSYSTEM\\b", "jos")
        if m then
            return m, waf.form["RAW"], true
        end
    end
    return false

    ImageMagick漏洞

    过滤阶段:请求阶段

    规则描述:ImageMagick是一个功能强大的开源图形处理软件,该漏洞可以执行任意命令和读写文件

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    local rgx = waf.rgxMatch
    local function imgContentMatch(v)
        local m = rgx(v, "\\bpush\\s+graphic-context\\b|\\<\\s*image\\b", "joi")
        if m then
            return m, v
        end
        return false
    end
    if waf.form then
        local m, d = waf.knFilter(waf.form["FILES"], imgContentMatch, 0)
        return m, d, true
    end
    return false

    header头漏洞

    过滤阶段:请求阶段

    规则描述:httpoxy漏洞可被用来针对CGI环境设置非法代理,从而窃取服务器敏感数据。在CVE-2017-7269(IIS 6.0 WebDAV远程代码执行漏洞)中if和lock_token http头会造成溢出攻击。

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    if waf.reqHeaders.proxy ~= nil then
        return true, "Proxy: " .. waf.reqHeaders.proxy, true
    end

    if waf.reqHeaders.lock_token ~= nil then
        return true, "Lock-Token: " .. waf.reqHeaders.lock_token, true
    end

    if waf.reqHeaders["If"] ~= nil then
        return true, "If: " .. waf.reqHeaders["If"], true
    end

    return false

    LDAP Injection

    过滤阶段:请求阶段

    规则描述:拦截LDAP注入攻击

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    local kvFilter = waf.kvFilter
    local rgx = waf.rgxMatch
    local htmlEntityDecode = waf.htmlEntityDecode

    local function rMatch(v)
        local m = rgx(htmlEntityDecode(v), "^[^:\\(\\)\\&\\|\\!\\<\\>\\~]*\\)\\s*(?:\\((?:[^,\\(\\)\\=\\&\\|\\!\\<\\>\\~]+[><~]?=|\\s*[&!|]\\s*(?:\\)|\\()?\\s*)|\\)\\s*\\(\\s*[\\&\\|\\!]\\s*|[&!|]\\s*\\([^\\(\\)\\=\\&\\|\\!\\<\\>\\~]+[><~]?=[^:\\(\\)\\&\\|\\!\\<\\>\\~]*)", "jos")
        if m then
            return m, v
        end
        return false
    end

    local form = waf.form
    if form then
        local m, d = kvFilter(form["FORM"], rMatch)
        if m then
            return m, d, true
        end
    end

    local queryString = waf.queryString
    if queryString then
        local m, d = kvFilter(queryString, rMatch)
        if m then
            return m, d, true
        end
    end

    local cookies = waf.cookies
    if cookies then
        local m, d = kvFilter(cookies, rMatch)
        if m then
            return m, d, true
        end
    end
    return false

    HTTP Splitting

    过滤阶段:请求阶段

    规则描述:此规则检测请求文件名中的\n或\r。

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    local rgx = waf.rgxMatch
    local function fMatch(v)
        local m = rgx(v, "[\\n\\r]", "jo")
        if m then
            return m, v
        end
        return false
    end
    local m, d = fMatch(waf.uri)
    if m then
        return m, d, true
    end
    return false

    HTTP Header Injection

    过滤阶段:请求阶段

    规则描述:HTTP头注入查找回车符(CR)%0d和换行符(LF)%0a字符,单独或与header字段名称组合使用。如果数据在响应头中返回并由客户端解释,这些字符可能会导致问题。

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    local rgx = waf.rgxMatch
    local htmlEntityDecode = waf.htmlEntityDecode
    local concat = table.concat

    local function hMatch(v)
        local m = rgx(htmlEntityDecode(v), "[\\n\\r]", "jo")
        if m then
            return m, v
        end
        return false
    end

    local function vMatch(v)
        local m = rgx(htmlEntityDecode(v), "[\\n\\r]+(?:\\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\\s*:", "josi")
        if m then
            return m, v
        end
        return false
    end

    local m, d = waf.kvFilter(waf.reqHeaders, hMatch)
    if m then
        return m, d, true
    end

    local queryString = waf.queryString
    if queryString then
        for k, v in pairs(waf.queryString) do
            m, d = hMatch(k)
            if m then
                return m, d, true
            end
            if type(v)=="table" then
                v = concat(v,",")
            end
            m, d = vMatch(v)
            if m then
                return m, d, true
            end
        end
    end

    local form = waf.form
    if form then
        for k, _ in pairs(form["FORM"]) do
            m, d = hMatch(k)
            if m then
                return m, d, true
            end
        end
    end

    return false

    boundary异常拦截

    过滤阶段:请求阶段

    规则描述:拦截请求content type头中multipart/form-data的异常boundary,如php在上传解析boundary时没有符合rfc规范,对逗号产生了错误解析。

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    local ct = waf.reqContentType

    if ct then
        if type(ct) ~= "string" then
            return true, "Malform Content-Type", true
        elseif waf.contains(ct, "boundary") and (waf.strCounter(ct, "boundary") > 1 or not waf.rgxMatch(ct, "boundary=[\\w\\-]+$", "jo")) then
            return true, ct, true
        end
    end

    return false

    asp畸形编码过滤

    过滤阶段:请求阶段

    规则描述:asp中unicode畸形编码会造成waf绕过危害

    规则内容:

    1
    2
    3
    4
    if waf.rgxMatch(waf.reqUri,"%u00(?:aa|ba|d0|de|e2|f0|fe)","i") then
     return true,waf.reqUri,true
    end
    return false

    HTTP Response Splitting

    过滤阶段:请求阶段

    规则描述:该规则查找回车符(CR)%0d和换行符(LF)%0a字符。如果在响应报头中返回数据,这些字符可能会导致问题,并且可能会被中间代理服务器解释并被视为两个单独的响应。

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    local kvFilter = waf.kvFilter
    local rgx = waf.rgxMatch
    local htmlEntityDecode = waf.htmlEntityDecode

    local function rMatch(v)
        local m = rgx(v, "[\\r\\n]\\W*?(?:content-(?:type|length)|set-cookie|location):\\s*\\w", "josi")
        if m then
            return m, v
        end
        return false
    end

    local function hMatch(v)
        local m = rgx(htmlEntityDecode(v), "(?:\\bhttp/\\d|<(?:html|meta)\\b)", "josi")
        if m then
            return m, v
        end
        return false
    end

    local form = waf.form
    if form then
        local m, d = kvFilter(form["FORM"], rMatch)
        if m then
            return m, d, true
        end
        m, d = kvFilter(form["FORM"], hMatch)
        if m then
            return m, d, true
        end
    end

    local queryString = waf.queryString
    if queryString then
        local m, d = kvFilter(queryString, rMatch)
        if m then
            return m, d, true
        end
        m, d = kvFilter(queryString, hMatch)
        if m then
            return m, d, true
        end
    end

    local cookies = waf.cookies
    if cookies then
        local m, d = kvFilter(cookies, rMatch)
        if m then
            return m, d, true
        end
        m, d = kvFilter(cookies, hMatch)
        if m then
            return m, d, true
        end
    end
    return false

    HTTP Request Smuggling

    过滤阶段:请求阶段

    规则描述:此规则查找与单词HTTP/\d或CR/LF字符组合的HTTP/WEBDAV方法名。这将指向试图将第二个请求注入到请求中,从而绕过对主请求执行的测试,如CVE-2019-20372(Nginx<1.17.7 请求走私漏洞)。

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    local kvFilter = waf.kvFilter
    local rgx = waf.rgxMatch
    local htmlEntityDecode = waf.htmlEntityDecode

    local function rMatch(v)
        local m = rgx(htmlEntityDecode(v), "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+[^\\s]+\\s+http/\\d", "josi")
        if m then
            return m, v
        end
        return false
    end

    local form = waf.form
    if form then
        local m, d = kvFilter(form["FORM"], rMatch)
        if m then
            return m, d, true
        end
        m, d = rMatch(form["RAW"])
        if m then
            return m, d, true
        end
    end

    local queryString = waf.queryString
    if queryString then
        local m, d = kvFilter(queryString, rMatch)
        if m then
            return m, d, true
        end
    end

    local cookies = waf.cookies
    if cookies then
        local m, d = kvFilter(cookies, rMatch)
        if m then
            return m, d, true
        end
    end
    return false

    上传文件内容过滤

    过滤阶段:请求阶段

    规则描述:过滤上传的文件内容,拦截webshell上传

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    local rgx = waf.rgxMatch
    local function fileContentMatch(v)
        local m = rgx(v, "<\\?.+?\\$(?:GLOBALS|_(?:GET|POST|COOKIE|REQUEST|SERVER|FILES|SESSION|ENV))|<\\?php|<jsp:|<%(?i:!|\\s*@|.*?\\brequest\\s*(?:\\.|\\())", "jos")
        if m then
            return m, v
        end
        return false
    end
    if waf.form then
        local m, d = waf.knFilter(waf.form["FILES"], fileContentMatch, 0)
        return m, d, true
    end
    return false

    上传文件名过滤

    过滤阶段:请求阶段

    规则描述:过滤上传文件名中的网页脚本扩展名,拦截webshell上传

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    local rgx = waf.rgxMatch

    local function fileNameMatch(v)
        local m = rgx(v, "\\.(?:as|cer\\b|cdx|ph|jsp|war|class|exe|ht|env|user\\.ini)|php\\.ini", "joi")
        if m then
            return m, v
        end
        return false
    end
    if waf.form then
        local m, d = waf.knFilter(waf.form["FILES"], fileNameMatch, 1)
        return m, d, true
    end

    return false

    防持续攻击

    过滤阶段:请求阶段

    规则描述:累计攻击超过100次,则在10分钟内拦截该ip访问

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    local ib = waf.ipBlock
    local c = ib:get(waf.ip)
    if c and c >= 100 then
        ib:set(waf.ip, c, 600, 1)
        return true, "ip blocked for continue attack: " .. waf.ip, true
    end
    return false

    Invalid protocol

    过滤阶段:请求阶段

    规则描述:非法post协议

    规则内容:

    1
    2
    3
    4
    5
    6
    7
    if waf.form == nil then
        if waf.contains(waf.fErr, "content_type") then
            return true, waf.fErr .. ": " .. waf.reqContentType, true
        end
        return true, waf.fErr, true
    end
    return false


沪ICP备19023445号-2号
友情链接