  • ModSecurity rule learning (4): writing rule directives

    The rule language is implemented with 9 directives:

    Syntax: SecRule VARIABLES OPERATOR [TRANSFORMATION_FUNCTIONS, ACTIONS]

    Variables come in the following kinds:

    Regular variables
    Contain only one piece of information, or one string. For example, REMOTE_ADDR, always
    contains the IP address of the client.
    Collections
    Groups of regular variables. Some collections (e.g., ARGS) allow enumeration, making
    it possible to use its every member in a rule. Some other collections (e.g., ENV)
    are not as flexible, but there is always going to be some way to extract individual regular
    variables out of them.
    Read-only collections
    Many of the collections point to some data that cannot be modified, in which case
    the collection itself will be available only for reading.
    Read/write collections
    When a collection is not based on immutable data ModSecurity will allow you to
    modify it. A good example of a read/write collection is TX, which is a collection that
    starts empty and exists only as long as the currently processed transaction exists.
    Special collections
    Sometimes a collection is just a handy mechanism to retrieve information from
    something that is not organised as a collection but it can seem that way. This is the
    case with the XML collection, which takes an XPath expression as a (mandatory) parameter
    and allows you to extract values out of an XML file.
    Persistent collections
    Some collections can be stored and retrieved later. This feature allows you to adopt a
    wider view of your systems, for example tracking access per IP address or per session,
    or per user account.

    1. A simple rule

    Create myruls.conf in the rule/ directory.

    Add the rule:

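    # Deny with status 503 when any request argument value matches (testwwd)+.
    # Each continued line must end with a backslash.
    SecRule ARGS "(testwwd)+" \
            "msg:'wwd22 test',\
            id:300102,\
            phase:request,\
            deny,\
            status:503"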

    Reload nginx.

    Test: http://nginxip:nginxport/?test=testwwd

    The request is blocked with a 503 response.
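
    The variable kinds listed earlier, applied to the same test pattern. This is an added example, not part of the original post: it uses a regular variable (REMOTE_ADDR), an enumerated collection (ARGS) with explicit transformation functions, and the read/write TX collection to pass state between rules. The rule ids 300103-300105, the address 192.0.2.10 and the tx.* variable names are assumptions chosen for illustration.

    ```apache
    # Added example: ids, the 192.0.2.10 address and tx.* names are assumptions.

    # Regular variable: REMOTE_ADDR holds exactly one string, the client IP.
    # Record a trusted test client in TX, which starts empty for every
    # transaction and disappears when the transaction ends.
    SecRule REMOTE_ADDR "@ipMatch 192.0.2.10" \
        "id:300103,\
        phase:1,\
        pass,\
        nolog,\
        setvar:tx.trusted_client=1"

    # Collection: ARGS is enumerated, so every parameter value is tested.
    # t:none clears inherited transformations; the value is then URL-decoded
    # and lowercased before @rx runs, so TESTWWD and %74estwwd also match.
    SecRule ARGS "@rx (testwwd)+" \
        "id:300104,\
        phase:2,\
        pass,\
        nolog,\
        t:none,t:urlDecodeUni,t:lowercase,\
        setvar:tx.wwd_hit=1,\
        setvar:tx.wwd_arg=%{MATCHED_VAR_NAME}"

    # Read TX back: deny only when the pattern was seen AND the client was
    # not marked trusted (&TX:trusted_client counts how many such entries exist).
    SecRule TX:wwd_hit "@eq 1" \
        "id:300105,\
        phase:2,\
        deny,\
        status:503,\
        log,\
        msg:'testwwd found in %{tx.wwd_arg}',\
        chain"
        SecRule &TX:trusted_client "@eq 0"
    ```

    With these rules loaded, the test URL above is still answered with 503 for ordinary clients, and the audit message names the argument that matched (ARGS:test).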

    2. Targeting Struts vulnerabilities

    3. Lua scripts

    4. Whitelists and blacklists

    6. Custom scoring

  • Original article: https://www.cnblogs.com/wuweidong/p/8609956.html