
I have the following rule:

SecRule REQUEST_HEADERS:Client-IP "@ipMatchFromFile test.txt" "id:210487,t:none,t:urlDecodeUni,t:removeWhitespace,drop,msg:'IP-test'"

But when I run it, I get this in the debug log:

T (0) urlDecodeUni: "111.22.33.44 " // note the space before the "
T (0) removeWhitespace: "111.22.33.44"  // perfect! The space has been removed
Transformation completed in 4 usec.
Executing operator "ipMatchFromFile" with param "test.txt" against REQUEST_HEADERS:Client-IP.
Target value: "111.22.33.44"  // target value has no space, hooray!
IPmatchFromFile: Total tree entries: 8, ipv4 8 ipv6 0
IPmatch: bad IPv4 specification "111.22.33.44 ".  // why, oh why, is the space back!
Operator completed in 4 usec.
Operator error: IPmatch: bad IPv4 specification "111.22.33.44 ".  // that space again!
Rule returned -1.
Rule processing failed.
Rule failed, not chained -> mode NEXT_RULE.

Stack Overflow legends, please tell me how to fix it :-)


1 Answer


That should work, so it looks like a bug. Can't say I've honestly ever tried matching IP addresses that need to be transformed first.

As it's not a real IP address, you could switch to using @pmFromFile instead of @ipMatchFromFile. Note that the documentation explicitly warns that you need to get the boundaries right here:

Because this operator does not check for boundaries when matching, false positives are possible in some cases. For example, if you want to use @pm for IP address matching, the phrase 1.2.3.4 will potentially match more than one IP address (e.g., it will also match 1.2.3.40 or 1.2.3.41). To avoid the false positives, you can use your own boundaries in phrases. For example, use /1.2.3.4/ instead of just 1.2.3.4. Then, in your rules, also add the boundaries where appropriate. You will find a complete example in the example:

# Prepare custom REMOTE_ADDR variable
SecAction "phase:1,id:168,nolog,pass,setvar:tx.REMOTE_ADDR=/%{REMOTE_ADDR}/"

# Check if REMOTE_ADDR is blacklisted
SecRule TX:REMOTE_ADDR "@pmFromFile blacklist.txt" "phase:1,id:169,deny,msg:'Blacklisted IP address'"

The file blacklist.txt could then contain:

# ip-blacklist.txt contents:
# NOTE: All IPs must be prefixed/suffixed with "/" as the rules
#   will add in this character as a boundary to ensure
#   the entire IP is matched.
# SecAction "phase:1,id:170,pass,nolog,setvar:tx.remote_addr='/%{REMOTE_ADDR}/'"
/1.2.3.4/
/5.6.7.8/
answered 2017-05-30T21:22:49.790
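To make the false-positive mode the quoted documentation warns about concrete, here is an added Python model of the @pmFromFile boundary trick (example code written for this page, not ModSecurity's own implementation). The blocklist contents and Client-IP values are constructed, and the question's t:urlDecodeUni,t:removeWhitespace chain is approximated with urllib's percent-decoder plus whitespace stripping.

```python
from urllib.parse import unquote
import re

# Constructed blocklist in the /ip/ boundary format the answer recommends.
# Comment and blank lines are skipped, as in a @pmFromFile data file.
BLACKLIST_TXT = """\
# ip-blacklist.txt (constructed sample)
/1.2.3.4/
/5.6.7.8/
"""


def load_phrases(text):
    """Return the phrases from a @pmFromFile-style file, ignoring comments and blanks."""
    phrases = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            phrases.append(line)
    return phrases


def transform(value):
    """Approximate the rule's chain: t:urlDecodeUni (percent-decode) then t:removeWhitespace."""
    # unquote() only handles %xx escapes; ModSecurity's urlDecodeUni also decodes %uXXXX.
    return re.sub(r"\s+", "", unquote(value))


def pm_match(target, phrases):
    """Model @pm / @pmFromFile: an unanchored substring match of any phrase in the target."""
    return any(p in target for p in phrases)


def is_blocklisted(client_ip, blacklist_text, bounded=True):
    """Check a Client-IP header value against the list.

    bounded=True mirrors the docs' setvar trick: the address is wrapped in '/'
    so the phrase /1.2.3.4/ can only match the whole address.
    bounded=False models a naive list without boundaries, where 1.2.3.4
    also matches 1.2.3.40 (the false positive the docs describe)."""
    phrases = load_phrases(blacklist_text)
    if not bounded:
        phrases = [p.strip("/") for p in phrases]
    addr = transform(client_ip)
    target = f"/{addr}/" if bounded else addr
    return pm_match(target, phrases)
```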