
ModSecurity Series, Part 4: Rules in Practice 2

There are several reasons why you might want to apply operators to something other than the original variable values:
• Your input is not available in a form that is useful to you. For example, it might be base64-encoded, in which case you won’t be able to do anything useful with it. By applying the transformation function that decodes base64 data (t:base64Decode), you “open” up the data for inspection.
• Similarly, you may need a piece of data in some other form. If you have some binary data, which you need to record in a user-friendly manner, you will probably encode it as hex characters using t:hexEncode.
• Sometimes rules are difficult or impossible to write to deal with input in its original form. Take, for example, case sensitivity. Most ModSecurity operators are case sensitive, but there are many cases where case does not matter. If you attempt to match a non-trivial string using a case-sensitive matching function, you will soon discover that you will either need to write a number of rules (each with a different combination of lowercase and uppercase letters) or a rule with a very ugly and difficult-to-decipher regular expression. You deal with this particular problem by transforming input into lowercase before matching.
• In the majority of cases, however, you will use transformation functions to counter evasion. Evasion is a technique often used by attackers to bypass existing detection and protection mechanisms. They will take advantage of the specific context in which attack payload data is processed to modify it in such a way that it evades detection but remains effective.
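
The following added example (not from the original page, and not ModSecurity's own code) is a simplified Python model of the behaviour described above: an operator is applied to the output of an ordered transformation pipeline rather than to the raw value. The function names, the substring operator and the sample value are assumptions made for illustration.

```python
import base64
import binascii

# Simplified stand-ins for t:base64Decode, t:lowercase and t:hexEncode.
def t_base64_decode(value: bytes) -> bytes:
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        # Assumption of this model: undecodable input passes through unchanged.
        return value

def t_lowercase(value: bytes) -> bytes:
    return value.lower()

def t_hex_encode(value: bytes) -> bytes:
    # Makes binary data printable, e.g. for recording it in a log.
    return value.hex().encode("ascii")

TRANSFORMS = {
    "base64Decode": t_base64_decode,
    "lowercase": t_lowercase,
    "hexEncode": t_hex_encode,
}

def apply_pipeline(value: bytes, names: list[str]) -> bytes:
    """Apply the named transformations in the order given."""
    for name in names:
        value = TRANSFORMS[name](value)
    return value

def rule_matches(raw: bytes, names: list[str], needle: bytes) -> bool:
    """Case-sensitive substring operator run on the transformed value."""
    return needle in apply_pipeline(raw, names)

# Constructed sample: a mixed-case string, base64-encoded by the client.
SAMPLE = base64.b64encode(b"<ScRiPt>alert(1)</ScRiPt>")
NEEDLE = b"<script"

if __name__ == "__main__":
    for names in ([], ["base64Decode"], ["base64Decode", "lowercase"]):
        print(names or ["(raw value)"], "->", rule_matches(SAMPLE, names, NEEDLE))
    # hexEncode goes the other way: binary in, log-friendly text out.
    print(apply_pipeline(b"\x00\xffxyz", ["hexEncode"]).decode())
```

Only the pipeline that both decodes and lowercases lets the case-sensitive operator see the string; swapping the order of the two steps produces a different value, so the order in which transformations are listed matters.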