I. Blocking requests that contain a given string:
1. Example, as follows:
11.89.39.11 - - [23/Oct/2024:04:47:22 +0800] "GET /.git/config HTTP/1.1" 404 548 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36" "-" 0.000
Or:
61.227.34.19 - - [23/Oct/2024:03:55:37 +0800] "GET /.env HTTP/1.1" 404 146 "-" "Mozilla/5.0 Keydrop" "-" 0.000
2. Rule code:
SecRule REQUEST_URI "@contains .git" "id:2001,phase:1,deny,status:403"
SecRule REQUEST_URI "@contains .env" "id:2003,phase:1,deny,status:403"
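A single rule can also block several cases at once (it reuses id 2001, so load it in place of the two rules above; rule ids must be unique):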
SecRule REQUEST_URI "@rx \.git|\.env" "id:2001,phase:1,deny,status:403"
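In a regular expression, . matches any character, so it is escaped with a preceding \.
II. Blocking requests that contain two strings at the same time
1. Example:
14.38.23.16 - - [23/Oct/2024:03:40:02 +0800] "GET /js/_system/jQuery-File-Upload/server/php/index.php?file=tf2rghf.jpg HTTP/1.1" 404 146 "-" "ALittle Client" "-" 0.000
Requests like this append a .jpg parameter after the php; the aim is to bypass some filtering rules.
2. Solution, rule code: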
SecRule REQUEST_URI "@rx \.php.*\.jpg" "phase:1,deny,status:403,id:2100"
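In a regular expression, . matches any character and * means any number of repetitions.
The chain syntax can also be used, as an alternative to the rule above:
Example: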
SecRule REQUEST_URI "@contains .php" "chain,phase:1,deny,status:403,id:2100"
SecRule REQUEST_URI "@contains .jpg"
For reference.
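An added example, not part of the original post: it replays constructed access-log lines against Python equivalents of the rules above, so you can see what each pattern would deny before loading it. The sample lines and all function names are assumptions; it also shows that the chained form matches .php and .jpg in either order while the @rx form requires .php first, and that @contains .env also matches a path such as app.environment.js.

```python
import re

# Request field of an nginx/Apache access-log line: "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# The page's rules as predicates over REQUEST_URI (path plus query string).
# @contains is a substring test; @rx is an unanchored regex search.
RULES = {
    2001: lambda uri: ".git" in uri,
    2003: lambda uri: ".env" in uri,
    2100: lambda uri: re.search(r"\.php.*\.jpg", uri) is not None,
}

def chained_2100(uri):
    """Chained form of rule 2100: both substrings, in either order."""
    return ".php" in uri and ".jpg" in uri

def request_uri(log_line):
    """Return the request URI from a log line, or None if unparsable."""
    m = REQUEST_RE.search(log_line)
    return m.group(1) if m else None

def matching_rules(uri):
    """Return the sorted ids of the rules that would deny this URI."""
    return sorted(rid for rid, rule in RULES.items() if rule(uri))

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Oct/2024:04:47:22 +0800] "GET /.git/config HTTP/1.1" 404 548',
    '192.0.2.11 - - [23/Oct/2024:03:55:37 +0800] "GET /.env HTTP/1.1" 404 146',
    '192.0.2.12 - - [23/Oct/2024:03:40:02 +0800] "GET /server/php/index.php?file=a.jpg HTTP/1.1" 404 146',
    '192.0.2.13 - - [23/Oct/2024:05:00:00 +0800] "GET /img/a.jpg?from=index.php HTTP/1.1" 200 900',
    '192.0.2.14 - - [23/Oct/2024:05:00:01 +0800] "GET /static/app.environment.js HTTP/1.1" 200 900',
    '192.0.2.15 - - [23/Oct/2024:05:00:02 +0800] "GET /index.html HTTP/1.1" 200 900',
]

def report(lines):
    """Map each URI to (matching rule ids, chained-2100 result)."""
    out = {}
    for line in lines:
        uri = request_uri(line)
        if uri is not None:
            out[uri] = (matching_rules(uri), chained_2100(uri))
    return out

if __name__ == "__main__":
    for uri, (ids, chained) in report(SAMPLE_LOG).items():
        print(f"{uri:45} rules={ids} chained_2100={chained}")
```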