modSecurity规则学习（四）——规则指令编写

规则语言是使用9个指令实现：

语法：SecRule VARIABLES OPERATOR [TRANSFORMATION_FUNCTIONS, ACTIONS]

Variables 以下几种：

Regular variables
Contain only one piece of information, or one string. For example, REMOTE_ADDR, always
contains the IP address of the client.
Collections
Groups of regular variables. Some collections (e.g., ARGS) allow enumeration, making
it possible to use its every member in a rule. Some other collections (e.g., ENV)

are not as flexible, but there is always going to be some way to extract individual regular
variables out of them.
Read-only collections
Many of the collections point to some data that cannot be modified, in which case
the collection itself will be available only for reading.
Read/write collections
When a collection is not based on immutable data ModSecurity will allow you to
modify it. A good example of a read/write collection is TX, which a collection that
starts empty and exists only as long as the currently processed transaction exists.
Special collections
Sometimes a collection is just a handy mechanism to retrieve information from
something that is not organised as a collection but it can seem that way. This is the
case with the XML collection, which takes an XPath expression as a (mandatory) parameter
and allows you to extract values out of an XML file.
Persistent collections
Some collections can be stored and retrieved later. This feature allows you to adopt a
wider view of your systems, for example tracking access per IP address or per session,
or per user account.

1、一个简单的规则

在rule/目录下创建myruls.conf

添加规则

SecRule ARGS "(testwwd)+" \
        "msg:'wwd22 test',\
        id:,\
        phase:request,\
        deny,\
        status:"

nginx reload

测试：http://nginxip:nginxport/?test=testwwd

503拦截

2、针对struts漏洞

3、lua脚本

4、白名单、黑名单

6、自定义评分