Understanding the WAF CRS Flow
Understanding the CRS + ModSecurity text diagram, with paranoia levels and score thresholds per category.
                +----------------------+
                |  Incoming HTTP Req   |
                +----------------------+
                           |
                           v
           +-------------------------------+
           |  ModSecurity Core Processing  |
           +-------------------------------+
                           |
         +-----------------+-----------------+
         |                                   |
         v                                   v
+----------------------+            +----------------------+
| Protocol Checks      |            | Header Checks        |
| - HTTP method        |            | - User-Agent         |
| - URI length         |            | - Cookies            |
| - HTTP version       |            | - Referrer           |
| Paranoia Level: 1-2  |            | Paranoia Level: 1-3  |
| Score per rule: 5    |            | Score per rule: 5-8  |
+----------------------+            +----------------------+
         |                                   |
         v                                   v
+----------------------+            +----------------------+
| Argument Checks      |            | File Upload Checks   |
| - Num of args        |            | - Extension Whitelist|
| - Arg length         |            | - Max File Size      |
| Paranoia Level: 2-3  |            | Paranoia Level: 2-4  |
| Score per rule: 7-10 |            | Score per rule: 10-15|
+----------------------+            +----------------------+
         |                                   |
         +-----------------+-----------------+
                           |
                           v
              +--------------------------+
              | Apply CRS Rules          |
              | Request/Response         |
              | - REQUEST-901 → INIT     |
              | - REQUEST-920 → Protocol |
              | - REQUEST-932 → RCE      |
              | - RESPONSE-950 → Data    |
              | Paranoia Level: 1-4      |
              | Score per rule: 5-20     |
              +--------------------------+
                           |
                           v
              +--------------------------+
              | Calculate Anomaly Score  |
              | tx.inbound_anomaly_score |
              | tx.outbound_anomaly_score|
              +--------------------------+
                           |
                           v
              +--------------------------+
              | Compare Threshold        |
              | - inbound: 5/10/15/20    |
              | - outbound: 4/8/12/16    |
              | (varies per paranoia lvl)|
              +--------------------------+
                           |
         +-----------------+-----------------+
         |                                   |
         v                                   v
+----------------------+            +----------------------+
| Score < Threshold    |            | Score >= Threshold   |
| → Allow Request      |            | → Block Request      |
+----------------------+            +----------------------+
Additional notes:

- Paranoia Level (PL 1-4)
  - PL1: basic rules, minimal false positives
  - PL2: additional rules for common attacks
  - PL3: aggressive rules (RCE, SQLi, LFI)
  - PL4: all rules, including the most aggressive ones

- Scoring
  - Each matching rule adds to the score (tx.inbound_anomaly_score)
  - Threshold for PL1-4 is typically: 5 / 10 / 15 / 20

- Request vs Response Rules
  - Request → filters user input
  - Response → filters the web server's output (e.g. data leaks)

- CRS Layers
  - REQUEST-901: Initialization
  - REQUEST-920: Protocol enforcement
  - REQUEST-932: RCE detection
  - RESPONSE-950: Data leakage
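The scoring flow drawn in the diagram and summarised in the notes above, as an added example that is not part of the original post or of the CRS project: a small Python model in which every rule carries a paranoia level and a severity, only rules at or below the configured PL run at all, each match adds its severity score to tx.inbound_anomaly_score or tx.outbound_anomaly_score, and the totals are compared with the thresholds. The rule ids, patterns, requests and responses are all constructed for illustration; they are not real CRS rules or real traffic. Two details from the real rule set help when reading it: CRS 3.x scores a match by severity (critical 5, error 4, warning 3, notice 2) and ships in crs-setup.conf with default thresholds of 5 inbound and 4 outbound at every paranoia level, so the 5/10/15/20 and 4/8/12/16 ladder from the diagram is a site tuning, offered here through page_thresholds() so the two can be compared; and the threshold comparison itself is done by REQUEST-949-BLOCKING-EVALUATION.conf and RESPONSE-959-BLOCKING-EVALUATION.conf, which the diagram folds into the "Compare Threshold" box.

```python
"""Toy model of the ModSecurity + CRS anomaly-scoring flow from the diagram.

Added example: rules, requests and responses below are constructed for
illustration; they are not real CRS rules and not real traffic.
"""
import re
from dataclasses import dataclass, field
from typing import Callable

# CRS 3.x default severity scores (tx.critical_anomaly_score and friends).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
# CRS 3.x default thresholds from crs-setup.conf (identical at every PL).
DEFAULT_INBOUND_THRESHOLD = 5
DEFAULT_OUTBOUND_THRESHOLD = 4


@dataclass
class Rule:
    rule_id: int                  # constructed ids in the 920/932/950 families
    phase: str                    # "request" or "response"
    paranoia_level: int           # rule runs only when configured PL >= this
    severity: str                 # key into SEVERITY_SCORE
    check: Callable[[str], bool]  # True when the rule matches the text
    msg: str


@dataclass
class Transaction:
    request: str
    response: str = ""
    inbound_anomaly_score: int = 0   # tx.inbound_anomaly_score
    outbound_anomaly_score: int = 0  # tx.outbound_anomaly_score
    matched: list = field(default_factory=list)


def _missing(header: str) -> Callable[[str], bool]:
    """Check that fires when the header is absent or has an empty value."""
    pat = re.compile(rf"^{header}:[ \t]*\S", re.I | re.M)
    return lambda text: pat.search(text) is None


def _regex(pattern: str) -> Callable[[str], bool]:
    pat = re.compile(pattern, re.I)
    return lambda text: pat.search(text) is not None


# Constructed rule set, loosely following the 920 / 932 / 950 families.
RULES = [
    Rule(920001, "request", 1, "WARNING", _missing("Host"), "Missing Host header"),
    Rule(920002, "request", 2, "NOTICE", _missing("Accept"), "Empty or missing Accept"),
    Rule(932001, "request", 1, "CRITICAL",
         _regex(r"(;|\|\|?|&&)\s*(cat|ls|id|whoami)\b"), "Unix command injection"),
    Rule(932002, "request", 3, "CRITICAL",
         _regex(r"\$\{?[A-Za-z_]\w*\}?"), "Shell variable expansion (PL3, noisy)"),
    Rule(950001, "response", 1, "ERROR",
         _regex(r"root:x:0:0:"), "Unix password file content in response"),
]


def _apply(tx: Transaction, phase: str, paranoia_level: int) -> None:
    """Run the active rules of one phase and accumulate the anomaly score."""
    text = tx.request if phase == "request" else tx.response
    for rule in RULES:
        if rule.phase != phase or rule.paranoia_level > paranoia_level:
            continue  # the PL decides which rules run, nothing else
        if rule.check(text):
            score = SEVERITY_SCORE[rule.severity]
            tx.matched.append((rule.rule_id, rule.msg, score))
            if phase == "request":
                tx.inbound_anomaly_score += score
            else:
                tx.outbound_anomaly_score += score


def evaluate(tx: Transaction, paranoia_level: int,
             inbound_threshold: int = DEFAULT_INBOUND_THRESHOLD,
             outbound_threshold: int = DEFAULT_OUTBOUND_THRESHOLD) -> str:
    """Return ALLOW, BLOCK_REQUEST or BLOCK_RESPONSE for one transaction."""
    _apply(tx, "request", paranoia_level)           # REQUEST-9xx rules
    if tx.inbound_anomaly_score >= inbound_threshold:
        return "BLOCK_REQUEST"                       # REQUEST-949 evaluation
    _apply(tx, "response", paranoia_level)          # RESPONSE-9xx rules
    if tx.outbound_anomaly_score >= outbound_threshold:
        return "BLOCK_RESPONSE"                      # RESPONSE-959 evaluation
    return "ALLOW"


def page_thresholds(paranoia_level: int) -> tuple:
    """The per-PL ladder from the diagram: 5/10/15/20 inbound, 4/8/12/16 outbound."""
    return 5 * paranoia_level, 4 * paranoia_level


# Constructed sample traffic (not real requests).
SAMPLES = {
    "benign": dict(request="GET /index.html HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n",
                   response="<html>ok</html>"),
    "cmdi": dict(request="GET /ping?host=127.0.0.1;cat+/etc/passwd HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n"),
    "sloppy_client": dict(request="GET /api/items HTTP/1.1\r\nAccept:\r\n\r\n", response='{"items": []}'),
    "shell_var": dict(request="GET /search?q=$HOME HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n"),
    "leak": dict(request="GET /debug HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n",
                 response="root:x:0:0:root:/root:/bin/bash\n"),
}


def run_sample(name: str, paranoia_level: int, use_page_thresholds: bool = False) -> tuple:
    """Evaluate one sample; returns (decision, inbound score, outbound score)."""
    tx = Transaction(**SAMPLES[name])
    inbound, outbound = (page_thresholds(paranoia_level) if use_page_thresholds
                         else (DEFAULT_INBOUND_THRESHOLD, DEFAULT_OUTBOUND_THRESHOLD))
    decision = evaluate(tx, paranoia_level, inbound, outbound)
    return decision, tx.inbound_anomaly_score, tx.outbound_anomaly_score


if __name__ == "__main__":
    for name in SAMPLES:
        for pl in (1, 2, 3, 4):
            print(f"{name:14s} PL{pl}: {run_sample(name, pl)}")
```

Run it directly to print the decision for every sample at PL1 through PL4. The sloppy_client sample shows how two low-severity matches (WARNING 3 + NOTICE 2) only reach the default inbound threshold once PL2 enables the second rule, and how the same request is allowed again under the diagram's PL2 threshold of 10; the shell_var sample shows a PL3-only rule turning a request that passes at PL1 into a block, which is the false-positive trade-off the PL3/PL4 notes describe; the leak sample passes the request phase cleanly and is stopped on the outbound score alone.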