Nginx Performance Tuning and Security Hardening
Original article, about a 14-minute read
This article compares the ways of installing Nginx (building from source versus prebuilt packages) and explains how to set up the environment dependencies. It then walks through the build: installing dependencies, compiling and installing OpenSSL, and so on, and lists download links for commonly used modules.

Nginx Performance Tuning and Security Hardening in Practice
1. Installation Methods
1.1 Building from source
- Customizable: third-party modules can be added to extend Nginx
- Slow to install: the Nginx source and every module source must be compiled, which takes time
- Portable: a source build works across platforms (domestic Chinese Linux distributions, Debian, macOS, Red Hat)
1.2 Prebuilt packages
Offline rpm installation or online yum installation
- Not customizable: the built-in module set is fixed and nothing can be added
- Fast to install: no compilation, but dependencies must be handled (yum resolves them automatically)
- Not portable: a package is tied to one platform
2. Environment Dependencies
2.1 Configure the yum repository
Applies when the host machine can access the Internet
2.1.1 Configure an offline yum repository
Check the operating system version

```shell
cat /etc/system-release
```

Obtain the OS installation image
Option 1: ask the system administrator to provide it (recommended) and have it mounted at /media or uploaded to /root
Option 2: download it from http://192.168.131.211:8888/iso/
Upload and mount
Note: replace the path and file name. The command below effectively makes the contents of CentOS-7-x86_64-DVD-1511.iso available under /media

```shell
mount -o loop ~/CentOS-7-x86_64-DVD-1511.iso /media
```

Remove the existing yum repo files

```shell
rm -f /etc/yum.repos.d/*.repo
```

Create a new yum repo file (baseurl must point at the mount point used above)

```shell
cat >> /etc/yum.repos.d/c7.repo <<EOF
[c7repo]
name=c7repo
baseurl=file:///media
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
EOF
```
2.1.2 Configure the Aliyun yum repository
Configure DNS

```shell
echo "nameserver 114.114.114.114" >> /etc/resolv.conf
```

Remove the existing yum repo files

```shell
rm -f /etc/yum.repos.d/*.repo
```

Download the Aliyun repo files

```shell
# CentOS 6
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
curl -o /etc/yum.repos.d/epel-6.repo http://mirrors.aliyun.com/repo/epel-6.repo
# CentOS 7
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -o /etc/yum.repos.d/epel-7.repo http://mirrors.aliyun.com/repo/epel-7.repo
```

Rebuild the cache

```shell
yum clean all && yum makecache
```
3. Compiling and Installing
3.1 Install dependencies

```shell
yum install -y gcc perl* zlib-devel pcre-devel unzip zip
```

3.2 Compile and install OpenSSL
3.2.1 Download the latest OpenSSL release
3.2.2 Compile and install

```shell
# Extract and enter the source directory (assumes the GitHub release tarball,
# which unpacks to openssl-OpenSSL_<version>)
tar zxvf OpenSSL* && cd openssl-*
./config shared --openssldir=/usr/local/openssl --prefix=/usr/local/openssl
make && make install
# Register the new library directory with the dynamic linker (drop any stale entry first)
sed -i '/\/usr\/local\/openssl\/lib/d' /etc/ld.so.conf
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig -v
# Replace the system openssl binary with the newly built one
mv /usr/bin/openssl /usr/bin/openssl.old
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
cd -
openssl version
```
3.2.3 Download modules

module | purpose | link
---|---|---
ngx_devel_kit-0.3.0 | Nginx development kit | ngx_devel_kit
ngx_cache_purge-2.3 | HTTP request cache (purge) | ngx_cache_purge
headers-more-nginx | Modify HTTP headers | headers-more
naxsi | Security protection (WAF) | naxsi-0.56
nginx_upstream_check | Active health checks of upstream servers | nginx_upstream_check
lua | Scripting extension | lua-nginx-module
3.2.4 Compile and install LuaJIT
Download address
Compile and install

```shell
cd LuaJIT-2.0.5 && make -j2 && \
make install PREFIX=/usr/local/lj2 && \
export LUAJIT_LIB=/usr/local/lj2/lib && \
export LUAJIT_INC=/usr/local/lj2/include/luajit-2.0 && \
sed -i '/\/usr\/local\/lib/d' /etc/ld.so.conf && \
echo "/usr/local/lib" >> /etc/ld.so.conf && \
ldconfig && ln -s /usr/local/lj2/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2 && \
ln -s /usr/local/lj2/lib/libluajit-5.1.so.2 /lib/libluajit-5.1.so.2
```
3.3 Compile and install Nginx
3.3.1 Download Nginx
Latest stable release: http://nginx.org/download/nginx-1.16.1.tar.gz
3.3.2 Upload the source packages
The directory layout is as follows:

```
nginx
├── headers-more-nginx-module-0.33.tar.gz
├── lua-nginx-module-0.10.15.tar.gz
├── naxsi-0.56.tar.gz
├── nginx-1.16.1.tar.gz
├── nginx_upstream_check_module-0.3.0.tar.gz
├── ngx_cache_purge-2.3.tar.gz
└── ngx_devel_kit-0.3.1.tar.gz
```

3.3.3 Extract and configure

```shell
ls | xargs -n1 tar zxvf
cd nginx-1.16.1
# ngx_devel_kit is a dependency of lua-nginx-module and is listed before it
./configure --prefix=/opt/nginx --with-stream \
--with-stream_ssl_preread_module --with-stream_ssl_module \
--with-http_stub_status_module --with-http_ssl_module \
--with-http_gzip_static_module --with-pcre \
--add-module=../ngx_cache_purge-2.3 \
--add-module=../headers-more-nginx-module-0.33 \
--add-module=../naxsi-0.56/naxsi_src \
--add-module=../nginx_upstream_check_module-0.3.0 \
--add-module=../ngx_devel_kit-0.3.1 \
--add-module=../lua-nginx-module-0.10.15
```

3.3.4 Compile and install

```shell
make -j2 && make install
```

3.3.5 Vim syntax highlighting

```shell
# Run from the nginx-1.16.1 source directory; the syntax files ship under contrib/vim
mkdir -p ~/.vim && cp -r ./contrib/vim/* ~/.vim/
```
3.3.6 Configure as a system service

```shell
cat > /usr/lib/systemd/system/nginx.service <<EOF
[Unit]
Description=The nginx HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStartPre=/opt/nginx/sbin/nginx -t
ExecStart=/opt/nginx/sbin/nginx -c /opt/nginx/conf/nginx.conf
ExecReload=/opt/nginx/sbin/nginx -s reload
ExecStop=/opt/nginx/sbin/nginx -s stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
systemctl enable nginx.service --now
```
4. Configuration Tuning
4.1 Tuning nginx.conf
4.1.1 Create the user

```shell
useradd nginx -s /sbin/nologin -M
```

4.1.2 The nginx.conf file

```nginx
worker_processes auto;
user nginx;
worker_rlimit_nofile 409600;
events {
    use epoll;
    worker_connections 10240;
}
http {
    include mime.types;
    client_max_body_size 10m;
    client_body_buffer_size 128k;
    client_header_buffer_size 512k;
    large_client_header_buffers 4 512k;
    default_type application/octet-stream;
    # web security: naxsi core rules. Relative include paths resolve against the
    # conf directory, so this is /opt/nginx/conf/naxsi/naxsi_core.rules (see 5.3.2)
    include naxsi/naxsi_core.rules;
    # waf
    lua_package_path "/opt/nginx/conf/waf/?.lua";
    lua_shared_dict limit 10m;
    init_by_lua_file conf/waf/init.lua;
    access_by_lua_file conf/waf/access.lua;
    proxy_cache_path ../cache levels=1:2 keys_zone=cache:100m inactive=7d max_size=1000g;
    include conf.d/*.conf;
    # only log requests whose status is not 2xx/3xx
    map $status $error_codes {
        default 1;
        ~^[23]  0;
    }
    log_format main '"upstream_addr":"$upstream_addr" '
                    '"upstream_response_time":$upstream_response_time '
                    '"remote_addr":"$remote_addr" '
                    '"time_local":"$time_local" '
                    '"http status":$status '
                    '"http_referer":"$http_referer" '
                    '"http_user_agent":"$http_user_agent" '
                    '"http_x_forwarded_for":"$http_x_forwarded_for" '
                    '"request":"$request_uri" '
                    '"request_method":"$request_method" '
                    '"sessionid":"$cookie_SESSION" '
                    '"Host": "$http_host"';
    #access_log logs/access.log main;
    access_log logs/access.log main if=$error_codes;
    log_not_found off;
    # Efficient file transfer: sendfile tells Nginx to use the sendfile() call to
    # serve files. Keep it on for ordinary sites; for disk-I/O-heavy download
    # services it can be turned off to balance disk and network I/O and lower load.
    sendfile on;
    # Send all response headers in one packet instead of one at a time
    tcp_nopush on;
    # Do not buffer data; send it as soon as it is available. Use this when data
    # must go out promptly, since a small write is otherwise held back. Nginx
    # normally works in nopush mode, but with sendfile on the last packet of a
    # response switches nopush off; tcp_nodelay on avoids that ~200 ms delay.
    # So with sendfile on, enabling both tcp_nopush and tcp_nodelay is fine.
    tcp_nodelay on;
    charset utf-8;
    server_tokens off;
    more_set_headers "Server: Unknown";
    absolute_redirect off;
    gzip on;
    gzip_min_length 1k;
    gzip_comp_level 1;
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png application/vnd.ms-fontobject font/ttf font/opentype font/x-woff image/svg+xml;
    gzip_vary on;
    # Disable gzip for IE6 and earlier clients
    gzip_disable "MSIE [1-6]\.";
    gzip_buffers 32 4k;
    gzip_http_version 1.0;
    # keep-alive timeout in seconds
    keepalive_timeout 120;
    # Timeout for reading the request header, default 60. Once the connection is
    # established Nginx starts reading the header; if no bytes arrive from the
    # client within this interval the request times out and 408 (Request Timed Out)
    # is returned.
    client_header_timeout 60;
}
```
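As an added example that is not part of the original post, the following Python script parses lines written in the main log_format above and, because the access_log keeps only non-2xx/3xx requests, groups them by client to surface addresses that produce many 404s. The log lines are constructed here, and the function names, the 404 threshold and the "probing" label are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# One "key":value pair of the main log_format above. Values are either a
# quoted string (nginx escapes embedded quotes as \x22) or a bare token such
# as $status; a bare $upstream_response_time can contain ", " when several
# upstreams were tried, so a bare value runs up to the next "key": marker.
FIELD_RE = re.compile(
    r'"([^"]+)":\s*(?:"((?:[^"\\]|\\.)*)"|(.*?))(?=\s+"[^"]+":|\s*$)')


def parse_line(line):
    """Return the fields of one log line as a dict keyed by log_format name."""
    fields = {}
    for m in FIELD_RE.finditer(line.strip()):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def status_by_client(lines):
    """Map remote_addr -> Counter of the HTTP status codes logged for it."""
    out = defaultdict(Counter)
    for line in lines:
        f = parse_line(line)
        if "remote_addr" in f and "http status" in f:
            out[f["remote_addr"]][f["http status"]] += 1
    return out


def probing_clients(lines, min_404=3):
    """Addresses with at least min_404 logged 404s. Since the access_log holds
    only non-2xx/3xx lines, a burst of 404s from one address is a cheap
    signal of path enumeration that is worth reviewing (threshold assumed)."""
    return sorted(ip for ip, c in status_by_client(lines).items()
                  if c["404"] >= min_404)


def sample(ip, status, req, upstream="10.0.0.5:8080", rt="0.012"):
    """Build a constructed log line laid out exactly like log_format main."""
    return ('"upstream_addr":"%s" "upstream_response_time":%s '
            '"remote_addr":"%s" "time_local":"10/Oct/2019:12:00:01 +0800" '
            '"http status":%d "http_referer":"-" "http_user_agent":"Mozilla/5.0" '
            '"http_x_forwarded_for":"-" "request":"%s" "request_method":"GET" '
            '"sessionid":"-" "Host": "www.example.com"'
            % (upstream, rt, ip, status, req))


# Constructed sample input, not real traffic.
SAMPLE = [
    sample("203.0.113.7", 404, "/.git/config"),
    sample("203.0.113.7", 404, "/phpmyadmin/"),
    sample("203.0.113.7", 404, "/.env"),
    sample("198.51.100.9", 403, "/admin"),
    # two upstreams were tried: the bare values contain ", "
    sample("198.51.100.9", 502, "/api/orders",
           upstream="10.0.0.5:8080, 10.0.0.6:8080", rt="0.003, 0.001"),
]

if __name__ == "__main__":
    for ip, counts in status_by_client(SAMPLE).items():
        print(ip, dict(counts))
    print("probing:", probing_clients(SAMPLE))
```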
4.2 Configure logrotate
Rotate the log files:

```shell
# Run logrotate for nginx every day at midnight. logrotate is a binary, so it is
# invoked directly rather than through bash.
echo "0 0 * * * root /usr/sbin/logrotate -f /etc/logrotate.d/nginx" >> /etc/crontab
cat > /etc/logrotate.d/nginx <<EOF
/opt/nginx/logs/*.log {
    daily
    missingok
    rotate 90
    compress
    delaycompress
    notifempty
    create 644 root root
    sharedscripts
    minsize 500M
    dateext
    dateformat _%Y%m%d
    postrotate
        if [ -f /opt/nginx/logs/nginx.pid ]; then
            kill -USR1 \`cat /opt/nginx/logs/nginx.pid\`
        fi
    endscript
}
EOF
```
5. Security Hardening
5.1 WAF configuration
Adapted from ngx_lua_waf
5.1.1 Logic implementation
/opt/nginx/conf/waf/init.lua

```lua
require 'config'
local ngx_match = ngx.re.match
local unescape = ngx.unescape_uri
open_url_filter = true
open_logging = true

-- Append msg to a file (used by the debug and WAF logs below)
function write(file, msg)
    local fd = io.open(file, "ab")
    if fd == nil then return end
    fd:write(msg)
    fd:flush()
    fd:close()
end

-- Record a debug log entry
function record_debug_log(msg)
    if open_logging then
        local logfile = log_path .. '/' .. "debug.log"
        write(logfile, msg)
    end
end

-- Return true if value occurs in some line of tbl. This is a plain
-- substring search (so a rule line with trailing whitespace still
-- matches, but "example" would also match the line "example.com");
-- the original used a Lua pattern search, which raised an error when
-- the value contained pattern characters such as "(" or "%".
function tableFind(value, tbl)
    for _, v in ipairs(tbl) do
        if string.find(v, value, 1, true) ~= nil then
            return true
        end
    end
    return false
end

-- Read a rule file into a table, one rule per line
function read_rule(path, var)
    local file = assert(io.open(path .. var, 'r'))
    local result = {}
    for line in file:lines() do
        result[#result + 1] = line
    end
    file:close()
    return result
end

-- URL blacklist
local urlrules = read_rule(black_rule_path, 'url')
-- User-Agent blacklist
local bad_agents = read_rule(black_rule_path, 'user-agent')
-- args blacklist
local bad_args = read_rule(black_rule_path, 'args')
-- POST body blacklist
local postrules = read_rule(black_rule_path, 'post')
-- HTTP method whitelist
local valid_methods = read_rule(white_rule_path, 'method')
-- HTTP Host whitelist
local valid_hosts = read_rule(white_rule_path, 'host')
-- Referer whitelist
local valid_referers = read_rule(white_rule_path, 'referer')

-- Client IP. X-Real-IP / X-Forwarded-For are set by the client unless a
-- trusted proxy in front of this Nginx overwrites them, so the value is
-- only reliable behind such a proxy.
function get_client_ip()
    local headers = ngx.req.get_headers()
    local ip = headers["X-REAL-IP"] or headers["X_FORWARDED_FOR"] or ngx.var.remote_addr or "0.0.0.0"
    if type(ip) == "table" then ip = ip[1] end  -- header sent more than once
    return ip
end

-- Record a WAF log entry for a blocked request
function record_attack_log(identifier)
    if open_logging then
        local realIP = get_client_ip()
        -- these headers may be absent; never concatenate nil
        local agent = ngx.var.http_user_agent or "-"
        local host = ngx.var.http_host or "-"
        local time = ngx.localtime()
        local logformat = "-----" .. "\n" ..
            "ClientIP: " .. realIP .. "\n" ..
            "Host: " .. host .. "\n" ..
            "time: " .. time .. "\n" ..
            "uri: " .. ngx.var.request_uri .. "\n" ..
            "User-Agent: " .. agent .. "\n" ..
            "deny_rule: " .. identifier .. "\n" ..
            "-----" .. "\n"
        local logfile = log_path .. '/' .. "waf.log"
        write(logfile, logformat)
    end
end

-- Check that the HTTP method is whitelisted
function method_check(method)
    record_debug_log(method)
    if tableFind(method, valid_methods) == false then
        record_attack_log("BadHttpMethod")
        ngx.exit(405)
    end
end

-- Check an upload file extension against black_fileExt, a rule list that
-- the config in 5.1.2 does not define (the check is a no-op until it is
-- set); not called from access.lua in this setup
function fileExtCheck(ext)
    if not ext then return false end
    ext = string.lower(ext)
    for _, rule in ipairs(black_fileExt or {}) do
        if rule ~= "" and ngx_match(ext, rule, "isjo") then
            record_attack_log("file attack with ext " .. ext)
            return true
        end
    end
    return false
end

-- Extract the multipart boundary from the Content-Type header
function get_boundary()
    local header = ngx.req.get_headers()["content-type"]
    if not header then
        return nil
    end
    if type(header) == "table" then
        header = header[1]
    end
    local m = string.match(header, ";%s*boundary=\"([^\"]+)\"")
    if m then
        return m
    end
    return string.match(header, ";%s*boundary=([^\",;]+)")
end

-- Check the request URI against the URL blacklist
function url_check()
    if open_url_filter then
        for _, rule in pairs(urlrules) do
            if rule ~= "" and ngx_match(ngx.var.request_uri, rule, "isjo") then
                record_attack_log("BadUrl")
                -- ngx.redirect("/deny")
                ngx.exit(402)
                return true
            end
        end
    end
    return false
end

-- Check that the Host header is whitelisted (a missing Host is rejected)
function host_check(host)
    if host == nil or tableFind(host, valid_hosts) == false then
        record_attack_log("BadHost")
        ngx.exit(444)
    end
end

-- Check the Referer: a referer on the request's own host passes, any
-- other must be whitelisted
function referer_check(refer, host)
    -- plain find: host is a literal, not a Lua pattern
    if refer ~= nil and (host == nil or string.find(refer, host, 1, true) == nil) then
        if tableFind(refer, valid_referers) == false then
            record_attack_log("BadRefer")
            ngx.exit(444)
        end
    end
end

-- Check the User-Agent against the blacklist
function agent_check(user_agent)
    if user_agent ~= nil then
        for _, rule in pairs(bad_agents) do
            if rule ~= "" and ngx_match(user_agent, rule, "isjo") then
                record_attack_log("BadAgent")
                ngx.exit(402)
            end
        end
    end
end

-- Check every query argument value against the args blacklist. get_uri_args
-- decodes each value once and unescape decodes it again, so a value that
-- was percent-encoded twice is inspected in fully decoded form.
function args_check()
    local args = ngx.req.get_uri_args()
    for key, val in pairs(args) do
        local data
        if type(val) == 'table' then
            -- repeated argument: join its values with a space
            local t = {}
            for _, v in pairs(val) do
                if v == true then
                    v = ""
                end
                table.insert(t, v)
            end
            data = table.concat(t, " ")
        else
            data = val
        end
        if data and type(data) ~= "boolean" then
            local decoded = unescape(data)
            for _, rule in pairs(bad_args) do
                if rule ~= "" and ngx_match(decoded, rule, "isjo") then
                    record_attack_log("BadArgs")
                    ngx.exit(402)
                end
            end
        end
    end
end

-- A POST whose Content-Length is 0 is treated as an attack
function analysis_body()
    if ngx.var.request_method == "POST" then
        local content_length = tonumber(ngx.req.get_headers()['content-length'])
        if content_length == 0 then
            record_attack_log("空body")
            ngx.exit(402)
        end
    end
end

-- Check the request body against the POST blacklist and block with 402
-- like the other checks. When no data is passed in, the body is read here;
-- get_body_data returns nil if the body was buffered to a temp file
-- (larger than client_body_buffer_size), in which case nothing is inspected.
function body_check(data)
    if data == nil then
        ngx.req.read_body()
        data = ngx.req.get_body_data()
    end
    if data == nil or data == "" then
        return false
    end
    local decoded = unescape(data)
    for _, rule in pairs(postrules) do
        if rule ~= "" and ngx_match(decoded, rule, "isjo") then
            record_attack_log("BadBody")
            ngx.exit(402)
            return true
        end
    end
    return false
end
```
5.1.2 Configuration file
/opt/nginx/conf/waf/config.lua

```lua
-- master switch for the WAF
open_waf=true
-- per-check switches (open_check_agrs is spelled this way in access.lua too; the names must match)
open_check_url=true
open_check_agrs=false
open_check_host=false
open_check_referer=false
open_check_agent=false
open_check_method=false
open_check_body=false
-- rule file locations: white/ holds the method, host and referer whitelists,
-- black/ holds the url, user-agent, args and post blacklists
white_rule_path="/opt/nginx/conf/waf/white/"
black_rule_path="/opt/nginx/conf/waf/black/"
log_path="/opt/nginx/logs/"
open_logging=true
```
5.1.3 Access control
/opt/nginx/conf/waf/access.lua

```lua
local request_method = ngx.var.request_method
local request_uri = ngx.var.request_uri
local host = ngx.var.http_host
local referer = ngx.var.http_referer
local user_agent = ngx.var.http_user_agent

-- Only run the checks when the WAF is enabled
if open_waf == true then
    -- Host validity check
    if open_check_host == true then
        host_check(host)
    end
    -- method validity check
    if open_check_method == true then
        method_check(request_method)
    end
    -- url validity check
    if open_check_url == true then
        url_check()
    end
    -- referer validity check
    if open_check_referer == true then
        referer_check(referer, host)
    end
    -- agent validity check
    if open_check_agent == true then
        agent_check(user_agent)
    end
    -- args validity check
    if open_check_agrs == true then
        args_check()
    end
    -- body validity check: body_check expects the body as its argument,
    -- so read it here and block if a rule matched
    if open_check_body == true then
        ngx.req.read_body()
        if body_check(ngx.req.get_body_data() or "") then
            ngx.exit(402)
        end
    end
    analysis_body()
end
```
5.2 WAF blacklists
5.2.1 args blacklist
/opt/nginx/conf/black/args

```
\.\./
\:\$
\$\{
select.+(from|limit)
(?:(union(.*?)select))
having|rongjitest
sleep\((\s*)(\d*)(\s*)\)
benchmark\((.*)\,(.*)\)
base64_decode\(
(?:from\W+information_schema\W)
(?:(?:current_)user|database|schema|connection_id)\s*\(
(?:etc\/\W*passwd)
into(\s+)+(?:dump|out)file\s*
group\s+by.+\(
xwork.MethodAccessor
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
xwork\.MethodAccessor
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
java\.lang
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
(onmouseover|onerror|onload)\=
```

5.2.2 cookie blacklist
/opt/nginx/conf/black/cookie

```
\.\./
\:\$
\$\{
select.+(from|limit)
(?:(union(.*?)select))
having|rongjitest
sleep\((\s*)(\d*)(\s*)\)
benchmark\((.*)\,(.*)\)
base64_decode\(
(?:from\W+information_schema\W)
(?:(?:current_)user|database|schema|connection_id)\s*\(
(?:etc\/\W*passwd)
into(\s+)+(?:dump|out)file\s*
group\s+by.+\(
xwork.MethodAccessor
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
xwork\.MethodAccessor
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
java\.lang
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
(onmouseover|onerror|onload)\=
```

5.2.3 post blacklist
/opt/nginx/conf/black/post

```
select.+(from|limit)
(?:(union(.*?)select))
having|rongjitest
sleep\((\s*)(\d*)(\s*)\)
benchmark\((.*)\,(.*)\)
base64_decode\(
(?:from\W+information_schema\W)
(?:(?:current_)user|database|schema|connection_id)\s*\(
(?:etc\/\W*passwd)
into(\s+)+(?:dump|out)file\s*
group\s+by.+\(
xwork.MethodAccessor
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
xwork\.MethodAccessor
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
java\.lang
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
(onmouseover|onerror|onload)\=
```

5.2.4 url blacklist
/opt/nginx/conf/black/url

```
\.(git)
.(htaccess|htgroup)$
info$
(phpmyadmin|jmx-console|jmxinvokerservlet)
java\.lang
health$
```

5.2.5 user-agent blacklist
/opt/nginx/conf/black/user-agent

```
(HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench|YisouSpider|ApacheBench|WebBench|Jmeter|JoeDog|Havij|GetRight|TurnitinBot|GrabNet|masscan|mail2000|github|wget|curl|Java|python SF/)
```
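To see what the url and args blacklists above actually match when evaluated the way url_check and args_check in init.lua (5.1.1) evaluate them, here is an added Python harness that is not part of the original post or of ngx_lua_waf. It embeds a subset of the page's rules verbatim and runs them over constructed requests, two of which are ordinary requests that the unanchored, substring-style rules nonetheless block; the request samples and the function names are this example's own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# A subset of the rule files above, copied verbatim. init.lua runs each line
# as ngx.re.match(value, rule, "isjo"): unanchored, case-insensitive, with
# "." also matching newlines, which is re.search with re.I | re.S here.
URL_RULES = [r"\.(git)", r".(htaccess|htgroup)$", r"info$",
             r"(phpmyadmin|jmx-console|jmxinvokerservlet)", r"health$"]
ARGS_RULES = [r"\.\./", r"select.+(from|limit)", r"(?:(union(.*?)select))",
              r"having|rongjitest", r"(?:etc\/\W*passwd)",
              r"\<(iframe|script|body|img|layer|div|meta|style|base|object|input)",
              r"(onmouseover|onerror|onload)\="]


def compile_rules(rules):
    """Skip blank lines exactly as the Lua loops do (rule ~= "")."""
    return [(r, re.compile(r, re.I | re.S)) for r in rules if r != ""]


URL_COMPILED = compile_rules(URL_RULES)
ARGS_COMPILED = compile_rules(ARGS_RULES)


def url_check(request_uri):
    """Mirror of url_check: the first URL rule matching $request_uri
    (path and query string together), or None."""
    for rule, rx in URL_COMPILED:
        if rx.search(request_uri):
            return rule
    return None


def args_check(request_uri):
    """Mirror of args_check: rules run on each argument value. get_uri_args
    decodes a value once and unescape decodes it again, so this decodes
    twice as well; repeated keys are joined with a space as in the Lua."""
    args = parse_qs(urlsplit(request_uri).query, keep_blank_values=True)
    for key, values in args.items():
        data = unquote(" ".join(values))
        for rule, rx in ARGS_COMPILED:
            if rx.search(data):
                return key, rule
    return None


def classify(request_uri):
    """Apply the checks in the order access.lua calls them."""
    hit = url_check(request_uri)
    if hit:
        return ("BadUrl", hit)
    hit = args_check(request_uri)
    if hit:
        return ("BadArgs", "%s: %s" % hit)
    return ("pass", None)


# Constructed requests, not real traffic.
SAMPLE_REQUESTS = [
    "/.git/config",                                    # blocked as intended
    "/search?q=union%20select%20name%20from%20users",  # blocked as intended
    "/api/user/info",       # ordinary endpoint, blocked: "info$" is unanchored at the start
    "/items?sort=behaving", # ordinary value, blocked: "having" matches as a substring
    "/index.html?page=2",   # passes
]

if __name__ == "__main__":
    for uri in SAMPLE_REQUESTS:
        print("%-48s %s" % (uri, classify(uri)))
```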
5.3 naxsi configuration
5.3.1 naxsi blocking rules
/opt/nginx/conf/naxsi/naxsi.rules

```
#LearningMode;
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";
## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
```

5.3.2 Built-in rules
/opt/nginx/conf/naxsi/naxsi_core.rules

```
##################################
## INTERNAL RULES IDS:1-999 ##
##################################
#@MainRule "msg:weird request, unable to parse" id:1;
#@MainRule "msg:request too big, stored on disk and not parsed" id:2;
#@MainRule "msg:invalid hex encoding, null bytes" id:10;
#@MainRule "msg:unknown content-type" id:11;
#@MainRule "msg:invalid formatted url" id:12;
#@MainRule "msg:invalid POST format" id:13;
#@MainRule "msg:invalid POST boundary" id:14;
#@MainRule "msg:invalid JSON" id:15;
#@MainRule "msg:empty POST" id:16;
#@MainRule "msg:libinjection_sql" id:17;
#@MainRule "msg:libinjection_xss" id:18;
##################################
## SQL Injections IDs:1000-1099 ##
##################################
MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
MainRule "str:\"" "msg:double quote" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
MainRule "str:0x" "msg:0x, possible hex encoding" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
## Hardcore rules
MainRule "str:/*" "msg:mysql comment (/*)" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
MainRule "str:*/" "msg:mysql comment (*/)" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
MainRule "str:|" "msg:mysql keyword (|)" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
MainRule "str:&&" "msg:mysql keyword (&&)" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
## end of hardcore rules
MainRule "str:--" "msg:mysql comment (--)" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
MainRule "str:;" "msg:semicolon" "mz:URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
MainRule "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS" "s:$SQL:2" id:1009;
MainRule "str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
MainRule "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
MainRule "str:'" "msg:simple quote" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
#MainRule "str:," "msg:comma" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
MainRule "str:#" "msg:mysql comment (#)" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;
MainRule "str:@@" "msg:double arobase (@@)" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1017;
###############################
## OBVIOUS RFI IDs:1100-1199 ##
###############################
MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104;
MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105;
MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106;
MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107;
MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108;
MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109;
MainRule "str:gopher://" "msg:gopher:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1110;
#######################################
## Directory traversal IDs:1200-1299 ##
#######################################
MainRule "str:.." "msg:double dot" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
#MainRule "str:/" "msg:slash in args" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;
########################################
## Cross Site Scripting IDs:1300-1399 ##
########################################
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
MainRule "str:[" "msg:open square backet ([), possible js" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
MainRule "str:]" "msg:close square bracket (]), possible js" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
MainRule "str:~" "msg:tilde (~) character" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
MainRule "str:`" "msg:grave accent (`)" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
MainRule "rx:%[23]." "msg:double encoding" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
####################################
## Evading tricks IDs: 1400-1500 ##
####################################
MainRule "str:&#" "msg:utf7/8 encoding" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
MainRule "str:%U" "msg:M$ encoding" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
#############################
## File uploads: 1500-1600 ##
#############################
MainRule "rx:\.ph|\.asp|\.ht" "msg:asp/php file upload" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;
```
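As an added illustration that is not part of the original post or of naxsi itself, the following Python script models how naxsi turns the MainRule lines above into the $SQL/$XSS scores that the two CheckRule lines in 5.3.1 act on: each rule adds its scores once per inspected string of a matching zone, and a request is blocked when any score reaches its CheckRule threshold. The rule subset is copied from the page; the request samples, the zone model (values only, no argument names) and the per-string scoring simplification are this example's assumptions.

```python
import re

# MainRule lines copied from the naxsi_core.rules above (a subset).
CORE_RULES = r'''
MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
MainRule "str:\"" "msg:double quote" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
MainRule "str:--" "msg:mysql comment (--)" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
MainRule "str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
MainRule "str:'" "msg:simple quote" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
'''
# From naxsi.rules above: CheckRule "$SQL >= 8" BLOCK; CheckRule "$XSS >= 8" BLOCK;
CHECK_RULES = {"$SQL": 8, "$XSS": 8}

RULE_RE = re.compile(r'MainRule "(str|rx):((?:[^"\\]|\\.)*)" "msg:([^"]*)" '
                     r'"mz:([^"]*)" "s:([^"]*)" id:(\d+);')

def parse_rules(text):
    """Turn MainRule lines into dicts: id, kind, pattern, msg, zones, scores."""
    rules = []
    for m in RULE_RE.finditer(text):
        kind, pattern, msg, mz, s, rid = m.groups()
        # "$HEADERS_VAR:Cookie" is modelled as a zone named "Cookie"
        zones = [z.split(":")[-1] for z in mz.split("|")]
        scores = {p.rpartition(":")[0]: int(p.rpartition(":")[2]) for p in s.split(",")}
        rules.append({"id": int(rid), "kind": kind, "msg": msg, "zones": zones,
                      "pattern": pattern.replace('\\"', '"'), "scores": scores})
    return rules

def rule_matches(rule, value):
    """str rules: case-insensitive substring; rx rules: case-insensitive regex."""
    if rule["kind"] == "str":
        return rule["pattern"].lower() in value.lower()
    return re.search(rule["pattern"], value, re.I) is not None

def score_request(request, rules):
    """request maps zone -> strings to inspect. Each rule adds its scores once
    per inspected string it matches (a simplification of naxsi's bookkeeping).
    Returns the accumulated scores and the (rule id, zone) pairs that fired."""
    scores, hits = {}, []
    for rule in rules:
        for zone in rule["zones"]:
            for value in request.get(zone, []):
                if rule_matches(rule, value):
                    hits.append((rule["id"], zone))
                    for name, pts in rule["scores"].items():
                        scores[name] = scores.get(name, 0) + pts
    return scores, hits

def decide(scores):
    """BLOCK once any CheckRule threshold is reached, otherwise PASS."""
    if any(scores.get(n, 0) >= t for n, t in CHECK_RULES.items()):
        return "BLOCK"
    return "PASS"

RULES = parse_rules(CORE_RULES)
# Constructed requests (zone -> inspected strings), not real traffic.
SAMPLES = {
    "plain search":  {"URL": ["/search"], "ARGS": ["letters from home"]},   # $SQL 4: passes
    "apostrophe":    {"URL": ["/search"], "ARGS": ["tom's"]},               # $XSS 8: blocked
    "quote+comment": {"URL": ["/search"], "ARGS": ["o'neil -- see note"]},  # $SQL 8: blocked
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        scores, hits = score_request(req, RULES)
        print("%-14s %-5s %s hits=%s" % (name, decide(scores), scores, hits))
```

The second sample is the practical lesson: a single apostrophe in an ordinary value already reaches $XSS 8, which is why naxsi is normally run in LearningMode first and whitelists are generated from real traffic before BLOCK is enabled.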
6. Summary