Description: Skips one or more rules (or chains) on a successful match, resuming rule execution with the first rule that follows the rule (or the marker created by SecMarker) carrying the provided ID.


Action Group: Flow


Example: The following rules implement the same logic as the skip example, but using skipAfter:


# Require the Accept header, but not from localhost

SecRule REMOTE_ADDR "^127\.0\.0\.1$" "phase:1,id:143,skipAfter:IGNORE_LOCALHOST"


# This rule will be skipped over when REMOTE_ADDR is 127.0.0.1

SecRule &REQUEST_HEADERS:Accept "@eq 0" "phase:1,deny,id:144,msg:'Request Missing an Accept Header'"

SecMarker IGNORE_LOCALHOST


Example from the OWASP ModSecurity CRS:


SecMarker BEGIN_HOST_CHECK

SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "skipAfter:END_HOST_CHECK,phase:2,rev:'2.1.3',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21', \
    tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score}, \
    setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecRule REQUEST_HEADERS:Host "^$" \
    "phase:2,rev:'2.1.3',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7', \
    tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score}, \
    setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecMarker END_HOST_CHECK


Note: the skipAfter action only operates within the current processing phase, which is not necessarily the order in which the rules appear in the configuration file. Rules are executed in phase order first and only then in configuration-file order. If you place a phase 2 rule after a phase 1 rule that uses skipAfter, the phase 2 rule will not be skipped over; the skip jumps over the phase 1 rules that follow it within that phase, up to and including the rule or marker with the target ID.
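To make the two points above concrete (the localhost example and the phase-scoping note), here is a small Python simulation of the skipAfter flow semantics. It is an added illustration written for this page, not ModSecurity's engine code or the CRS. It assumes that rules run in phase order and then file order, that a SecMarker is visible in every phase, that the rule or marker carrying the target ID is itself skipped, and that if the target is never found the rest of the phase is skipped (the last two points are the simulator's assumptions, not stated on this page). Rule IDs 1000-1003 and the marker PAST_CHECKS are hypothetical; 143/144 and IGNORE_LOCALHOST come from the example above.

```python
"""Simulation of ModSecurity skipAfter flow control (added example, not engine code).

Rules are evaluated phase by phase (1..5); within a phase, in file order.
skipAfter only jumps within the phase the matching rule runs in.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A transaction is modelled as a plain dict of request data (constructed sample).
Tx = Dict[str, str]


@dataclass
class Rule:
    id: str
    phase: int
    match: Callable[[Tx], bool]
    actions: Dict[str, object] = field(default_factory=dict)  # {"deny": True} / {"skipAfter": "X"}
    marker: bool = False  # SecMarker: never matches; present in every phase (assumption)


def SecMarker(name: str) -> Rule:
    """Marker rule that does nothing except carry an ID a skipAfter can target."""
    return Rule(id=name, phase=0, match=lambda tx: False, marker=True)


def run_rules(rules: List[Rule], tx: Tx) -> Tuple[List[str], str]:
    """Return (IDs of rules that matched, in execution order; final disposition)."""
    fired: List[str] = []
    for phase in range(1, 6):
        # Markers appear in every phase; ordinary rules only in their own phase.
        phase_rules = [r for r in rules if r.marker or r.phase == phase]
        skip_after: Optional[str] = None  # reset per phase: a skip never carries over
        for r in phase_rules:
            if skip_after is not None:
                # Still skipping. The rule/marker with the target ID is skipped too;
                # execution resumes with whatever follows it in this phase.
                if r.id == skip_after:
                    skip_after = None
                continue
            if r.marker or not r.match(tx):
                continue
            fired.append(r.id)
            if r.actions.get("deny"):
                return fired, "deny"
            if "skipAfter" in r.actions:
                skip_after = str(r.actions["skipAfter"])
        # If the target was never found, the remaining rules of this phase were skipped.
    return fired, "pass"


# The page's localhost example, expressed as simulated rules.
LOCALHOST_RULES = [
    Rule("143", 1, lambda tx: tx.get("REMOTE_ADDR") == "127.0.0.1",
         {"skipAfter": "IGNORE_LOCALHOST"}),
    Rule("144", 1, lambda tx: "Accept" not in tx, {"deny": True}),
    SecMarker("IGNORE_LOCALHOST"),
]

# Constructed rule set for the phase note: a phase 2 rule sits between a
# phase 1 skipAfter rule and its marker. IDs 1000-1003 and PAST_CHECKS are hypothetical.
PHASE_RULES = [
    Rule("1000", 1, lambda tx: True, {"skipAfter": "PAST_CHECKS"}),
    Rule("1001", 1, lambda tx: True),   # phase 1, before the marker: skipped
    Rule("1002", 2, lambda tx: True),   # phase 2: not skipped, runs when phase 2 starts
    SecMarker("PAST_CHECKS"),
    Rule("1003", 1, lambda tx: True),   # phase 1, after the marker: runs
]


def localhost_without_accept() -> Tuple[List[str], str]:
    return run_rules(LOCALHOST_RULES, {"REMOTE_ADDR": "127.0.0.1"})


def remote_without_accept() -> Tuple[List[str], str]:
    return run_rules(LOCALHOST_RULES, {"REMOTE_ADDR": "203.0.113.5"})


def remote_with_accept() -> Tuple[List[str], str]:
    return run_rules(LOCALHOST_RULES, {"REMOTE_ADDR": "203.0.113.5", "Accept": "*/*"})


def phase_note() -> Tuple[List[str], str]:
    return run_rules(PHASE_RULES, {"REMOTE_ADDR": "203.0.113.5"})


if __name__ == "__main__":
    print("localhost, no Accept:", localhost_without_accept())
    print("remote, no Accept:   ", remote_without_accept())
    print("remote, Accept:      ", remote_with_accept())
    print("phase note:          ", phase_note())
```

Running it shows rule 144 being skipped for 127.0.0.1 but denying a remote client without an Accept header, and, for the phase note, rule 1002 still firing even though it sits between the skipAfter rule and its marker: it runs in phase 2, after phase 1 has already finished with rule 1003.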


