Azure 应用程序网关 Web 应用程序防火墙(WAF)中的 Azure 托管 的默认规则集(DRS) 可保护 Web 应用程序免受常见漏洞和攻击,包括 OWASP 前 10 种攻击类型。 默认规则集还包含 Microsoft 威胁情报收集规则。 建议始终运行 最新的规则集版本,其中包括最新的安全更新、规则增强和修补程序。
Azure 托管的默认规则集(DRS)是 Azure WAF 中最新一代的规则集,取代了以前的所有核心规则集(CRS)版本。 在 DRS 版本中,始终使用最高可用版本(例如,发布时 DRS 2.2),以确保拥有最 up-to日期保护。
本文提供了将 Azure WAF 策略升级到 DRS 2.1 的 PowerShell 示例。 虽然示例专门引用 DRS 2.1,但应始终升级到最新的可用 DRS 版本,以确保获得最大保护。
注释
PowerShell 代码片段只是示例。 将所有占位符替换为环境中的值。
先决条件
拥有有效订阅的 Azure 帐户。 创建账户。
应用了核心规则集(CRS)或默认规则集(DRS)的现有 Azure WAF 策略。 如果还没有 WAF 策略,请参阅 为应用程序网关创建 Web 应用程序防火墙策略。
升级时的重要注意事项
升级 Azure WAF 规则集版本时,请确保:
保留现有自定义项:执行规则作替代、规则状态(已启用/禁用)替代和排除项。
安全地验证新规则:确保新添加的规则最初设置为 日志模式,以便在启用阻止之前监视其影响并微调它们。
准备环境和变量
设置所选订阅、资源组和 Azure WAF 策略的上下文。
Import-Module Az.Network Set-AzContext -SubscriptionId "<subscription_id>" $resourceGroupName = "<resource_group>" $wafPolicyName = "<policy_name>"获取 WAF 策略对象并检索其定义。
$wafPolicy = Get-AzApplicationGatewayFirewallPolicy ` -Name $wafPolicyName ` -ResourceGroupName $resourceGroupName $currentExclusions = $wafPolicy.ManagedRules.Exclusions $currentManagedRuleset = $wafPolicy.ManagedRules.ManagedRuleSets | Where-Object { $_.RuleSetType -eq "OWASP" } $currentVersion = $currentManagedRuleset.RuleSetVersion
保留现有自定义项
不要复制应用于 DRS 2.1 中删除的规则的替代或排除项。 以下函数检查规则是否已删除:
function Test-RuleIsRemovedFromDRS21 { param ( [string]$RuleId, [string]$CurrentRulesetVersion ) $removedRulesByCrsVersion = @{ "3.0" = @( "200004", "913100", "913101", "913102", "913110", "913120", "920130", "920140", "920250", "921100", "800100", "800110", "800111", "800112", "800113" ) "3.1" = @( "200004", "913100", "913101", "913102", "913110", "913120", "920130", "920140", "920250", "800100", "800110", "800111", "800112", "800113", "800114" ) "3.2" = @( "200004", "913100", "913101", "913102", "913110", "913120", "920250", "800100", "800110", "800111", "800112", "800113", "800114" ) } # If the version isn't known, assume rule has not been removed if (-not $removedRulesByCrsVersion.ContainsKey($CurrentRulesetVersion)) { return $false } return $removedRulesByCrsVersion[$CurrentRulesetVersion] -contains $RuleId }创建新的替代对象时,请使用 DRS 2.1 组名称。 以下函数将旧的 CRS 组名称映射到 DRS 2.1 组:
function Get-DrsRuleGroupName { param ( [Parameter(Mandatory = $true)] [string]$SourceGroupName ) $groupMap = @{ "REQUEST-930-APPLICATION-ATTACK-LFI" = "LFI" "REQUEST-931-APPLICATION-ATTACK-RFI" = "RFI" "REQUEST-932-APPLICATION-ATTACK-RCE" = "RCE" "REQUEST-933-APPLICATION-ATTACK-PHP" = "PHP" "REQUEST-941-APPLICATION-ATTACK-XSS" = "XSS" "REQUEST-942-APPLICATION-ATTACK-SQLI" = "SQLI" "REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" = "FIX" "REQUEST-944-APPLICATION-ATTACK-JAVA" = "JAVA" "REQUEST-921-PROTOCOL-ATTACK" = "PROTOCOL-ATTACK" "REQUEST-911-METHOD-ENFORCEMENT" = "METHOD-ENFORCEMENT" "REQUEST-920-PROTOCOL-ENFORCEMENT" = "PROTOCOL-ENFORCEMENT" "REQUEST-913-SCANNER-DETECTION" = $null # No direct mapping "Known-CVEs" = "MS-ThreatIntel-CVEs" "General" = "General" } if ($groupMap.ContainsKey($SourceGroupName)) { return $groupMap[$SourceGroupName] } else { return $SourceGroupName # No known mapping } }使用以下 PowerShell 代码定义规则的替代,从现有规则集版本复制替代:
$groupOverrides = @() foreach ($group in $currentManagedRuleset.RuleGroupOverrides) { $mappedGroupName = Get-DrsRuleGroupName $group.RuleGroupName foreach ($existingRule in $group.Rules) { if (-not (Test-RuleIsRemovedFromDRS21 $existingRule.RuleId $currentVersion)) { `$existingGroup = $groupOverrides | Where-Object { $_.RuleGroupName -eq $mappedGroupName } if ($existingGroup) { if (-not ($existingGroup.Rules | Where-Object { $_.RuleId -eq $existingRule.RuleId })) { $existingGroup.Rules.Add($existingRule) } } else { $newGroup = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride ` -RuleGroupName $mappedGroupName ` -Rule @($existingRule) $groupOverrides += $newGroup } } } }使用以下 PowerShell 代码复制现有排除项,并将其应用于 DRS 2.1:
# Create new exclusion objects $newRuleSetExclusions = @() if ($currentExclusions -ne $null -and $currentExclusions.Count -gt 0) { foreach ($exclusion in $currentExclusions) { $newExclusion = New-AzApplicationGatewayFirewallPolicyExclusion ` -MatchVariable $exclusion.MatchVariable ` -SelectorMatchOperator $exclusion.SelectorMatchOperator ` -Selector $exclusion.Selector # Migrate scopes: RuleSet, RuleGroup, or individual Rules if ($exclusion.ExclusionManagedRuleSets) { foreach ($scope in $exclusion.ExclusionManagedRuleSets) { # Create RuleGroup objects from existing RuleGroups $ruleGroups = @() foreach ($group in $scope.RuleGroups) { $drsGroupName = Get-DrsRuleGroupName $group.RuleGroupName if ($drsGroupName) { $exclusionRules = @() foreach ($rule in $group.Rules) { if (-not (Test-RuleIsRemovedFromDRS21 $rule.RuleId "3.2")) { $exclusionRules += New-AzApplicationGatewayFirewallPolicyExclusionManagedRule ` -RuleId $rule.RuleId } } if ($exclusionRules -ne $null -and $exclusionRules.Count -gt 0) { $ruleGroups += New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleGroup ` -Name $drsGroupName ` -Rule $exclusionRules } else { $ruleGroups += New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleGroup ` -Name $drsGroupName } } } # Create the ManagedRuleSet scope object with the updated RuleGroups if ($ruleGroups.Count -gt 0) { $newRuleSetScope = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleSet ` -Type "Microsoft_DefaultRuleSet" ` -Version "2.1" ` -RuleGroup $ruleGroups } # Add to the new exclusion object $newExclusion.ExclusionManagedRuleSets += $newRuleSetScope } } if (-not $newExclusion.ExclusionManagedRuleSets) { $newExclusion.ExclusionManagedRuleSets = @() } $newRuleSetExclusions += $newExclusion } }
安全地验证新规则
升级时,新的 DRS 2.1 规则默认处于活动状态。 如果 WAF 处于 预防 模式,请先将新规则设置为 日志 模式。 日志模式允许在启用阻止之前查看日志。
以下 PowerShell 定义适用于 DRS 2.1 中引入的规则,与每个 CRS 版本相比:
# Added in DRS 2.1 compared to CRS 3.0 $rulesAddedInThisVersionByGroup = @{ "General" = @("200002", "200003") "PROTOCOL-ENFORCEMENT" = @("920121", "920171", "920181", "920341", "920470", "920480", "920500") "PROTOCOL-ATTACK" = @("921190", "921200") "RCE" = @("932180") "PHP" = @("933200", "933210") "NODEJS" = @("934100") "XSS" = @("941101", "941360", "941370", "941380") "SQLI" = @("942361", "942470", "942480", "942500", "942510") "JAVA" = @("944100", "944110", "944120", "944130", "944200", "944210", "944240", "944250") "MS-ThreatIntel-WebShells" = @("99005002", "99005003", "99005004", "99005005", "99005006") "MS-ThreatIntel-AppSec" = @("99030001", "99030002") "MS-ThreatIntel-SQLI" = @("99031001", "99031002", "99031003", "99031004") "MS-ThreatIntel-CVEs" = @( "99001001","99001002","99001003","99001004","99001005","99001006", "99001007","99001008","99001009","99001010","99001011","99001012", "99001013","99001014","99001015","99001016","99001017" ) }# Added in DRS 2.1 compared to CRS 3.1 $rulesAddedInThisVersionByGroup = @{ "General" = @("200002", "200003") "PROTOCOL-ENFORCEMENT" = @("920181", "920500") "PROTOCOL-ATTACK" = @("921190", "921200") "PHP" = @("933200", "933210") "NODEJS" = @("934100") "XSS" = @("941360", "941370", "941380") "SQLI" = @("942500", "942510") "MS-ThreatIntel-WebShells" = @("99005002", "99005003", "99005004", "99005005", "99005006") "MS-ThreatIntel-AppSec" = @("99030001", "99030002") "MS-ThreatIntel-SQLI" = @("99031001", "99031002", "99031003", "99031004") "MS-ThreatIntel-CVEs" = @( "99001001","99001002","99001003","99001004","99001005","99001006", "99001007","99001008","99001009","99001010","99001011","99001012", "99001013","99001014","99001015","99001016","99001017" ) }# Added in DRS 2.1 compared to CRS 3.2 $rulesAddedInThisVersionByGroup = @{ "General" = @("200002", "200003") "PROTOCOL-ENFORCEMENT" = @("920181", "920500") "PROTOCOL-ATTACK" = @("921190", "921200") "PHP" = @("933200", "933210") "NODEJS" = @("934100") "XSS" = @("941360", "941370", "941380") "SQLI" = @("942100", "942500", "942510") "MS-ThreatIntel-WebShells" = @("99005002", "99005003", "99005004", "99005005", "99005006") "MS-ThreatIntel-AppSec" = @("99030001", "99030002") "MS-ThreatIntel-SQLI" = @("99031001", "99031002", "99031003", "99031004") "MS-ThreatIntel-CVEs" = @( "99001001","99001002","99001003","99001004","99001005","99001006", "99001007","99001008","99001009","99001010","99001011","99001012", "99001013","99001014","99001015","99001016","99001017" ) }使用以下 PowerShell 代码向前面定义的现有
$groupOverrides对象添加新的规则替代:foreach ($groupName in $rulesAddedInDRS21.Keys) { $ruleOverrides = @() foreach ($ruleId in $rulesAddedInDRS21[$groupName]) { $alreadyExists = $existingOverrides | Where-Object { $_.RuleId -eq $ruleId } if (-not $alreadyExists) { $ruleOverrides += New-AzApplicationGatewayFirewallPolicyManagedRuleOverride ` -RuleId $ruleId ` -Action "Log" ` -State "Enabled" } } # Only create group override if we added rules to it if ($ruleOverrides.Count -gt 0) { $groupOverrides += New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride ` -RuleGroupName $groupName ` -Rule $ruleOverrides } }
应用自定义和升级
定义更新的 Azure WAF 策略对象,并包含重复和更新的规则替代和排除项:
$managedRuleSet = New-AzApplicationGatewayFirewallPolicyManagedRuleSet `
-RuleSetType "Microsoft_DefaultRuleSet" `
-RuleSetVersion "2.1" `
-RuleGroupOverride $groupOverrides
for ($i = 0; $i -lt $wafPolicy.ManagedRules.ManagedRuleSets.Count; $i++) {
if ($wafPolicy.ManagedRules.ManagedRuleSets[$i].RuleSetType -eq "OWASP") {
$wafPolicy.ManagedRules.ManagedRuleSets[$i] = $managedRuleSet
break
}
}
# Assign to policy
if ($newRuleSetExclusions) {
$wafPolicy.ManagedRules.Exclusions = $currentExclusions + $newRuleSetExclusions
}
# Apply the updated WAF policy
Set-AzApplicationGatewayFirewallPolicy -InputObject $wafPolicy