
Category: Webmaster notes

Published: 2024-8-9 15:15

Reposted from a WeChat official account.

Cloudflare WAF rule collection
1. Block malicious requests
  • Block well-known bad user agents
  • Block connections that name a port explicitly in the Host header (normally only bots do this)
  • Block the obsolete HTTP/1.0 protocol version
  • Block clients that Cloudflare has flagged as threats
  • Block unwanted request methods
  • Block suspicious X-Forwarded-For values
  • Block requests from the Tor network
  • Block the ASNs of the best-known proxy and scraping providers
  • Block non-standard cookies
(http.request.version in {"HTTP/1.0"} and not cf.client.bot) or (http.user_agent eq "") or (http.user_agent eq " ") or (http.user_agent eq "-") or (http.user_agent eq "'") or (http.user_agent contains "/x/") or (http.user_agent contains "'XOR(") or (http.user_agent contains "ALittle") or (http.user_agent contains "got (") or (http.user_agent contains "quic-go-HTTP") or (http.user_agent contains "Go-http-client") or (http.user_agent contains "fasthttp") or (http.user_agent contains "python") or (http.user_agent contains "java") or (http.user_agent contains "PHP") or (http.user_agent contains "Nmap") or (http.user_agent contains "scrapy" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot) or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bing" and not http.user_agent contains "google" and not http.user_agent contains "yandex" and not http.user_agent contains "duckduckgo" and not http.user_agent contains "facebook" and not http.user_agent contains "linkedIn" and not http.user_agent contains "twitter" and not http.user_agent contains "yahoo" and not cf.client.bot) or (cf.threat_score ge 20 and not cf.client.bot) or (http.request.method in {"PURGE" "PUT" "OPTIONS" "DELETE" "PATCH"}) or (http.x_forwarded_for contains "192.0.") or (http.x_forwarded_for contains ".0.0") or (ip.geoip.country in {"T1" "XX"} and not http.request.version in {"HTTP/2" "HTTP/3" "SPDY/3.1"} and not cf.client.bot) or (http.user_agent contains "lient" and http.user_agent contains "ttp") or (http.user_agent contains "libweb") or (http.user_agent contains "libwww") or (http.user_agent contains "wrk") or (http.user_agent contains "hey/") or (ip.geoip.asnum in {14061 60631 28438 60592 30823 4134 32505 27715 22773 131090 135905 55330 16629 4755 53363 34549 135330 47285 60798 207590 203087 198651 43289 14576 207319 201978 208425 201094 18978 52000 204601 199883 8220 36351 45011 8560 23969 45629 
20207 6471 8075 45899 31400 208556 12271 7552 26496 21769 6876 45102 5617 199490 35816 131293 20860 31898 131428 8881 25429 29802 4788 3326 39284 13448 46484 174 577 29286 5056 9009 63949 212708 40788 12989 11351 11426 7029 42652 18403 54538 209 62044 3269 395003 8100 4190 12874 19740 197540 45458 136258 50837 51852 4826 195 49588 57613 34248 197099 29287 29066 30083 9534 42905 35804 45012 7303 25961 61317 5610 35320 262187 263693 20552 266706 49327 47232 32098 28429 3255 28431 14117 18734 24088 263196 41096 52228 8069 398101 28725 132196 61154 58199 6877 265537 32097 62240 3329 6830 133199 12334 270110 22884 54600 213375 206092 41009 213251 36444} and not http.request.version in {"HTTP/2" "HTTP/3" "SPDY/3.1"} and not cf.client.bot) or (http.host contains ":80") or (http.host contains ":443") or (http.cookie contains "cf_use_ob=" and not http.cookie contains "0" and not http.cookie contains "80" and not http.cookie contains "443" and not cf.client.bot)
2. Block SQL injection, XSS and PHP exploitation attempts
  • SQL injection protection
  • Command execution protection
  • XSS protection
  • File inclusion protection
  • Special character detection
  • Encoded character detection
  • Other safety measures
  • Web shell protection
  • Cookie and JavaScript protection
  • HTML injection protection
To test the rule with a simulated XSS request, visit http://<domain>/?html=<script>alert(1)</script>
(http.request.uri.query contains ")/*") or (http.request.uri.query contains ")--") or (http.request.uri.query contains "benchmark(") or (http.request.uri.query contains "'0:0:20'") or (http.request.uri.query contains "MD5(") or (http.request.uri.query contains "%20waitfor%20delay%20") or (http.request.uri.query contains "%22") or (http.request.uri.query contains "%20/*") or (http.request.uri.query contains "%20--") or (http.request.uri.query contains "%20%23") or (http.request.uri.query contains ")%23") or (http.request.uri.query contains "script>") or (http.request.uri.query contains "%40") or (http.request.uri.query contains "%00") or (http.request.uri.query contains "<?php") or (http.request.uri.query contains "0x00") or (http.request.uri.query contains "0x08") or (http.request.uri.query contains "0x09") or (http.request.uri.query contains "0x0a") or (http.request.uri.query contains "0x0d") or (http.request.uri.query contains "0x1a") or (http.request.uri.query contains "0x22") or (http.request.uri.query contains "0x25") or (http.request.uri.query contains "0x27") or (http.request.uri.query contains "0x5c") or (http.request.uri.query contains "0x5f") or (http.request.uri.query contains "SELECT") or (http.request.uri.query contains "concat") or (http.request.uri.query contains "union") or (http.request.uri.query contains "0x50") or (http.request.uri.query contains "DROP") or (http.request.uri.query contains "WHERE") or (http.request.uri.query contains "ONION") or (http.request.uri.query contains "0x3c62723e3c62723e3c62723e") or (http.request.uri.query contains "0x3c696d67207372633d22") or (http.request.uri.query contains "OR") or (http.request.uri.query contains "0x3e") or (http.request.uri.query contains "<img") or (http.request.uri.query contains "<image") or (http.request.uri.query contains "document.cookie") or (http.request.uri.query contains "onerror()") or (http.request.uri.query contains "alert(") or (http.request.uri.query contains "window.") or 
(http.request.uri.query contains "String.fromCharCode(") or (http.request.uri.query contains "javascript:") or (http.request.uri.query contains "onmouseover=") or (http.request.uri.query contains "<BODY onload") or (http.request.uri.query contains "<style") or (http.request.uri.query contains "svg onload")
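Cloudflare evaluates the two rules above at the edge, so there is no cheap way on the page to see which requests a fragment would catch before it goes live. The following Python script is an added example, not part of the original post and not Cloudflare's tooling: it implements an evaluator for only the subset of the rule expression language these rules use (parentheses, `not`/`and`/`or`, `eq`/`contains`/`in`/`ge`, `{...}` sets, bare boolean fields such as `cf.client.bot`, and `lower(field)`), under the assumption that `contains` is a case-sensitive substring test as Cloudflare documents it. It runs fragments copied from rule 1 and rule 2 over constructed sample requests and shows three things the rule text alone does not: `contains "python"` does not match a `Python-urllib` client unless the field is wrapped in `lower()`, a verified crawler is exempted by `cf.client.bot`, and the bare `contains "OR"` term in rule 2 fires on the harmless query `sort=FORMAT`.

```python
import re

# Added example, not Cloudflare's code: evaluates the subset of the rule language this page's rules use
# (parentheses, not/and/or, eq/contains/in/ge, {...} sets, bare boolean fields such as cf.client.bot, and
# lower(field)) against constructed requests, for dry-running fragments before going live. Assumption:
# `contains` is a case-sensitive substring test, as Cloudflare documents it.
TOKEN = r'\s*(?:("[^"]*")|([A-Za-z_][\w.]*)|(\d+)|([(){}]))'
OPS = {"eq", "contains", "in", "ge"}

def tokenize(src):
    """Return (kind, value) tokens with kind in str/ident/num/punct; reject unsupported syntax."""
    if not re.fullmatch(f"(?:{TOKEN})*\\s*", src):
        raise ValueError("unsupported syntax in rule")
    return [("str", s[1:-1]) if s else ("ident", i) if i else ("num", int(n)) if n else ("punct", p)
            for s, i, n, p in re.findall(TOKEN, src)]

class Evaluator:
    """Recursive descent that evaluates while parsing; precedence is not > and > or, as in Cloudflare."""
    def __init__(self, rule, req):
        self.toks, self.i, self.req = tokenize(rule), 0, req
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, expected=None):
        tok = self.peek()
        if tok[0] is None or expected not in (None, tok):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok
    def expr(self):                                    # or-level
        result = self.term()
        while self.peek() == ("ident", "or"):
            self.i += 1
            result = self.term() or result             # operand first, so its tokens are always consumed
        return result
    def term(self):                                    # and-level
        result = self.factor()
        while self.peek() == ("ident", "and"):
            self.i += 1
            result = self.factor() and result
        return result
    def factor(self):                                  # not, parentheses, or one comparison
        if self.peek() == ("ident", "not"):
            self.i += 1
            return not self.factor()
        if self.peek() == ("punct", "("):
            self.i += 1
            result, _ = self.expr(), self.take(("punct", ")"))
            return result
        name, lower = self.take()[1], False
        if name == "lower":                            # lower(field)
            self.take(("punct", "("))
            name, lower = self.take()[1], True
            self.take(("punct", ")"))
        left = str(self.req.get(name, "")).lower() if lower else self.req.get(name, "")
        if self.peek()[0] != "ident" or self.peek()[1] not in OPS:
            return bool(left)                          # bare boolean field, e.g. cf.client.bot
        op, value = self.take()[1], self.value()
        if op == "contains":                           # case-sensitive, as in Cloudflare
            return isinstance(left, str) and value in left
        if op == "ge":
            return isinstance(left, int) and left >= value
        return left == value if op == "eq" else left in value
    def value(self):
        if self.peek() != ("punct", "{"):
            return self.take()[1]
        self.i, items = self.i + 1, set()
        while self.peek() != ("punct", "}"):
            items.add(self.take()[1])
        self.i += 1
        return items

def matches(rule, req):
    """True when the rule fires for a request dict keyed by Cloudflare field names."""
    ev = Evaluator(rule, req)
    result = ev.expr()
    if ev.peek()[0] is not None:                       # e.g. an uppercase AND is not an operator
        raise ValueError(f"trailing tokens from {ev.peek()!r}")
    return result

def dry_run(rule, samples):
    return {name: matches(rule, req) for name, req in samples.items()}

# Fragments copied from this page's rule 1 (user agents) and rule 2 (query string).
UA_RULE = ('(http.request.version in {"HTTP/1.0"} and not cf.client.bot) or (http.user_agent contains "python") '
           'or (http.user_agent contains "bot" and not http.user_agent contains "google" and not cf.client.bot) '
           'or (cf.threat_score ge 20 and not cf.client.bot)')
UA_RULE_CI = UA_RULE.replace('http.user_agent contains "python"', 'lower(http.user_agent) contains "python"')
QUERY_RULE = ('(http.request.uri.query contains "script>") or (http.request.uri.query contains "alert(") '
              'or (http.request.uri.query contains "union") or (http.request.uri.query contains "OR")')
# Constructed sample requests (not real traffic): "python" misses Python-urllib (capital P) unless
# lower() is used, and the bare "OR" term fires on the harmless query sort=FORMAT.
UA_SAMPLES = {name: {"http.user_agent": ua, "http.request.version": "HTTP/1.1",
                     "cf.client.bot": bot, "cf.threat_score": 0}
              for name, ua, bot in (("python-requests", "python-requests/2.31.0", False),
                                    ("Python-urllib", "Python-urllib/3.11", False),
                                    ("verified Googlebot", "Googlebot/2.1 (+http://www.google.com/bot.html)", True),
                                    ("unverified crawler", "Mozilla/5.0 (compatible; SomeCrawlerbot/1.0)", False))}
QUERY_SAMPLES = {"xss probe": {"http.request.uri.query": "html=<script>alert(1)</script>"},
                 "benign sort": {"http.request.uri.query": "sort=FORMAT"},
                 "plain paging": {"http.request.uri.query": "page=2"}}
```

`dry_run(QUERY_RULE, QUERY_SAMPLES)` reports the XSS probe and the benign `sort=FORMAT` query as hits and `page=2` as a miss, which is why short case-sensitive terms such as `OR`, `WHERE` and `union` in rule 2 deserve a pass over real query strings from your own logs before the rule is switched from log to block. An operator spelled `AND` is not recognised by the evaluator and is reported as a trailing token, so the script also serves as a quick syntax check for the lowercase operator spelling the expression language expects.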
3. Detect unusual attack methods
  • Block the unusual attack methods we have observed
(http.user_agent eq "109e15941c57") or (http.user_agent eq "d1b2df322c91") or (http.request.uri.query eq "--+") or (http.user_agent eq "84bd2cfee733") or (http.request.uri.query eq "d=1") or (http.user_agent eq "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)") or (http.request.uri.query eq "daksldlkdsadas=1") or (http.request.full_uri contains "\\x03\\x00\\x00/*\\xE0\\x00\\x00\\x00\\x00\\x00Cookie: mstshash=Administr") or (http.request.full_uri contains "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00") or (http.request.full_uri contains "T\\x83\\xF8\\xCCu\\x18\\xA8\\xABw*w\\xF5j\\x91\\xE4[") or (http.request.full_uri contains "-\\x11\\xBERB#:\\xE4.\\xC6\\xFFHA\\x1A\\x03\\xD7") or (http.request.full_uri contains "MGLNDD_") or (http.request.full_uri contains "\\x03\\x00\\x00\\x13\\x0E\\xE0\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x03\\x00\\x00\\x00") or (http.request.full_uri contains "fI4y") or (http.request.full_uri contains "o\\xFA\\xC0\\xBE\\xB8\\xC0\\xA4\\xC9\\x89\\xA2\\xC2\\x8F\\x83\\xAF\\x91\\x97\\xBE\\xCD\\xB9\\xCF\\xAC\\x9B\\xB0\\xAB\\xA0\\xB6\\xB1\\xAA\\x9D\\x9C\\x9F\\x96\\x8D\\x93\\xCE\\xB4\\xB3\\xB5\\x98\\xCD\\xA6\\xFA\\xFA\\xFA\\xFA\\x12\\xFD\\xD8\\xF8\\xFA\\xFA\\xC2\\xFA\\xFA\\xFA\\xFA\\x1Af\\xEC\\xF9\\xFA\\xFA\\xFA\\xFA\\xFB\\xE5q\\xF2\\xFA\\xFA\\xFA\\xFA\\xFA\\xFA\\xF9wh\\x97ui\\xBA\\xEA=E\\xF0\\x1B/\\xA7XJ\\xF11Y\\x0B\\xBF\\xB1K\\x1F\\x00\\xFA\\xF8\\xAF5Y\\xDB\\xA1\\xA2 \\xE00\\xCC\\xBAU]<\\x15\\x14\\xBA\\xC7W7c\\x02\\x98\\xC996\\x95\\x1C\\xC5\\x164yR\\xE7\\x8C\\x90\\x8E\\x06\\x92w\\xCD\\xE9\\x0E\\x14!\\x19\\x87KE\\xE1\\x86 
,)\\xEA\\x85_\\x16I(\\x86\\x8B?\\xADXx\\xD7\\xE7\\xB67\\x83\\xF1\\xFC;\\x83\\xC8\\x0F\\xAE\\xDD\\x1A\\xCA\\xBF\\xD3\\xF0\\x98\\xAA\\xD9=\\xD0\\xD0\\xD6\\xEF\\xABQZ\xBCrhc@[\x9Cz\xEA\x8AJ|\x8F\xEF\x86V\x11\xDC\xBB\x5C\xF8T\xF3=\x9B\xAF\x11\xBD8\x96\xAD\xE7e~ov\\xCC\\xB6\\xCA\\xDE\\xB78\\xDC\\xD88w9\\x91\\x8C\\xD1\\xDE/\\x98\\xCA\\x8D%\\xDC\\x85+sb\\xAE\\xE5&\\xCA\\x08\\x06\\xFF\\x9Ev\\xA5\\x96\\xED\\x0F\\xBC\\xEA2\\xFA\\x1F7\\x03\\xC9g\\x83)TF$H\\xA8\\xD2\\xA24\\x91\\x80\\xABg\\x0CF+\\xBFx*w\\x19\\x01\\x0E\\xFF\\xCF\\x1B\\xA8\\x9AJrF.\\x0B\\x9D\\x84\\xF2\\xEE\\x80Y\\x18\\xD4\\x12\\xFE\\x14\\x89\\x9B\\x8C\\x9AL6\\x17\\x09\\xF25\\x5C\\xEDb\\x02\\x89\\xCD\\xA7|\\xC9zL\\x97\\x81\\x92\\x96\\xA3\\xC4g\\xB4(\\xE3k\\x82Gk\\xC1\\x90B\\xE6][\\xE1\\x02\\x9B\\x86?Tua\\x1C\\xE0\\xFC\\x9F\\x8D\\xEB\\x01\\xAB\\xC0\\xE5\\xD6\\x98\\xD5\\xE0<\\x93\\xEA\\x00\\x8DT\\xE9\\x05\\x04y-G\\x0E\\xC5R\\x0E\\x18\\xF4\\xC1\\xD6\\x8E\\xBDi\\xBBf\\xBC1Z-\\xFD\\x90N\\x16\\x81\\x07C*mk\\x11\\xBCZ\\x02\\x85\\x95a\\xDE\\xAB\\xA8\\xB7\\xA3\\xA7;\\x19\\xDE\\xB3\\xD7") or (http.request.full_uri contains "\\x00\\x00\\x00") or (http.request.full_uri contains "\\x02") or (http.request.full_uri contains "v\\xF0m\\xB0b\\xAF\\x8F\\x883\\xE4U)8\\x99E\\x14") or (http.request.full_uri contains "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00") or (http.request.full_uri contains "!\\xFA\\xAC\\x8E\\x12^\\x87\\x1F9E\\xF8\\xBBT5\\x18\\xBF\\xE3\\x0Fc\\xB0\\xC3+!\\xB0y\\xA7\\xE0\\x1B\\xCF+!\\xB0\\xC2/c\\xB0\\xC3+\\x22\\xB8\\xC3+!\\xB0\\xC3+!\\xB0i+!\\xB0\\xC3+") or (http.request.full_uri contains "\\x00\\x0E8\\x89\\x99\\xDCZFS\\xEDM\\x00\\x00\\x00\\x00\\x00") or (http.request.full_uri contains "j\\x00\\xFD U\\x8De\\xC2G\\xB6\\x9A\\x83g\\xA3-\\xB6") or (http.request.full_uri contains "SSTP_DUPLEX_POST") or (http.request.full_uri contains "sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}")
4. Threat detection (optional)
  • Check for outdated HTTP versions (1.1, 1.2)
  • Check for countries/regions that allow large volumes of malicious traffic
  • Check for clients that Cloudflare has flagged as threats
  • Check for insecure requests (not made over SSL/TLS)
  • Check for requests of unknown origin (no Referer)
(http.request.version in {"HTTP/1.1" "HTTP/1.2"} and not http.request.version in {"HTTP/2" "HTTP/3" "SPDY/3.1"} and not ip.geoip.asnum in {13238 15169 8075 47541 32934} and not cf.client.bot) or (cf.threat_score ge 10 and not cf.client.bot) or (not ssl) or (ip.geoip.continent in {"AF" "AS" "AN" "EU" "NA" "OC" "SA"} and not ip.geoip.country in {"RU" "MD" "BY" "UA" "GB" "US" "FR" "ES" "IT" "CA" "DE" "SE" "FI" "BE" "NL"} and not ip.geoip.asnum in {13238 15169 8075 47541 32934} and not cf.client.bot) or (http.referer eq "" and not cf.client.bot)
5. Cloudflare WAF anti-DDoS
  • Any bot detected by Cloudflare
  • Chrome versions 30-109
  • Many cloud-provider ASNs
  • Firefox versions 30-79
  • Browser detection
(cf.client.bot) or (http.user_agent eq "vercel-fetch") or (ip.src in {209.251.16.230 192.140.42.83 196.0.111.194 83.221.194.199 203.81.87.186 200.29.109.112 110.235.250.155 190.53.46.11 181.209.82.154 136.228.160.250 193.35.18.0/24}) or (ip.geoip.asnum in {16509 11878 14061 46261 46664 207990 611 9009 132203 132153 136907 51852 396982 27176 14618 212238 24940 50613 12876 63199 45090 63949 16276 18779 203999 55286 21769 60781 64267 210558 45102 3462 8075 4766 31898 8151 4314 3223 2514 63473 398101 26496 397336 46562 39690 62567 135340 200130 201229 202018 202109 205301 393406 394362 2 398712 8560 398324 3352 8100 397373 13768 202425 137409 400536 10753 198953 53831 6461 394814 45102 38731 399486 136557 135377 136787 49825 400175 20454 63023 12552 47583 210644 25369 42926 394711 3462 54538 399646 206264 42831 53667 200651 25513 399646 51396 47066 1101 208323 39043 51290 4224 31200 25513 133301 36352 62282 58519 48090 208226 200000 42730 56655 140389}) or (http.user_agent contains "Chrome/7") or (http.user_agent contains "Chrome/5") or (http.user_agent contains "Chrome/8") or (http.user_agent contains "Chrome/6") or (http.user_agent contains "Chrome/9") or (http.user_agent contains "Chrome/10") or (http.user_agent contains "Chrome/3") or (http.user_agent contains "Chrome/4") or (http.user_agent contains "Firefox/3") or (http.user_agent contains "Firefox/4") or (http.user_agent contains "Firefox/5") or (http.user_agent contains "Firefox/6") or (http.user_agent contains "Firefox/7") or (ip.geoip.country eq "T1")
6. Suspicious access filter
  • Bot traffic, as detected automatically by Cloudflare
  • X-Forwarded-For header check
  • Request URI query string check
  • Geolocation exclusion: the rule exempts requests from China (including Hong Kong, Macau and Taiwan)
  • Requests that hide the real IP behind a proxy
  • Requests carrying suspicious query parameters
  • Requests from specific geographic locations
  • Requests using a non-GET method, which may indicate data submission or modification
((not cf.client.bot and ((http.x_forwarded_for contains ".") or (http.request.full_uri contains "?" and not http.request.full_uri contains ".css" and not http.request.full_uri contains ".js" and not http.request.full_uri contains "cf_chl_jschl_tk") or (not ip.geoip.country in {"CN" "HK" "TW" "MO"}) or (http.request.method ne "GET"))))
7. Simple protection against CC (HTTP flood) or DDoS attacks
  • Rate limiting: Cloudflare's rate limiting feature automatically restricts IP addresses that exceed a normal request frequency.
  • Behaviour analysis: use Cloudflare's machine-learning models to identify and block malicious behaviour.
  • IP reputation: use Cloudflare's IP reputation database to block traffic from known malicious IP addresses.
  • Geolocation filtering: block traffic from locations known to be associated with DDoS attacks.
  • HTTP feature detection: detect patterns or characteristics in requests that indicate automated tools or scripts.
(http.request.method eq "GET") and (cf.threat_score ge 1) and (not ip.src in $trusted_ip_addresses)
Note: the expression language only accepts lowercase and/not (AND/NOT are not operators), and ip.src cannot be compared with integers, so the original leading clause "ip.src >= 1 AND ip.src <= 4294967295", which only meant "any IPv4 address", has been dropped; $trusted_ip_addresses is a placeholder for an IP list of your own trusted addresses created in the account.
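The rule above only uses the threat score; the rate-limiting idea in the first bullet is a counting problem, so here is a minimal per-client sliding-window limiter as an added example. It is not Cloudflare's implementation (Cloudflare's product counts by configurable characteristics and applies a mitigation for a set period) and assumes that only allowed requests count towards the window; it replays a constructed access log so the "too many requests" decision is visible.

```python
from collections import defaultdict, deque

# Added example, not Cloudflare's implementation: a per-client sliding-window limiter, the simplest form
# of the rate limiting described above. Assumption: only requests that were allowed count in the window.
class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window`-second span."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)        # key -> timestamps of recent allowed requests, oldest first

    def allow(self, key, now):
        recent = self.hits[key]
        while recent and now - recent[0] >= self.window:   # evict timestamps that have left the window
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


# Constructed access-log lines (not real traffic): "<epoch seconds> <client ip> <method> <path>".
ACCESS_LOG = """\
1000 203.0.113.10 GET /
1000 203.0.113.10 GET /login
1001 203.0.113.10 POST /login
1001 198.51.100.7 GET /
1002 203.0.113.10 POST /login
1002 203.0.113.10 POST /login
1003 203.0.113.10 POST /login
1004 203.0.113.10 POST /login
1005 198.51.100.7 GET /about
1012 203.0.113.10 GET /
1020 198.51.100.7 GET /contact
"""


def rejected_requests(log_text, limit=5, window=10):
    """Replay the log through the limiter; return {ip: [timestamps of requests over the limit]}."""
    limiter = SlidingWindowLimiter(limit, window)
    rejected = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, _method, _path = line.split()
        if not limiter.allow(ip, int(ts)):
            rejected[ip].append(int(ts))
    return dict(rejected)


if __name__ == "__main__":
    print(rejected_requests(ACCESS_LOG))   # {'203.0.113.10': [1003, 1004]}
```

With the default of 5 requests per 10 seconds, 203.0.113.10 is rejected on its sixth and seventh request and admitted again once its earlier hits have aged out of the window, while 198.51.100.7 is never touched; raising `limit` to 7 produces no rejections at all, which is the kind of threshold tuning worth doing against your own logs before enabling a rate-limiting rule.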
Tags: #Cloudflare #WAF #rule sharing