Update Naxsi rules set

joglomedia · Jan 22, 2025 · 5e5b410 · 5e5b410
1 parent 14a7a38
commit 5e5b410
Show file tree

Hide file tree

Showing 3 changed files with 137 additions and 0 deletions.
diff --git a/etc/nginx/includes/naxsi.rules b/etc/nginx/includes/naxsi.rules
@@ -0,0 +1,20 @@
+# Sample rules file for default vhost.
+
+#LearningMode;
+SecRulesEnabled;
+#SecRulesDisabled;
+LibInjectionSql;
+LibInjectionXss;
+
+DeniedUrl "/RequestDenied";
+
+## Check rules
+CheckRule "$SQL >= 8" BLOCK; # SQL injection action (unrelated to libinjection)
+CheckRule "$XSS >= 8" BLOCK; # XSS action (unrelated to libinjection)
+CheckRule "$RFI >= 8" BLOCK; # Remote File Inclusion action
+CheckRule "$UWA >= 8" BLOCK; # Unwanted Access action
+CheckRule "$EVADE >= 8" BLOCK; # Evade action (some tools may try to avoid detection).
+CheckRule "$UPLOAD >= 5" BLOCK; # Malicious upload action
+CheckRule "$TRAVERSAL >= 5" BLOCK; # Traversal access action
+CheckRule "$LIBINJECTION_XSS >= 8" BLOCK; # libinjection XSS action
+CheckRule "$LIBINJECTION_SQL >= 8" BLOCK; # libinjection SQLi action
diff --git a/etc/nginx/includes/naxsi_core.rules b/etc/nginx/includes/naxsi_core.rules
@@ -0,0 +1,101 @@
+##################################
+## INTERNAL RULES IDS:1-999     ##
+##################################
+#@MainRule "msg:weird request, unable to parse" id:1;
+#@MainRule "msg:request too big, stored on disk and not parsed" id:2;
+#@MainRule "msg:invalid hex encoding, null bytes" id:10;
+#@MainRule "msg:unknown content-type" id:11;
+#@MainRule "msg:invalid formatted url" id:12;
+#@MainRule "msg:invalid POST format" id:13;
+#@MainRule "msg:invalid POST boundary" id:14;
+#@MainRule "msg:invalid JSON" id:15;
+#@MainRule "msg:empty POST" id:16;
+#@MainRule "msg:libinjection_sql" id:17;
+#@MainRule "msg:libinjection_xss" id:18;
+#@MainRule "msg:no generic rules" id:19;
+#@MainRule "msg:bad utf8" id:20;
+#@MainRule "msg:illegal host header" id:21;
+
+##################################
+## SQL Injections IDs:1000-1099 ##
+##################################
+MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile|bigint" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
+MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
+MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
+## Hardcore rules
+MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
+MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
+MainRule "str:|" "msg:mysql keyword (|)"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
+MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
+## end of hardcore rules
+MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
+MainRule "str:;" "msg:semicolon" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
+MainRule "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
+MainRule "str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
+MainRule "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
+MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
+MainRule "str:," "msg:comma" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
+MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;
+MainRule "str:@@" "msg:double arobase (@@)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1017;
+MainRule "rx:::json|to_json|jsonb?_build|jsonb?_object|jsonb?_each|jsonb?_extract|jsonb?_typeof|jsonb?_array|jsonb_set|json_query|json_keys" "msg:json functions and operators" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1018;
+
+###############################
+## OBVIOUS RFI IDs:1100-1199 ##
+###############################
+MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
+MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
+MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
+MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
+MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104;
+MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105;
+MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106;
+MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107;
+MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108;
+MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109;
+MainRule "str:gopher://" "msg:gopher:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1110;
+MainRule "str:zip://" "msg:zip:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1111;
+MainRule "str:expect://" "msg:expect:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1112;
+MainRule "str:input://" "msg:input:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1113;
+
+#######################################
+## Directory traversal IDs:1200-1299 ##
+#######################################                                          
+MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
+MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
+MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
+MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
+MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
+#MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;
+MainRule "str:/..;/" "msg:dir traversal bypass" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1207;
+MainRule "str:/.;/" "msg:dir traversal bypass" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1208;
+MainRule "str:/.%2e/" "msg:dir traversal bypass" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1209;
+MainRule "str:/%2e./" "msg:dir traversal bypass" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1210;
+
+########################################
+## Cross Site Scripting IDs:1300-1399 ##
+########################################
+MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
+MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
+MainRule "str:[" "msg:open square backet ([), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
+MainRule "str:]" "msg:close square bracket (]), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
+MainRule "str:~" "msg:tilde (~) character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
+MainRule "str:`"  "msg:grave accent (`)" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
+MainRule "rx:%[23]."  "msg:double encoding" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
+
+####################################
+## Evading tricks IDs: 1400-1500 ##
+####################################
+MainRule "str:&#" "msg:utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
+MainRule "str:%U" "msg:M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
+
+#############################
+## File uploads: 1500-1600 ##
+#############################
+MainRule "rx:\.ph|\.asp|\.ht|\.jsp" "msg:asp/php/jsp/htaccess file upload" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;
+MainRule "rx:^[\.a-z0-9_\- ]+$" negative "msg:uploaded filename contains non-printable ascii chars" "mz:FILE_EXT" "s:$UPLOAD:8" id:1501;
+
+# The location where all the blocked request will be internally redirected.
+location /RequestDenied {
+	internal;
+	return 403;
+}
diff --git a/lib/lemper-create.sh b/lib/lemper-create.sh
@@ -145,6 +145,10 @@ server {
     include /etc/nginx/includes/rules_staticfiles.conf;
     include /etc/nginx/includes/rules_restriction.conf;
 
+    ## Naxsi WAF rules.
+    #set \$naxsi_json_log 1;
+	#include /etc/nginx/includes/naxsi_core.rules;
+
     ## Default vhost directives configuration.
     #include /etc/nginx/includes/rules_fastcgi_cache.conf;
     include /etc/nginx/vhost/site_${FRAMEWORK}.conf;
@@ -234,6 +238,10 @@ server {
     include /etc/nginx/includes/rules_staticfiles.conf;
     include /etc/nginx/includes/rules_restriction.conf;
 
+    ## Naxsi WAF rules.
+    #set \$naxsi_json_log 1;
+	#include /etc/nginx/includes/naxsi_core.rules;
+
     ## Default vhost directives configuration.
     #include /etc/nginx/includes/rules_fastcgi_cache.conf;
     include /etc/nginx/vhost/site_drupal.conf;
@@ -321,6 +329,10 @@ server {
     include /etc/nginx/includes/rules_staticfiles.conf;
     include /etc/nginx/includes/rules_restriction.conf;
 
+    ## Naxsi WAF rules.
+    #set \$naxsi_json_log 1;
+	#include /etc/nginx/includes/naxsi_core.rules;
+
     ## Default vhost directives configuration.
     #include /etc/nginx/includes/rules_fastcgi_cache.conf;
     include /etc/nginx/vhost/site_laravel.conf;
@@ -408,6 +420,10 @@ server {
     include /etc/nginx/includes/rules_staticfiles.conf;
     include /etc/nginx/includes/rules_restriction.conf;
 
+    ## Naxsi WAF rules.
+    #set \$naxsi_json_log 1;
+	#include /etc/nginx/includes/naxsi_core.rules;
+
     ## Default vhost directives configuration.
     #include /etc/nginx/includes/rules_fastcgi_cache.conf;
     include /etc/nginx/vhost/site_phalcon.conf;