OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: akong77 on November 05, 2020, 02:42:39 am

Title: Could naxsi support block empty user-agent?
Post by: akong77 on November 05, 2020, 02:42:39 am
Hello,
I know nginx can use a hook to block an empty user-agent. I want to know whether naxsi could support it?
Title: Re: Could naxsi support block empty user-agent?
Post by: Fright on November 05, 2020, 11:08:32 am
it should
maybe something like:
Code:
MainRule negative id:1700 "rx:^(?!\s*$).+" "msg:Empty_UA" "mz:$HEADERS_VAR_X:User-Agent"
not tested
Title: Re: Could naxsi support block empty user-agent?
Post by: akong77 on November 06, 2020, 03:05:56 am
OK, I will test it. Thanks a lot.
Title: Re: Could naxsi support block empty user-agent?
Post by: akong77 on November 06, 2020, 03:16:46 am
I tested it. It can't block it.
Title: Re: Could naxsi support block empty user-agent?
Post by: Fright on November 06, 2020, 05:17:22 am
tested it. works
Code:
curl -H "User-Agent;" http://myCA_CRL_URL
Code:
*32507 NAXSI_EXLOG: ip=some_ip&server=my_serever&uri=%2Fcrl_file&id=1700&zone=HEADERS&var_name=user-agent&content=, client: some_ip, server: my_server, request: "GET /my.crl HTTP/1.1", host: "my_server
Title: Re: Could naxsi support block empty user-agent?
Post by: akong77 on November 06, 2020, 06:41:40 am
If you try
Quote
curl -A '' -H 'User-Agent;' http://web -I
Title: Re: Could naxsi support block empty user-agent?
Post by: akong77 on November 06, 2020, 06:49:35 am
Sorry, I made a mistake. It can block it. Thanks a lot.
I want to know about naxsi: it can choose the "drop connection" option. What is the difference between block request and drop connection? I tested it. I feel there's no difference.
Title: Re: Could naxsi support block empty user-agent?
Post by: Fright on November 06, 2020, 07:34:26 am
https://github.com/nbs-system/naxsi/wiki/rules-bnf
Quote
specifiy an action such a BLOCK (blocks the request in non-learning mode) or DROP (blocks the request even in learning mode)
DROP is not "DROP connection". It's block even in learning mode
Title: Re: Could naxsi support block empty user-agent?
Post by: akong77 on November 06, 2020, 07:50:15 am
So, whatever I choose, block request or drop connection, it always shows the opnsense request denied webpage.
Right?
Title: Re: Could naxsi support block empty user-agent?
Post by: Fright on November 06, 2020, 08:02:49 am
yep
Title: Re: Could naxsi support block empty user-agent?
Post by: akong77 on November 06, 2020, 11:13:54 am
it should
maybe something like:
Code:
MainRule negative id:1700 "rx:^(?!\s*$).+" "msg:Empty_UA" "mz:$HEADERS_VAR_X:User-Agent"
not tested
Hello, I tested it.
If I use browsers like firefox to see http://ab.aspa.idv.tw, it also shows Request Denied.
You can check http://ab.aspa.idv.tw
Title: Re: Could naxsi support block empty user-agent?
Post by: Fright on November 06, 2020, 11:47:38 am
and what's in the "HTTP Error logs" for these requests?
Title: Re: Could naxsi support block empty user-agent?
Post by: akong77 on November 06, 2020, 12:39:59 pm
Quote
*19 NAXSI_FMT: ip=219.84.34.52&server=ab.aspa.idv.tw&uri=/&learning=0&vers=0.56&total_processed=12&total_blocked=10&block=1&cscore0=$policy20906cd5e25e413f9fe6e733c38d3586&score0=16&zone0=HEADERS&id0=15001&var_name0=user-agent&zone1=HEADERS|NAME&id1=15001&var_name1=user-agent, client: 219.84.34.52, server: ab.aspa.idv.tw, request: "GET / HTTP/1.1", host: "ab.aspa.idv.tw"

Quote
*19 NAXSI_FMT: ip=219.84.34.52&server=ab.aspa.idv.tw&uri=/favicon.ico&learning=0&vers=0.56&total_processed=13&total_blocked=11&block=1&cscore0=$policy20906cd5e25e413f9fe6e733c38d3586&score0=16&zone0=HEADERS&id0=15001&var_name0=user-agent&zone1=HEADERS|NAME&id1=15001&var_name1=user-agent, client: 219.84.34.52, server: ab.aspa.idv.tw, request: "GET /favicon.ico HTTP/1.1", host: "ab.aspa.idv.tw", referrer: "http://ab.aspa.idv.tw/"
Title: Re: Could naxsi support block empty user-agent?
Post by: Fright on November 06, 2020, 03:03:10 pm
Quote
zone1=HEADERS|NAME
and how exactly does rule 15001 look?
and can you enable "Extensive Naxsi Log" in server properties and post NAXSI_EXLOG log for blocked request?
Title: Re: Could naxsi support block empty user-agent?
Post by: akong77 on November 06, 2020, 03:46:59 pm
Quote
MainRule id:15001 "rx:^(?!\s*$).+" "msg:Empty UA" "mz:$HEADERS_VAR_X:User-Agent" "s:$policy20906cd5e25e413f9fe6e733c38d3586:8";
Title: Re: Could naxsi support block empty user-agent?
Post by: akong77 on November 06, 2020, 03:48:10 pm
Quote
and can you enable "Extensive Naxsi Log" in server properties and post NAXSI_EXLOG log for blocked request?

Where is this setup? On opnsense? Or the web server?
Title: Re: Could naxsi support block empty user-agent?
Post by: Fright on November 06, 2020, 04:02:57 pm
Quote
Code:
MainRule id:15001 "rx:^(?!\s*$).+" "msg:Empty UA" "mz:$HEADERS_VAR_X:User-Agent"
forgot to negate? now you're blocking any request with a non-empty UA header
Code:
MainRule negative id:15001 "rx:^(?!\s*$).+"
"negative" to block a request that does not satisfy non-empty UA

Quote
Where is this setup? On opnsense? Or the web server?
OPN->services->Nginx->configuration->Edit HTTP Server->advanced mode
Title: Re: Could naxsi support block empty user-agent?
Post by: akong77 on November 06, 2020, 04:13:45 pm
Ohh... Sorry, I missed this option. Thanks a lot.
Title: Re: Could naxsi support block empty user-agent?
Post by: akong77 on November 06, 2020, 04:21:04 pm
Please see the following:
Quote
MainRule id:10000 "str:gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data\:\/" "msg:URL charset" "mz:URL" "s:$policy1a275df7733e4aef813ecb4917637d40:8"
I want to block some charsets in the url. Could I have set it wrong?
Title: Re: Could naxsi support block empty user-agent?
Post by: Fright on November 07, 2020, 07:24:49 am
Quote
"str:gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data\:\/"
since you use regex it should be "rx:" not "str:"
what is the "\:\/" part for?
Title: Re: Could naxsi support block empty user-agent?
Post by: akong77 on November 07, 2020, 10:03:08 am
Sorry, I fixed the full rule.

Quote
MainRule id:10000 "rx:(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/" "msg:URL charset" "mz:URL" "s:$policy1a275df7733e4aef813ecb4917637d40:8";

I want to block url strings that contain something like ftp:/ or ldap:/. I have edited it to rx. Is that right?
Title: Re: Could naxsi support block empty user-agent?
Post by: Fright on November 07, 2020, 11:30:46 am
regex looks fine but
can you show an example of url you want to block?
The URL zone contains the string between the server name and the first "?" sign (i.e. if https://forum.opnsense.org/index.php?action=post is requested then URL = /index.php, and "action" is an Argument. Arguments of a POST request are in the BODY zone).
so what exactly do you want to block?
Title: Re: Could naxsi support block empty user-agent?
Post by: akong77 on November 09, 2020, 01:32:06 am
like
http://url/php:/
Title: Re: Could naxsi support block empty user-agent?
Post by: Fright on November 09, 2020, 08:18:35 am
hm. if the question is theoretical, then yes, the rule should work.
but RFI (remote file inclusion) works by parameters (arguments), not the url itself
(ie http://www.example.com/vuln_page.php?file=http://www.hacker.com/shell.php)
and naxsi has examples of obvious rfi protection (IDs: 1100-1199)
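To make the two points from this thread concrete (a rule without "negative" scores every normal User-Agent, and the URL zone stops at the first "?", so a scheme inside a query argument is never seen by a mz:URL rule), here is an added Python emulation of how naxsi scores those rules, plus a parser for the NAXSI_FMT log format shown earlier. It is example code, not naxsi's own, and the host names, IP and log line in it are constructed.

```python
import re

# Added illustration (not naxsi's own code): emulate how naxsi scores the two
# MainRules discussed in this thread and parse a NAXSI_FMT log line.

# Rules 1700/15001: regex that matches any non-blank User-Agent value.
UA_RX = re.compile(r"^(?!\s*$).+")
# Rule 10000: scheme-like word followed by ":/" inside the URL zone.
URL_RX = re.compile(r"(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/")


def ua_rule_hits(user_agent, negative):
    """True when the User-Agent rule would score the request.

    A plain rule fires when the regex matches, so without 'negative' every
    browser sending a normal UA is scored (what the thread observed). A
    'negative' rule fires when the regex does NOT match: an empty or
    whitespace-only UA, or a missing header (None).
    """
    matched = UA_RX.search(user_agent or "") is not None
    return (not matched) if negative else matched


def url_zone(request_uri):
    """naxsi's URL zone: the path up to the first '?'; the rest is ARGS."""
    return request_uri.split("?", 1)[0]


def url_rule_hits(request_uri):
    """True when rule 10000 would score the request. It inspects only the
    URL zone, so 'ftp://' inside a query argument is not seen here."""
    return URL_RX.search(url_zone(request_uri)) is not None


def parse_naxsi_fmt(log_line):
    """Turn the key=value part of a NAXSI_FMT line into a dict."""
    m = re.search(r"NAXSI_FMT: (.*?), client:", log_line)
    if not m:
        return {}
    return dict(kv.split("=", 1) for kv in m.group(1).split("&") if "=" in kv)


# Constructed sample in the same shape as the NAXSI_FMT line posted above.
SAMPLE_LOG = ('*19 NAXSI_FMT: ip=192.0.2.10&server=example.test&uri=/&learning=0'
              '&vers=0.56&total_processed=12&total_blocked=10&block=1'
              '&cscore0=$policyXYZ&score0=16&zone0=HEADERS&id0=15001'
              '&var_name0=user-agent, client: 192.0.2.10, server: example.test, '
              'request: "GET / HTTP/1.1", host: "example.test"')
```

Running `parse_naxsi_fmt` over the error log lets you confirm which rule id and zone produced a block before touching the rule set.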
Title: Re: Could naxsi support block empty user-agent?
Post by: akong77 on November 10, 2020, 10:47:32 am
Hello,
Could I redirect client 403 page when rule match?
Title: Re: Could naxsi support block empty user-agent?
Post by: Fright on November 10, 2020, 02:00:03 pm
I did not understand the question.
you want to send a 403 status? change the html page?
yes you can
https://github.com/nbs-system/naxsi/wiki/directives#deniedurl

Quote
when rule match?
when access is blocked.
DeniedUrl is a directive in the location block. you can't set it for one rule