WAF app/service based whitelists

[GreenMatter]

Do you know where to find application based Nginx WAF whitelists? I mean tailor made set of rules for i.e. Sogo, Nextcloud and so on...
Thanks!

[GreenMatter]

I've found this: https://ownyourbits.com/2017/03/23/modsecurity-web-application-firewall-for-nextcloud/
Is there any way to translate Modsecurity rules IDs to NAXSi IDs?

Code: [Select]

<Directory /var/www/nextcloud/>
# VIDEOS
  SecRuleRemoveById 958291             # Range Header Checks
  SecRuleRemoveById 981203             # Correlated Attack Attempt


  # PDF
  SecRuleRemoveById 950109             # Check URL encodings


  # ADMIN (webdav)
  SecRuleRemoveById 960024             # Repeatative Non-Word Chars (heuristic)
  SecRuleRemoveById 981173             # SQL Injection Character Anomaly Usage
  SecRuleRemoveById 981204             # Correlated Attack Attempt
  SecRuleRemoveById 981243             # PHPIDS - Converted SQLI Filters
  SecRuleRemoveById 981245             # PHPIDS - Converted SQLI Filters
  SecRuleRemoveById 981246             # PHPIDS - Converted SQLI Filters
  SecRuleRemoveById 981318             # String Termination/Statement Ending Injection Testing
  SecRuleRemoveById 973332             # XSS Filters from IE
  SecRuleRemoveById 973338             # XSS Filters - Category 3
  SecRuleRemoveById 981143             # CSRF Protections ( TODO edit LocationMatch filter )


  # COMING BACK FROM OLD SESSION
  SecRuleRemoveById 970903             # Microsoft Office document properties leakage


  # NOTES APP
  SecRuleRemoveById 981401             # Content-Type Response Header is Missing and X-Content-Type-Options is either missing or not set to 'nosniff'
  SecRuleRemoveById 200002             # Failed to parse request body


  # UPLOADS ( 5 MB max excluding file size )
  SecRequestBodyNoFilesLimit 5242880


  # GENERAL
  SecRuleRemoveById 960017             # Host header is a numeric IP address


  # REGISTERED WARNINGS, BUT DID NOT HAVE TO DISABLE THEM
  #SecRuleRemoveById 981220 900046 981407
  #SecRuleRemoveById 981222 981405 981185 981184
</Directory>

[mimugmail]

No, it's a completely different approach. You have to tune it on your own ...

[Fright]

Is there any way to translate Modsecurity rules IDs to NAXSi IDs?

as far as I can see this is modsec whitelist. not ruleset.

the general approach is that you turn on the naxsi in the learning mode. look at the logs and collect the whitelist from the events of false positives. after that you turn off the learning mode.

[GreenMatter]

Unfortunately...
Just to clarify, while in process of setting up whitelist I check errors in log and for

Code: [Select]

/logout&learning=0&vers=0.56&total_processed=1&total_blocked=1&block=1&cscore0=$policy8caca66bc2054683b0f9dcc96d4bb44c&score0=8&zone0=ARGS&id0=1206&var_name0=requesttoken,
and
/logout&learning=0&vers=0.56&total_processed=23&total_blocked=3&block=1&cscore0=$policyeeb570a227a940a7b044aac8b8faeffc&score0=16&zone0=ARGS&id0=1009&var_name0=requesttoken,I whitelist rules 1206 and 1009. Am I making it right by simply copying respective rules,  changing name and description, setting them to whitelist and removing any arguments and values?
Basic or Main rule? For example as it is in att. screenshot.


One more thing, I can't identify correctly rule in following string:

Code: [Select]

&learning=0&vers=0.56&total_processed=62&total_blocked=1&block=1&zone0=BODY&id0=11&var_name0=,Is it Body 11? Doesn't seem to be correct ID...

[Fright]

yes. make basic rule with ID of rule you want to exclude and "Whitelist" in MatchType.
make policy with whitelist rules you want to apply to location.
attach whitelist policy to location.

Is it Body 11? Doesn't seem to be correct ID...

its just ID = 11
its internal rule. not in rulesets. but you still can whitelist it by ID

for references:
https://github.com/nbs-system/naxsi/blob/master/naxsi_config/naxsi_core.rules

[GreenMatter]

Thanks for patience and help!
Last question, By enabling only security rules and not choosing custom policies, location has all basic or main rules active? What's a difference between them (main and basic)?

[Fright]

little about rules:
https://zero.bs/naxis-rules-manual.html

By enabling only security rules and not choosing custom policies, location has all basic or main rules active?

part of. if I get you right. when you enable waf on location but not custom policies, you are left with only two main rules - ID 17 and ID 18. generic detecting of  SQL injections and cross-site scripting (xss). and try to control this rules by fileds "Block XSS Score" and "Block SQL Injection Score". other main rules not applied
(about libinjecton https://github.com/nbs-system/naxsi/wiki/libinjection-integration)
you can always see what rules/policies actually applied to location by looking at the nginx.conf

[GreenMatter]

Strange thing, once whitelist rule is enabled in location, Nginx doesn't record any new errors. I did set was whitelist policy to block, drop, allow and log (att. screenshot) and it doesn't change Nginx behavior. In rule I have set:
Description - Whitelist
ID - i.e. 1009
Rule Type - Basic
Match Type - Whitelist
Part of location block looks as following:

Code: [Select]

location  / {
    SecRulesEnabled;
    BasicRule wl:19;
    CheckRule "$policy6298af02d84e47f39f2489ec77a92aaa >= 8" BLOCK;
    CheckRule "$policy8caca66bc2054683b0f9dcc96d4bb44c >= 8" BLOCK;
    CheckRule "$policy9016671b2ac443bfaae9d74836e045af >= 8" BLOCK;
    CheckRule "$policy4c041911949f42e5a3e5c5b8d31c65fd >= 8" BLOCK;
    BasicRule wl:11;


    BasicRule wl:1009;


    BasicRule wl:1206;


    CheckRule "$policy4e07ebd58e85405e8f0b9ccaf2398aaa >= 8" LOG;
    CheckRule "$policye6a7ab1e0b6b45149022b45c2cf63345 >= 8" BLOCK;
    CheckRule "$policyeeb570a227a940a7b044aac8b8faeffc >= 8" BLOCK;
    DeniedUrl "/waf_denied.html";


And because of that, I'm not able to continue whitelisting as I don't see new NASXi errors (for example, I'm not able yet to upload a file with WAF Policies enabled)...

[GreenMatter]

For those who might have it found useful - attached are discovered IDs to be whitelisted for SOGo and Nextcloud...
If you know about other IDs, please share them!

[Fright]

for example, I'm not able yet to upload a file with WAF Policies enabled

oddly
so you get "Request Denied For Security Reasons" page and nothing in logs?
and how it works in LearningMode?

[GreenMatter]

so you get "Request Denied For Security Reasons" page and nothing in logs?
and how it works in LearningMode?

I haven't seen any Request Denied page, simply upload didn't want to commence.

In learning mode I could have seen only IDs which were already included in newly created whitelist policy - when it was not selected in location of course. Thus I thought it must be something related to browsers - I use them in and out of VPN mode (so accesing in LAN - no waf - Naxsi trusted, and from WAN - with waf on), so maybe it was something about cache. Anyway after clearing caches in Chrome and Safari it seems it works. Of course I need to monitor it because I might not have checked all options... 

[Fright]

yes, based on your answer, it has nothing to do with naxsi. it may be nginx conf but definitely not naxsi