Author Topic: NAXSI Whitelists in NGINX not generating Match Values  (Read 2124 times)

KuroCyborg (Newbie)
NAXSI Whitelists in NGINX not generating Match Values
« on: November 09, 2023, 06:32:07 am »
There's an issue I'm experiencing where the NGINX plugin is not generating Match Values when whitelisting a rule within NAXSI. The NAXSI config in /usr/local/etc/nginx/nginx.conf is different from the config in OPNsense. I attached a screenshot of a whitelisted rule in the OPNsense GUI to compare with its generated counterpart below:

BasicRule wl:1010,1011 "mz:$URL:/displaynames|BODY";

The "users" Match Value in the attachment is not generated in the nginx.conf file and omitted completely. This rule is just an example, but this applies to all the whitelisted rules I have. Not sure if this is a bug, an unimplemented feature, a working as-is feature or just a layer 8 issue. Has anyone come across this?

Fright (Hero Member)
Re: NAXSI Whitelists in NGINX not generating Match Values
« Reply #1 on: November 09, 2023, 05:37:48 pm »
hi
are you sure that Match Patterns are allowed in the WL rules? (I thought not)
https://github.com/wargio/naxsi/blob/main/docs/whitelists-bnf.md

KuroCyborg (Newbie)
Re: NAXSI Whitelists in NGINX not generating Match Values
« Reply #2 on: November 09, 2023, 07:29:16 pm »
Hey Fright,

Isn't the Match Value in the web gui generating the BODY_VAR:string value in the MatchZone whitelist?

Under the MatchZone whitelist example from the github URL, I see this:

BasicRule wl:4242 "mz:$ARGS_VAR:foo|$URL:/x";

foo would be the ARGS_VAR variable in the Match Value portion of the NAXSI Rule. Or that's how I think I understand it....

Fright (Hero Member)
Re: NAXSI Whitelists in NGINX not generating Match Values
« Reply #3 on: November 09, 2023, 07:59:03 pm »
No ) Match Value is the value for the Match Pattern: https://github.com/wargio/naxsi/blob/main/docs/rules-bnf.md#match-pattern
so it would be something like
MainRule id:4242 str:users "mz:$URL:/displaynames|BODY";

if you generated a MainRule
but the WL rules do not contain Match Patterns AFAIK
(maybe it's worth adding this comment to the Match Value help text)
To Match Zones like
BasicRule wl:1255 "mz:$URL:/displaynames|$BODY_VAR:users";

you can try to use "Search in specific GET (/POST) argument".
maybe this will help get the desired result

KuroCyborg (Newbie)
Re: NAXSI Whitelists in NGINX not generating Match Values
« Reply #4 on: November 09, 2023, 11:29:53 pm »
That was it. I was definitely getting the options mixed up. A comment to the Match Value would have been helpful for sure.

I appreciate your help.

I do have one last question though, can we pipe multiple arguments together like

BasicRule wl:1007,1008 "mz:$URL_X:^/displaynames$|$BODY_VAR_X:^(users|display)$";

Fright (Hero Member)
Re: NAXSI Whitelists in NGINX not generating Match Values
« Reply #5 on: November 10, 2023, 07:21:02 pm »
Hi
Sorry, I think there are some obvious limitations of using "|" in mz (https://github.com/nbs-system/naxsi/issues/400).
so you will need some trick to avoid using "|"
something like ^(users)?(display)?$ maybe?

KuroCyborg (Newbie)
Re: NAXSI Whitelists in NGINX not generating Match Values
« Reply #6 on: November 11, 2023, 07:22:08 pm »
Yup, that trick was it. Thanks again for your help :D
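As an added illustration (not code from the thread, nor from the OPNsense or NAXSI projects) of the two points discussed above, the zone syntax from Reply #3 and the "|" limitation from Reply #5: a small Python model that splits a mz string on "|" the way the thread describes, flags the stray regex tail left by ^(users|display)$, and checks which variable names the ^(users)?(display)?$ workaround actually whitelists. The split-on-"|" rule, the AND-ing of zones and the zone list are simplifying assumptions for the demo, not NAXSI's own parser.

```python
import re

# Match-zone strings quoted in the thread (the mz: part of the BasicRule lines)
PLAIN_MZ = "mz:$URL:/displaynames|BODY"
BROKEN_MZ = "mz:$URL_X:^/displaynames$|$BODY_VAR_X:^(users|display)$"
WORKAROUND_MZ = "mz:$URL_X:^/displaynames$|$BODY_VAR_X:^(users)?(display)?$"

# Zone names accepted by this model (a subset of NAXSI's zones; assumption for the demo)
KNOWN_ZONES = {"URL", "ARGS", "BODY", "HEADERS", "ARGS_VAR", "BODY_VAR", "HEADERS_VAR"}


def parse_mz(mz):
    """Split a 'mz:' string on the '|' zone separator into (zone, is_regex, value).

    Simplified model (assumption): every '|' is a separator, which is why a regex
    alternation such as ^(users|display)$ cannot live inside a single zone.
    A trailing _X on the zone name marks its value as a regex.
    """
    body = mz[3:] if mz.startswith("mz:") else mz
    zones = []
    for token in body.split("|"):
        if not token.startswith("$"):
            zones.append((token, False, None))  # bare zone such as BODY or ARGS
            continue
        name, _, value = token[1:].partition(":")
        is_regex = name.endswith("_X")
        zones.append((name[:-2] if is_regex else name, is_regex, value))
    return zones


def validate_mz(mz):
    """One message per token that is not a recognised zone (e.g. a stray regex tail)."""
    return [f"unknown zone {zone!r}" for zone, _, _ in parse_mz(mz) if zone not in KNOWN_ZONES]


def whitelist_covers(mz, url, var_name):
    """True when every zone in mz accepts the request URL and the variable name.

    Model (assumption, not NAXSI's own code): zones are AND-ed, $URL zones test
    the URL, *_VAR zones test the variable name, bare zones accept any variable.
    """
    for zone, is_regex, value in parse_mz(mz):
        if value is None:
            continue
        subject = url if zone == "URL" else var_name
        matched = re.search(value, subject) is not None if is_regex else subject == value
        if not matched:
            return False
    return True
```

Because both groups in the workaround are optional, it also accepts an empty variable name and the concatenation "usersdisplay", so the whitelist is wider than the two names the poster intended; a separate BasicRule per variable name keeps it exact without needing "|".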
