NAXSI Whitelist Generation

Started by utahbmxer, May 06, 2020, 02:02:56 AM

Hi
Been playing with OPNsense for several months and just replaced my home firewall (Sophos XG) with OPNsense.  I used the NGINX (with NAXSI default rules) plugin to configure all my sites. I set up the first server with the hostname "_" so that it gets any traffic that does not match my valid site names; this "HTTP server" also has a Deny ACL of 0.0.0.0/0.  If you hit my WAF with the IP or any other SNI hostnames that don't match, you get a 403 response, which is what the WAF on my XG did, and while it's security through obscurity it seems to work great.

I tried to use NXAPI on another workstation, but it seems like it's designed to run on the actual web servers, as it seems to be trying to pull rules from an already configured list.  I don't want to dig through the error log manually and try to create whitelists, but I guess if that's all that will work here, then so be it.

What are some suggestions, what are others doing here for whitelist creation?

Thanks!
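The whitelist-generation step the poster asks about can be done offline against a copy of the nginx error log rather than through nxapi and Elasticsearch. The script below is an added example for this thread, not code from the OPNsense plugin or the naxsi project: it parses NAXSI_FMT entries, counts each (rule id, zone, variable, URI) combination, and emits standard `BasicRule wl:` lines only for combinations seen from several distinct client IPs, so that a single attacker probing one parameter does not become a whitelist. The log lines, hostnames, addresses and rule ids in `SAMPLE_LOG` are constructed, and the thresholds `min_hits`/`min_ips` are this example's own choice.

```python
"""Generate NAXSI whitelist (BasicRule wl:...) lines from NAXSI_FMT error-log entries.

Added example for this thread, not OPNsense or naxsi code. It reads the nginx
error log directly instead of pulling events from Elasticsearch as nxapi does.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Constructed sample lines in the NAXSI_FMT layout (not captured from a real
# host). Each event carries numbered (zone, id, var_name) triples; the second
# line is a single request that triggered two rules in the body zone.
SAMPLE_LOG = """\
2020/05/06 02:02:56 [error] 1234#0: *11 NAXSI_FMT: ip=192.0.2.10&server=www.example.com&uri=/blog/post.php&learning=1&vers=0.56&total_processed=12&total_blocked=1&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var_name0=q, client: 192.0.2.10, server: www.example.com, request: "GET /blog/post.php?q=select HTTP/1.1", host: "www.example.com"
2020/05/06 02:03:10 [error] 1234#0: *12 NAXSI_FMT: ip=192.0.2.11&server=www.example.com&uri=/login&learning=1&vers=0.56&total_processed=13&total_blocked=2&block=1&cscore0=$SQL&score0=4&cscore1=$XSS&score1=8&zone0=BODY&id0=1001&var_name0=user&zone1=BODY&id1=1302&var_name1=comment, client: 192.0.2.11, server: www.example.com, request: "POST /login HTTP/1.1", host: "www.example.com"
2020/05/06 02:04:00 [error] 1234#0: *13 NAXSI_FMT: ip=192.0.2.12&server=www.example.com&uri=/blog/post.php&learning=1&vers=0.56&total_processed=14&total_blocked=3&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var_name0=q, client: 192.0.2.12, server: www.example.com, request: "GET /blog/post.php?q=select HTTP/1.1", host: "www.example.com"
2020/05/06 02:05:00 [error] 1234#0: *14 NAXSI_FMT: ip=198.51.100.5&server=www.example.com&uri=/admin.php&learning=1&vers=0.56&total_processed=15&total_blocked=4&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var_name0=id, client: 198.51.100.5, server: www.example.com, request: "GET /admin.php?id=1 HTTP/1.1", host: "www.example.com"
"""

# The query-string style payload sits between "NAXSI_FMT: " and ", client: ".
FMT_RE = re.compile(r"NAXSI_FMT: (?P<qs>.*?), client: ")

# NAXSI log zone name -> whitelist matchzone variable selector.
ZONE_TO_MZ = {
    "ARGS": "$ARGS_VAR",
    "BODY": "$BODY_VAR",
    "HEADERS": "$HEADERS_VAR",
}


def parse_naxsi_fmt(line):
    """Return a list of {ip, uri, zone, id, var} dicts for one log line,
    one per matched rule, or [] if the line is not a NAXSI_FMT entry."""
    m = FMT_RE.search(line)
    if not m:
        return []
    kv = {k: v[0] for k, v in parse_qs(m.group("qs"), keep_blank_values=True).items()}
    events = []
    i = 0
    while f"id{i}" in kv:
        events.append({
            "ip": kv.get("ip", ""),
            "uri": kv.get("uri", ""),
            "zone": kv.get(f"zone{i}", ""),
            "id": int(kv[f"id{i}"]),
            "var": kv.get(f"var_name{i}", ""),
        })
        i += 1
    return events


def whitelist_rule(ev):
    """Build the narrowest BasicRule whitelist for one event: the rule id,
    scoped to the URI and, where the log gives one, the variable name."""
    base, _, flag = ev["zone"].partition("|")   # "ARGS|NAME" means the var name matched
    if base == "URL":
        mz = f"$URL:{ev['uri']}"
    elif base in ZONE_TO_MZ and ev["var"]:
        mz = f"$URL:{ev['uri']}|{ZONE_TO_MZ[base]}:{ev['var']}"
    else:
        mz = f"$URL:{ev['uri']}|{base}"          # whole zone on that URI
    if flag == "NAME":
        mz += "|NAME"
    return f'BasicRule wl:{ev["id"]} "mz:{mz}";'


def generate_whitelists(log_text, min_hits=2, min_ips=2):
    """Aggregate events and emit one rule per (id, zone, var, uri) seen at
    least min_hits times from at least min_ips distinct client IPs. The IP
    threshold is the important filter: learning from a log that also contains
    real attack traffic must not whitelist one attacker's probing."""
    hits = Counter()
    ips = defaultdict(set)
    sample = {}
    for line in log_text.splitlines():
        for ev in parse_naxsi_fmt(line):
            key = (ev["id"], ev["zone"], ev["var"], ev["uri"])
            hits[key] += 1
            ips[key].add(ev["ip"])
            sample.setdefault(key, ev)
    rules = []
    for key in sorted(hits):
        if hits[key] >= min_hits and len(ips[key]) >= min_ips:
            rules.append(whitelist_rule(sample[key]))
    return rules


if __name__ == "__main__":
    # With the constructed sample only /blog/post.php?q= qualifies; the other
    # three hits are single-source and stay blocked for a human to review.
    for rule in generate_whitelists(SAMPLE_LOG):
        print(rule)
```

Run it against a copy of the error log taken from the firewall (the NAXSI events land there, not in the access log). Review each emitted line before loading it: a whitelist scoped to `$URL` plus a named variable is as narrow as NAXSI allows, and anything broader than that (a whole zone, or no URL) should be a deliberate decision rather than script output.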

Just also discovered that the error logs don't go to Syslog targets like the access logs do.  I am not seeing an option in the GUI.  Seems syslog servers could be useful for errors?

NXAPI expects you to export the logs into an Elasticsearch database and uses it as the data source:

https://github.com/nbs-system/naxsi/tree/master/nxapi
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

Right, I knew that.  It looks like it was having issues with the latest version of ES.  I installed 5.6 and it's working now.  I also took the rules out of the conf file from the firewall and it appears to see everything now.

Still, it would be nice to see NAXSI events (error log) in the syslog servers.  Where do I add feature requests, or does the GitHub repo allow pull requests if we add some features to the plugins, etc.?

> Where do I add feature requests, or does the GitHub repo allow pull requests if we add some features to the plugins, etc.?

Both can be done on GitHub. Make sure to open the feature request issues on the plugin repository with NGINX in the title.
There you can also fork and create pull requests.