Author Topic: Could naxsi support block empty user-agent? (Read 9500 times)

akong77 · « **Reply #15 on:** November 06, 2020, 03:48:10 pm »

Quote

and can you enable "Extensive Naxsi Log" in server properties and post NAXSI_EXLOG log for blocked request?

Where is these setup?on opnsense?or web server?

Fright · « **Reply #16 on:** November 06, 2020, 04:02:57 pm »

Quote

Code: [Select]
MainRule id:15001 "rx:^(?!\s*$).+" "msg:Empty UA" "mz:$HEADERS_VAR_X:User-Agent"

forgot to negate? now you blocking any request with non-empty UA header

Code: [Select]

MainRule negative id:15001 "rx:^(?!\s*$).+" "negative" to block request that does not satisfy non-emtpy UA

Quote

Where is these setup?on opnsense?or web server?

OPN->services->Nginx->configuration->Edit HTTP Server->advanced mode

akong77 · « **Reply #17 on:** November 06, 2020, 04:13:45 pm »

Ohh...Sorry,I miss this option.Thanks a lot.

akong77 · « **Reply #18 on:** November 06, 2020, 04:21:04 pm »

Please see follow:

Quote

MainRule id:10000 "str:gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data\:\/" "msg:URL charset" "mz:URL" "s:$policy1a275df7733e4aef813ecb4917637d
40:8"

I want block some charset on url.Could I set wrong?

Fright · « **Reply #19 on:** November 07, 2020, 07:24:49 am »

Quote

"str:gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data\:\/"

since you use regex its should be "rx:" not "str:"
what "\:\/" part for?

akong77 · « **Reply #20 on:** November 07, 2020, 10:03:08 am »

Sorry,the full rule I fix it.

Quote

MainRule id:10000 "rx:(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/" "msg:URL charset" "mz:URL" "s:$policy1a275df7733e4aef813ecb4917637d40:8";

I want block url string have like ftp:/ or ldap:/ this string.I has edit to rx.Is right?

Fright · « **Reply #21 on:** November 07, 2020, 11:30:46 am »

regex looks fine but
can you show an example of url you want to block?
URL zone contain string between server name and first "?" sign (ie if https://forum.opnsense.org/index.php?action=post requested then URL = /index.php, "action" is Argument. Arguments of POST request is in BODY zone).
so what exactly you want to block?

akong77 · « **Reply #22 on:** November 09, 2020, 01:32:06 am »

like
http://url/php:/

Fright · « **Reply #23 on:** November 09, 2020, 08:18:35 am »

hm. if the question is theoretical, then yes. rule should work.
but RFI (remote file inclusion) works by parameters (arguments), not url itself
(ie http://www.example.com/vuln_page.php?file=http://www.hacker.com/shell.php)
and naxsi have examples of obvious rfi protecion (IDs:1100-1199)

akong77 · « **Reply #24 on:** November 10, 2020, 10:47:32 am »

Hello,
Could I redirect client 403 page when rule match?

Fright · « **Reply #25 on:** November 10, 2020, 02:00:03 pm »

I did not understand the question.
you want to send 403 status? change html page?
yes you can
https://github.com/nbs-system/naxsi/wiki/directives#deniedurl

Quote

when rule match?

when access blocked.
DeniedUrl is directive in location block. you cant set it for one rule

Author Topic: Could naxsi support block empty user-agent? (Read 9500 times)

akong77

Re: Could naxsi support block empty user-agent?

Fright

Re: Could naxsi support block empty user-agent?

akong77

Re: Could naxsi support block empty user-agent?

akong77

Re: Could naxsi support block empty user-agent?

Fright

Re: Could naxsi support block empty user-agent?

akong77

Re: Could naxsi support block empty user-agent?

Fright

Re: Could naxsi support block empty user-agent?

akong77

Re: Could naxsi support block empty user-agent?

Fright

Re: Could naxsi support block empty user-agent?

akong77

Re: Could naxsi support block empty user-agent?

Fright

Re: Could naxsi support block empty user-agent?