Could naxsi support block empty user-agent?

Started by akong77, November 05, 2020, 02:42:39 AM

Previous topic - Next topic
Print
Go Down Pages1 2
User actions
November 05, 2020, 02:42:39 AM
Hello,
I know nginx can use hook to add block empty user-agent.I want know naxsi could support it?
November 05, 2020, 11:08:32 AM #1
it should
may be something like:
Code Select
MainRule negative id:1700 "rx:^(?!\s*$).+" "msg:Empty_UA" "mz:$HEADERS_VAR_X:User-Agent"
not tested
November 06, 2020, 03:05:56 AM #2
OK,I will test it.Thanks a lot.
November 06, 2020, 03:16:46 AM #3
I test it.It's can't block it.
November 06, 2020, 05:17:22 AM #4
test it. works
Code Select
curl -H "User-Agent;" http://myCA_CRL_URL

Code Select
*32507 NAXSI_EXLOG: ip=some_ip&server=my_serever&uri=%2Fcrl_file&id=1700&zone=HEADERS&var_name=user-agent&content=, client: some_ip, server: my_server, request: "GET /my.crl HTTP/1.1", host: "my_server
November 06, 2020, 06:41:40 AM #5
If you try
Quotecurl -A '' -H 'User-Agent;' http://web -I
November 06, 2020, 06:49:35 AM #6
Sorry,I make mistake.It's can block it.Thanks a lot.
I want know about naxsi.It's can choose drop connection this option.What the different block request and drop connection?I test it.I feel no different.
November 06, 2020, 07:34:26 AM #7
https://github.com/nbs-system/naxsi/wiki/rules-bnf
Quotespecifiy an action such a BLOCK (blocks the request in non-learning mode) or DROP (blocks the request even in learning mode)
DROP is not "DROP connection". its block even in learning mode
November 06, 2020, 07:50:15 AM #8
So,Whatever choose block request or drop connection it's always show opnsense request denied webpage.
Right?
November 06, 2020, 08:02:49 AM #9
yep
November 06, 2020, 11:13:54 AM #10
Quote from: Fright on November 05, 2020, 11:08:32 AM
it should
may be something like:
Code Select
MainRule negative id:1700 "rx:^(?!\s*$).+" "msg:Empty_UA" "mz:$HEADERS_VAR_X:User-Agent"
not tested
Hello,I test it.
If I use browers like firefox to see http://ab.aspa.idv.tw.it's also show Request Denied.
You can check http://ab.aspa.idv.tw
November 06, 2020, 11:47:38 AM #11
and whats in the "HTTP Error logs" for this requests?
November 06, 2020, 12:39:59 PM #12
Quote*19 NAXSI_FMT: ip=219.84.34.52&server=ab.aspa.idv.tw&uri=/&learning=0&vers=0.56&total_processed=12&total_blocked=10&block=1&cscore0=$policy20906cd5e25e413f9fe6e733c38d3586&score0=16&zone0=HEADERS&id0=15001&var_name0=user-agent&zone1=HEADERS|NAME&id1=15001&var_name1=user-agent, client: 219.84.34.52, server: ab.aspa.idv.tw, request: "GET / HTTP/1.1", host: "ab.aspa.idv.tw"

Quote*19 NAXSI_FMT: ip=219.84.34.52&server=ab.aspa.idv.tw&uri=/favicon.ico&learning=0&vers=0.56&total_processed=13&total_blocked=11&block=1&cscore0=$policy20906cd5e25e413f9fe6e733c38d3586&score0=16&zone0=HEADERS&id0=15001&var_name0=user-agent&zone1=HEADERS|NAME&id1=15001&var_name1=user-agent, client: 219.84.34.52, server: ab.aspa.idv.tw, request: "GET /favicon.ico HTTP/1.1", host: "ab.aspa.idv.tw", referrer: "http://ab.aspa.idv.tw/"
November 06, 2020, 03:03:10 PM #13
Quotezone1=HEADERS|NAME
and how exactly rule 15001 looks like?
and can you enable "Extensive Naxsi Log" in server properties and post NAXSI_EXLOG log for blocked request?
November 06, 2020, 03:46:59 PM #14
QuoteMainRule id:15001 "rx:^(?!\s*$).+" "msg:Empty UA" "mz:$HEADERS_VAR_X:User-Agent" "s:$policy20906cd5e25e413f9fe6e733c38d3586:8";
Print
Go Up Pages1 2
User actions