Could naxsi support block empty user-agent?

Started by akong77, November 05, 2020, 02:42:39 AM

Quote: and can you enable "Extensive Naxsi Log" in server properties and post NAXSI_EXLOG log for blocked request?

Where is this setup? On OPNsense? Or the web server?

November 06, 2020, 04:02:57 PM #16 Last Edit: November 06, 2020, 04:05:05 PM by Fright
Quote: MainRule id:15001 "rx:^(?!\s*$).+" "msg:Empty UA" "mz:$HEADERS_VAR_X:User-Agent"
forgot to negate? now you are blocking any request with a non-empty UA header
MainRule negative id:15001 "rx:^(?!\s*$).+"
"negative" to block a request that does not satisfy non-empty UA

Quote: Where is this setup? On OPNsense? Or the web server?
OPN->services->Nginx->configuration->Edit HTTP Server->advanced mode

Ohh... Sorry, I missed this option. Thanks a lot.

November 06, 2020, 04:21:04 PM #18 Last Edit: November 07, 2020, 03:02:10 AM by akong77
Please see the following:
Quote: MainRule id:10000 "str:gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data\:\/" "msg:URL charset" "mz:URL" "s:$policy1a275df7733e4aef813ecb4917637d40:8"
I want to block some charset in the URL. Could I have set it wrong?

Quote: "str:gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data\:\/"
since you use regex it should be "rx:" not "str:"
what is the "\:\/" part for?

Sorry, I fixed the full rule.

Quote: MainRule id:10000 "rx:(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/" "msg:URL charset" "mz:URL" "s:$policy1a275df7733e4aef813ecb4917637d40:8";

I want to block URLs that contain a string like ftp:/ or ldap:/. I have edited it to rx. Is that right?

regex looks fine but
can you show an example of a url you want to block?
URL zone contains the string between the server name and the first "?" sign (i.e. if https://forum.opnsense.org/index.php?action=post is requested then URL = /index.php, "action" is an argument. Arguments of a POST request are in the BODY zone).
so what exactly do you want to block?


hm. if the question is theoretical, then yes. rule should work.
but RFI (remote file inclusion) works by parameters (arguments), not the url itself
(i.e. http://www.example.com/vuln_page.php?file=http://www.hacker.com/shell.php)
and naxsi has examples of obvious rfi protection (IDs:1100-1199)
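
Added example, not part of any post in this thread and not naxsi's own code: a simplified Python model of the two points above, that a `negative` rule hits when its pattern does not match, and that the URL zone holds only the path while query values are arguments. Rule id 10001, the zone names as dictionary keys, and the sample requests are constructed for the illustration; the model assumes the User-Agent header is present.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Patterns copied from the rules quoted in the thread.
UA_NOT_EMPTY = re.compile(r"^(?!\s*$).+")
SCHEMES = re.compile(r"(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/")

# (id, pattern, zone, negative). 10001 is a hypothetical id added for this
# example to show the same pattern applied to arguments instead of the URL.
RULES = [
    (15001, UA_NOT_EMPTY, "UA", True),
    (10000, SCHEMES, "URL", False),
    (10001, SCHEMES, "ARGS", False),
]

def zones(request_url, user_agent):
    """Simplified zone split: URL is the path only, ARGS are the query values."""
    parts = urlsplit(request_url)
    return {
        "URL": [parts.path],
        "ARGS": [value for _, value in parse_qsl(parts.query, keep_blank_values=True)],
        "UA": [user_agent],  # assumption: the header is present, possibly empty
    }

def rule_hits(pattern, values, negative=False):
    """Plain rule: hit when the pattern matches. Negative rule: hit when it does not."""
    return any((pattern.search(v) is None) == negative for v in values)

def evaluate(request_url, user_agent):
    """Return the ids of the rules that hit for one request."""
    z = zones(request_url, user_agent)
    return [rid for rid, rx, zone, neg in RULES if rule_hits(rx, z[zone], neg)]

if __name__ == "__main__":
    # Constructed sample requests: (url, User-Agent value).
    samples = [
        ("https://forum.opnsense.org/index.php?action=post", "Mozilla/5.0"),
        ("https://forum.opnsense.org/index.php?action=post", ""),
        ("http://www.example.com/vuln_page.php?file=ftp://files.example/x.txt", "Mozilla/5.0"),
        ("http://www.example.com/ftp:/x", "Mozilla/5.0"),
    ]
    for url, ua in samples:
        print(evaluate(url, ua), repr(ua), url)
```

The third sample hits only the ARGS rule, which is why a scheme pattern bound to `mz:URL` does not see an inclusion attempt passed as a parameter.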

Hello,
Could I redirect the client to a 403 page when a rule matches?

I did not understand the question.
you want to send 403 status? change html page?
yes you can
https://github.com/nbs-system/naxsi/wiki/directives#deniedurl

Quote: when a rule matches?
when access is blocked.
DeniedUrl is a directive in the location block. you can't set it for one rule