NAXSI Whitelists in NGINX not generating Match Values

Started by KuroCyborg, November 09, 2023, 06:32:07 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
November 09, 2023, 06:32:07 AM
There's an issue I'm experiencing where the NGINX plugin is not generating Match Values when whitelisting a rule within NAXSI. The NAXSI config in /usr/local/etc/nginx/nginx.conf is different from the config in OPNsense. I attached a screenshot of a whitelisted rule in the OPNsense GUI to compare with it's generated counterpart below:

BasicRule wl:1010,1011 "mz:$URL:/displaynames|BODY";

The "users" Match Value in the attachment is not generated in the nginx.conf file and omitted completely. This rule is just an example, but this applies to all the whitelisted rules I have. Not sure if this is a bug, an unimplemented feature, a working as-is feature or just a layer 8 issue. Has anyone come across this?
November 09, 2023, 05:37:48 PM #1
hi
are you sure that Match Patterns are allowed in the WL rules? (I thought not)
https://github.com/wargio/naxsi/blob/main/docs/whitelists-bnf.md
November 09, 2023, 07:29:16 PM #2
Hey Fright,

Isn't the Match Value in the web gui generating the BODY_VAR:string value in the MatchZone whitelist?

Under the MatchZone whitelist example from the github URL, I see this:

BasicRule wl:4242 "mz:$ARGS_VAR:foo|$URL:/x";

foo would be the ARS_VAR variable in the Match Value portion of the NAXSI Rule. Or that's how I think I understand it....
November 09, 2023, 07:59:03 PM #3
No ) Match Value is the value for the Match Pattern: https://github.com/wargio/naxsi/blob/main/docs/rules-bnf.md#match-pattern
so it would be something like
Code Select
MainRule id:4242 str:users "mz:$URL:/displaynames|BODY";
if you generated a MainRule
but the WL rules do not contain Match Patterns AFAIK
(maybe it's worth adding this comment to the Match Value help text)
To Match Zones like
Code Select
BasicRule wl:1255 "mz:$URL:/displaynames|$BODY_VAR:users";
you can try to use "Search in specific GET (/POST) argument".
maybe this will help get the desired result
November 09, 2023, 11:29:53 PM #4
That was it. I was definitely getting the options mixed up. A comment to the Match Value would of been helpful for sure.

I appreciate your help.

I do have one last question though, can we pipe multiple arguments together like

Code Select
BasicRule wl:1007,1008 "mz:$URL_X:^/displaynames$|$BODY_VAR_X:^(users|display)$";
November 10, 2023, 07:21:02 PM #5
Hi
sorry, i think there is some obvious limitations of using "|" in mz (https://github.com/nbs-system/naxsi/issues/400).
so you will need to do some trick to not use "|"
something like ^(users)?(display)?$ may be?
November 11, 2023, 07:22:08 PM #6
Yup, that trick was it. Thanks again for your help :D
Print
Go Up Pages1
User actions