NAXSI

Started by someone, December 23, 2025, 09:47:02 PM

Can anyone tell me if the WAF NAXSI operating in the os-nginx plugin is working? It says it was archived.


@fastboot you posted this 3 times. If I see another one you get a temp ban, because this will be considered spam.


Cheers,
Franco

December 24, 2025, 09:42:00 AM #3 Last Edit: December 24, 2025, 09:52:32 AM by Patrick M. Hausen
Wouldn't it be more productive to temporarily ban users spamming wild completely unsubstantiated claims about how "they" hack into your OPNsense after "hijacking your browser" and similar nonsense?

Imagine a beginner stumbling on these posts and taking the advice for real.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hello Franco,

I do understand your point.
Nonetheless... that person is a troll. Flooding the forum with bullshit bingo, which potentially harms others.

It would be appreciated if you can do something against such nonsense posts. Especially as that person has been proven wrong many times.

The user was warned here

https://forum.opnsense.org/index.php?topic=50200.0

The threads have also been moved to general discussion so the lower frequency of the intrusion detection board cannot be used as a personal blog.

Banning right away without a warning is not nice.
Hardware:
DEC740

I did not suggest without a warning. 🙂

December 24, 2025, 10:52:06 AM #7 Last Edit: December 24, 2025, 10:53:45 AM by franco
> Nonetheless... that person is a troll. Flooding the forum with bullshit bingo, which potentially harms others.

Yeah, trolling back is not a great plan.

Just report the thread(s) and we'll deal with it.


Cheers,
Franco

December 25, 2025, 07:12:05 PM #8 Last Edit: January 07, 2026, 04:18:49 AM by someone

And thanks, I wouldn't be online if it were not for OPNsense.

December 25, 2025, 08:08:16 PM #9 Last Edit: December 25, 2025, 08:32:16 PM by Patrick M. Hausen
Quote from: someone on December 25, 2025, 07:12:05 PM: It can be put on OPNsense

No, it cannot. OPNsense is based on FreeBSD, not Linux.

Quote from: someone on December 25, 2025, 07:12:05 PM: Connected to three social media servers and browser servers, about 50 attacks per hour via browser

What exactly is this supposed to mean? When I go to e.g. bsky.app I do not see any "attacks via browser".
Show these attacks or I still call bullshit.

If you mean your browser is opening dozens of connections when you view a website? Yes, of course. That's how the web works nowadays. It's loading static assets from some CDN, fonts from Google, and finally all those wonderful ads combined with "metrics", i.e. tracking mechanisms.

None of this is an attack.

December 25, 2025, 09:13:45 PM #10 Last Edit: December 25, 2025, 09:15:39 PM by someone
The plan is to use nginx to decrypt and send packets to Suricata, where I'll put in some keyword rules to grab the commands in the payload and log all of it, and will find out what IP they are coming from. A lot of TLSv1.1 for me, so it shouldn't be too difficult.

December 27, 2025, 01:50:28 AM #11 Last Edit: December 27, 2025, 01:55:57 AM by someone
You guys are great and the forum.
So I want to mention something if you don't mind, I am not always watching.
While you are on the forum sometimes, have a terminal open watching for connections as you go through the pages.
This checks the forum for some types of malware should a bad guy do such.
This is checking for embedded software in icons and photos and anything uploaded.
It is undetectable by programs, takes me days with specialized hacking programs and AI to check a single small photo.
CyberChef and a couple of others and Google AI really speed it up.
So I wanted to mention watching connections is a way faster method in one respect.
Files are another thing; thought I would mention it.

December 27, 2025, 02:34:13 AM #12 Last Edit: December 27, 2025, 05:06:48 AM by OPNenthu
If you're saying that legitimate websites like this forum are hosting malicious payloads, then please show us.  You have the burden of proof.

Today at 02:00:48 AM #13 Last Edit: Today at 02:19:19 AM by someone
A few things.
My first OPNsense instance was protected by AppArmor because it was a VM, shared systems.

OK, I found out more on what my attacks are.
One, the blocked commands I was picking up in logs are in line with crypto malware.

Two, how it gets there through the browser.
I didn't have a name for it but IBM and global security do. It's called zero-click attacks.
It's been in CVEs since the year 2000; no one can fix it yet.

IBM has a video on zero-click attacks and the first two seconds of it say, boom, you're hacked, just that fast.
It's software of different types downloaded through the browser; two names: Pegasus, Stagefright, that's just two,
not counting all the others and the variations of it, the amount of code varies.
They affect phones and computers. All they have to do to hack your phone is call you.
You don't have to answer or even touch your phone and you're hacked.
There is more information on these types of attacks, just some of millions of attacks.
This software is sold to people; the one shown was subscription based, strange, around 700 a year.
Reason it's hard to see: it's not just encrypted, it can be double encrypted, it can be obfuscated before encryption,
so decrypting packets doesn't pick it up, they usually skip it.
Remember I was talking about the hands-on tools to see and break down this embedded malware code.
Anyway, these attacks, different types, come through the browser, and affect your phone.
Yes, I hunt them in spare time sometimes, and bug bounty.
Have found a few, I didn't save them, they are dangerous around your system, I'll have to save them from now on.
And the corporations didn't offer to pay me, they did ask me to help.

Quote from: someone on Today at 02:00:48 AM: A few things
Your latest post contains a large number of claims, but unfortunately no verifiable technical evidence.

In detail:
To be clear and constructive, please provide concrete proof for the following statements:

1. AppArmor on OPNsense / FreeBSD
OPNsense is based on FreeBSD. AppArmor is a Linux-specific LSM and does not exist on FreeBSD.
If you claim it was "protecting" an OPNsense instance, please explain how, including:
- exact OS version
- where AppArmor was loaded
- how it was enforced on FreeBSD

2. "Crypto malware commands found in logs"
Please provide:
- example log entries
- the exact protocol and payload
- how you verified these were malware commands and not normal application traffic

3. Zero-click attacks via browser affecting OPNsense
Zero-click exploits (e.g. Pegasus, Stagefright) target end-user operating systems, not a FreeBSD-based firewall appliance.
Please explain:
- how a browser exploit compromises an OPNsense system
- which CVE applies
- how this bypasses FreeBSD's userland separation

4. "Embedded malware in forum images/icons"
This is a very strong claim. If true, it requires evidence:
- hash of a malicious file
- decoded payload
- reproduction steps
Without this, it remains an unsubstantiated allegation.

5. Traffic inspection claims
Monitoring connections alone does not prove malware. Modern web traffic includes CDNs, telemetry, ads, fonts, APIs, etc.
Please show how you distinguish malicious behavior from normal web traffic.

At the moment, your posts consist mostly of buzzwords (zero-click, Pegasus, AI, CVEs, encrypted payloads) without technical depth or reproducible data.

If you have verifiable evidence, please share it.
If not, I strongly suggest continuing these experiments completely privately with your preferred AI tools instead of posting speculative claims here, as this may confuse less experienced users.

This forum works best with facts, logs, CVEs, and reproducible results. NOT assumptions.

In short: STOP that bullshit bingo and go troll somewhere else. Preferably a useless AI.