ReJeCtAll / naxsi

Automatically exported from code.google.com/p/naxsi

how to cause naxsi to block identified malicious requests #5

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
I have followed the instructions at Wiki-Howto yet cannot get naxsi to 
block whatever the http_config.py server identifies as a malicious request.

I have built a small server which accepts anything, for instance,

curl weakserver.mydomain.com -d \
 "a=1&b=<script src='http://virushub.com/cookie-eater.js'></script>"

Outputs:

<h1>a</h1>1
<h1>b</h1>
<script src='http://virushub.com/cookie-eater.js'></script>

I have set nginx to reverse proxy that server, yet malicious requests are 
coming through without any problem.

When I issue that curl request, on the http_config.py console I get

# python http_config.py -v 3
done.
Starting server, use <Ctrl-C> to stop
Exception catched.
ExUrl: 
server=&uri=/&ip=95.35.93.106&zone0=BODY&id0=1009&var_name0=b&zone1=BODY&id1=1013&var_name1=b&zone2=BODY&id2=1100&var_name2=b&zone3=BODY&id3=1302&var_name3=b&zone4=BODY&id4=1303&var_name4=b&zone5=BODY&id5=1306&var_name5=b
already present in tmp_rules ...
...
...
already present in tmp_rules ...

and in the curl window I get:

<h1>a</h1>1
<h1>b</h1>
<script src='http://virushub.com/cookie-eater.js'></script>

Lynx http://localhost:4242 shows

   You currently have 0.0 rules generated by naxsi.You have a total of
   28.0 exceptions hit.Authorizing :

I wonder what is missing from my setup to make naxsi block those, rather than 
just print them out to the screen or save them in a database.

**********************************************
/etc/nginx/sec-rules/nbs.rules 
**********************************************
LearningMode;
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";

include "/tmp/naxsi_rules.tmp";

## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
-------------8<---------------8<--------------

Original issue reported on code.google.com by tzury...@reguluslabs.com on 6 Oct 2011 at 3:39

GoogleCodeExporter commented 8 years ago
Hello,

I'm not sure if I correctly identified your issue.
http_config.py & LearningMode should be used to make naxsi learn the false 
positives of your site.
So, if while in learning mode, you emit 'evil' requests (like the one above), 
you are telling naxsi to allow this kind of request. While using 
http_config.py & learning mode, you should only emit legit requests.

If you want naxsi to block the requests, you must disable LearningMode. (cf. 
http://code.google.com/p/naxsi/wiki/LearningMode).

"""As explained earlier, while in LearningMode, naxsi won't block any requests, 
but it will as well post them (using nginx's post_action mechanism) to the 
DeniedUrl location.""" If you make your DeniedUrl point to your http_config.py, 
blocked requests will then be forwarded to http_config.py to generate the 
appropriate whitelists.

Original comment by ori...@gmail.com on 6 Oct 2011 at 9:23
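To make the mechanism in the reply above concrete, here is an added example in Python (not http_config.py and not code from this thread). It takes the exception query string naxsi POSTed to DeniedUrl in the report (the ExUrl line, reassembled from its wrapped console output), splits it into the per-zone rule hits, and turns them into the kind of whitelist a learning tool would produce; it also checks a rules file for an uncommented LearningMode directive, which is the single setting that decided whether the reporter's request was blocked. Assumptions: the whitelist text follows naxsi's documented `BasicRule wl:<ids> "mz:<zone>";` form (the page does not show what http_config.py itself emits), and the two rules-file strings are constructed from the nbs.rules posted in the issue.

```python
"""
What naxsi's LearningMode does with the request from the issue: nothing is
blocked, the matched rule ids are POSTed to DeniedUrl as a query string, and
a learning tool turns that string into whitelists.  Added example, not naxsi's
own http_config.py.
"""
import re
from urllib.parse import parse_qs

# Constructed input: the ExUrl line from the issue's http_config.py console,
# with the wrapped lines joined back together.
SAMPLE_EXCEPTION = (
    "server=&uri=/&ip=95.35.93.106"
    "&zone0=BODY&id0=1009&var_name0=b"
    "&zone1=BODY&id1=1013&var_name1=b"
    "&zone2=BODY&id2=1100&var_name2=b"
    "&zone3=BODY&id3=1302&var_name3=b"
    "&zone4=BODY&id4=1303&var_name4=b"
    "&zone5=BODY&id5=1306&var_name5=b"
)

# Constructed from the nbs.rules file in the issue, and the same file with
# LearningMode commented out, which is the change that made naxsi block.
LEARNING_RULES = """\
LearningMode;
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";
CheckRule "$XSS >= 8" BLOCK;
"""
BLOCKING_RULES = LEARNING_RULES.replace("LearningMode;", "#LearningMode;")


def parse_exception(query):
    """Split a naxsi exception query string into (server, uri, ip, hits),
    where hits is a list of (zone, rule_id, var_name) in naxsi's order."""
    fields = parse_qs(query, keep_blank_values=True)

    def first(key):
        return fields.get(key, [""])[0]

    hits = []
    i = 0
    while f"id{i}" in fields:   # naxsi numbers matches zone0/id0/var_name0, ...
        hits.append((first(f"zone{i}"), int(first(f"id{i}")), first(f"var_name{i}")))
        i += 1
    return first("server"), first("uri"), first("ip"), hits


def generate_whitelists(query):
    """Collapse the hits into BasicRule whitelist lines, one per match zone.
    Uses naxsi's documented 'wl:<ids> "mz:<zone>"' form; $BODY_VAR:b means
    'the body parameter named b'.  That http_config.py emits exactly this
    text is an assumption, not something the issue shows."""
    _, _, _, hits = parse_exception(query)
    by_zone = {}
    for zone, rule_id, var_name in hits:
        mz = f"${zone}_VAR:{var_name}" if var_name else zone
        ids = by_zone.setdefault(mz, [])
        if rule_id not in ids:
            ids.append(rule_id)
    return [
        f'BasicRule wl:{",".join(str(i) for i in ids)} "mz:{mz}";'
        for mz, ids in by_zone.items()
    ]


def learning_mode_enabled(rules_text):
    """True if an uncommented 'LearningMode;' directive is present, i.e. naxsi
    will log and forward exceptions to DeniedUrl but never block."""
    for line in rules_text.splitlines():
        code = line.split("#", 1)[0].strip()   # drop trailing comments
        if re.fullmatch(r"LearningMode\s*;", code):
            return True
    return False


if __name__ == "__main__":
    server, uri, ip, hits = parse_exception(SAMPLE_EXCEPTION)
    print(f"uri={uri!r} ip={ip} rules hit on b: {[h[1] for h in hits]}")
    for line in generate_whitelists(SAMPLE_EXCEPTION):
        print(line)
    for name, text in (("nbs.rules as posted", LEARNING_RULES),
                       ("LearningMode commented out", BLOCKING_RULES)):
        print(f"{name}: blocks={not learning_mode_enabled(text)}")
```

Run against the reporter's exception string, the six hits all land on body parameter `b`, so they fold into a single whitelist for `$BODY_VAR:b`; had that been fed back into /tmp/naxsi_rules.tmp, the injected script tag would have been permanently allowed, which is why the reply says only legitimate traffic belongs in a learning run.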

GoogleCodeExporter commented 8 years ago
That is my fault in understanding the innovative concept.
Disabled the learning mode and now all is fine!

thanks a lot.

Original comment by tzury...@reguluslabs.com on 6 Oct 2011 at 11:45

GoogleCodeExporter commented 8 years ago

Original comment by didier.c...@googlemail.com on 7 Oct 2011 at 9:01