jcudeveloper / naxsi

Automatically exported from code.google.com/p/naxsi

How to use rules_transformer.py as http_config.py seems not working #20

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
I am running nginx with the naxsi-module enabled on FreeBSD, naxsi installed 
from the ports.

When I follow the how-to to set up naxsi I can run http_config.py and access it 
on port 4242. However, when I call my website there is nothing written to the 
whitelist. It looks like it's not requesting the DeniedUrl-location.

One side note maybe, I am using nginx as a web server so nginx is not running 
as a reverse proxy.

As an alternative I tried to run rules_transformer.py but it only shows me the 
standard output. How to run it? Also I can not see any special log entries in 
error.log after I include the naxsi rules.

Can somebody help?

Original issue reported on code.google.com by benedikt...@gmail.com on 4 Feb 2012 at 7:53

GoogleCodeExporter commented 8 years ago
Hello,

When you are browsing your website, make sure that you enable LearningMode 
first to allow naxsi to learn about your exceptions.
When exceptions are caught, you will:
1) See them in the nginx error log (written by naxsi: NAXSI_FMT...)
2) When the request is sent (as well) to DeniedUrl, you will see debug written 
in the http_config.py console (launch it with debug >= 3 if you have issues)

Please provide compilation options / configuration if it doesn't help.

Original comment by ori...@gmail.com on 4 Feb 2012 at 2:50

GoogleCodeExporter commented 8 years ago
Thanks for your reply.

The LearningMode is active, configuration is the same as in the HowTo.

I set the error_log to debug but all I can find is the notice about rewrites 
taking place. There is no information from NAXSI. I included the core-rules in 
the http-section of the nginx configuration.

nginx was compiled from the ports as follows:

configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I 
/usr/local/include' --with-ld-opt='-L /usr/local/lib' 
--conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx 
--pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx-error.log 
--user=www --group=www --with-file-aio --with-ipv6 
--http-client-body-temp-path=/var/tmp/nginx/client_body_temp 
--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp 
--http-proxy-temp-path=/var/tmp/nginx/proxy_temp 
--http-scgi-temp-path=/var/tmp/nginx/scgi_temp 
--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp 
--http-log-path=/var/log/nginx-access.log --with-http_gzip_static_module 
--with-http_realip_module 
--add-module=/var/ports/usr/ports/www/nginx/work/naxsi-0.42/naxsi_src 
--with-pcre

I followed all steps from the HowTo. I can see nginx is reading the rules but 
it seems like either no exception is raised when surfing my website (would be 
very strange as I faked a lot) or no request is reaching NAXSI.

This is the part of the vhost-configuration:

location / {
  include    "/var/www/config/example.com_naxsi.conf";
  location /RequestDenied {
    proxy_pass http://127.0.0.1:4242;
  }
  ...
}

Besides that, the configuration is the same as in the HowTo. I switched off logging of 
404 for certain files but I don't think this would influence NAXSI, right?

Thanks for your help.

Original comment by benedikt...@gmail.com on 4 Feb 2012 at 4:44

GoogleCodeExporter commented 8 years ago
Hi,

Seems there is an error in your configuration :
location / {
  include    "/var/www/config/example.com_naxsi.conf";
  location /RequestDenied {
    proxy_pass http://127.0.0.1:4242;
  }
  ...
}

/RequestDenied shouldn't be a sublocation of /, but rather another one :)

As well, please provide your example.com_naxsi.conf and infos about what you're 
reading in logs !

Original comment by ori...@gmail.com on 6 Feb 2012 at 2:26

GoogleCodeExporter commented 8 years ago
I tried that, but no use. Besides all my locations are below / which works 
perfectly for memcached for example.

This is my example.com_naxsi.conf:

LearningMode;
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";

include "/var/www/config/example.com_naxsi.rules";

## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

In the logs there is nothing. I get a notice at start up of nginx saying that 
the included whitelist is empty, which is true. In error.log there is no information 
about NAXSI.

For me it looks like the NAXSI core-rules are not applied to a request => it 
won't hit any request which should be denied => no logs => no whitelist.

Thanks for your help.

Original comment by adse...@niessen.ch on 6 Feb 2012 at 2:32

GoogleCodeExporter commented 8 years ago
Did you include the naxsi_core.rules in the http {} block? It might be the source 
of the error. 

Else, please provide me the full conf, I might have some time to check this tonight 
/ tomorrow!

Original comment by ori...@gmail.com on 6 Feb 2012 at 2:56

GoogleCodeExporter commented 8 years ago
Yes, I included the core rules at the beginning of the http-section.

I will post the complete config tonight.

Thanks.

Original comment by adse...@niessen.ch on 6 Feb 2012 at 3:02

GoogleCodeExporter commented 8 years ago
Thanks ! Please provide as well nginx -V :)

Original comment by ori...@gmail.com on 6 Feb 2012 at 3:04

GoogleCodeExporter commented 8 years ago
This is nginx -V:

configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I 
/usr/local/include' --with-ld-opt='-L /usr/local/lib' 
--conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx 
--pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx-error.log 
--user=www --group=www --with-file-aio --with-ipv6 
--http-client-body-temp-path=/var/tmp/nginx/client_body_temp 
--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp 
--http-proxy-temp-path=/var/tmp/nginx/proxy_temp 
--http-scgi-temp-path=/var/tmp/nginx/scgi_temp 
--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp 
--http-log-path=/var/log/nginx-access.log --with-http_gzip_static_module 
--with-http_realip_module 
--add-module=/var/ports/usr/ports/www/nginx/work/naxsi-0.42/naxsi_src 
--with-pcre

Original comment by adse...@niessen.ch on 6 Feb 2012 at 3:08

GoogleCodeExporter commented 8 years ago
Hi, my first tests seem to show that it's working like a charm, so I'll wait 
for the full config as well as the nginx version you used :)

As well, please try with the svn version instead of the old 0.42. 0.43 is 
going to be released very soon and fixes a lot of things!

Original comment by ori...@gmail.com on 6 Feb 2012 at 3:44

GoogleCodeExporter commented 8 years ago
nginx: 1.0.11
naxsi: 0.42

Original comment by adse...@niessen.ch on 6 Feb 2012 at 3:47

GoogleCodeExporter commented 8 years ago
Oh, I think I see the issue ...
Can you please try to include your naxsi config in each of the real locations 
(actually, sublocations here), like:

location / {

  location ~ ^/(robots\.txt|favicon\.ico) {
    log_not_found  off;
  }

  location ^~ /\. {
    deny all;
  }

  try_files  $uri /index.php;

  location ~* \.php$ {
    include    "/var/www/config/example.com_naxsi.conf";
    fastcgi_pass unix:/var/run/php-fpm/example.com;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    include fastcgi_params;
  }
}

Original comment by ori...@gmail.com on 7 Feb 2012 at 8:36

GoogleCodeExporter commented 8 years ago
I included it in every location and expected to see some log in the error.log. 
But there is nothing besides my rewrite-notices.

Shouldn't there be any NAXSI-Log?

Original comment by adse...@niessen.ch on 7 Feb 2012 at 8:54

GoogleCodeExporter commented 8 years ago
Yes, you should see some NAXSI_FMT logs in error.log ...
Can you copy/paste an example of rewrite notice ?
I'll try to find some time to look at it today, but I'll be quite busy :)

Original comment by ori...@gmail.com on 7 Feb 2012 at 9:31

GoogleCodeExporter commented 8 years ago
Oh actually, you should see this in your error log, but seems you don't have 
one for your actual locations.
I'm giving it a try right now :)

Original comment by ori...@gmail.com on 7 Feb 2012 at 9:36

GoogleCodeExporter commented 8 years ago
Hi again !

I just gave your config a try, and it worked; here are my differences:

      location ~* \.php$ {
        include    "/etc/nginx/nbs.rules";
        access_log /var/log/nginx/example.com-access.log;
        error_log /var/log/nginx/example.com-error.log;

Then when I perform a request on a .php, like:
127.0.0.1/a.php?a='a'a'a'a

I get a NAXSI_FMT in the error log.

Can you please try to enable your error log, and perform a bad request on a 
.php ?

Best regards,

Original comment by ori...@gmail.com on 7 Feb 2012 at 9:58

GoogleCodeExporter commented 8 years ago
Ok, now it works. Strange. I just added the include to the php-location as all 
others are rewrites or serving static files. Now I see the log entries.

I don't know why it didn't log them before but they were not there. I checked 
again.

Anyway, now it works.

Thanks a lot!!

Original comment by adse...@niessen.ch on 7 Feb 2012 at 10:10
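
The thread was resolved by putting the naxsi include into the location that actually serves the request (the \.php$ block) rather than only its parent. The script below is an added example, not part of the original thread and not naxsi project code: a heuristic check that lists location blocks which hand requests to a backend but carry no naxsi directives of their own. It assumes one directive or brace per line, a naxsi include file with "naxsi" in its name, and a DeniedUrl of /RequestDenied; the sample config is constructed from the snippets posted above.

```python
import re

# Constructed sample modelled on the vhost layout discussed in the thread.
SAMPLE_CONF = r'''
server {
  location / {
    include "/var/www/config/example.com_naxsi.conf";
    try_files $uri /index.php;
    location ~* \.php$ {
      fastcgi_pass unix:/var/run/php-fpm/example.com;
      include fastcgi_params;
    }
  }
  location /RequestDenied {
    proxy_pass http://127.0.0.1:4242;
  }
}
'''

LOCATION = re.compile(r'^\s*location\s+(.*?)\s*\{\s*$')
HANDLER = re.compile(r'^\s*(fastcgi_pass|proxy_pass)\b')
# Assumption: the naxsi include file has "naxsi" in its name, as in the thread.
NAXSI = re.compile(r'^\s*(include\s+"?[^";]*naxsi[^";]*"?\s*;|SecRulesEnabled\s*;)')

def unprotected_locations(conf, denied_url="/RequestDenied"):
    """List locations that pass requests to a backend without naxsi
    directives in their own block. Expects one directive or brace per line."""
    stack, findings = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LOCATION.match(line)
        if m:
            stack.append({"name": m.group(1), "handler": False, "naxsi": False})
        elif line.endswith("{"):
            stack.append(None)            # server, http or other non-location block
        elif line == "}":
            blk = stack.pop() if stack else None
            # The DeniedUrl target only receives forwarded exceptions; skip it.
            if blk and blk["handler"] and not blk["naxsi"] and blk["name"] != denied_url:
                findings.append(blk["name"])
        elif stack and stack[-1]:
            stack[-1]["handler"] |= bool(HANDLER.match(line))
            stack[-1]["naxsi"] |= bool(NAXSI.match(line))
    return findings

if __name__ == "__main__":
    for name in unprotected_locations(SAMPLE_CONF):
        print("no naxsi include in: location", name)
```

A flagged location is only a candidate for review: confirm it by sending a test request to that location in LearningMode and checking the error log for a NAXSI_FMT line, as done in the thread.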

GoogleCodeExporter commented 8 years ago
You're welcome !

Feel free to let me know if you encounter any further issues :)

Original comment by ori...@gmail.com on 7 Feb 2012 at 10:12

GoogleCodeExporter commented 8 years ago

Original comment by ori...@gmail.com on 7 Feb 2012 at 10:13