jcudeveloper / naxsi

Automatically exported from code.google.com/p/naxsi
Other
0 stars 0 forks source link

multiple entries for one alert #87

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. make a rule trigger -> tested via /index.php?option=com_joomla
2. every alert has 2 or 4 occurences in the logfile
3.

What is the expected output? What do you see instead?

i expected 1 occurence in the logfile, but instead **each** alert 
is written 2 or 4 times into the logfile

2013/08/22 09:27:47 [error] 32277#0: *736248 NAXSI_FMT: 
ip=xxxx&server=yyyy.corg&uri=/de/index.php&learning=1&vers=0.51&total_processed=
132260&total_blocked=23&zone0=ARGS&id0=42000062&var_name0=option&zone1=ARGS&id1=
42000062&var_name1=option&zone2=ARGS&id2=42000062&var_name2=option&zone3=ARGS&id
3=42000062&var_name3=option, client: 1.2.3.4, server: _, request: "GET 
/de/index.php?option=com_joomla HTTP/1.1", host: "yyyy.corg"

What version of the product are you using? On what operating system?

btw, i have the same nginx-build running on a different machine
w/out problems

debian/64bit, naxsi-0.51 

Please provide your nginx configuration any additional information below.

sudo /usr/sbin/nginx -V

nginx version: nginx/1.4.1
built by gcc 4.4.5 (Debian 4.4.5-8) 
TLS SNI support enabled
configure arguments: --conf-path=/etc/nginx/nginx.conf 
--sbin-path=/usr/sbin/nginx --prefix=/usr/local/nginx 
--error-log-path=/var/log/nginx/error.log 
--http-log-path=/var/log/nginx/access.log --with-file-aio 
--with-http_gzip_static_module --with-http_ssl_module 
--with-http_stub_status_module --without-mail_pop3_module 
--without-mail_smtp_module --without-mail_imap_module 
--without-http_uwsgi_module --without-http_scgi_module 
--add-module=../nginx_modules/naxsi/naxsi_src 
--add-module=../nginx_modules/ngx_devel_kit 
--add-module=../nginx_modules/echo-nginx-module 
--add-module=../nginx_modules/nginx-accesskey-2.0.3 
--add-module=../nginx_modules/ngx_http_log_request_speed 
--add-module=../nginx_modules/set-misc-nginx-module 
--add-module=../nginx_modules/nginx-sticky-module 
--add-module=../nginx_modules/ngx_cache_purge 
--add-module=../nginx_modules/headers-more-nginx-module 
--add-module=../nginx_modules/memc-nginx-module

Original issue reported on code.google.com by lazy.dog...@gmail.com on 22 Aug 2013 at 8:07

GoogleCodeExporter commented 8 years ago
oh, restart didnt helped either.

and the problem doesnt seem to exists with rule_ids < 1000

Original comment by lazy.dog...@gmail.com on 22 Aug 2013 at 8:32

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
i can narrow it down a little bit, but still have 2 alerts when one rule is met:

naxsi-rule:

MainRule "str:com_" "msg:DN WEB_SERVER Generic JOOMLA-Exploit-Attempt 
(option=com_)" "mz:$ARGS_VAR:option" "s:$UWA:8" id:42000062 ;

Request: 
GET /blah/index.php?option=com_joomla

Naxsi-Event in Logfile: 

2013/08/22 12:59:32 [error] 23027#0: *85 NAXSI_FMT: 
ip=46.142.138.57&server=blah.org&uri=/blah/index.php&learning=1&vers=0.51&total_
processed=39&total_blocked=1&zone0=ARGS&id0=42000062&var_name0=option&zone1=ARGS
&id1=42000062&var_name1=option, client: me, server: _, request: "GET 
/blah/index.php?option=com_joomla HTTP/1.1", host: "blag.org"

i can assure that the rules are included only one time and other rulres behave 
normally; the following generates a normal entry:

MainRule "str:/wp-admin" "msg:DN WEB_SERVER possible WP-Scan (wp-admin)" 
"mz:URL" "s:$UWA:8" id:42000262 ;

Original comment by lazy.dog...@gmail.com on 22 Aug 2013 at 11:06