Closed CogumelosMaravilha closed 7 years ago
Can you share some sample logs?
```
sectx.com.error_log:2017/02/22 11:53:02 [error] 6144#6144: *18376 NAXSI_FMT: ip=10.0.100.208&server=www.sectx.com&uri=/bg.php&learning=0&vers=0.55&total_processed=5&total_blocked=1&block=1&zone0=BODY&id0=16&var_name0=, client: 10.0.100.208, server: sectx.com, request: "POST /bg.php?numid=3038800002685218114-201702-ee020b4026&idcallback=3a61e98c09ca08f45306e98eec78342b HTTP/1.1", host: "www.sectx.com"
sectx.com.error_log:2017/02/22 11:54:01 [error] 27763#27763: *809 NAXSI_FMT: ip=10.0.100.208&server=www.sectx.com&uri=/bg.php&learning=0&vers=0.55&total_processed=4&total_blocked=1&block=1&zone0=BODY&id0=16&var_name0=, client: 10.0.100.208, server: sectx.com, request: "POST /bg.php?numid=3020100002935782524-201702-7423235cf9&idcallback=3a61e98c09ca08f45306e98eec78342b HTTP/1.1", host: "www.sectx.com"
sectx.com.error_log:2017/02/22 11:54:08 [error] 27762#27762: *929 NAXSI_FMT: ip=10.0.100.208&server=www.sectx.com&uri=/bg.php&learning=0&vers=0.55&total_processed=5&total_blocked=1&block=1&zone0=BODY&id0=16&var_name0=, client: 10.0.100.208, server: sectx.com, request: "POST /bg.php?numid=3038800002685231055-201702-e20c99c986&idcallback=3a61e98c09ca08f45306e98eec78342b HTTP/1.1", host: "www.sectx.com"
sectx.com.error_log:2017/02/22 11:54:23 [error] 27760#27760: *1199 NAXSI_FMT: ip=10.0.100.208&server=www.sectx.com&uri=/bg.php&learning=0&vers=0.55&total_processed=4&total_blocked=1&block=1&zone0=BODY&id0=16&var_name0=, client: 10.0.100.208, server: sectx.com, request: "POST /bg.php?numid=3005100003104703530-201702-e2be956bb8&idcallback=3a61e98c09ca08f45306e98eec78342b HTTP/1.1", host: "www.sectx.com"
sectx.com.error_log:2017/02/22 11:54:53 [error] 27763#27763: *1707 NAXSI_FMT: ip=10.0.100.208&server=www.sectx.com&uri=/bg.php&learning=0&vers=0.55&total_processed=9&total_blocked=2&block=1&zone0=BODY&id0=16&var_name0=, client: 10.0.100.208, server: sectx.com, request: "POST /bg.php?numid=3030300002852041270-201702-e079630196&idcallback=3a61e98c09ca08f45306e98eec78342b HTTP/1.1", host: "www.sectx.com"
sectx.com.error_log:2017/02/22 11:56:10 [error] 27758#27758: *3110 NAXSI_FMT: ip=10.0.100.208&server=www.sectx.com&uri=/bg.php&learning=0&vers=0.55&total_processed=6&total_blocked=1&block=1&zone0=BODY&id0=16&var_name0=, client: 10.0.100.208, server: sectx.com, request: "POST /bg.php?numid=3020100002935819029-201702-4971beb093&idcallback=3a61e98c09ca08f45306e98eec78342b HTTP/1.1", host: "www.sectx.com"
sectx.com.error_log:2017/02/22 11:56:42 [error] 27752#27752: *3696 NAXSI_FMT: ip=10.0.100.208&server=www.sectx.com&uri=/bg.php&learning=0&vers=0.55&total_processed=7&total_blocked=1&block=1&zone0=BODY&id0=16&var_name0=, client: 10.0.100.208, server: sectx.com, request: "POST /bg.php?numid=3030300002852060544-201702-5cfc0bcc93&idcallback=3a61e98c09ca08f45306e98eec78342b HTTP/1.1", host: "www.sectx.com"
sectx.com.error_log:2017/02/22 11:57:10 [error] 27755#27755: *4214 NAXSI_FMT: ip=10.0.100.208&server=www.sectx.com&uri=/bg.php&learning=0&vers=0.55&total_processed=5&total_blocked=1&block=1&zone0=BODY&id0=16&var_name0=, client: 10.0.100.208, server: sectx.com, request: "POST /bg.php?numid=3030300002852068642-201702-042c6edb89&idcallback=3a61e98c09ca08f45306e98eec78342b HTTP/1.1", host: "www.sectx.com"
sectx.com.error_log:2017/02/22 11:58:15 [error] 27752#27752: *5389 NAXSI_FMT: ip=10.0.100.208&server=www.sectx.com&uri=/bg.php&learning=0&vers=0.55&total_processed=10&total_blocked=2&block=1&zone0=BODY&id0=16&var_name0=, client: 10.0.100.208, server: sectx.com, request: "POST /bg.php?numid=3038800002685283654-201702-7c0a7fb57b&idcallback=3a61e98c09ca08f45306e98eec78342b HTTP/1.1", host: "www.sectx.com"
sectx.com.error_log:2017/02/22 11:59:21 [error] 27760#27760: *6656 NAXSI_FMT: ip=10.0.100.208&server=www.sectx.com&uri=/bg.php&learning=0&vers=0.55&total_processed=22&total_blocked=2&block=1&zone0=BODY&id0=16&var_name0=, client: 10.0.100.208, server: sectx.com, request: "POST /bg.php?numid=3030300002852095806-201702-f80f37d9c0&idcallback=3a61e98c09ca08f45306e98eec78342b HTTP/1.1", host: "www.sectx.com"
sectx.com.error_log:2017/02/22 12:00:58 [error] 27764#27764: *8524 NAXSI_FMT: ip=10.0.100.208&server=www.sectx.com&uri=/bg.php&learning=0&vers=0.55&total_processed=21&total_blocked=1&block=1&zone0=BODY&id0=16&var_name0=, client: 10.0.100.208, server: sectx.com, request: "POST /bg.php?numid=3005100003104789096-201702-300bb93170&idcallback=3a61e98c09ca08f45306e98eec78342b HTTP/1.1", host: "www.sectx.com"
```
They all say request: "POST
They all say BODY&id0=16
And rule ID 16 is an empty POST request: #@MainRule "msg:empty POST" id:16;
https://github.com/nbs-system/naxsi/blob/master/naxsi_config/naxsi_core.rules#L12
So someone is making empty POST requests on those pages and Naxsi is blocking them as intended via that rule.
If you want to allow Empty / Blank POST requests then add this to your config.
BasicRule wl:16;
And if you want to turn off Naxsi then null out SecRulesEnabled;
It is logging stuff because it is still enabled.
Thanks.
Hi,
And what about these GETs, what can I do:
```
defcon.com.error_log:2017/02/23 11:03:12 [error] 30989#30989: *1645870 NAXSI_FMT: ip=10.200.23.54&server=www.defcon.com&uri=/bg.php&learning=0&vers=0.55&total_processed=1485&total_blocked=0&block=0&cscore0=$XSS&score0=8&zone0=ARGS&id0=1310&var_name0=numID&zone1=ARGS&id1=1311&var_name1=numID, client: 10.200.23.54, server: defcon.com, request: "GET /bg.php?numID=%7B[numID]%7D&idcallback=389ed07056337c5299fe188fdc96249c&event=1 HTTP/1.1", host: "www.defcon.com"
defcon.com.error_log:2017/02/23 11:11:08 [error] 30993#30993: *1655467 NAXSI_FMT: ip=10.200.23.54&server=www.defcon.com&uri=/bg.php&learning=0&vers=0.55&total_processed=9344&total_blocked=0&block=0&cscore0=$XSS&score0=8&zone0=ARGS&id0=1310&var_name0=numID&zone1=ARGS&id1=1311&var_name1=numID, client: 10.200.23.54, server: defcon.com, request: "GET /bg.php?numID=%7B[numID]%7D&idcallback=389ed07056337c5299fe188fdc96249c&event=1 HTTP/1.1", host: "www.defcon.com"
defcon.com.error_log:2017/02/23 11:22:52 [error] 30990#30990: *1669044 NAXSI_FMT: ip=10.200.23.54&server=www.defcon.com&uri=/bg.php&learning=0&vers=0.55&total_processed=3101&total_blocked=0&block=0&cscore0=$XSS&score0=8&zone0=ARGS&id0=1310&var_name0=numID&zone1=ARGS&id1=1311&var_name1=numID, client: 10.200.23.54, server: defcon.com, request: "GET /bg.php?numID=%7B[numID]%7D&idcallback=090105cb44ccfad719a35c45872b82cd%EF%BB%BF&event=1 HTTP/1.1", host: "www.defcon.com"
defcon.com.error_log:2017/02/23 11:22:53 [error] 30991#30991: *1669067 NAXSI_FMT: ip=10.200.23.54&server=www.defcon.com&uri=/bg.php&learning=0&vers=0.55&total_processed=3389&total_blocked=0&block=0&cscore0=$XSS&score0=8&zone0=ARGS&id0=1310&var_name0=numID&zone1=ARGS&id1=1311&var_name1=numID, client: 10.200.23.54, server: defcon.com, request: "GET /bg.php?numID=%7B[numID]%7D&idcallback=090105cb44ccfad719a35c45872b82cd%EF%BB%BF&event=1 HTTP/1.1", host: "www.defcon.com"
```
Thanks in advance
What do you want to do? :)
Something like: BasicRule wl:16; to not block these lines.
Just read your log and look at the ID number it says in the log.
Your logs say ARGS&id0=1310
That means it's rule number 1310. What is this rule?
https://github.com/nbs-system/naxsi/blob/master/naxsi_config/naxsi_core.rules#L68
If you don't want that rule to block requests on that location then make your whitelist rule this:
BasicRule wl:1310;
It is straight forward when you understand what your log is telling you. As soon as you understand and learn to read your logs you are golden.
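Both answers above come down to the same reading exercise: pull the `zoneN`/`idN`/`var_nameN` triples and the `block` flag out of the NAXSI_FMT query string, then write a whitelist for the rule that fired. The script below automates that reading; it is an added example, not code from the naxsi project or from anyone in this thread. `SAMPLE_LOG` is constructed to match the shape of the two excerpts quoted here (hostnames changed), and the `mz:` scoping in `suggest_whitelist` is an assumption about what a tuned whitelist should look like, narrower than the location-wide `BasicRule wl:ID;` the thread uses.

```python
"""Parse naxsi NAXSI_FMT log lines into events and whitelist hints.
Added example, not naxsi project code; SAMPLE_LOG is constructed."""
import re
from urllib.parse import parse_qs

SAMPLE_LOG = """\
a.example.error_log:2017/02/22 11:53:02 [error] 6144#6144: *18376 NAXSI_FMT: ip=10.0.100.208&server=www.a.example&uri=/bg.php&learning=0&vers=0.55&total_processed=5&total_blocked=1&block=1&zone0=BODY&id0=16&var_name0=, client: 10.0.100.208, server: a.example, request: "POST /bg.php?numid=1 HTTP/1.1", host: "www.a.example"
b.example.error_log:2017/02/23 11:03:12 [error] 30989#30989: *1645870 NAXSI_FMT: ip=10.200.23.54&server=www.b.example&uri=/bg.php&learning=0&vers=0.55&total_processed=1485&total_blocked=0&block=0&cscore0=$XSS&score0=8&zone0=ARGS&id0=1310&var_name0=numID&zone1=ARGS&id1=1311&var_name1=numID, client: 10.200.23.54, server: b.example, request: "GET /bg.php?numID=x HTTP/1.1", host: "www.b.example"
"""

# The NAXSI_FMT payload is a query string between the marker and nginx's ", client:".
_FMT = re.compile(r"NAXSI_FMT: (?P<q>.*?), client:")


def parse_naxsi_line(line):
    """Return a dict for one naxsi event, or None for a non-naxsi line."""
    m = _FMT.search(line)
    if not m:
        return None
    # keep_blank_values: "var_name0=" on an empty POST must survive as "".
    q = {k: v[0] for k, v in parse_qs(m.group("q"), keep_blank_values=True).items()}
    matches, scores, i = [], {}, 0
    while f"id{i}" in q:  # zoneN/idN/var_nameN triples, one per rule hit
        matches.append((q[f"zone{i}"], int(q[f"id{i}"]), q.get(f"var_name{i}", "")))
        i += 1
    i = 0
    while f"cscore{i}" in q:  # cscoreN/scoreN pairs, e.g. $XSS -> 8
        scores[q[f"cscore{i}"]] = int(q[f"score{i}"])
        i += 1
    return {
        "uri": q.get("uri", ""),
        "learning": q.get("learning") == "1",
        # block=0: logged only (LearningMode or a LOG-only CheckRule), not denied.
        "blocked": q.get("block") == "1",
        "matches": matches,
        "scores": scores,
    }


def suggest_whitelist(event):
    """Whitelists scoped to the variable and URL that fired (assumed format),
    narrower than the location-wide 'BasicRule wl:ID;' used in the thread.
    Assumes you have reviewed the matching request and judged it legitimate."""
    out = []
    for zone, rule_id, var in event["matches"]:
        mz = f"${zone}_VAR:{var}" if var else zone
        out.append(f'BasicRule wl:{rule_id} "mz:$URL:{event["uri"]}|{mz}";')
    return out
```

Run it over a real error_log with `parse_naxsi_line` on each line; events with `blocked` false were only logged, which is worth checking before assuming a whitelist is needed at all.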
Fantastic explanation. Thanks a lot. Problem solved (for now!).
```
LearningMode;
SecRulesEnabled;
SecRulesDisabled;
DeniedUrl "/RequestDenied/index.php";
# Check & Blocking Rules
CheckRule "$SQL >= 8" LOG;
CheckRule "$RFI >= 8" LOG;
CheckRule "$TRAVERSAL >= 4" LOG;
CheckRule "$EVADE >= 4" LOG;
CheckRule "$XSS >= 8" LOG;
```
I've tried an nginx reload and also an nginx restart. The error logs files are full of naxsi lines. Why?