nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

When blocking without logs, how to know what is being blocked? #353

Closed CogumelosMaravilha closed 7 years ago

CogumelosMaravilha commented 7 years ago

Rules are adjusted for each site. After changing from LOG to BLOCK, and with regular code changes on the website, how to know that Naxsi is not blocking legitimate traffic? Blocking and logging simultaneously would be awesome.

buixor commented 7 years ago

Hi @CogumelosMaravilha :)

Actually, you can do both, by using LearningMode + BLOCK & DROP:

Overall, the idea is often to turn off the learning once you feel confident :) If you use kibana+nxapi, you should see spikes if the last update of your website is triggering exceptions!

CogumelosMaravilha commented 7 years ago

Hi,

In my website I need this configuration:

```
SecRulesEnabled;
DeniedUrl "/RequestDenied";

# Check & Blocking Rules
BasicRule wl:16;
BasicRule wl:1310;
BasicRule wl:1311;

CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
```

But the web developers are always making changes to the code. I'm using kibana, but if I get spikes I'm losing sales!

buixor commented 7 years ago

Yes, if you are using positive model but have no communication with developers, it won't be easy to manage :) Best is to have naxsi on your Q&A env, so you can adjust the rules before migrating to production
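
One way to see what naxsi is flagging after a deploy, as an added example that is not part of the thread and is not naxsi or nxapi code: a short Python script that reads `NAXSI_FMT` lines from the nginx error log and counts, per URI, rule id, zone and variable, the requests that reached a CheckRule threshold. It assumes the `NAXSI_FMT` field layout from naxsi's logging documentation (`learning`, `block`, `zoneN`, `idN`, `var_nameN`); the log lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample lines (not from the thread), laid out like NAXSI_FMT
# entries in the nginx error log, plus one unrelated nginx error line.
SAMPLE_LOG = """\
2024/01/10 10:00:01 [error] 100#0: *1 NAXSI_FMT: ip=192.0.2.10&server=shop.example&uri=/checkout&learning=1&vers=1.3&total_processed=10&total_blocked=1&block=1&cscore0=$SQL&score0=8&zone0=BODY&id0=1000&var_name0=comment, client: 192.0.2.10, server: shop.example, request: "POST /checkout HTTP/1.1"
2024/01/10 10:00:02 [error] 100#0: *2 NAXSI_FMT: ip=192.0.2.11&server=shop.example&uri=/checkout&learning=1&vers=1.3&total_processed=11&total_blocked=2&block=1&cscore0=$SQL&score0=8&zone0=BODY&id0=1000&var_name0=comment, client: 192.0.2.11, server: shop.example, request: "POST /checkout HTTP/1.1"
2024/01/10 10:00:03 [error] 100#0: *3 NAXSI_FMT: ip=192.0.2.12&server=shop.example&uri=/search&learning=0&vers=1.3&total_processed=12&total_blocked=3&block=1&cscore0=$XSS&score0=16&zone0=ARGS&id0=1302&var_name0=q&zone1=ARGS&id1=1303&var_name1=q, client: 192.0.2.12, server: shop.example, request: "GET /search HTTP/1.1"
2024/01/10 10:00:04 [error] 100#0: *4 NAXSI_FMT: ip=192.0.2.13&server=shop.example&uri=/search&learning=1&vers=1.3&total_processed=13&total_blocked=3&block=0&cscore0=$SQL&score0=4&zone0=ARGS&id0=1000&var_name0=q, client: 192.0.2.13, server: shop.example, request: "GET /search HTTP/1.1"
2024/01/10 10:00:05 [error] 100#0: *5 open() "/var/www/favicon.ico" failed (2: No such file or directory)
"""

# The NAXSI_FMT payload is a query string that ends where nginx appends ", client: ...".
FMT = re.compile(r"NAXSI_FMT: (.*?)(?:, client: |$)")

def parse_line(line):
    """Return uri, learning/block flags and one (id, zone, var_name) per match, or None."""
    m = FMT.search(line)
    if not m:
        return None
    # keep_blank_values: var_name can be empty (e.g. a match on the URL itself)
    f = {k: v[0] for k, v in parse_qs(m.group(1), keep_blank_values=True).items()}
    hits, i = [], 0
    while f"id{i}" in f:  # matches are numbered id0, id1, ...
        hits.append((f[f"id{i}"], f.get(f"zone{i}", ""), f.get(f"var_name{i}", "")))
        i += 1
    return {"uri": f.get("uri", ""), "learning": f.get("learning") == "1",
            "block": f.get("block") == "1", "hits": hits}

def summarize(log_text):
    """Count block=1 requests per (mode, uri, rule id, zone, var_name)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not ev["block"]:
            continue  # not a naxsi line, or score stayed under the threshold
        mode = "learning" if ev["learning"] else "enforced"
        for rule_id, zone, var in ev["hits"]:
            counts[(mode, ev["uri"], rule_id, zone, var)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Run against the QA environment's error log after each release, a new (uri, id, zone, var_name) key with a rising count is the signal to review a whitelist before the change reaches production.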