nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Can't whitelist rules #413

Closed linxisp closed 6 years ago

linxisp commented 6 years ago

Hello

We have been using nginx with naxsi for some time and we find the need to whitelist a few rules. At the moment we are dealing with the following:

2018/03/11 16:02:37 [error] 21332#0: *33750 NAXSI_FMT: ip=127.0.0.1&server=blabla.com&uri=/wp-content/themes/blabla/dist/images/ads/blabla1_single.html&learning=1&vers=0.56&total_processed=4583&total_blocked=340&block=1&cscore0=$TRAVERSAL&score0=4&cscore1=$UWA&score1=8&zone0=HEADERS&id0=1200&var_name0=cookie&zone1=URL&id1=42000339&var_name1=, client: 127.0.0.1, server: www.blabla.com, request: "GET /wp-content/themes/blabla/dist/images/ads/blabla1_single.html HTTP/1.1", host: "blabla.com", referrer: "https://blabla.com/"

We are using a default config:

include /etc/nginx/naxsi/*.rules;
#Enable naxsi
SecRulesEnabled;
#Enable learning mode
LearningMode;
#Define where blocked requests go
DeniedUrl "/4xx.html";
#CheckRules, determining when naxsi needs to take action
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
#naxsi logs goes there
error_log /var/log/nginx/naxsi.log;

I have created a new file: /etc/nginx/naxsi/basic/bla-whitelist.rules

For testing I added a complete whitelist for rules 1200 and 42000339 by adding the following to the file:

BasicRule wl:1200;
BasicRule wl:42000339;

But this is not working and I keep getting the blocks in the log.

I also didn't understand why we have id0 and id1 (id0=1200&var_name0=cookie&zone1=URL&id1=42000339) in the log.

Thank you, Pedro

buixor commented 6 years ago

Hello,

In your example, /etc/nginx/naxsi/basic/bla-whitelist.rules won't be included by /etc/nginx/naxsi/*.rules. That might be why the whitelist doesn't work.

linxisp commented 6 years ago

Hello Buixor, I thought about that but I'm getting logs for naxsi rules included in the subfolders. How can that be possible if the rules aren't included? Thank you

buixor commented 6 years ago

Please try to put all the configuration in the same file to see, but it really sounds like this. Or else, can you please provide a reproducible use case?

cheers,
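The two points raised in this thread, the meaning of the numbered `zone0/id0/var_name0` and `zone1/id1/var_name1` groups in the NAXSI_FMT line, and the fact that an `include <dir>/*.rules` glob does not pick up files in a subdirectory, can both be checked with a small script. The following is an added example written for this page; it is not code from the naxsi project. It parses the log line quoted in the issue, pairs each `idN` with its `zoneN` and `var_nameN` (each triple is one rule that matched on this request, so two triples mean two rules fired), and proposes one `BasicRule wl:ID "mz:..."` per match scoped to the zone and variable the log reports rather than a bare `wl:ID` that would disable the rule everywhere. The `$HEADERS_VAR:`, `$ARGS_VAR:` and `$BODY_VAR:` matchzone prefixes are naxsi's own syntax; the choice to prefer them over an unscoped whitelist is this example's assumption. The include check uses Python's `glob` as a stand-in for nginx's own include globbing, which likewise does not recurse, and recreates the `naxsi/` and `naxsi/basic/` layout from the issue in a temporary directory with constructed placeholder files.

```python
"""Added example: parse a NAXSI_FMT log line into per-rule matches, derive
narrowly scoped whitelist candidates, and show what an include glob loads."""
import glob
import os
import re
import tempfile

# Log line taken from the issue above (hostnames were already anonymised there);
# the trailing request field is shortened, it is not used by the parser.
SAMPLE_LINE = (
    "2018/03/11 16:02:37 [error] 21332#0: *33750 NAXSI_FMT: ip=127.0.0.1"
    "&server=blabla.com&uri=/wp-content/themes/blabla/dist/images/ads/blabla1_single.html"
    "&learning=1&vers=0.56&total_processed=4583&total_blocked=340&block=1"
    "&cscore0=$TRAVERSAL&score0=4&cscore1=$UWA&score1=8"
    "&zone0=HEADERS&id0=1200&var_name0=cookie&zone1=URL&id1=42000339&var_name1=, "
    'client: 127.0.0.1, server: www.blabla.com, request: "GET /x HTTP/1.1"'
)

_FMT_RE = re.compile(r"NAXSI_FMT: (?P<body>.*?), client:")
# Numbered keys come in two families: cscoreN/scoreN (per-counter totals)
# and zoneN/idN/var_nameN (one group per rule that matched).
_NUMBERED = re.compile(r"^(cscore|score|zone|id|var_name)(\d+)$")


def parse_naxsi_fmt(line):
    """Return {'meta': {...}, 'scores': [(counter, int)], 'matches': [{zone, id, var_name}]}."""
    m = _FMT_RE.search(line)
    if not m:
        raise ValueError("no NAXSI_FMT payload in line")
    meta, scores, matches = {}, {}, {}
    for pair in m.group("body").split("&"):
        key, _, value = pair.partition("=")  # 'var_name1=' keeps an empty value
        n = _NUMBERED.match(key)
        if not n:
            meta[key] = value
            continue
        field, idx = n.group(1), int(n.group(2))
        bucket = scores if field in ("cscore", "score") else matches
        bucket.setdefault(idx, {})[field] = value
    return {
        "meta": meta,
        "scores": [(scores[i]["cscore"], int(scores[i]["score"])) for i in sorted(scores)],
        "matches": [
            {"zone": matches[i]["zone"], "id": int(matches[i]["id"]),
             "var_name": matches[i].get("var_name", "")}
            for i in sorted(matches)
        ],
    }


# Zones whose matches name a specific variable and can be whitelisted per variable.
_VAR_ZONES = {"HEADERS": "$HEADERS_VAR", "ARGS": "$ARGS_VAR", "BODY": "$BODY_VAR"}


def whitelist_candidates(matches):
    """One BasicRule per match, scoped as narrowly as the log allows (assumed preferable
    to a bare 'wl:ID', which would silence the rule in every zone and variable)."""
    rules = []
    for mt in matches:
        if mt["var_name"] and mt["zone"] in _VAR_ZONES:
            mz = f"{_VAR_ZONES[mt['zone']]}:{mt['var_name']}"
        else:
            mz = mt["zone"]  # e.g. URL zone carries no variable name
        rules.append(f'BasicRule wl:{mt["id"]} "mz:{mz}";')
    return rules


def files_matched_by_include(rules_dir, pattern="*.rules"):
    """Paths (relative to rules_dir) that 'include rules_dir/*.rules' would load.
    The glob does not descend into subdirectories, so basic/*.rules is skipped."""
    hits = glob.glob(os.path.join(rules_dir, pattern))
    return sorted(os.path.relpath(p, rules_dir) for p in hits)


def demo_include_layout():
    """Recreate the layout from the issue in a temp dir and return what the include sees."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "basic"))
        for rel in ("naxsi_core.rules", os.path.join("basic", "bla-whitelist.rules")):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("# constructed placeholder rules file\n")
        return files_matched_by_include(root)


if __name__ == "__main__":
    parsed = parse_naxsi_fmt(SAMPLE_LINE)
    print("counters:", parsed["scores"])
    for mt in parsed["matches"]:
        print("matched rule", mt)
    print("\n".join(whitelist_candidates(parsed["matches"])))
    print("files loaded by include *.rules:", demo_include_layout())
```

Running it against the quoted line shows that two rules fired (1200 on the `cookie` header, 42000339 on the URL), which is why both `id0` and `id1` appear, and that only the top-level `naxsi_core.rules` is matched by the `*.rules` include, so a whitelist placed under `basic/` has to be moved up a level or included explicitly before it can have any effect.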