Closed vncloudsco closed 3 years ago
I would just whitelist: BasicRule wl:17 "mz:$HEADERS_VAR:accept";
@wargio I used the rule generator rules with the tools, but the tools are not working. Why?
[root@Nasxi nxapi]# ./nxtool.py -c nxapi.json -s x.com -f --filter 'uri /images/image-512.jpg'
GET http://127.0.0.1:9200/ [status:200 request:0.009s]
# size :1000
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.013s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.012s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.005s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.004s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.004s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.003s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.003s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.012s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.005s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.004s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.007s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.004s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.011s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.004s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.004s]
# template :tpl/APPS/google_analytics-ARGS.tpl
Nb of hits : 0
# template :tpl/ARGS/precise-id.tpl
Nb of hits : 0
# template :tpl/ARGS/site-wide-id.tpl
Nb of hits : 0
# template :tpl/ARGS/url-wide-id-NAME.tpl
Nb of hits : 0
# template :tpl/ARGS/url-wide-id.tpl
Nb of hits : 0
# template :tpl/BODY/precise-id.tpl
Nb of hits : 0
# template :tpl/BODY/site-wide-id.tpl
Nb of hits : 0
# template :tpl/BODY/url-wide-id-BODY-NAME.tpl
Nb of hits : 0
# template :tpl/BODY/url-wide-id.tpl
Nb of hits : 0
# template :tpl/BODY/var_name-wide-id.tpl
Nb of hits : 0
# template :tpl/HEADERS/cookies.tpl
Nb of hits : 0
# template :tpl/URI/global-url-0x_in_pircutres.tpl
Nb of hits : 0
# template :tpl/URI/site-wide-id.tpl
Nb of hits : 0
# template :tpl/URI/url-wide-id.tpl
Nb of hits : 0
Did I do something wrong?
[root@Nasxi nxapi]# curl -XPOST "http://localhost:9200/nxapi/events/_search?pretty" -d '{}'
{
  "took" : 59,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 2,
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "nxapi",
        "_type" : "events",
        "_id" : "AXivWK_NEk5NDrCyUpT7",
        "_score" : 1.0,
        "_source" : {
          "index" : { }
        }
      },
      {
        "_index" : "nxapi",
        "_type" : "events",
        "_id" : "AXivWK_NEk5NDrCyUpT8",
        "_score" : 1.0,
        "_source" : {
          "zone" : "HEADERS",
          "ip" : "x.x.x.x",
          "whitelisted" : "false",
          "uri" : "/images/image-512.jpg",
          "comments" : "import:2021-04-08 02:38:48.256569",
          "server" : "x.com",
          "content" : "",
          "var_name" : "accept",
          "country" : "",
          "date" : "2021-04-07T10:00:37+00",
          "id" : "17"
        }
      }
    ]
  }
}
I solved the problem by making a copy of the HEADER tpl data.
awesome
We are being ridiculously blocked by this rule.
https://github.com/nbs-system/naxsi/blob/0395b102b7e9b5165e89e99bb62e9ddaa0a74910/naxsi_config/naxsi_core.rules#L13
My log block.
I have tried to write whitelist rules for it as follows.
BasicRule wl:17 "mz:$HEADERS_VAR:accept|$URL:/images/image-512.jpg";
I noticed this whitelist rule didn't work. So how can I bypass this absurd blocking?
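
The two whitelist forms quoted in this thread can be derived from the indexed event itself. The following is an added example, not nxtool's or naxsi's own code and not written by anyone in the thread; the function name `whitelist_candidates`, the `url_scoped` flag and the character allow-list are assumptions made for illustration, and the sample hits are a trimmed, constructed copy of the Elasticsearch output above.

```python
import json
import re
from collections import defaultdict

# Constructed sample: the two hits from the Elasticsearch output in this thread, trimmed.
SAMPLE_HITS = json.loads("""[
  {"_source": {"index": {}}},
  {"_source": {"zone": "HEADERS", "whitelisted": "false",
               "uri": "/images/image-512.jpg", "server": "x.com",
               "var_name": "accept", "id": "17"}}
]""")

VAR_ZONES = {"ARGS", "BODY", "HEADERS"}   # zones written as $<ZONE>_VAR:<name> (assumed scope)
SAFE = re.compile(r"[A-Za-z0-9_./-]+")    # assumed allow-list for values copied into config


def whitelist_candidates(hits, url_scoped=False):
    """Return BasicRule whitelist lines for non-whitelisted events that name a variable."""
    groups = defaultdict(set)             # (rule id, zone, var_name) -> set of URIs
    for hit in hits:
        ev = hit.get("_source", {})
        rule_id, zone = str(ev.get("id", "")), ev.get("zone", "")
        var, uri = ev.get("var_name") or "", ev.get("uri") or ""
        if not rule_id.isdecimal() or zone not in VAR_ZONES:
            continue                      # e.g. the empty {"index": {}} document
        if ev.get("whitelisted") == "true":
            continue                      # already covered by an existing whitelist
        # Event fields originate in client requests: never copy them into config unchecked.
        if not (SAFE.fullmatch(var) and SAFE.fullmatch(uri)):
            continue
        groups[(int(rule_id), zone, var.lower())].add(uri)

    rules = []
    for (rule_id, zone, var), uris in sorted(groups.items()):
        mz = f"${zone}_VAR:{var}"
        if url_scoped:                    # one line per URI, narrower exposure
            rules += [f'BasicRule wl:{rule_id} "mz:{mz}|$URL:{u}";' for u in sorted(uris)]
        else:                             # one line for the variable on every URL
            rules.append(f'BasicRule wl:{rule_id} "mz:{mz}";')
    return rules


if __name__ == "__main__":
    print("\n".join(whitelist_candidates(SAMPLE_HITS)))
    print("\n".join(whitelist_candidates(SAMPLE_HITS, url_scoped=True)))
```

The default output is the site-wide form suggested in the thread; `url_scoped=True` produces the form the original post reports as not working, so check either one against the running naxsi build before relying on it.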