nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

blocked when not eligible #555

Closed vncloudsco closed 3 years ago

vncloudsco commented 3 years ago

I use the following default rules

https://github.com/nbs-system/naxsi/blob/0395b102b7e9b5165e89e99bb62e9ddaa0a74910/naxsi_config/naxsi_core.rules#L34

Obviously the score here is 2

My block config score:

   #Enable naxsi
   SecRulesEnabled;
   #Enable learning mode
   # LearningMode;
   #Define where blocked requests go
   DeniedUrl "/50x.html"; 
   #CheckRules, determining when naxsi needs to take action
   CheckRule "$SQL >= 8" BLOCK;
   CheckRule "$RFI >= 8" BLOCK;
   CheckRule "$TRAVERSAL >= 4" BLOCK;
   CheckRule "$EVADE >= 4" BLOCK;
   CheckRule "$XSS >= 8" BLOCK;
   LibInjectionXss;
   CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
   LibInjectionSql;
   CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
   CheckRule "$EVADE >= 4" BLOCK;
   CheckRule "$ATTACK >= 8" BLOCK;
   CheckRule "$UWA >= 8" BLOCK;

But we were blocked by a firewall.

2021/04/13 10:43:31 [error] 8058#8058: *306007 NAXSI_FMT: ip=x.x.x.x&server=x.x.x.x&uri=/Oauth/reveice&vers=1.3&total_processed=90&total_blocked=1&config=block&cscore0=$SQL&score0=10&zone0=ARGS&id0=1009&var_name0=redirect, client: x.x.x.x, server: x.x.x.x, request: "GET /Oauth/reveice?redirect=http%3A%2F%2Fx.x.x.x%2Fteaser%3Ffbclid%3DIwAR0SSW5Y-DLW6JUBx7yMeq8T_jhQUMGMm8mEm6y6NG2RQCXIr_oL8azlbkA%26zarsrc%3D1303%26utm_source%3Dzalo%26utm_medium%3Dzalo%26utm_campaign%3Dzalo&code=xxxxxxxxxxxxxxxxx HTTP/2.0", host: "x.x.x.x"

Why is the score in the log 10?

wargio commented 3 years ago

Because it was hit 5 times in that request: 2 * 5 = 10. The redirect value contains a string with 5 = inside.
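The arithmetic from the answer above, reproduced as an added example (not part of the original thread and not NAXSI's own code): it decodes the logged request, counts the hits of a simplified model of rule 1009, and compares the sum with the `$SQL` CheckRule from the posted config. The rule model, the function names and the `whitelist` parameter (a hypothetical stand-in for a per-variable whitelist) are assumptions, as is matching on the URL-decoded value, which the count of 5 implies.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request target copied from the NAXSI_FMT log line in the issue (host masked there).
REQUEST = ("/Oauth/reveice?redirect=http%3A%2F%2Fx.x.x.x%2Fteaser%3Ffbclid%3D"
           "IwAR0SSW5Y-DLW6JUBx7yMeq8T_jhQUMGMm8mEm6y6NG2RQCXIr_oL8azlbkA"
           "%26zarsrc%3D1303%26utm_source%3Dzalo%26utm_medium%3Dzalo"
           "%26utm_campaign%3Dzalo&code=xxxxxxxxxxxxxxxxx")

# Simplified model of core rule 1009 as the thread describes it:
# the string "=" in ARGS adds 2 to $SQL for every occurrence.
RULES = [{"id": 1009, "needle": "=", "tag": "$SQL", "score": 2}]
# CheckRule directives copied from the configuration posted in the issue.
CHECK_RULES = ['CheckRule "$SQL >= 8" BLOCK;', 'CheckRule "$XSS >= 8" BLOCK;']
CHECK_RE = re.compile(r'CheckRule\s+"(\$\w+)\s*>=\s*(\d+)"\s+(\w+);')


def parse_check_rules(lines):
    """Return {tag: (threshold, action)} parsed from CheckRule directives."""
    out = {}
    for line in lines:
        m = CHECK_RE.search(line)
        if m:
            out[m.group(1)] = (int(m.group(2)), m.group(3))
    return out


def score_request(target, rules, whitelist=frozenset()):
    """Sum scores over decoded query args; skip (rule_id, var_name) in whitelist."""
    totals, matches = {}, []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for rule in rules:
            hits = value.count(rule["needle"])  # every occurrence counts
            if hits and (rule["id"], name) not in whitelist:
                totals[rule["tag"]] = totals.get(rule["tag"], 0) + hits * rule["score"]
                matches.append((rule["id"], name, hits))
    return totals, matches


def verdict(totals, check_rules):
    """Return the tags whose accumulated score reaches a BLOCK threshold."""
    return sorted(tag for tag, (limit, action) in check_rules.items()
                  if action == "BLOCK" and totals.get(tag, 0) >= limit)


if __name__ == "__main__":
    totals, matches = score_request(REQUEST, RULES)
    print(totals, matches, verdict(totals, parse_check_rules(CHECK_RULES)))
```

Four occurrences would already reach the threshold of 8, so any `redirect` value carrying a URL with a few query parameters trips this CheckRule.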