nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Support $request_id in naxsi to correlate logs. #571

Closed cayirburak closed 1 year ago

cayirburak commented 3 years ago

I use naxsi with nginx. I want to add the request ID that is used by nginx to the nginx error logs when a request is blocked by naxsi. Is it possible? Thanks for the help.

wargio commented 3 years ago

I'm sorry, I do not understand this issue. Can you give an example? Are you referring to the IDs that are defined by naxsi?

cayirburak commented 3 years ago

> I'm sorry, I do not understand this issue. Can you give an example? Are you referring to the IDs that are defined by naxsi?

Thanks for your quick reply.

Nginx can generate a unique identifier for every request ($request_id). I want to use this in the error log which is generated by naxsi.

Example nginx access log: 200 [27/Sep/2021:12:12:39 +0300] ..101.24-- ..101.24 GET /?fname=%22+or+%22%22%3D%22&lname= HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 c85f0187b2cf1b15c24b6133b671f431

Example naxsi error log: 2021/09/27 12:12:39 [error] 24029#0: *27151 NAXSI_FMT: ip=..101.24&server=..........&uri=/&learning=0&vers=0.56&total_processed=1&total_blocked=1&block=1&cscore0=$XSS&score0=64&cscore1=$SQL&score1=32&zone0=HEADERS&id0=1315&var_name0=cookie&zone1=ARGS&id1=1001&var_name1=fname, client: ..101.24, server: ......., request: "GET /?fname=%22+or+%22%22%3D%22&lname= HTTP/1.1", host: "****..:9090"

Customized log which I want: 2021/09/27 12:12:39 [error] 24029#0: *27151 NAXSI_FMT: ip=..101.24&server=..........&uri=/&learning=0&vers=0.56&total_processed=1&total_blocked=1&block=1&cscore0=$XSS&score0=64&cscore1=$SQL&score1=32&zone0=HEADERS&id0=1315&var_name0=cookie&zone1=ARGS&id1=1001&var_name1=fname, client: ..101.24, server: ......., request: "GET /?fname=%22+or+%22%22%3D%22&lname= HTTP/1.1", host: "****..:9090" c85f0187b2cf1b15c24b6133b671f431

wargio commented 3 years ago

Oh. I do not think that naxsi supports this. It could definitely be useful. Let me change this request into a feature request.

cayirburak commented 3 years ago

I'm looking forward to this feature. Thank you.

cagatayozata commented 3 years ago

I'm so glad to read this development topic. I also need this development. I tried to do this for a long time, but I couldn't.

This feature is available in ModSecurity; the unique ID generated by nginx can be transferred by editing nginx.conf. I added the example as I thought it might be helpful.

https://github.com/SpiderLabs/ModSecurity-nginx#modsecurity_transaction_id

Thanks @wargio @cayirburak
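
Added example, not part of the thread and not naxsi code: while NAXSI_FMT lines carry no $request_id, the two logs can be joined offline on timestamp plus request line to recover the id. It assumes an access log format like the one shown above (32-hex request id as the last field) and that both logs use the same local time; the sample lines, the 192.0.2.10 address and the ids are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl

# Constructed sample lines modelled on the formats shown in the thread.
ACCESS_LOG = [
    '200 [27/Sep/2021:12:12:39 +0300] 192.0.2.10 GET /?fname=%22+or+%22%22%3D%22&lname= HTTP/1.1 - Mozilla/5.0 0123456789abcdef0123456789abcdef',
    '200 [27/Sep/2021:12:12:41 +0300] 192.0.2.10 GET /index.html HTTP/1.1 - Mozilla/5.0 fedcba9876543210fedcba9876543210',
]
ERROR_LOG = [
    '2021/09/27 12:12:39 [error] 24029#0: *27151 NAXSI_FMT: ip=192.0.2.10&server=example.test&uri=/&learning=0&vers=0.56&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=32&zone0=ARGS&id0=1001&var_name0=fname, client: 192.0.2.10, server: example.test, request: "GET /?fname=%22+or+%22%22%3D%22&lname= HTTP/1.1", host: "example.test:9090"',
]

ACCESS_RE = re.compile(
    r'^\d{3} \[(?P<ts>[^\]]+)\] .*?(?P<req>[A-Z]+ \S+ HTTP/[\d.]+) .* (?P<rid>[0-9a-f]{32})$')
ERROR_RE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] .*?NAXSI_FMT: (?P<fmt>\S+), '
    r'client: .*?request: "(?P<req>[^"]+)"')

def correlate(access_lines, error_lines, tolerance=timedelta(seconds=2)):
    """Return one dict per NAXSI_FMT line with its candidate request ids."""
    access = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m:
            # Drop the UTC offset: the error log is local time without one.
            ts = datetime.strptime(m['ts'].split()[0], '%d/%b/%Y:%H:%M:%S')
            access.append((ts, m['req'], m['rid']))
    results = []
    for line in error_lines:
        m = ERROR_RE.match(line)
        if not m:
            continue  # not a NAXSI_FMT entry
        ts = datetime.strptime(m['ts'], '%Y/%m/%d %H:%M:%S')
        fields = dict(parse_qsl(m['fmt']))
        rule_ids = [v for k, v in fields.items() if re.fullmatch(r'id\d+', k)]
        # Several candidates mean the join is ambiguous; report all of them.
        candidates = [rid for a_ts, req, rid in access
                      if req == m['req'] and abs(a_ts - ts) <= tolerance]
        results.append({'time': ts, 'rule_ids': rule_ids,
                        'request_ids': candidates})
    return results

if __name__ == '__main__':
    for hit in correlate(ACCESS_LOG, ERROR_LOG):
        print(hit['time'], hit['rule_ids'], hit['request_ids'])
```

An entry with more than one candidate id cannot be attributed to a single request by this join, which is the gap a native $request_id field in NAXSI_FMT would close.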