Internal rules docs (#146)

wargio · Jun 15, 2024 · 63d36b1 · 63d36b1
1 parent 3f1b6eb
commit 63d36b1
Show file tree

Hide file tree

Showing 6 changed files with 222 additions and 3 deletions.
diff --git a/docs/new/index.md b/docs/new/index.md
@@ -42,9 +42,10 @@ Contrary to most Web Application Firewalls, Naxsi doesn't rely on a signature ba
 # Configuration Options
 
 * **Directives**: [Explains all the directives that are available when the Naxsi module is enabled.](directives.md)
-* **Rules**: Understand the different types of rules you can create in Naxsi, including signature-based and anomaly-based detection.
-* **Whitelists**: Learn how to use whitelisting features in Naxsi to allow specific traffic through your firewall.
-* **Matchzones**: Describes how matchzones can be used to limit rules or whitelists.
+* **Rules**: [Understand the different types of rules you can create in Naxsi.](rules.md)
+* **Whitelists**: [Learn how to use whitelisting features in Naxsi to allow specific traffic through Naxsi.](whitelist.md)
+* **Matchzones**: [Describes how matchzones can be used to limit rules or whitelists.](matchzones.md)
+* **Logs**: [Describes the format of the logs and how to read them.](logs.md)
 
 # Integrating with Other Tools
 

diff --git a/docs/new/internal_rules.md b/docs/new/internal_rules.md
@@ -0,0 +1,178 @@
+# **Internal Rules**
+
+Naxsi has some internal rules that are hardcoded within the WAF; these rules are defined by **ids** lower than **1000**.
+
+> 📣 Important
+>
+> The internal blocking rules can be whitelisted.
+
+> ⚠️ Warning
+>
+> No rules shall be defined with **ids** lower than 1000.
+
+## Internal Rule 1 - Weird Request
+
+> ❌ **Deprecated**
+>
+> Number: **1**
+> Name: **Weird Request**
+> Action: **BLOCK**
+
+The internal rule `1` refers to any request that contains weird request which failed to be parsed by Naxsi.
+
+## Internal Rule 2 - Big Request
+
+> ℹ️ Info
+>
+> Number: **2**
+> Name: **Big Request**
+> Action: **BLOCK**
+
+The internal rule `2` refers to any request that is too big to be parsed; this only happens when NGINX has to create a temporary file on the filesystem or when the content-size mismatch with the actual body size.
+
+## Internal Rule 10 - Hex Encoded Null-Bytes
+
+> ℹ️ Info
+>
+> Number: **10**
+> Name: **Null-Byte Hex Encoding**
+> Action: **BLOCK**
+
+The internal rule `10` refers to any request that contains one or many hex encoded null-bytes (i.e. `0x00` or `\x00`).
+
+## Internal Rule 11 - Uncommon Content Type
+
+> ℹ️ Info
+>
+> Number: **11**
+> Name: **Uncommon Content Type**
+> Action: **BLOCK**
+
+The internal rule `11` refers to any request that contains uncommon content type; this happens when `Content-Type` header is missing or during a POST request, the `Content-Type` is not one of the followings:
+
+- `"application/x-www-form-urlencoded"`
+- `"multipart/form-data"`
+- `"application/json"`
+- `"application/vnd.api+json"`
+- `"application/csp-report"`
+
+## Internal Rule 12 - Invalid formatted URL
+
+> ℹ️ Info
+>
+> Number: **12**
+> Name: **Invalid formatted URL**
+> Action: **BLOCK**
+
+The internal rule `12` refers to any request that contains a badly formatted URL; this happens when the HTTP request has an invalid URL (this may be caught before-hand by NGINX which may return 400).
+
+## Internal Rule 13 - Malformed POST Format
+
+> ℹ️ Info
+>
+> Number: **13**
+> Name: **Malformed POST Format**
+> Action: **BLOCK**
+
+The internal rule `13` refers to any request that contains a malformed POST, for example missing `content-disposition`, malformed boundary line, missing name, missing `Content-Type`, etc...
+
+## Internal Rule 14 - Malformed POST Boundary
+
+> ℹ️ Info
+>
+> Number: **14**
+> Name: **Malformed POST Boundary**
+> Action: **BLOCK**
+
+The internal rule `14` refers to any request that contains a malformed POST boundary.
+
+## Internal Rule 15 - Malformed JSON
+
+> ℹ️ Info
+>
+> Number: **15**
+> Name: **Malformed JSON**
+> Action: **BLOCK**
+
+The internal rule `15` refers to any request that contains malformed JSON.
+
+## Internal Rule 16 - Empty POST Body
+
+> ℹ️ Info
+>
+> Number: **16**
+> Name: **Empty POST Body**
+> Action: **BLOCK**
+
+The internal rule `16` refers to any request that contains empty POST body.
+
+## Internal Rule 17 - libinjection SQLi
+
+> ℹ️ Info
+>
+> Number: **17**
+> Name: **libinjection SQLi**
+> Score: **$LIBINJECTION_SQL**
+
+> ⚠️ Warning
+>
+> This rule does not block a request, but increases the score `$LIBINJECTION_SQL` by **1**.
+
+The internal rule `17` refers to any request that contains sql injections detected by libinjection.
+
+See also [Directive `LibInjectionSql`](directives.md#libinjectionsql) for more details.
+
+## Internal Rule 18 - libinjection XSS
+
+> ℹ️ Info
+>
+> Number: **18**
+> Name: **libinjection Xss**
+> Score: **$LIBINJECTION_XSS**
+
+> ⚠️ Warning
+>
+> This rule does not block a request, but increases the score `$LIBINJECTION_XSS` by **1**.
+
+The internal rule `18` refers to any request that contains XSS injections detected by libinjection.
+
+See also [Directive `LibInjectionXss`](directives.md#libinjectionxss) for more details.
+
+## Internal Rule 19 - No Rules Loaded
+
+> ℹ️ Info
+>
+> Number: **19**
+> Name: **No Rules**
+> Action: **DROP**
+
+The internal rule `19` is triggered only when the WAF is enabled but no global and no location-specific rules has been loaded at the current location.
+
+## Internal Rule 20 - Malformed UTF-8
+
+> ℹ️ Info
+>
+> Number: **20**
+> Name: **Malformed UTF-8**
+> Action: **DROP**
+
+The internal rule `20` refers to any request that contains malformed UTF-8.
+
+## Internal Rule 21 - Illegal Host in Header
+
+> ℹ️ Info
+>
+> Number: **21**
+> Name: **Illegal Host in Header**
+> Action: **DROP**
+
+The internal rule `21` refers to any request that contains a host header with an illegal ip:
+
+- `0.0.0.0/8`
+- `255.255.255.255/32`
+- `0000:0000:0000:0000:0000:0000:0000:0000/128`
+- `ff00:0000:0000:0000:0000:0000:0000:0000/8`
+
+# Go Back
+
+[Rules](rules.md).
diff --git a/docs/new/logs.md b/docs/new/logs.md
@@ -0,0 +1,3 @@
+# **Naxsi Logs**
+
+This section describes the format of the logs and how to read them.
diff --git a/docs/new/matchzones.md b/docs/new/matchzones.md
@@ -0,0 +1,3 @@
+# **Naxsi Matchzones**
+
+This section describes how matchzones can be used to limit rules or whitelists.
diff --git a/docs/new/rules.md b/docs/new/rules.md
@@ -0,0 +1,31 @@
+# **Naxsi Rules**
+
+A Naxsi rule is a search pattern which is applied to a request to detect malicious behaviour.
+
+A rule is defined by `MainRule` or `BasicRule` directive, an **id**, a **search parameter** (i.e. case-insensitive string or regex), a **matchzone**, a **score** and an **optional description**.
+
+Example of rule:
+
+```bash
+MainRule id:12345 "s:$FOO:8,$BAR:4" "str:malicious" "mz:URL" "msg:string rule description";
+BasicRule id:67890 "s:$TOO:4" "rx:[a-z]{5}" "mz:ARGS" "msg:regex rule description";
+```
+
+## **Internal Rules**
+
+Naxsi has some internal rules that are hardcoded within the WAF; these rules are defined by **ids** lower than **1000**.
+
+> ⚠️ Warning
+>
+> No rules shall be defined with **ids** lower than 1000.
+
+You can read more about them here: [Internal Rules](internal_rules.md).
+
+## **`MainRule` and `BasicRule` directives**
+
+As explained in the directives chapter we can have 2 kinds of rules:
+
+- [A **global** rule defined by the `MainRule` directive](directives.md#mainrule)
+- [A **location-specific** rule defined by the `BasicRule` directive](directives.md#basicrule)
+
+These two directives are mandatory to define rule.
diff --git a/docs/new/whitelist.md b/docs/new/whitelist.md
@@ -0,0 +1,3 @@
+# **Naxsi Whitelist**
+
+This section how to use whitelisting features in Naxsi to allow specific traffic through Naxsi.