diff --git a/docs/new/index.md b/docs/new/index.md index b573242..c664aed 100644 --- a/docs/new/index.md +++ b/docs/new/index.md @@ -42,9 +42,10 @@ Contrary to most Web Application Firewalls, Naxsi doesn't rely on a signature ba # Configuration Options * **Directives**: [Explains all the directives that are available when the Naxsi module is enabled.](directives.md) -* **Rules**: Understand the different types of rules you can create in Naxsi, including signature-based and anomaly-based detection. -* **Whitelists**: Learn how to use whitelisting features in Naxsi to allow specific traffic through your firewall. -* **Matchzones**: Describes how matchzones can be used to limit rules or whitelists. +* **Rules**: [Understand the different types of rules you can create in Naxsi.](rules.md) +* **Whitelists**: [Learn how to use whitelisting features in Naxsi to allow specific traffic through Naxsi.](whitelist.md) +* **Matchzones**: [Describes how matchzones can be used to limit rules or whitelists.](matchzones.md) +* **Logs**: [Describes the format of the logs and how to read them.](logs.md) # Integrating with Other Tools diff --git a/docs/new/internal_rules.md b/docs/new/internal_rules.md new file mode 100644 index 0000000..f19f142 --- /dev/null +++ b/docs/new/internal_rules.md 
@@ -0,0 +1,178 @@ +# **Internal Rules** + +Naxsi has some internal rules that are hardcoded within the WAF; these rules are defined by **ids** lower than **1000**. + +> 📣 Important +> +> The internal blocking rules can be whitelisted. + +> ⚠️ Warning +> +> No rules shall be defined with **ids** lower than 1000. + +## Internal Rule 1 - Weird Request + +> ❌ **Deprecated** +> +> Number: **1** +> Name: **Weird Request** +> Action: **BLOCK** + +The internal rule `1` refers to any request that contains weird request which failed to be parsed by Naxsi. + +## Internal Rule 2 - Big Request + +> ℹ️ Info +> +> Number: **2** +> Name: **Big Request** +> Action: **BLOCK** + +The internal rule `2` refers to any request that is too big to be parsed; this only happens when NGINX has to create a temporary file on the filesystem or when the content-size mismatch with the actual body size. + +## Internal Rule 10 - Hex Encoded Null-Bytes + +> ℹ️ Info +> +> Number: **10** +> Name: **Null-Byte Hex Encoding** +> Action: **BLOCK** + +The internal rule `10` refers to any request that contains one or many hex encoded null-bytes (i.e. `0x00` or `\x00`). + +## Internal Rule 11 - Uncommon Content Type + +> ℹ️ Info +> +> Number: **11** +> Name: **Uncommon Content Type** +> Action: **BLOCK** + +The internal rule `11` refers to any request that contains uncommon content type; this happens when `Content-Type` header is missing or during a POST request, the `Content-Type` is not one of the followings: + +- `"application/x-www-form-urlencoded"` +- `"multipart/form-data"` +- `"application/json"` +- `"application/vnd.api+json"` +- `"application/csp-report"` + +## Internal Rule 12 - Invalid formatted URL + +> ℹ️ Info +> +> Number: **12** +> Name: **Invalid formatted URL** +> Action: **BLOCK** + +The internal rule `12` refers to any request that contains a badly formatted URL; this happens when the HTTP request has an invalid URL (this may be caught before-hand by NGINX which may return 400). 
+ +## Internal Rule 13 - Malformed POST Format + +> ℹ️ Info +> +> Number: **13** +> Name: **Malformed POST Format** +> Action: **BLOCK** + +The internal rule `13` refers to any request that contains a malformed POST, for example missing `content-disposition`, malformed boundary line, missing name, missing `Content-Type`, etc... + +## Internal Rule 14 - Malformed POST Boundary + +> ℹ️ Info +> +> Number: **14** +> Name: **Malformed POST Boundary** +> Action: **BLOCK** + +The internal rule `14` refers to any request that contains a malformed POST boundary. + +## Internal Rule 15 - Malformed JSON + +> ℹ️ Info +> +> Number: **15** +> Name: **Malformed JSON** +> Action: **BLOCK** + +The internal rule `15` refers to any request that contains malformed JSON. + +## Internal Rule 16 - Empty POST Body + +> ℹ️ Info +> +> Number: **16** +> Name: **Empty POST Body** +> Action: **BLOCK** + +The internal rule `16` refers to any request that contains empty POST body. + +## Internal Rule 17 - libinjection SQLi + +> ℹ️ Info +> +> Number: **17** +> Name: **libinjection SQLi** +> Score: **$LIBINJECTION_SQL** + +> ⚠️ Warning +> +> This rule does not block a request, but increases the score `$LIBINJECTION_SQL` by **1**. + +The internal rule `17` refers to any request that contains sql injections detected by libinjection. + +See also [Directive `LibInjectionSql`](directives.md#libinjectionsql) for more details. + +## Internal Rule 18 - libinjection XSS + +> ℹ️ Info +> +> Number: **18** +> Name: **libinjection Xss** +> Score: **$LIBINJECTION_XSS** + +> ⚠️ Warning +> +> This rule does not block a request, but increases the score `$LIBINJECTION_XSS` by **1**. + +The internal rule `18` refers to any request that contains XSS injections detected by libinjection. + +See also [Directive `LibInjectionXss`](directives.md#libinjectionxss) for more details. 
+ +## Internal Rule 19 - No Rules Loaded + +> ℹ️ Info +> +> Number: **19** +> Name: **No Rules** +> Action: **DROP** + +The internal rule `19` is triggered only when the WAF is enabled but no global and no location-specific rules has been loaded at the current location. + +## Internal Rule 20 - Malformed UTF-8 + +> ℹ️ Info +> +> Number: **20** +> Name: **Malformed UTF-8** +> Action: **DROP** + +The internal rule `20` refers to any request that contains malformed UTF-8. + +## Internal Rule 21 - Illegal Host in Header + +> ℹ️ Info +> +> Number: **21** +> Name: **Illegal Host in Header** +> Action: **DROP** + +The internal rule `21` refers to any request that contains a host header with an illegal ip: + +- `0.0.0.0/8` +- `255.255.255.255/32` +- `0000:0000:0000:0000:0000:0000:0000:0000/128` +- `ff00:0000:0000:0000:0000:0000:0000:0000/8` + +# Go Back + +[Rules](rules.md). diff --git a/docs/new/logs.md b/docs/new/logs.md new file mode 100644 index 0000000..1fce2ee --- /dev/null +++ b/docs/new/logs.md @@ -0,0 +1,3 @@ +# **Naxsi Logs** + +This section describes the format of the logs and how to read them. diff --git a/docs/new/matchzones.md b/docs/new/matchzones.md new file mode 100644 index 0000000..a7ceaef --- /dev/null +++ b/docs/new/matchzones.md @@ -0,0 +1,3 @@ +# **Naxsi Matchzones** + +This section describes how matchzones can be used to limit rules or whitelists. diff --git a/docs/new/rules.md b/docs/new/rules.md new file mode 100644 index 0000000..fa08d5c --- /dev/null +++ b/docs/new/rules.md 
@@ -0,0 +1,31 @@ +# **Naxsi Rules** + +A Naxsi rule is a search pattern which is applied to a request to detect malicious behaviour. + +A rule is defined by `MainRule` or `BasicRule` directive, an **id**, a **search parameter** (i.e. case-insensitive string or regex), a **matchzone**, a **score** and an **optional description**. + +Example of rule: + +```bash +MainRule id:12345 "s:$FOO:8,$BAR:4" "str:malicious" "mz:URL" "msg:string rule description"; +BasicRule id:67890 "s:$TOO:4" "rx:[a-z]{5}" "mz:ARGS" "msg:regex rule description"; +``` + +## **Internal Rules** + +Naxsi has some internal rules that are hardcoded within the WAF; these rules are defined by **ids** lower than **1000**. + +> ⚠️ Warning +> +> No rules shall be defined with **ids** lower than 1000. + +You can read more about them here: [Internal Rules](internal_rules.md). + +## **`MainRule` and `BasicRule` directives** + +As explained in the directives chapter we can have 2 kinds of rules: + +- [A **global** rule defined by the `MainRule` directive](directives.md#mainrule) +- [A **location-specific** rule defined by the `BasicRule` directive](directives.md#basicrule) + +These two directives are mandatory to define rule. \ No newline at end of file diff --git a/docs/new/whitelist.md b/docs/new/whitelist.md new file mode 100644 index 0000000..aee1ef3 --- /dev/null +++ b/docs/new/whitelist.md @@ -0,0 +1,3 @@ +# **Naxsi Whitelist** + +This section how to use whitelisting features in Naxsi to allow specific traffic through Naxsi.
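Review bot: The new `Logs`, `Matchzones` and `Whitelists` entries in the `docs/new/index.md` hunk link to pages this patch adds as one-sentence stubs (`logs.md`, `matchzones.md`, `whitelist.md`), so a reader following the index lands on a heading with no content; either fill those pages in this change or flag the entries as work in progress until the sections are written.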
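Review bot: Several sentences in the first `internal_rules.md` hunk (rules 1 to 12) need grammar fixes before this reads as reference documentation: rule 1 "contains weird request which failed to be parsed by Naxsi" should be "refers to any request that Naxsi failed to parse"; rule 2 "when the content-size mismatch with the actual body size" should be "when the declared content size does not match the actual body size"; rule 11 "contains uncommon content type" should be "contains an uncommon content type" and "not one of the followings" should be "not one of the following". In the rule 11 list the media types are wrapped in both backticks and double quotes (`"application/json"`); drop the quotes so the values read as literal header values.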
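Review bot: In the second `internal_rules.md` region (rules 13 to 18) the rule 18 info box names the rule "libinjection Xss" while its heading says "libinjection XSS"; pick one spelling. Smaller wording points: rule 13 "missing `Content-Type`, etc..." should end with "etc." and rule 16 "contains empty POST body" should be "contains an empty POST body". Rules 17 and 18 replace the "Action" field with "Score", which is the right distinction, but the page never says what happens once `$LIBINJECTION_SQL` or `$LIBINJECTION_XSS` is incremented; a short sentence pointing to where these scores are evaluated would close the gap.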
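Review bot: Rules 19 to 21 use "Action: **DROP**" while rules 1 to 16 use "Action: **BLOCK**", and nothing on the page explains how the two differ or whether the "Important" note that "The internal blocking rules can be whitelisted" also covers the DROP rules; add a sentence at the top of `internal_rules.md` defining both actions and stating which can be whitelisted. Rule 19 "no global and no location-specific rules has been loaded" should be "have been loaded". For rule 21, a short label per address range would help operators reading a block log (0.0.0.0/8 is the "this network" range, 255.255.255.255/32 the limited broadcast address, ::/128 the unspecified address, ff00::/8 the IPv6 multicast range); listing the IPv6 entries in compressed form (`::/128`, `ff00::/8`) would also make them easier to compare with what appears in a `Host` header.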
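Review bot: In the `rules.md` hunk, "These two directives are mandatory to define rule." should be "to define a rule", and the file lacks a trailing newline (the diff reports "No newline at end of file"). The rule example is an NGINX configuration fragment but the fence is tagged `bash`; tag it `nginx` so syntax highlighting and any snippet tooling treat it as config rather than shell. The "Internal Rules" section repeats verbatim the intro sentence and the id warning from `internal_rules.md`; keeping only the link there avoids the two copies drifting apart.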
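Review bot: The single sentence in `whitelist.md` is missing its verb: "This section how to use whitelisting features in Naxsi" should read "This section describes how to use whitelisting features in Naxsi", matching the phrasing used in `logs.md` and `matchzones.md`.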