From [email protected] on May 01, 2012 14:40:42

add options to specify nx_intercept and nx_extract tcp port from naxsi-ui.conf, instead of commandline.

ie:
[mysql]
username=naxsi
password=trivialpassword
hostname=127.0.0.1
dbname=naxsi_sig
[nx_intercept]
port=8000
[nx_extract]
port=8001

Original issue: http://code.google.com/p/naxsi/issues/detail?id=29

From [email protected] on April 23, 2012 10:10:06

naxsi-0.45 + nginx-1.0.15

if no deniedurl is provided and naxsi blocks a request, it will crash.

reported by iMil ;)

Original issue: http://code.google.com/p/naxsi/issues/detail?id=28

From [email protected] on December 26, 2011 16:50:29

Integrate a blocked / processed request counter in naxsi.

Original issue: http://code.google.com/p/naxsi/issues/detail?id=15

From [email protected] on January 16, 2012 09:52:21

Propose alternate rule set with low scoring on COOKIES headers, as 90% of false positives are coming from here, and it's - somehow - a lower zone of risk.

Original issue: http://code.google.com/p/naxsi/issues/detail?id=19

From [email protected] on May 30, 2012 23:10:41

Looks like nx_extract on 0.46-1 release cannot parse the following

2012/05/30 21:04:58 [error] 58822#0: *47 NAXSI_FMT: ip=127.0.0.1&server=domain.com&uri=/attachments/do-upload.json&total_processed=6&total_blocked=5&zone0=BODY|NAME&id0=1310&var_name0=content_data[thread_id]&zone1=BODY|NAME&id1=1311&var_name1=content_data[thread_id]&zone2=|NAME&id2=1500&var_name2=upload, client: 127.0.0.1, server: domain.com, request: "POST /attachments/do-upload.json?hash=c2f7f734bcFF3b5af4FFa31cf6cf3ac8&content_type=post HTTP/1.1", host: "domain.com"

Original issue: http://code.google.com/p/naxsi/issues/detail?id=32

From [email protected] on November 13, 2011 05:07:34

unicode encode is not Filter，for example %00, and so on...

Original issue: http://code.google.com/p/naxsi/issues/detail?id=10

From [email protected] on November 08, 2012 21:30:17

What steps will reproduce the problem? 1. confiure naxsi and nginx
2. run test
3. no exceptions in the database! What version of the product are you using? On what operating system? 0.47 Ubuntu 12.04, nginx 1.2.4 Please provide your nginx configuration any additional information below. fix by making sure the insert is commited

Index: SQLWrapper.py

--- SQLWrapper.py ( revision 498 )
+++ SQLWrapper.py (working copy)
@@ -83,8 +83,7 @@
if self.dbtype == 'sqlite':
self.__conn.execute("BEGIN")
def StopInsert(self):

•    if self.dbtype == 'sqlite':
  

•        self.__conn.commit()
  

•    self.__conn.commit()
  

  def getResults(self):
  return self.__cursor.fetchall()

Original issue: http://code.google.com/p/naxsi/issues/detail?id=49

From [email protected] on October 09, 2012 12:12:52

Steps to reproduce the problem:

1. Create website with input name with square brackets

1. Generate alerts using some forbdden string ")(;", this caused logs such as: 2012/10/09 11:12:38 [error] 19927#0: *1 NAXSI_FMT: ip=192.168.0.4&server=example.com&uri=/form&total_processed=2&total_blocked=2&zone0=BODY&id0=1010&var_name0=user%5bparam%5d&zone1=BODY&id1=1308&var_name1=user%5bparam%5d, client: 192.168.0.4, server: example.com, request: "POST /login HTTP/1.1", host: "example.com", referrer: " http://example.com/form " 2. On WEB-interface (nx_extract) "generate whitelist" gives rule whit "human-friendly" parametr name: # total_count:2 (7.39%), peer_count:1 (100.0%) | parenthesis BasicRule wl:1308 "mz:$URL:/form|$BODY_VAR:user[param]"; 3. When adding this rule to rules in nginx rules, this rule doesn't work. There are still the same alerts. 4. Rule start to work after change name of argument in rules, from shown above, to this (as is shown in error logs): BasicRule wl:1308 "mz:$URL:/form|$BODY_VAR:user%5bparam%5d"; What is the expected output? What do you see instead? I'm not sure, I see two possibilities to resolve this issue: -nx_extract (or nx_intercept) should on web-interface display rules as "user%5bparam%5d" -naxsi should interpret the record "user[param]" What version of the product are you using? On what operating system? Ubuntu precise 12.04, nginx 1.1.19 as reverse proxy, naxsi 0.48

Original issue: http://code.google.com/p/naxsi/issues/detail?id=46

From [email protected] on June 27, 2012 16:45:35

It would be nice to have the global Naxsi score when a request is being denied, for example:

2012/06/27 16:39:53 [error] 1573#0: *110052 NAXSI_FMT: ip=118.175.21.38&server=x.y.w.z&uri=/w00tw00t.at.blackhats.romanian.anti-sec:)&total_processed=6339&total_blocked=4&zone0=URL&id0=1011&var_name0=&zone1=URL&id1=1309&var_name1=, client: 118.175.21.38, server: www.myserver.net, request: "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1", host: "x.y.w.z"

Would be: (look for request_score)

2012/06/27 16:39:53 [error] 1573#0: *110052 NAXSI_FMT: ip=118.175.21.38&server=x.y.w.z&uri=/w00tw00t.at.blackhats.romanian.anti-sec:)&total_processed=6339&total_blocked=4&request_score=XX&zone0=URL&id0=1011&var_name0=&zone1=URL&id1=1309&var_name1=, client: 118.175.21.38, server: www.myserver.net, request: "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1", host: "x.y.w.z"

Original issue: http://code.google.com/p/naxsi/issues/detail?id=38

From [email protected] on November 24, 2011 03:38:54

What steps will reproduce the problem? 1.when I reload the nginx , there are some error informations 2. 3. What is the expected output? What do you see instead? 1、nginx: [emerg] unknown directive "MainRule" in /etc/nginx/naxsi_core.rules:13
2、nginx: [emerg] unknown directive " LearningMode " in /etc/nginx/web.rules:1 What version of the product are you using? On what operating system? centos 5.5 Please provide any additional information below.

Original issue: http://code.google.com/p/naxsi/issues/detail?id=13

From [email protected] on October 16, 2012 15:48:04

I will add more details if needed. Manual compilation and upgrade nginx or naxsi don't help. Files permissions loooks good. I thought about reporting the problem to the creator of nginx, but because the problem occurs only with naxsi I think this is better place. What steps will reproduce the problem? 1. Run nginx-naxsi in learning mode on Ubuntu 64bit (nginx as reverse-proxy, using ssl).
2. Send some request which will be noticed by naxsi (not "blocked" because of learning mode),
for example: http://example.com/login/?user=|"`id`"| https://example.com/sipsys/users/%f0%80%80%ae%f0%80%80%ae/%f0%80%80%ae%f0%80%80%ae/%f0%80%80%ae%f0%80%80%ae/%f0%80%80%ae%f0%80%80%ae/%f0%80%80%ae%f0%80%80%ae/%f0%80%80%ae%f0%80%80%ae/%f0%80%80%ae%f0%80%80%ae/%f0%80%80%ae%f0%80%80%ae/%f0%80%80%ae%f0%80%80%ae/%f0%80%80%ae%f0%80%80%ae/%f0%80%80%ae%f0%80%80%ae/%f0%80%80%ae%f0%80%80%ae/etc/passwd 3. Look into logs:
Sometimes it happens once in hundreds of queries, sometimes several times, nginx worker is killed, from /var/log/nginx/error.log:
2012/10/15 15:44:47 [alert] 4994 # 0: worker process 4995 exited on signal 11
2012/10/15 15:50:40 [alert] 4994 # 0: worker process 5123 exited on signal 11

Coredump gives:
#0 0x000000000040881d in ngx_hash_find (hash=, key=, name=0xa3e696c2f3c0a3e <Address 0xa3e696c2f3c0a3e out of bounds>, len=9) at src/core/ngx_hash.c:34

34 src/core/ngx_hash.c: No such file or directory.

Site error logs looks correctly:
2012/10/15 15:44:47 [error] 4995#0: *3 NAXSI_FMT: ip=10.0.0.8&server=example.com&uri=/login/&total_processed=2&total_blocked=2&zone0=ARGS&id0=1001&var_name0=user&zone1=ARGS&id1=1005&var_name1=user&zone2=ARGS&id2=1314&var_name2=user, client: 10.0.0.8, server: example.com, request: "GET /login/?user=|%22id%22| HTTP/1.1", host: "example.com"

It happens only in Learning Mode, only when queries is triggering an alert. Request the above allways is correctly blocked by naxsi, but results in an error only sometimes (but more often than for example "example.com?a=<>"). I got it several times after restarting nginx, query (example.com/login?user=|"id"|) once resulted in a error (in logs nginx: worker process exited on signal # 11, on browser: page does not return the contents), and all further work correctly (in my case, redirect to the home page, because I do not have the "login"). What is the expected output? What do you see instead? Nginx workers should not exit with error code 11 :) What version of the product are you using? On what operating system? -Ubuntu 12.03 "precise" 64bit, kernel 3.2.0-31-virtual (tested on 3 machines with similar but different system configuration)
Tested with the same result on:
nginx 1.1.19 with naxsi 0.44 (ubuntu repository)
nginx 1.1.19 with naxsi 0.48
nginx 1.2.4 with naxsi 0.48 (dotdeb repository)
currently:
nginx version: nginx/1.2.4
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-pcre-jit --with-file-aio --with-http_gzip_static_module --with-http_ssl_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-ipv6 --with-http_stub_status_module --add-module=/usr/src/nginx/source/nginx-1.2.4/debian/modules/nginx-echo --add-module=/usr/src/nginx/source/nginx-1.2.4/debian/modules/nginx-upstream-fair --add-module=/usr/src/nginx/source/nginx-1.2.4/debian/modules/nginx-syslog --add-module=/usr/src/nginx/source/nginx-1.2.4/debian/modules/nginx-cache-purge --add-module=/usr/src/nginx/source/nginx-1.2.4/debian/modules/naxsi/naxsi_src Please provide your nginx configuration any additional information below. ########################################################
/etc/nginx/nginx.conf:
user application;
worker_processes 8;
pid /var/run/nginx.pid;

events {
worker_connections 768;
# multi_accept on;
}

http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

include /etc/nginx/mime.types;
default_type application/octet-stream;

Logging Settings

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

Gzip Settings

gzip on;
gzip_disable "msie6";
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

include /etc/nginx/naxsi_core.rules;
include /etc/nginx/conf.d/.conf;
include /etc/nginx/sites-enabled/;
}

/etc/nginx/sites-enabled/site
server {
listen 10.0.0.4:443 ssl;
server_name example.com;
root /var/www/example.com/;
proxy_pass_header Server;

access_log /var/log/nginx/example_access.log;
error_log /var/log/nginx/example_error.log error;

ssl_protocols SSLv3 TLSv1;
ssl_certificate /etc/nginx/example.com.crt;
ssl_certificate_key /etc/nginx/example.com.key;
ssl_ecdh_curve secp521r1;

sendfile off;
send_timeout 360;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Url-Scheme $scheme;
proxy_redirect off;

location ~* ^/(images|javascripts|stylesheets|assets)/ {
expires max;
add_header Cache-Control public;
add_header Last-Modified "";
add_header ETag "";
break;
}

location / {
include /etc/nginx/naxsi_my.rules;
try_files $uri @upstream;
}

location @upstream {
proxy_pass http://backend;
}

location / RequestDenied {
return 418;
}
}

upstream backend {
server x.x.x.x;
}

/etc/nginx/naxsi_my.rules; LearningMode ;
SecRulesEnabled;

SecRulesDisabled; DeniedUrl "/ RequestDenied ";

include "/etc/nginx/naxsi_my.rules.d/my.rules";

check rules

CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

/etc/nginx/naxsi_my.rules.d/my.rules BasicRule wl:1005,1309 "mz:$HEADERS_VAR:cookie"; BasicRule wl:1009 "mz:$BODY_VAR:param2"; BasicRule wl:0 "mz:$BODY_VAR:user%5bparam%5d";

Attachment: core_dump_backtrace.txt nginx_debug.log.txt

Original issue: http://code.google.com/p/naxsi/issues/detail?id=47

From [email protected] on January 03, 2012 15:49:28

Means that we have to parse SOAP/XML.
But then more people will be able to use Naxsi \o/

Original issue: http://code.google.com/p/naxsi/issues/detail?id=16

From [email protected] on October 21, 2011 14:04:36

Please describe your idea and possible way to introduce it into Naxsi

Original issue: http://code.google.com/p/naxsi/issues/detail?id=7

From [email protected] on June 27, 2012 22:25:42

hi
is there any way we can generate white rules?
i have installed python26 for centos5 - .py files just hangs for 15-20min still nothing...
maybe we can take log and parse it different way???

thank you

Original issue: http://code.google.com/p/naxsi/issues/detail?id=39

From [email protected] on February 04, 2012 08:53:51

I am running nginx with the naxsi-module enabled on FreeBSD, naxsi installed from the ports.

When I follow the how to to set up naxsi I can run http_config.py and access it on port 4242. However when I call my website there is nothing written to the whitelist. It looks like it's not requesting the DeniedUrl -location.

One side note maybe, I am using nginx as a web server so nginx is not running as a reverse proxy.

As an alternative I tried to run rules_transformer.py but it only shows me the standard output. How to run it? Also I can not see any special log entries in error.log after I include the naxsi rules.

Can somebody help?

Original issue: http://code.google.com/p/naxsi/issues/detail?id=20

From [email protected] on May 31, 2012 01:44:38

Building with CentOS 5.8 64bits, gcc 4.1.2, nginx 1.2.0
Error:
cc1: warnings being treated as errors
src/naxsi/naxsi_utils.c: In function \u2018ngx_http_dummy_create_hashtables_n\u2019:
src/naxsi/naxsi_utils.c:635: warning: dereferencing type-punned pointer will break strict-aliasing rules

See attached file for compile details.

Attachment: naxsi.log

Original issue: http://code.google.com/p/naxsi/issues/detail?id=33

From [email protected] on October 21, 2011 14:11:53

To limit disguised php shells for example

Original issue: http://code.google.com/p/naxsi/issues/detail?id=8

From [email protected] on July 09, 2012 12:57:01

error in freebsd 8.2 64 when make.

/tmp/naxsi-0.47/naxsi_src/naxsi_runtime.c: In function 'ngx_http_process_basic_rule_buffer':
/tmp/naxsi-0.47/naxsi_src/naxsi_runtime.c:165: error: 'ngx_regex_t' has no member named 'pcre'
*** Error code 1
1 error
*** Error code 2
1 error

Tried 0.46 and 0.47.

Original issue: http://code.google.com/p/naxsi/issues/detail?id=40

From [email protected] on September 14, 2012 03:29:41

I've tried to compile naxsi-0.47 on ubuntu 11.04 server and i got the following error:

naxsi_runtime.c: In function ângx_http_process_basic_rule_bufferâ:
naxsi_runtime.c:165:44: error: ângx_regex_tâ has no member named âpcreâ
make[1]: *** [objs/addon/naxsi_src/naxsi_runtime.o] Error 1
make[1]: Leaving directory `/nginx/nginx-1.2.3'
make: *** [build] Error 2

Compiled nginx 1.2.3 without naxsi and it went ok.
how do i fix that?

Original issue: http://code.google.com/p/naxsi/issues/detail?id=45

From [email protected] on July 24, 2012 03:23:21

Steps to reproduce the problem:

1. Clean your exceptions list
2. Enable learning mode
3. Launch rules generator using command like the following one:
   python2.7 naxsi-0.46-1/contrib/rules_generator/http_config.py
4. Go to a protected domain by the following url:
   http://{$your_domain}:{$nginx_port}/<script>alert(0)</script>
5. In your browser on the server go to http://localhost:4242/

Injected script is executed in your browser 4 times, 1 time for each of special characters '<', '>', '(', ')'.

Version 0.46-1 on CentOS-5.7 (x86)

Original issue: http://code.google.com/p/naxsi/issues/detail?id=43

From [email protected] on October 21, 2011 13:57:34

Some files and directory names seems to last from "old" code.

Original issue: http://code.google.com/p/naxsi/issues/detail?id=6

From [email protected] on March 02, 2012 16:58:55

block .htaccess

Original issue: http://code.google.com/p/naxsi/issues/detail?id=24

From [email protected] on July 10, 2012 20:57:45

What steps will reproduce the problem? 1. entering naxsi's web interface at :8081
2. clicking to graph What is the expected output? What do you see instead? It is too long so I put it there: http://pastebin.com/vRMcqu7d What version of the product are you using? On what operating system? latest(subversioned), debian 6.0.5

My nginx conf is same as the WIKI's

Thank you very much in advance!

Original issue: http://code.google.com/p/naxsi/issues/detail?id=41

From [email protected] on November 10, 2012 01:34:03

Will be a nice idea to have a set of rules to avoid automated queries, spammers like with modescurity (Missing/empty host header, missing/empty accept header, missing/empty user-agent header).

Cheers

Original issue: http://code.google.com/p/naxsi/issues/detail?id=50

From [email protected] on October 21, 2011 14:17:27

Self explanatory?

Original issue: http://code.google.com/p/naxsi/issues/detail?id=9

From [email protected] on January 06, 2012 10:41:00

Therefore allowing users to put Naxsi logs in another log file than vhost/global Nginx error log file.

Original issue: http://code.google.com/p/naxsi/issues/detail?id=17

From [email protected] on June 02, 2012 08:01:52

Line 142:
str(capture_id), datetime.now() if date is None else date, str(match_id)))

Original issue: http://code.google.com/p/naxsi/issues/detail?id=34

From [email protected] on June 13, 2012 10:14:58

What steps will reproduce the problem? 1. nginx-1.3.1
2. ./configure --prefix=/opt/nginx --with-http_gzip_static_module --with-http_ssl_module --with-debug --add-module=../naxsi-0.46-1/naxsi_src/
3. make

../naxsi-0.46-1/naxsi_src//naxsi_runtime.c: In function ‘ngx_http_process_basic_rule_buffer’:
../naxsi-0.46-1/naxsi_src//naxsi_runtime.c:121: error: ‘ngx_regex_t’ has no member named ‘pcre’
make[1]: *** [objs/addon/naxsi_src/naxsi_runtime.o] Error 1

Original issue: http://code.google.com/p/naxsi/issues/detail?id=35

From [email protected] on February 07, 2012 10:53:30

Counters feature has been implemented in 0.43 but yet no documentation (except within the code itself) has been done.

Original issue: http://code.google.com/p/naxsi/issues/detail?id=21

From [email protected] on September 15, 2011 14:08:13

What steps will reproduce the problem? 1. 2. 3. What is the expected output? What do you see instead? Please use labels and text to provide additional information.

Original issue: http://code.google.com/p/naxsi/issues/detail?id=3

From [email protected] on July 26, 2012 15:46:22

What steps will reproduce the problem? 1. Enter this rule in your whitelist file for a website: BasicRule wl:1311 "mz:$URL:/plugin_event/profile/update_user|$BODY_VAR|NAME";

1. make sure the whitelist file is included in your website config:
   server{
   location / {

   naxsi:

   include /etc/nginx/od-webshop.rules;
   ...
   }
   ...
   }
2. restart nginx

What is the expected output?
Restarting nginx: nginx.

What do you see instead?
Restarting nginx: nginx: [emerg] Naxsi-Config : Incorrect line BasicRule wl:1311 (../naxsi-0.47/naxsi_src/naxsi_skeleton.c/328)... in /etc/nginx/od-webshop.rules:18 What version of the product are you using? On what operating system? 0.47 compiled with nginx 1.2.1

this should be sufficient to reproduce this error...

Original issue: http://code.google.com/p/naxsi/issues/detail?id=44

From [email protected] on December 24, 2011 17:42:55

What steps will reproduce the problem? 1. install naxsi-0.41
2. upgrade Python to 3.2.1
3. python3 /tmp/naxsi-0.41/contrib/rules_generator/http_config.py --rules /usr/local/nginx/conf/naxsi_core.rules -v 3 What is the expected output? What do you see instead? [root@NGINX01 Python-3.2.1]# python3 -V
Python 3.2
[root@NGINX01 Python-3.2.1]# python3 /tmp/naxsi-0.41/contrib/rules_generator/http_config.py --rules /usr/local/nginx/conf/naxsi_core.rules -v 3
File "/tmp/naxsi-0.41/contrib/rules_generator/http_config.py", line 22
print "Exception catched."
^
SyntaxError: invalid syntax What version of the product are you using? On what operating system? naxsi-0.41
Linux NGINX01 2.6.32-220.2.1.el6.x86_64 #1 SMP Fri Dec 23 02:21:33 CST 2011 x86_64 x86_64 x86_64 GNU/Linux
nginx version: nginx/1.0.11 Please provide any additional information below. I upgraded my python from 2 to 3, then I encountered above issue, can you help?

Original issue: http://code.google.com/p/naxsi/issues/detail?id=14

From [email protected] on June 26, 2012 22:39:15

Typo on Statistics in the NAXSI-ui webpages.

Line 58 contrib/naxsi-ui/index.tpl

Original issue: http://code.google.com/p/naxsi/issues/detail?id=37

From [email protected] on November 17, 2011 10:08:08

You cannot have two named whitelist on the same URL, ie:

$URL:/bla|$ARGS_VAR:toto
$URL:/bla|$ARGS_VAR:tutu

will create hash collision.

This will be fixed in 0.42 :)

Original issue: http://code.google.com/p/naxsi/issues/detail?id=11

From [email protected] on May 08, 2012 07:17:17

The following error appear when applying this generated rules from learning mode

2012/05/08 04:46:37 [emerg] 1088#0: Naxsi-Config : Incorrect line BasicRule wl:1000 (/var/ports/local/custom-ports/nginx/work/naxsi-0.45/naxsi_src/naxsi_skeleton.c/328)... in /usr/local/etc/nginx/naxsi/domain.com.rules:21
2012/05/08 04:49:49 [emerg] 1268#0: Naxsi-Config : Incorrect line BasicRule wl:1000 (/var/ports/local/custom-ports/nginx/work/naxsi-0.45/naxsi_src/naxsi_skeleton.c/328)... in /usr/local/etc/nginx/naxsi/domain.com.rules:21
2012/05/08 04:50:06 [emerg] 1340#0: Naxsi-Config : Incorrect line BasicRule wl:1000 (/var/ports/local/custom-ports/nginx/work/naxsi-0.45/naxsi_src/naxsi_skeleton.c/328)... in /usr/local/etc/nginx/naxsi/domain.com.rules:21
2012/05/08 04:50:58 [emerg] 1351#0: Naxsi-Config : Incorrect line BasicRule wl:1000 (/var/ports/local/custom-ports/nginx/work/naxsi-0.45/naxsi_src/naxsi_skeleton.c/328)... in /usr/local/etc/nginx/naxsi/domain.com.rules:21
2012/05/08 04:51:14 [emerg] 1415#0: Naxsi-Config : Incorrect line BasicRule wl:1000 (/var/ports/local/custom-ports/nginx/work/naxsi-0.45/naxsi_src/naxsi_skeleton.c/328)... in /usr/local/etc/nginx/naxsi/domain.com.rules:22
2012/05/08 05:11:27 [emerg] 2988#0: Naxsi-Config : Incorrect line BasicRule wl:1000 (/var/ports/local/custom-ports/nginx/work/naxsi-0.45/naxsi_src/naxsi_skeleton.c/328)... in /usr/local/etc/nginx/naxsi/domain.com.rules:21

Rules : BasicRule wl:1315 "mz:$HEADERS_VAR:cookie" ; #domain.com BasicRule wl:1015 "mz:$ARGS_VAR:css" ; #domain.com BasicRule wl:1008 "mz:$BODY_VAR:selected_usr[]" ; #domain.com BasicRule wl:1016 "mz:$BODY_VAR:selected_usr[]" ; #domain.com BasicRule wl:1000 "mz:$BODY|NAME_VAR:delete" ; #domain.com BasicRule wl:1000 "mz:$BODY|NAME_VAR:selected_usr[]" ; #domain.com BasicRule wl:1100 "mz:$BODY_VAR:_xfrelativeresolver" ; #domain.com BasicRule wl:1015 "mz:$BODY_VAR:_xftoken" ; #domain.com BasicRule wl:1302 "mz:$BODY_VAR:message_html" ; #domain.com BasicRule wl:1303 "mz:$BODY_VAR:message_html" ; #domain.com BasicRule wl:1000 "mz:$BODY_VAR:a" ; #domain.com BasicRule wl:1100 "mz:$BODY_VAR:redirect" ; #domain.com BasicRule wl:1000 "mz:$BODY_VAR:save" ; #domain.com BasicRule wl:1000 "mz:$BODY|NAME_VAR:hard_delete" ; #domain.com BasicRule wl:1000 "mz:$URL:/inline-mod/post/delete|URL" ; #domain.com BasicRule wl:1000 "mz:$BODY|NAME_VAR:create_tmp_table_priv" ; #domain.com BasicRule wl:1000 "mz:$BODY|NAME_VAR:delete_priv" ; #domain.com BasicRule wl:1000 "mz:$BODY|NAME_VAR:insert_priv" ; #domain.com BasicRule wl:1000 "mz:$BODY|NAME_VAR:lock_tables_priv" ; #domain.com BasicRule wl:1000 "mz:$BODY|NAME_VAR:max_updates" ; #domain.com BasicRule wl:1000 "mz:$BODY|NAME_VAR:select_priv" ; #domain.com BasicRule wl:1000 "mz:$BODY|NAME_VAR:update_priv" ; #domain.com BasicRule wl:1000 "mz:$ARGS|NAME_VAR:recent_table" ; #domain.com BasicRule wl:1000 "mz:$ARGS|NAME_VAR:table" ; #domain.com BasicRule wl:1001 "mz:$BODY_VAR:requireddata" ; #domain.com BasicRule wl:1015 "mz:$BODY_VAR:requireddata" ; #domain.com BasicRule wl:1310 "mz:$BODY_VAR:requireddata" ; #domain.com BasicRule wl:1311 "mz:$BODY_VAR:requireddata" ; #domain.com BasicRule wl:1000 "mz:$URL:/inline-mod/thread/delete|URL" ; #domain.com BasicRule wl:1015 "mz:$ARGS_VAR:_xftoken" ; #domain.com BasicRule wl:1000 "mz:$URL:/conversations/insert|URL" ; #domain.com BasicRule wl:1015 "mz:$BODY_VAR:recipients" ; #domain.com BasicRule wl:1000 "mz:$URL:/profile-posts/1/delete|URL" ; #domain.com BasicRule wl:1013 "mz:$BODY_VAR:options[boardinactivemessage]" ; #domain.com BasicRule wl:1015 "mz:$BODY_VAR:options[boardinactivemessage]" ; #domain.com BasicRule wl:1000 "mz:$URL:/reports/1/update|URL" ; #domain.com What version of the product are you using? On what operating system? 0.45 From freebsd ports
FreeBSD 9.0-STABLE

Original issue: http://code.google.com/p/naxsi/issues/detail?id=30

From [email protected] on August 31, 2011 13:40:30

I think it would be better if naxsi only learn the traffic from "trusted" IPs.

Original issue: http://code.google.com/p/naxsi/issues/detail?id=2

From [email protected] on October 29, 2012 15:29:46

What steps will reproduce the problem? 1. configuring naxsi
2. adding rules
3. use of nx-extract an nx_intercept What is the expected output? What do you see instead? naxsi-ui-extract Traceback (most recent call last):
File "nx_extract.py", line 368, in
reactor.listenTCP(port, InterceptFactory())
File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 476, in listenTCP
p.startListening()
File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 969, in startListening
raise CannotListenError, (self.interface, self.port, le)
twisted.internet.error.CannotListenError: Couldn't listen on any:8081: [Errno 98] Address already in use. What version of the product are you using? On what operating system? version 1.2.2 on Ubuntu desktop 12.10 Please provide your nginx configuration any additional information below.

Attachment: nginx.conf naxsi-ui.conf naxsi.rules naxsi_core.rules

Original issue: http://code.google.com/p/naxsi/issues/detail?id=48

From [email protected] on March 26, 2012 13:55:15

When rule is not match in HEADERS zone is not redirected to deny_url
The following rule is matched by naxsi and have entry in log file but in learning mode is not redirected to http_config.py

2012/03/26 14:46:01 [error] 23330#0: _1 NAXSI_FMT: ip=xx.xx.xx.xx&server=www.xxx.xx&uri=/user/register&total_processed=1&total_blocked=1&zone0=ARGS&id0=1000&var_name0=artists.php?artist&zone1=ARGS&id1=1010&var_name1=artists.php?artist&zone2=ARGS&id2=1011&var_name2=artists.php?artist&zone3=ARGS&id3=1015&var_name3=artists.php?artist&zone4=ARGS&id4=1016&var_name4=artists.php?artist&zone5=ARGS&id5=1020&var_name5=artists.php?artist&zone6=ARGS&id6=1200&var_name6=artists.php?artist&zone7=ARGS&id7=1308&var_name7=artists.php?artist&zone8=ARGS&id8=1309&var_name8=artists.php?artist, client: xx.xx.xx.xx, server: ~._xxx.xx, request: "GET /user/register?artists.php?artist=%40%40new%20union%23sqlmapsqlmap...%0Aselect%201,2,database%23sqlmap%0A%28%29 HTTP/1.1", host: "xxxx.xxx.xx"

But when rule matched a headers zone they are redirected to http_config.py
2012/03/26 14:17:46 [error] 23171#0: _1 NAXSI_FMT: ip=xx.xx.xx.xx&server=www.xxx.xx&uri=/images/sprite.gif&total_processed=35&total_blocked=35&zone0=HEADERS&id0=1010&var_name0=cookie&zone1=HEADERS&id1=1011&var_name1=cookie, client: xx.xx.xx.xx, server: ~._one.bg, request: "GET /images/sprite.gif HTTP/1.1", host: "www.xxx.xxx", referrer: " http://www.xxx.xx/css/new.css " What version of the product are you using? On what operating system? nginx-1.0.14
naxsi-0.44
CentOS 6 x86_64 Please provide any additional information below.

Original issue: http://code.google.com/p/naxsi/issues/detail?id=27

From [email protected] on March 14, 2012 10:29:45

NX_EXTRACT :

• Having front page (/) displaying something like :
  [opt_page_hit] : Minimum number of pages triggering the same event before proposing optimisation without $URL
  [opt_rules_hit] : Minimum number of rules hitting the same event on the same page before proposing optimisation with wl:0

- Number of 'unique' exception - Number of 'unique' ip source - other funky stats

NX_INTERCEPT :

• Allowing, via database, to set srcip / exception md5 for which HTTP requests will be logged. This must be configurable from command line nx_intercept, without provoking service interruption.

Original issue: http://code.google.com/p/naxsi/issues/detail?id=26

From [email protected] on March 08, 2012 20:23:17

Following the bug in ngx_unescape_uri, we must add unit test containing '?' in uncommon places.

Original issue: http://code.google.com/p/naxsi/issues/detail?id=25

From [email protected] on February 20, 2012 20:23:18

Issuing a whitelist on ID 1 (internal rule set by naxsi on "WEIRD" requests), cannot be whitelisted.

fix expected asap - before 0.44

Original issue: http://code.google.com/p/naxsi/issues/detail?id=22

From [email protected] on May 11, 2012 13:14:17

nx_extract listens on all interfaces, so anybody can access it.
Add an option to limit to localhost only, or implement Basic Auth.

Original issue: http://code.google.com/p/naxsi/issues/detail?id=31

From [email protected] on June 19, 2012 21:01:08

What steps will reproduce the problem? 1.starting nx_intercept.py -c naxsi-ui-learning.conf
2.starting nx_extract.py naxsi-ui-learning.conf
3. checking web ui What is the expected output? What do you see instead? I see no datas/hits in my web interface What version of the product are you using? On what operating system? ubuntu 12.04- naxsi: 0.46-1

Please provide any additional informatin below.
nx_intercept seems running, but when I add -a ip:myip its just runs for a second then stops.

Also, learnign daemon nx_intercept starts when not entering ip, but doesn't populate my /tmp/naxsi_rules.tmp

Thank you for helping!

Original issue: http://code.google.com/p/naxsi/issues/detail?id=36

From [email protected] on August 07, 2011 15:23:26

Please find a logo based on the NGINX one in attachment.

Regarsd,
Clément

Attachment: naxsi-small-v2.png

Original issue: http://code.google.com/p/naxsi/issues/detail?id=1

From [email protected] on October 04, 2011 11:21:49

It would be a Php/Python/? script allowing false positive reporting from end-users, although the URL will still be denied.

In order to avoid spam/flooding it should include a CAPTCHA mechanism.

Original issue: http://code.google.com/p/naxsi/issues/detail?id=4

From [email protected] on July 16, 2012 14:56:33

It should be possible to bind the deamons to a specified (default: local) interface. http://twistedmatrix.com/documents/current/api/twisted.internet.interfaces.IReactorTCP.html Cheers,

David

Original issue: http://code.google.com/p/naxsi/issues/detail?id=42

From [email protected] on November 18, 2011 10:17:00

Create a quickstart page, specifying how to compile naxsi, as well as some hints on the configuration

Original issue: http://code.google.com/p/naxsi/issues/detail?id=12

From [email protected] on October 06, 2011 05:39:08

I have followed the instructions at Wiki-Howto yet cannot get the naxsi to block whatever identified by http_config.py server as malicious request.

I have built a small server which accepts anything, for instance,

curl weakserver.mydomain.com -d
"a=1&b=<script src=' http://virushub.com/cookie-eater.js'></script> "

Outputs:

a

1

b

<script src=' http://virushub.com/cookie-eater.js'></script> I have set nginx to reverse proxy that server, yet, malicious requests are coming through without any problem.

When I issue that curl request, on the http_config.py console I get

python http_config.py -v 3

done.
Starting server, use to stop
Exception catched.
ExUrl: server=&uri=/&ip=95.35.93.106&zone0=BODY&id0=1009&var_name0=b&zone1=BODY&id1=1013&var_name1=b&zone2=BODY&id2=1100&var_name2=b&zone3=BODY&id3=1302&var_name3=b&zone4=BODY&id4=1303&var_name4=b&zone5=BODY&id5=1306&var_name5=b
already present in tmp_rules ...
...
...
already present in tmp_rules ...

and on the curl window i get:

a

1

b

<script src=' http://virushub.com/cookie-eater.js'></script> Lynx http://localhost:4242 shows

You currently have 0.0 rules generated by naxsi.You have a total of
28.0 exceptions hit.Authorizing :

I wonder what is missing from my setup to make naxsi block those, rather than just print it out to the screen or save it in a database

---

/etc/nginx/sec-rules/nbs.rules
********************************************** LearningMode ;
SecRulesEnabled;

SecRulesDisabled; DeniedUrl "/ RequestDenied ";

include "/tmp/naxsi_rules.tmp";

check rules

CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
-------------8<---------------8<--------------

Original issue: http://code.google.com/p/naxsi/issues/detail?id=5

From [email protected] on February 24, 2012 18:32:33

when there is a per location naxsi config enabled but that the core_rules are not included at http level, naxsi will block requests.

Original issue: http://code.google.com/p/naxsi/issues/detail?id=23

From [email protected] on January 06, 2012 10:42:54

Would allow pattern matching for:

• unwanted code/SQL errors
• Credit card numbers

Original issue: http://code.google.com/p/naxsi/issues/detail?id=18