External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-17 17:55:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
patterns/waf_patterns/nginx/attack.conf

133 lines
3.3 KiB
Plaintext
Raw Normal View History

Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:30:30 UTC 2024]
2024-12-21 00:30:30 +00:00
# Nginx WAF rules for ATTACK
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:bhttp/d|<(?:html|meta)b)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [nr]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [nr]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [nr]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^[^sx0b,;]+[sx0b,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx unix:[^|]*|") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [nr]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^[^sx0b,;]+[sx0b,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx .") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (][^]]+$|][^]]+[)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [") {
set $attack_detected 1;
}
if ($request_uri ~* "!@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within %{tx.allowed_request_content_type_charset}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^content-types*:s*(.*)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:(?:*|[^!") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx content-transfer-encoding:(.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [^x21-x7E][x21-x39x3B-x7E]*:") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}
Reference in New Issue Copy Permalink