Update: [Thu Jan 9 00:26:35 UTC 2025]

2025-12-29 16:15:12 +00:00 · 2025-01-09 00:26:35 +00:00
parent ed5a5bc855
commit 0c41e95847
40 changed files with 3268 additions and 3268 deletions
--- a/waf_patterns/nginx/attack.conf
+++ b/waf_patterns/nginx/attack.conf
@@ -2,11 +2,11 @@
 location / {
    set $attack_detected 0;

-    if ($request_uri ~* "[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:") {
+    if ($request_uri ~* "TX:paramcounter_(.*)") {
        set $attack_detected 1;
    }

-    if ($request_uri ~* "TX:paramcounter_(.*)") {
+    if ($request_uri ~* ".") {
        set $attack_detected 1;
    }

@@ -14,10 +14,34 @@ location / {
        set $attack_detected 1;
    }

+    if ($request_uri ~* "(?:bhttp/d|<(?:html|meta)b)") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "@gt 0") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "content-transfer-encoding:(.*)") {
+        set $attack_detected 1;
+    }
+
    if ($request_uri ~* "[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w") {
        set $attack_detected 1;
    }

+    if ($request_uri ~* "^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)") {
+        set $attack_detected 1;
+    }
+
    if ($request_uri ~* "^content-types*:s*(.*)$") {
        set $attack_detected 1;
    }
@@ -26,7 +50,7 @@ location / {
        set $attack_detected 1;
    }

-    if ($request_uri ~* "^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)") {
+    if ($request_uri ~* "unix:[^|]*|") {
        set $attack_detected 1;
    }

@@ -34,30 +58,6 @@ location / {
        set $attack_detected 1;
    }

-    if ($request_uri ~* "unix:[^|]*|") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "(?:bhttp/d|<(?:html|meta)b)") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* ".") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "@gt 0") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "content-transfer-encoding:(.*)") {
-        set $attack_detected 1;
-    }
-
    if ($attack_detected = 1) {
        return 403;
    }