mirror of
https://github.com/fabriziosalmi/patterns.git
synced 2025-12-29 16:15:12 +00:00
nginx generation improved
This commit is contained in:
fabriziosalmi
@@ -1,228 +1,73 @@
|
||||
# Nginx WAF rules for ENFORCEMENT
|
||||
location / {
|
||||
set $attack_detected 0;
|
||||
# Automatically generated from OWASP rules.
|
||||
# Include this file in your server or location block.
|
||||
|
||||
if ($request_uri ~* "(d+)-(d+)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "^[^;s]+") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@contains #") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@eq 1") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@validateUtf8Encoding") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@streq POST") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "^$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@gt %{tx.max_file_size}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "%[0-9a-fA-F]{2}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* ".[^.~]+~(?:/.*|)$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "x25") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@rx ^0?$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "^(?:GET|HEAD)$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@validateByteRange 32-36,38-126") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "%u[fF]{2}[0-9a-fA-F]{2}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@rx ^OPTIONS$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@within %{tx.restricted_headers_basic}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "(?i)x5cu[0-9a-f]{4}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@gt %{tx.combined_file_sizes}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@endsWith .pdf") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@eq 0") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@rx ^0$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@pm AppleWebKit Android Business Enterprise Entreprise") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@ge 1") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@endsWith .pdf") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@gt 0") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@pm AppleWebKit Android") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@validateByteRange 1-255") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@within %{tx.restricted_extensions}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@rx ^(?:OPTIONS|CONNECT)$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "charsets*=s*[\"']?([^;\"'s]+)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@streq JSON") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "charset.*?charset") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@gt 50") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@gt %{tx.total_arg_length}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@rx ^d+$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@gt 1") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@gt %{tx.arg_length}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "b(?:keep-alive|close),s?(?:keep-alive|close)b") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "['\";=]") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* ".([^.]+)$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@gt %{tx.max_num_args}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@within %{tx.restricted_headers_extended}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "(?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "(?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@gt %{tx.arg_name_length}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['\"w.()+,/:=?<>@#*-]+)*$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@validateByteRange 9,10,13,32-126,128-255") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "^.*$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@validateUrlEncoding") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($attack_detected = 1) {
|
||||
return 403;
|
||||
}
|
||||
map $request_uri $waf_block_enforcement {
|
||||
default 0;
|
||||
"~*!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['\"w.()+,/:=?<>@#*-]+)*$" 1;
|
||||
"~*!@rx ^(?:OPTIONS|CONNECT)$" 1;
|
||||
"~*@eq 1" 1;
|
||||
"~*.([^.]+)$" 1;
|
||||
"~*@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" 1;
|
||||
"~*@gt %{tx.total_arg_length}" 1;
|
||||
"~*!@streq JSON" 1;
|
||||
"~*^(?:GET|HEAD)$" 1;
|
||||
"~*@validateUtf8Encoding" 1;
|
||||
"~*.[^.~]+~(?:/.*|)$" 1;
|
||||
"~*@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" 1;
|
||||
"~*%u[fF]{2}[0-9a-fA-F]{2}" 1;
|
||||
"~*!@pm AppleWebKit Android Business Enterprise Entreprise" 1;
|
||||
"~*@gt %{tx.max_num_args}" 1;
|
||||
"~*!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$" 1;
|
||||
"~*^(?i)up" 1;
|
||||
"~*!@pm AppleWebKit Android" 1;
|
||||
"~*@streq POST" 1;
|
||||
"~*^.*$" 1;
|
||||
"~*!@rx ^d+$" 1;
|
||||
"~*@validateUrlEncoding" 1;
|
||||
"~*@gt %{tx.arg_length}" 1;
|
||||
"~*@gt %{tx.combined_file_sizes}" 1;
|
||||
"~*^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}" 1;
|
||||
"~*@ge 1" 1;
|
||||
"~*@gt %{tx.arg_name_length}" 1;
|
||||
"~*!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=])*$" 1;
|
||||
"~*@gt 0" 1;
|
||||
"~*b(?:keep-alive|close),s?(?:keep-alive|close)b" 1;
|
||||
"~*@validateByteRange 32-36,38-126" 1;
|
||||
"~*!@endsWith .pdf" 1;
|
||||
"~*x25" 1;
|
||||
"~*['\";=]" 1;
|
||||
"~*^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}" 1;
|
||||
"~*@gt 50" 1;
|
||||
"~*%[0-9a-fA-F]{2}" 1;
|
||||
"~*charset.*?charset" 1;
|
||||
"~*!@rx ^0?$" 1;
|
||||
"~*!@rx ^OPTIONS$" 1;
|
||||
"~*^(?i)multipart/form-data" 1;
|
||||
"~*(?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]" 1;
|
||||
"~*(?i)x5cu[0-9a-f]{4}" 1;
|
||||
"~*charsets*=s*[\"']?([^;\"'s]+)" 1;
|
||||
"~*@within %{tx.restricted_headers_extended}" 1;
|
||||
"~*(?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)" 1;
|
||||
"~*@gt %{tx.max_file_size}" 1;
|
||||
"~*@endsWith .pdf" 1;
|
||||
"~*@within %{tx.restricted_extensions}" 1;
|
||||
"~*^$" 1;
|
||||
"~*(d+)-(d+)" 1;
|
||||
"~*@gt 1" 1;
|
||||
"~*@validateByteRange 1-255" 1;
|
||||
"~*@validateByteRange 9,10,13,32-126,128-255" 1;
|
||||
"~*@within %{tx.restricted_headers_basic}" 1;
|
||||
"~*^[^;s]+" 1;
|
||||
"~*@eq 0" 1;
|
||||
"~*@contains #" 1;
|
||||
"~*!@rx ^0$" 1;
|
||||
"~*^(?i)application/x-www-form-urlencoded" 1;
|
||||
}
|
||||
|
||||
if ($waf_block_enforcement) {
|
||||
return 403;
|
||||
# Log the blocked request (optional)
|
||||
# access_log /var/log/nginx/waf_blocked.log;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user