Update: [Sun Jan 12 00:29:42 UTC 2025]

2025-12-29 16:15:12 +00:00 · 2025-01-12 00:29:42 +00:00
parent 6eff0f9666
commit c59456bd3e
38 changed files with 3257 additions and 3257 deletions
--- a/waf_patterns/nginx/attack.conf
+++ b/waf_patterns/nginx/attack.conf
@@ -2,7 +2,15 @@
 location / {
    set $attack_detected 0;

-    if ($request_uri ~* "@gt 1") {
+    if ($request_uri ~* "content-transfer-encoding:(.*)") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "TX:paramcounter_(.*)") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* ".") {
        set $attack_detected 1;
    }

@@ -10,6 +18,10 @@ location / {
        set $attack_detected 1;
    }

+    if ($request_uri ~* "[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w") {
+        set $attack_detected 1;
+    }
+
    if ($request_uri ~* "^content-types*:s*(.*)$") {
        set $attack_detected 1;
    }
@@ -18,23 +30,7 @@ location / {
        set $attack_detected 1;
    }

-    if ($request_uri ~* "(?:bhttp/d|<(?:html|meta)b)") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* ".") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "unix:[^|]*|") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "[nr]") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "TX:paramcounter_(.*)") {
+    if ($request_uri ~* "@gt 1") {
        set $attack_detected 1;
    }

@@ -42,7 +38,15 @@ location / {
        set $attack_detected 1;
    }

-    if ($request_uri ~* "^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b") {
+    if ($request_uri ~* "unix:[^|]*|") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "(?:bhttp/d|<(?:html|meta)b)") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "[nr]") {
        set $attack_detected 1;
    }

@@ -50,11 +54,7 @@ location / {
        set $attack_detected 1;
    }

-    if ($request_uri ~* "content-transfer-encoding:(.*)") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w") {
+    if ($request_uri ~* "^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b") {
        set $attack_detected 1;
    }