Update: [Fri Jan 10 00:27:14 UTC 2025]

2025-12-29 16:15:12 +00:00 · 2025-01-10 00:27:14 +00:00
parent 0c41e95847
commit c68f9937e8
40 changed files with 3401 additions and 3401 deletions
--- a/waf_patterns/nginx/attack.conf
+++ b/waf_patterns/nginx/attack.conf
@@ -2,19 +2,7 @@
 location / {
    set $attack_detected 0;

-    if ($request_uri ~* "TX:paramcounter_(.*)") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* ".") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "@gt 1") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "(?:bhttp/d|<(?:html|meta)b)") {
+    if ($request_uri ~* "content-transfer-encoding:(.*)") {
        set $attack_detected 1;
    }

@@ -22,27 +10,19 @@ location / {
        set $attack_detected 1;
    }

+    if ($request_uri ~* "^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "(?:bhttp/d|<(?:html|meta)b)") {
+        set $attack_detected 1;
+    }
+
    if ($request_uri ~* "@gt 0") {
        set $attack_detected 1;
    }

-    if ($request_uri ~* "[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "content-transfer-encoding:(.*)") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "^content-types*:s*(.*)$") {
+    if ($request_uri ~* "@gt 1") {
        set $attack_detected 1;
    }

@@ -50,11 +30,31 @@ location / {
        set $attack_detected 1;
    }

-    if ($request_uri ~* "unix:[^|]*|") {
+    if ($request_uri ~* "^content-types*:s*(.*)$") {
        set $attack_detected 1;
    }

-    if ($request_uri ~* "^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b") {
+    if ($request_uri ~* "[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* ".") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "TX:paramcounter_(.*)") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "unix:[^|]*|") {
        set $attack_detected 1;
    }