Update: [Wed Jan 8 00:26:52 UTC 2025]

2025-12-29 16:15:12 +00:00 · 2025-01-08 00:26:52 +00:00
parent fe5f92f6ed
commit ed5a5bc855
40 changed files with 2586 additions and 2586 deletions
--- a/waf_patterns/nginx/attack.conf
+++ b/waf_patterns/nginx/attack.conf
@@ -2,47 +2,15 @@
 location / {
    set $attack_detected 0;

-    if ($request_uri ~* "content-transfer-encoding:(.*)") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "(?:bhttp/d|<(?:html|meta)b)") {
-        set $attack_detected 1;
-    }
-
    if ($request_uri ~* "[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:") {
        set $attack_detected 1;
    }

-    if ($request_uri ~* ".") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "[nr]") {
-        set $attack_detected 1;
-    }
-
    if ($request_uri ~* "TX:paramcounter_(.*)") {
        set $attack_detected 1;
    }

-    if ($request_uri ~* "unix:[^|]*|") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "@gt 0") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "^content-types*:s*(.*)$") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d") {
+    if ($request_uri ~* "@gt 1") {
        set $attack_detected 1;
    }

@@ -50,7 +18,15 @@ location / {
        set $attack_detected 1;
    }

-    if ($request_uri ~* "@gt 1") {
+    if ($request_uri ~* "^content-types*:s*(.*)$") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "[nr]") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)") {
        set $attack_detected 1;
    }

@@ -58,6 +34,30 @@ location / {
        set $attack_detected 1;
    }

+    if ($request_uri ~* "unix:[^|]*|") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "(?:bhttp/d|<(?:html|meta)b)") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* ".") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "@gt 0") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "content-transfer-encoding:(.*)") {
+        set $attack_detected 1;
+    }
+
    if ($attack_detected = 1) {
        return 403;
    }