mirror of
https://github.com/fabriziosalmi/patterns.git
synced 2025-12-17 17:55:48 +00:00
85 lines
1.6 KiB
Plaintext
85 lines
1.6 KiB
Plaintext
# Nginx WAF rules for CORRELATION
|
|
location / {
|
|
set $attack_detected 0;
|
|
|
|
if ($request_uri ~* "@eq 0") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@ge 5") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@eq 0") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@ge %{tx.inbound_anomaly_score_threshold}") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@ge %{tx.outbound_anomaly_score_threshold}") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@lt 2") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@ge %{tx.inbound_anomaly_score_threshold}") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@ge %{tx.outbound_anomaly_score_threshold}") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@lt 3") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@gt 0") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@lt 4") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@lt 1") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@lt 1") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@lt 2") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@lt 2") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@lt 3") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@lt 3") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@lt 4") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@lt 4") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($attack_detected = 1) {
|
|
return 403;
|
|
}
|
|
}
|