mirror of
https://github.com/fabriziosalmi/patterns.git
synced 2025-12-17 17:55:48 +00:00
65 lines
1.8 KiB
Plaintext
65 lines
1.8 KiB
Plaintext
# Nginx WAF rules for ATTACK
|
|
location / {
|
|
set $attack_detected 0;
|
|
|
|
if ($request_uri ~* "content-transfer-encoding:(.*)") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "TX:paramcounter_(.*)") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* ".") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "^content-types*:s*(.*)$") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@gt 1") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "@gt 0") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "unix:[^|]*|") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "(?:bhttp/d|<(?:html|meta)b)") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "[nr]") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($request_uri ~* "^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b") {
|
|
set $attack_detected 1;
|
|
}
|
|
|
|
if ($attack_detected = 1) {
|
|
return 403;
|
|
}
|
|
}
|