Naxsi Nginx High performance WAF

Posted by c0nw0nk 
c0nw0nk
Naxsi Nginx High performance WAF
December 24, 2016 01:30AM
So I recently got hooked on Naxsi and I am loving it to bits <3 thanks to
itpp2012 :)

https://github.com/nbs-system/naxsi

I found the following Rule sets here.

http://spike.nginx-goodies.com/rules/

But I am curious: does anyone have Naxsi-written rules that would be the same
as those on Cloudflare's WAF?

These, to be exact:
Package:
OWASP ModSecurity Core Rule Set : Covers OWASP Top 10 vulnerabilities, and
more.
Package:
Cloudflare Rule Set : Contains rules to stop attacks commonly seen on
Cloudflare's network and attacks against popular applications.


I'd love to have a Naxsi version of their WAF rules to add to the
naxsi_core.rules file.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271695,271695#msg-271695

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Robert Paprocki
Re: Naxsi Nginx High performance WAF
December 24, 2016 06:50AM
Naxsi and ModSecurity are... very different. They have distinct (and largely incomparable) backgrounds, philosophies, goals, implementation details, and, most importantly for this context, vastly different DSLs that support their operations. A 1-1 translation of the OWASP CRS (particularly v3, just recently released) from ModSecurity's rule language to Naxsi rule syntax just isn't possible. ModSecurity provides a number of features that are either unsupported or impossible in Naxsi, and given that the CRS was written explicitly for ModSec, taking advantage of some implementation-specific features... well, good luck ;) (and at this point you might as well use libmodsecurity or an openresty alternative like lua-resty-waf, as Naxsi is probably never going to support the operators and feature sets needed for the CRS).

As for CF's rules, I'm not 100% sure, but that essentially sounds like asking for access to CF's internal data pipeline. I doubt you'll find a published version of this, as it's data that powers their commercial WAF.

mex
Re: Naxsi Nginx High performance WAF
December 24, 2016 09:10AM
Hi c0nw0nk,

mex here, initial creator of http://spike.nginx-goodies.com/rules/
and maintainer of Doxi-Rules
https://bitbucket.org/lazy_dogtown/doxi-rules/overview
(this is where the rules we create with spike live :)

the doxi-rules in their current state are inspired by emerging threats rules,
and not by the CRS-System because:

- mod_security can hook into any phase of a request, while naxsi only works
in access_phase
- naxsi has a very slim but yet powerful core-ruleset
- naxsi doesn't hold state of an actor

thus, it would not be possible to re-create the CRS onto naxsi; instead, we
have a very slim but very fast core-ruleset that does not change very often,
and on top of this, if wanted, a wider ruleset that protects against common
classes of attacks like XXE or general Object-Injections
http://spike.nginx-goodies.com/rules/view/42000341
http://spike.nginx-goodies.com/rules/view/42000343

i learned from my gurus @emerging threats to write signatures
against vulnerabilities, not exploits

before naxsi i used mod_security with CRS as well and it was
more than just a PITA because of False Positives and performance-issues
as well. with naxsi, learning mode and whitelist-creation,
using a WAF is fun again.

If you have detailed questions about naxsi, there is a
naxsi-discuss-mailinglist as well

cheers,

mex





Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271695,271697#msg-271697
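
The learning-mode and whitelist workflow mentioned in the post above, sketched as an added configuration example; it is not taken from any poster, from naxsi or from doxi-rules. The rule id 9900001, the `$UWA` score name, the `/backup.sql` pattern, the `/search` whitelist, the host name and the backend address are all assumptions made for illustration.

```nginx
# Added example: ids, score name, paths and backend below are constructed.
http {
    # Slim core ruleset shipped with naxsi (the file named in the first post).
    include /etc/nginx/naxsi_core.rules;

    # Constructed signature in the style of an add-on ruleset: a lowercase
    # string match on the URL that adds 8 to a custom score named $UWA.
    # MainRule directives are declared at http level.
    MainRule "str:/backup.sql" "msg:constructed example - database dump probe" "mz:URL" "s:$UWA:8" id:9900001;

    upstream app_backend {
        server 127.0.0.1:8080;   # hypothetical application server
    }

    server {
        listen 80;
        server_name example.test;

        location / {
            SecRulesEnabled;

            # Learning mode: rule matches are written to the error log as
            # NAXSI_FMT lines, but requests are not blocked. Remove this
            # directive once the whitelist below covers normal traffic.
            LearningMode;

            # Internal redirect target used once blocking is active.
            DeniedUrl "/RequestDenied";

            # Per-request score thresholds; naxsi keeps no state per client,
            # so each request is judged on its own accumulated scores.
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            CheckRule "$UWA >= 8" BLOCK;

            # Whitelist derived from learning-mode logs: core rule 1000
            # (SQL keywords) is ignored for the "q" argument of /search only.
            BasicRule wl:1000 "mz:$URL:/search|$ARGS_VAR:q";

            proxy_pass http://app_backend;
        }

        location /RequestDenied {
            internal;
            return 403;
        }
    }
}
```

Keeping each whitelist scoped to one rule id, one URL and one argument, as in the `BasicRule` above, limits how much of the core ruleset a false-positive fix switches off.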

c0nw0nk
Re: Naxsi Nginx High performance WAF
January 01, 2017 09:50AM


Hey mex, that's awesome :) I love your work with spike too. I have a question
about this rule here.

http://spike.nginx-goodies.com/rules/view/42000039

In the site list here http://spike.nginx-goodies.com/rules/ why is that rule
ID number completely "greyed" out? What does that mean?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271695,271790#msg-271790

mex
Re: Naxsi Nginx High performance WAF
January 06, 2017 10:20AM
grey rules mean they are deactivated

i'm gonna write a blog on how we use spike + doxi-rules in our
setup, but it will take some time.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271695,271844#msg-271844

c0nw0nk
Re: Naxsi Nginx High performance WAF
January 06, 2017 10:30AM
mex Wrote:
-------------------------------------------------------
> grey rules mean they are deactivated
>
>
> i'm gonna write a blog on how we use spike + doxi-rules in our
> setup, but it will take some time.

That's cool, looking forward to it. Also, the rules on spike, I think, need
updating with the bitbucket page, since the rules are the same but a lot on the
bitbucket changed to now be case-insensitive matches.

As you see here:
https://bitbucket.org/lazy_dogtown/doxi-rules/commits/e00016cc8bf7bb93c44afaf78fdd9b279290adcb#Lscanner.rulesT18

All lower case.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271695,271845#msg-271845
