What is naxsi
I. First hands-on: installing and using naxsi
Step 1: download nginx (and pcre)
https://nginx.org/en/download.html https://www.pcre.org/
mkdir naxsi_waf_source
cd naxsi_waf_source/
wget https://nginx.org/download/nginx-1.7.8.tar.gz
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.36.tar.gz
or
svn co svn://vcs.exim.org/pcre/code/trunk pcre
Step 2: download naxsi
git clone https://github.com/nbs-system/naxsi.git
Step 3: build and install nginx + naxsi
tar zxvf nginx-1.7.8.tar.gz
tar zxvf pcre-8.36.tar.gz
cd nginx-1.7.8/
./configure --add-module=/root/naxsi_waf_source/naxsi/naxsi_src --prefix=/opt/naxsi_waf --with-pcre=/root/naxsi_waf_source/pcre-8.36/ --with-pcre-jit --with-debug --with-http_ssl_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module
(The official documentation says the naxsi module must be listed first among the modules to avoid unpredictable bugs.)
Configuration summary
+ using PCRE library: /root/naxsi-waf/pcre-8.36/
+ using system OpenSSL library
+ md5: using OpenSSL library
+ sha1: using OpenSSL library
+ using system zlib library
nginx path prefix: "/opt/naxsi_waf"
nginx binary file: "/opt/naxsi_waf/sbin/nginx"
nginx configuration prefix: "/opt/naxsi_waf/conf"
nginx configuration file: "/opt/naxsi_waf/conf/nginx.conf"
nginx pid file: "/opt/naxsi_waf/logs/nginx.pid"
nginx error log file: "/opt/naxsi_waf/logs/error.log"
nginx http access log file: "/opt/naxsi_waf/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
make
make install
Step 4: naxsi configuration [basic]
Configure the naxsi rules
cp ~/naxsi/naxsi_config/naxsi_core.rules /opt/naxsi_waf/conf/
vim /opt/naxsi_waf/conf/my_naxsi.rules
Enter:
#LearningMode; #Enables learning mode; while it is on, no request is blocked
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";
## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
Configure nginx to hook naxsi in
vim /opt/naxsi_waf/conf/nginx.conf
Enter:
http {
    include /opt/naxsi_waf/conf/naxsi_core.rules; # path to the naxsi core rules
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$request_body" "$http_content_type"';
    server {
        listen 80;
        server_name tanjiti;
        proxy_set_header Proxy-Connection "";
        access_log logs/nginx_access.log main;
        error_log logs/nginx_error.log;
        # dynamic modifiers for naxsi waf, see naxsi configuration [advanced]
        #set $naxsi_flag_enable 0; # override SecRulesEnabled: 0 disable, 1 enable
        #set $naxsi_flag_learning 1; # override learning flag
        #set $naxsi_flag_post_action 0; # 0: disable post_action in learning mode
        #set $naxsi_extensive_log 1; # log the CONTENT of variable matching rules
        location / {
            include /opt/naxsi_waf/conf/my_naxsi.rules;
            proxy_pass https://127.0.0.1:8080;
            proxy_set_header Host www.tanjiti.com;
        }
        location /RequestDenied {
            return 418; # response code returned for blocked requests
        }
    }
}
Step 5: trying naxsi out
Start nginx:
sbin/nginx -c conf/nginx.conf
Send an attack request:
http "localhost:80/xss.php?name=<script>alert(1);</script>" Host:www.tanjiti.com -v
Let's look at the difference between learning mode and blocking mode.
(1) Learning mode
Learning mode only logs; it does not block.
Edit /opt/naxsi_waf/conf/my_naxsi.rules
and enable LearningMode;
(Learning mode can also be switched on dynamically with set $naxsi_flag_learning 1; see "naxsi configuration [advanced]: modifying naxsi configuration dynamically".)
(2) Blocking mode
Edit /opt/naxsi_waf/conf/my_naxsi.rules
and comment out LearningMode;
(Learning mode can also be switched off dynamically with set $naxsi_flag_learning 0; see the same section.)
Step 6: naxsi configuration [advanced]
Modifying naxsi configuration dynamically
#dynamic modifiers for naxsi waf
#set $naxsi_flag_enable 0; #override SecRulesEnabled which 0: disable 1:enable
#set $naxsi_flag_learning 1;#override learning flag
#set $naxsi_flag_post_action 0;# 0:disable post_action in learning mode
#set $naxsi_extensive_log 1;#log the CONTENT of variable matching rules
For example, to enable extensive logging so that the matched content is recorded:
(1) Learning mode + extensive log format
set $naxsi_flag_enable 0;
set $naxsi_extensive_log 1;
(2) Blocking mode + extensive log format
set $naxsi_flag_enable 1;
set $naxsi_extensive_log 1;
II. How the WAF works
We analyse how the naxsi WAF works in four parts: protocol parsing, the blocking principle, rules (policy), and logs.
1. Protocol parsing
Supported request methods: GET/POST/PUT
Supported POST body types: application/x-www-form-urlencoded, multipart/form-data, application/json
(Note: buffered body data is not parsed.)
Supported variables (match zones):
URL
ARGS  GET parameter values
BODY  POST parameter values
$HEADERS_VAR:Cookie  HTTP request headers
FILE_EXT  file name of a multipart POST upload
Supported operators:
str  string match
rx  regular-expression match
Both are case-insensitive.
Supported actions:
log and block
2. Blocking principle
Strict rules (simple ones, many of them just special-character signatures, in naxsi_core.rules) plus whitelist pass-through (whitelists are produced either by hand or by self-learning).
Maintaining the rules therefore means maintaining the white rules (the pass-through rules).
3. Rules
(1) Core rules (black rules)
a. Rule syntax
https://github.com/nbs-system/naxsi/wiki/rulessyntax
Rule examples:
MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
MainRule negative "rx:multipart/form-data|application/x-www-form-urlencoded" "msg:Content is neither mulipart/x-www-form.." "mz:$HEADERS_VAR:Content-type" "s:$EVADE:4" id:1402;
Directive description:
rx: regular-expression match
str: string match
msg: meaning of the rule
mz: the part of the HTTP request to match (match zone)
s: the rule's category and the score it adds
id: rule id
b. Rule composition (id ranges)
1> internal rules 1-999: anomalies found during protocol parsing
2> SQL injection rules 1000-1099
3> OBVIOUS RFI rules 1100-1100
4> Directory traversal rules 1200-1299
5> XSS rules 1300-1399
6> Evasion rules 1400-1500
7> File upload rules 1500-1600
(2) Whitelist rule syntax
a. Rule syntax
https://github.com/nbs-system/naxsi/wiki/whitelists
Rule examples:
(1) GET parameters
ARGS
$ARGS_VAR (string match)
BasicRule wl:1100 "mz:$ARGS_VAR:redirect_to";
$ARGS_VAR_X (regular-expression match)
(2) POST parameters
BODY
$BODY_VAR
BasicRule wl:1000 "mz:$BODY_VAR:save";
$BODY_VAR_X
(3) Request headers
HEADERS
$HEADERS_VAR
BasicRule wl:1402 "mz:$HEADERS_VAR:content-type";
$HEADERS_VAR_X
(4) URL
URL (the part of the URI before the "?")
BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update.php";
$URL_X
(5) Upload file name
FILE_EXT  upload file name
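To make the scoring and whitelist mechanics concrete, here is an added example written for this page (not code from the naxsi project) that re-implements the MainRule / CheckRule / BasicRule model in Python for the test request used on this page: the five core rules copied from naxsi_core.rules are parsed, applied to the request's match zones, occurrences of each string are counted, scores are summed per tag, and the CheckRule thresholds from my_naxsi.rules decide BLOCK; a BasicRule whitelist then suppresses matches. The rule parser, per-occurrence scoring and whitelist lookup are my own assumptions about naxsi's behaviour, chosen so that the example reproduces the $SQL=12 and $XSS=56 scores that appear in the learning-mode log in the "4. Logs" section.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Added example for this page, not naxsi's own code: a small re-implementation of
# the MainRule -> score -> CheckRule -> BasicRule model.

# The five core rules this page's test request hits (copied from naxsi_core.rules).
CORE_RULES = r'''
MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
'''

# CheckRule thresholds from my_naxsi.rules on this page.
CHECK_RULES = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}

RULE_RE = re.compile(r'MainRule\s+(?:(negative)\s+)?"(str|rx):(.*?)"\s+"msg:(.*?)"\s+'
                     r'"mz:(.*?)"\s+"s:(.*?)"\s+id:(\d+);')
WL_RE = re.compile(r'BasicRule\s+wl:([\d,]+)\s+"mz:\$(ARGS|BODY|HEADERS)_VAR:([^"]+)";')


def parse_rules(text):
    """Parse MainRule lines into dicts (simplified: str/rx, mz zones, s: scores, id)."""
    rules = []
    for negative, kind, pattern, msg, mz, scores, rid in RULE_RE.findall(text):
        rules.append({
            "id": int(rid), "negative": bool(negative), "kind": kind, "pattern": pattern,
            "msg": msg, "zones": mz.split("|"),
            "scores": {tag: int(pts) for tag, pts in (s.rsplit(":", 1) for s in scores.split(","))},
        })
    return rules


def parse_whitelist(text):
    """BasicRule wl:ID[,ID] "mz:$ZONE_VAR:name"; -> set of (id, zone, name) to skip."""
    wl = set()
    for ids, zone, name in WL_RE.findall(text):
        wl.update((int(i), zone, name.lower()) for i in ids.split(","))
    return wl


def split_query(qs):
    """Split k=v&k=v without relying on parse_qsl (older Pythons also split on ';')."""
    pairs = []
    for part in qs.split("&"):
        if part:
            k, _, v = part.partition("=")
            pairs.append((unquote_plus(k), unquote_plus(v)))
    return pairs


def request_zones(raw_url, headers, body=""):
    """Split a request into (zone, var_name, value) triples: URL, ARGS, BODY, HEADERS."""
    parts = urlsplit(raw_url)
    triples = [("URL", "", unquote(parts.path))]
    triples += [("ARGS", k, v) for k, v in split_query(parts.query)]
    triples += [("BODY", k, v) for k, v in split_query(body)]  # x-www-form-urlencoded only
    triples += [("HEADERS", k, v) for k, v in headers.items()]
    return triples


def rule_applies(rule, zone, var_name):
    for mz in rule["zones"]:
        if mz == zone:
            return True
        # "$HEADERS_VAR:Cookie" restricts the rule to one named header
        if mz.startswith("$HEADERS_VAR:") and zone == "HEADERS" \
                and mz.split(":", 1)[1].lower() == var_name.lower():
            return True
    return False


def count_matches(rule, value):
    """Case-insensitive; every occurrence scores (assumption matching the log's 8*2 for '<' and '>')."""
    v = value.lower()
    n = v.count(rule["pattern"].lower()) if rule["kind"] == "str" \
        else len(re.findall(rule["pattern"], v, re.IGNORECASE))
    return (0 if n else 1) if rule["negative"] else n


def evaluate(rules, triples, whitelist=frozenset()):
    """Return ({tag: score}, [(zone, id, var_name, count)]) for one request."""
    scores, hits = {}, []
    for zone, var_name, value in triples:
        for rule in rules:
            if not rule_applies(rule, zone, var_name) or (rule["id"], zone, var_name.lower()) in whitelist:
                continue
            n = count_matches(rule, value)
            if n:
                hits.append((zone, rule["id"], var_name, n))
                for tag, pts in rule["scores"].items():
                    scores[tag] = scores.get(tag, 0) + pts * n
    return scores, hits


def blocked(scores, check_rules=CHECK_RULES):
    """CheckRule "$TAG >= N" BLOCK: any threshold reached means the request is denied."""
    return any(scores.get(tag, 0) >= limit for tag, limit in check_rules.items())


if __name__ == "__main__":
    rules = parse_rules(CORE_RULES)
    req = request_zones("/xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E", {"Host": "www.tanjiti.com"})
    scores, hits = evaluate(rules, req)
    print(scores, hits, "BLOCK" if blocked(scores) else "PASS")
    print(evaluate(rules, req, parse_whitelist('BasicRule wl:1302,1303 "mz:$ARGS_VAR:name";'))[0])
```

Running the block prints $SQL 12 and $XSS 56 with five hits for the page's request, so both the $SQL and $XSS CheckRules trigger; whitelisting 1302 and 1303 on the name argument drops $XSS to 24, which still blocks, which is why a whitelist has to cover every rule a legitimate parameter value trips.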
b. Open-source whitelist rule sets
Whitelist rule sets for WordPress/DokuWiki/ruTorrent:
git clone https://github.com/nbs-system/naxsi-rules.git
4. Logs
Taking the request sent in the naxsi trial above as the example:
http "localhost:80/xss.php?name=<script>alert(1);</script>" Host:www.tanjiti.com -v
(1) WAF event log in learning mode
nginx_error.log
2014/12/17 19:20:54 [error] 26370#0: *40842 NAXSI_FMT: ip=127.0.0.1&server=www.tanjiti.com&uri=/xss.php&learning=1&vers=0.53-1&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=12&cscore1=$XSS&score1=56&zone0=ARGS&id0=1008&var_name0=name&zone1=ARGS&id1=1010&var_name1=name&zone2=ARGS&id2=1011&var_name2=name&zone3=ARGS&id3=1302&var_name3=name&zone4=ARGS&id4=1303&var_name4=name, client: 127.0.0.1, server: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.tanjiti.com"
In learning mode we can see that this request hit five rules:
id0=1008
MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
id1=1010
MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
id2=1011
MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
id3=1302 (hit twice)
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
id4=1303 (hit twice)
MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
SQL score: 12 = 4+4+4
XSS score: 56 = 8+8+8+8*2+8*2
(2) WAF event log in blocking mode
nginx_error.log
2014/12/17 19:26:06 [error] 396#0: *40844 NAXSI_FMT: ip=127.0.0.1&server=www.tanjiti.com&uri=/xss.php&learning=0&vers=0.53-1&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=4&cscore1=$XSS&score1=8&zone0=ARGS&id0=1008&var_name0=name, client: 127.0.0.1, server: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.tanjiti.com"
id0=1008
Compared with learning mode, the blocking-mode line records only the first hit (id 1008, $SQL 4, $XSS 8).
Corresponding source code
The log format is defined in the source as follows (naxsi_src/naxsi_runtime.c):
const char *fmt_base = "ip=%.*s&server=%.*s&uri=%.*s&learning=%d&vers=%.*s&total_processed=%zu&total_blocked=%zu&block=%d";
const char *fmt_score = "&cscore%d=%.*s&score%d=%zu";
const char *fmt_rm = "&zone%d=%s&id%d=%d&var_name%d=%.*s";
Note that when the URI is too long the log line gets truncated; bear this in mind when doing further log analysis:
uri > 4k, string will be split
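As an added example (not code from the naxsi project), the parser below turns a NAXSI_FMT line into a structured record and flags the truncation case just described. Both inputs are constructed: the first is the learning-mode line from above joined back into one line, the second imitates a record cut off by an over-long URI. The field layout follows fmt_base, fmt_score and fmt_rm above; the truncation heuristics (missing nginx client/server/request/host trailer, or a zone/id/var_name group that is incomplete) are my own assumptions.

```python
import re
from collections import Counter

# Added example for this page, not naxsi's own code. Inputs are constructed:
# the first is the learning-mode NAXSI_FMT line shown above, joined into one line;
# the second imitates a record cut off by an over-long URI.
LEARNING_LINE = (
    '2014/12/17 19:20:54 [error] 26370#0: *40842 NAXSI_FMT: ip=127.0.0.1&server=www.tanjiti.com'
    '&uri=/xss.php&learning=1&vers=0.53-1&total_processed=1&total_blocked=1&block=1'
    '&cscore0=$SQL&score0=12&cscore1=$XSS&score1=56'
    '&zone0=ARGS&id0=1008&var_name0=name&zone1=ARGS&id1=1010&var_name1=name'
    '&zone2=ARGS&id2=1011&var_name2=name&zone3=ARGS&id3=1302&var_name3=name'
    '&zone4=ARGS&id4=1303&var_name4=name, client: 127.0.0.1, server: tanjiti_naxsi, '
    'request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.tanjiti.com"'
)
TRUNCATED_LINE = (
    '2014/12/17 19:21:00 [error] 26370#0: *40843 NAXSI_FMT: ip=127.0.0.1&server=www.tanjiti.com'
    '&uri=/' + 'a' * 64 + '&learning=1&vers=0.53-1&total_processed=2&total_blocked=2&block=1'
    '&cscore0=$SQL&score0=4&zone0=ARGS&id0=10'
)

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[error\] (?P<worker>\d+#\d+): \*(?P<conn>\d+) NAXSI_FMT: (?P<payload>.*?)'
    r'(?:, client: (?P<client>\S+), server: (?P<vhost>\S+), request: "(?P<request>[^"]*)", host: "(?P<host>[^"]*)")?$'
)


def parse_naxsi_fmt(line):
    """Parse one NAXSI_FMT error-log line (fmt_base + fmt_score* + fmt_rm*) into a dict, or None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = {}
    for kv in m.group("payload").split("&"):   # values are not URL-encoded, so no unquoting
        key, _, value = kv.partition("=")
        fields[key] = value
    scores, i = {}, 0
    while f"cscore{i}" in fields:               # fmt_score: &cscore%d=TAG&score%d=N
        scores[fields[f"cscore{i}"]] = int(fields.get(f"score{i}") or 0)
        i += 1
    matches, i = [], 0
    while f"zone{i}" in fields:                 # fmt_rm: &zone%d=Z&id%d=ID&var_name%d=V
        rid = fields.get(f"id{i}")
        matches.append({"zone": fields[f"zone{i}"],
                        "id": int(rid) if rid and rid.isdigit() else None,
                        "var_name": fields.get(f"var_name{i}")})
        i += 1
    # Truncation heuristic: the nginx trailer is missing or the last match group is incomplete.
    truncated = m.group("client") is None or any(
        h["id"] is None or h["var_name"] is None for h in matches)
    return {
        "ts": m.group("ts"), "ip": fields.get("ip"), "server": fields.get("server"),
        "uri": fields.get("uri"), "learning": fields.get("learning") == "1",
        "block": fields.get("block") == "1", "version": fields.get("vers"),
        "scores": scores, "matches": matches, "truncated": truncated,
        "request": m.group("request"), "host": m.group("host"),
    }


def top_rules(events):
    """Hit counts per (zone, id, var_name) over complete events: the nxapi-style top-N view."""
    c = Counter()
    for ev in events:
        if ev and not ev["truncated"]:
            c.update((h["zone"], h["id"], h["var_name"]) for h in ev["matches"])
    return c


if __name__ == "__main__":
    for line in (LEARNING_LINE, TRUNCATED_LINE):
        ev = parse_naxsi_fmt(line)
        print(ev["uri"][:20], ev["scores"], "truncated" if ev["truncated"] else "complete")
    print(top_rules([parse_naxsi_fmt(LEARNING_LINE)]).most_common(3))
```

Truncated records are kept but excluded from the statistics, since a cut-off line can carry a partial id (here "10" instead of a full rule id) that would silently skew the top-N counts any whitelist generator is built on.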
(3) WAF event log in learning mode with EXLOG (buggy)
Records the matched content:
2014/12/17 19:38:31 [error] 16164#0: *40845 NAXSI_EXLOG: ip=127.0.0.1&server=www.tanjiti.com&uri=/xss.php&id=1008&zone=ARGS&var_name=name&content=<script>alert(1)B</script>, client: 127.0.0.1, server: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.tanjiti.com"
2014/12/17 19:38:31 [error] 16164#0: *40845 NAXSI_EXLOG: ip=127.0.0.1&server=www.tanjiti.com&uri=/xss.php&id=1010&zone=ARGS&var_name=name&content=<script>alert(1)B</script>, client: 127.0.0.1, server: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.tanjiti.com"
2014/12/17 19:38:31 [error] 16164#0: *40845 NAXSI_EXLOG: ip=127.0.0.1&server=www.tanjiti.com&uri=/xss.php&id=1011&zone=ARGS&var_name=name&content=<script>alert(1)B</script>, client: 127.0.0.1, server: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.tanjiti.com"
2014/12/17 19:38:31 [error] 16164#0: *40845 NAXSI_EXLOG: ip=127.0.0.1&server=www.tanjiti.com&uri=/xss.php&id=1302&zone=ARGS&var_name=name&content=<script>alert(1)B</script>, client: 127.0.0.1, server: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.tanjiti.com"
2014/12/17 19:38:31 [error] 16164#0: *40845 NAXSI_EXLOG: ip=127.0.0.1&server=www.tanjiti.com&uri=/xss.php&id=1303&zone=ARGS&var_name=name&content=<script>alert(1)B</script>, client: 127.0.0.1, server: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.tanjiti.com"
2014/12/17 19:38:31 [error] 16164#0: *40845 NAXSI_FMT: ip=127.0.0.1&server=www.tanjiti.com&uri=/xss.php&learning=1&vers=0.53-1&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=12&cscore1=$XSS&score1=56&zone0=ARGS&id0=1008&var_name0=name&zone1=ARGS&id1=1010&var_name1=name&zone2=ARGS&id2=1011&var_name2=name&zone3=ARGS&id3=1302&var_name3=name&zone4=ARGS&id4=1303&var_name4=name, client: 127.0.0.1, server: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.tanjiti.com"
(4) WAF event log in blocking mode with EXLOG (buggy)
2014/12/17 19:43:07 [error] 22252#0: *40847 NAXSI_EXLOG: ip=127.0.0.1&server=www.tanjiti.com&uri=/xss.php&id=1008&zone=ARGS&var_name=name&content=<script>alert(1)B</script>, client: 127.0.0.1, server: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.tanjiti.com"
2014/12/17 19:43:07 [error] 22252#0: *40847 NAXSI_FMT: ip=127.0.0.1&server=www.tanjiti.com&uri=/xss.php&learning=0&vers=0.53-1&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=4&cscore1=$XSS&score1=8&zone0=ARGS&id0=1008&var_name0=name, client: 127.0.0.1, server: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.tanjiti.com"
Corresponding source code
The extensive log format is set as follows (naxsi_src/naxsi_utils.c):
"NAXSI_EXLOG: ip=%V&server=%V&uri=%V&id=%d&zone=%s&var_name=%V&content=%V"
III. Whitelist generation algorithm
I was originally a ModSecurity fan; I analysed naxsi only because a well-known expert on Weibo preferred it, and then I was drawn in by the labels "self-learning" and "whitelist modelling based on website behaviour":
an intensive auto-learning phase that will automatically generate whitelisting rules regarding website's behaviour
So I went into source-reading mode and found that naxsi's whitelist generation methods (based on analysing nginx logs; the tool analyses the error log that records naxsi WAF block events) are as follows:
(1) Manual addition
(2) Automatic generation
This selling point is updated very slowly; a reader raised it on the project's GitHub and the author's reply was rather resigned:
Why do you keep radically changing learning tools ?
Because it's a not-that-easy problem, and we didn't found a satisfying solution yet ;)
1. nxutil
https://code.google.com/p/naxsi/downloads/list?can=1&q=
https://github.com/nbs-system/naxsi/wiki/configuration
https://github.com/nbs-system/naxsi/wiki/reporting
https://github.com/nbs-system/naxsi/wiki/nxutil
Purely statistical approach, implemented in C + sqlite3; no longer maintained.
2. nxapi
Implemented in Python + Elasticsearch (which stores the naxsi events); under active development, and the focus of our analysis.
How it works
nxapi stores WAF events (the NAXSI_FMT or NAXSI_EXLOG log lines produced in learning mode) in Elasticsearch, turns custom templates (tpl files) into search criteria, runs those searches against Elasticsearch, and finally compares what is retrieved against scoring conditions to generate whitelists.
The highlight is Elasticsearch's search capability: top-N statistics can be queried by keyword with ease, for example the top 10 servers triggering events, top 10 URIs, top 10 zones (URI components), top 10 IPs.
The scoring conditions are as follows:
rule_ip_count : nb of peers hitting rule
rule_uri_count : nb of uri the rule hitted on
template_ip_count : nb of peers hitting template
template_uri_count : nb of uri the rule hitted on
ip_ratio_template : ratio of peers hitting the template vs peers hitting the rule
uri_ratio_template : ratio of uri hitting the template vs uri hitting the rule
ip_ratio_global : ratio of peers hitting the rule vs all peers
uri_ratio_global : ratio of uri hitting the rule vs all uri
Installation
(1) Install Elasticsearch
Java environment setup
apt-get install openjdk-7-jdk
vim ~/.bashrc
export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64  # replace with the actual Java installation directory
source ~/.bashrc
Taking installation on Ubuntu as the example:
wget -qO - https://packages.elasticsearch.org/GPG-KEY-elasticsearch | sudo apt-key add -
vim /etc/apt/sources.list
Add:
deb https://packages.elasticsearch.org/elasticsearch/1.4/debian stable main
apt-get update
apt-get install elasticsearch
update-rc.d elasticsearch defaults 95 10 # start at boot
After a successful installation the key default paths are:
Binaries /usr/share/elasticsearch/bin
Libraries /usr/share/elasticsearch/lib/
Configuration file /etc/elasticsearch/elasticsearch.yml
Log files /var/log/elasticsearch/
Working directory /tmp/elasticsearch/
Configuration (I have a compulsive habit of changing default ports):
vim /etc/elasticsearch/elasticsearch.yml
Change the port:
http.port: 8108
Start:
/etc/init.d/elasticsearch start
Install the Marvel management plugin; afterwards the cluster can be managed through the web UI at https://localhost:8108/_plugin/marvel/
/usr/share/elasticsearch/bin/plugin -i elasticsearch/marvel/latest
/etc/init.d/elasticsearch restart
(2) Create the index:
curl -XPUT 'https://localhost:8108/nxapi?pretty'
The nxapi tool's configuration file is nxapi.json:
vim nxapi.json
Modify as follows (rules_path is the path to the naxsi WAF core rules; this example uses a different install prefix than the /opt/naxsi_waf build above, so set it to your own):
"elastic" : {
    "host" : "127.0.0.1:8108",
    "index" : "nxapi",
    "doctype" : "events",
    "default_ttl" : "7200",
    "max_size" : "1000"
},
"naxsi" : {
    "rules_path" : "/home/work/naxsi_waf/conf/naxsi_core.rules",
    "template_path" : [ "tpl/"],
    "geoipdb_path" : "nx_datas/country2coords.txt"
},
pip install elasticsearch
python setup.py build
python setup.py install
Important files after installation:
/usr/local/nxapi/ # template tpl files and geo data files
/usr/local/bin/nxtool.py # executable
(5) Key options
nxtool.py -h
Usage: nxtool.py [options]
Options:
-h, --help show this help message and exit
Configuration options:
-c CFG_PATH, --config=CFG_PATH (nxapi configuration file)
Path to nxapi.json (config).
--colors Disable output colorz.
Input options (log acquisition):
--files=FILES_IN Path to log files to parse.
--fifo=FIFO_IN Path to a FIFO to be created & read from. [infinite]
--stdin Read from stdin.
--no-timeout Disable timeout on read operations (stdin/fifo).
--syslog Listen on tcp port for syslog logging.
Filtering options (for whitelist generation):
-s SERVER, --server=SERVER
FQDN to which we should restrict operations.
--filter=FILTER This option specify a filter for each type of filter,
filter are merge with existing templates/filters.
(--filter 'uri /foobar') is the key option: using it when generating whitelists improves their accuracy. Supported keywords: 'server', 'uri', 'zone', 'var_name', 'ip', 'id', 'content', 'country', 'date', '?server', '?uri', '?var_name', '?content'.
Tagging options (tag existing events in database):
-w WL_FILE, --whitelist-path=WL_FILE
A path to whitelist file, will find matching events in
DB.
-i IPS, --ip-path=IPS
A path to IP list file, will find matching events in
DB.
--tag Actually tag matching items in DB.
Whitelist Generation:
-f, --full-auto Attempt fully automatic whitelist generation process.
-t TEMPLATE, --template=TEMPLATE
Path to template to apply.
--slack Enables less strict mode.
--type Generate whitelists based on param type; parameter types include:
empty, boolean (0,1), colour (#[0-9a-f]), hexadecimal [0-9a-f], alphanumeric [0-9a-z], url, word, array, text.
Statistics Generation:
-x, --stats Generate statistics about current's db content.
Statistics
nxtool.py -c ./nxapi.json -x --colors
# Whitelist(ing) ratio :
# false 79.96 % (total:196902/246244)
# true 20.04 % (total:49342/246244)
# Top servers :
# www.x1.fr 21.93 % (total:43181/196915)
# www.x2.fr 15.21 % (total:29945/196915)
...
# Top URI(s) :
# /foo/bar/test 8.55 % (total:16831/196915)
# /user/register 5.62 % (total:11060/196915)
# /index.php/ 4.26 % (total:8385/196915)
...
# Top Zone(s) :
# BODY 41.29 % (total:81309/196924)
# HEADERS 23.2 % (total:45677/196924)
# BODY|NAME 16.88 % (total:33243/196924)
# ARGS 12.47 % (total:24566/196924)
# URL 5.56 % (total:10947/196924)
# ARGS|NAME 0.4 % (total:787/196924)
# FILE_EXT 0.2 % (total:395/196924)
# Top Peer(s) :
# ...
Whitelist generation
nxtool.py -c nxapi.json -s www.x1.fr -f --filter 'uri /foo/bar/test' --slack
...
#msg: A generic whitelist, true for the whole uri
#Rule (1303) html close tag
#total hits 126
#content : lyiuqhfnp,+<a+href="https://preemptivelove.org/">Cialis+forum</a>,+KKSXJyE,+[url=https://preemptivelove.org/]Viagra+or+cialis[/url],+XGRgnjn,+http
#content : 4ThLQ6++<a+href="https://aoeymqcqbdby.com/">aoeymqcqbdby</a>,+[url=https://ndtofuvzhpgq.com/]ndtofuvzhpgq[/url],+[link..
#peers : x.y.z.w
...
#uri : /faq/
#var_name : numcommande
#var_name : comment
...
# success : global_rule_ip_ratio is 58.82
# warnings : rule_ip is 10
BasicRule wl:1303 "mz:$URL:/foo/bar/test|BODY";
Generating a whitelist from a template
For example, the template
{ "zone" : "HEADERS", "var_name" : "cookie", "id" : "?"}
The generation process. Step 1: read the global_filters option of nxapi.json; the ES filter is
{ "whitelisted" : "false" }
Step 2: read the filter command-line options of nxtool.py
-s SERVER, --server=SERVER
--filter=FILTER
{ "whitelisted" : "false", "server" : "www.x1.fr" }
Step 3: parse each field of the tpl template file and merge it into the ES filter: { "whitelisted" : "false", "server" : "www.x1.fr", "zone" : "HEADERS", "var_name" : "cookie" }
Step 4: expand every field whose value is ?: { "whitelisted" : "false", "server" : "www.x1.fr", "zone" : "HEADERS", "var_name" : "cookie", "id" : "1000"} { "whitelisted" : "false", "server" : "www.x1.fr", "zone" : "HEADERS", "var_name" : "cookie", "id" : "1001"}
Step 5: judge the query results against the scoring rules defined globally and in the template, and generate whitelists of the form:
BasicRule wl:X "mz:$HEADERS_VAR:cookie"; ..
Template rules:
"field" : "value"  specifies an ES filter, e.g. "var_name" : "__utmz"
"field" : "?"  specifies an ES filter whose value is expanded over every value seen (see Step 4), e.g. "id" : "?"
"?field" : "regexp"  specifies an ES filter matched by regular expression
"_statics" : {"field" : "value"}  directly specifies part of the generated whitelist, e.g.
"_statics" : {
"id" : "1009,1010,1005,1011"
}
generates the whitelist wl:1009,1010,1005,1011
"_msg" : "string"  template description, e.g. "_msg" : "google analytics, __utmz var in ARGS"
"_success" : { ... }  sets the scoring rules; merged (overriding/supplementing) with the scoring options in nxapi.json (global_warning_rules, global_success_rules, global_deny_rules), e.g.
"_success" : { "template_uri" : [ ">", "5"],
"rule_uri" : [ ">", "5"]}
"_warnings" : {...}  sets the scoring rules; merged (overriding/supplementing) with the scoring options in nxapi.json, e.g.
"_warnings" : { "rule_var_name" : [ "<=", "5" ],
"rule_uri" : [ "<=", "5" ],"template_uri" : [ ">", "5" ] ,"template_var_name" : [ ">", "5"]}
"_deny" : {...}  sets the scoring rules; merged (overriding/supplementing) with the scoring options in nxapi.json, e.g.
"_deny" : { "rule_var_name" : [ "<", "10" ] }
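The five-step process and the template keys above, as an added example written for this page (not nxapi's own code; it runs against a constructed in-memory event list instead of Elasticsearch): the global filter and the command-line filter are merged, the template's non-underscore keys are added, every "?" field is expanded over the distinct values seen, the counts and ratios from the scoring-condition list (rule_ip, rule_uri, template_ip, template_uri and their ratios) are computed for each expanded filter, and _success/_warnings/_deny decide what is emitted as a BasicRule. The metric names follow the examples on this page; the exact names nxapi uses internally, the "all peers" denominator and the thresholds in the constructed template are assumptions.

```python
import itertools
import re

# Added example for this page, not nxapi's own code. Events are constructed in
# memory in the shape nxapi stores in Elasticsearch (one record per matched rule).
EVENTS = [
    {"server": "www.x1.fr", "uri": "/index.php",     "zone": "HEADERS", "var_name": "cookie", "id": "1000", "ip": "10.0.0.1", "whitelisted": "false"},
    {"server": "www.x1.fr", "uri": "/index.php",     "zone": "HEADERS", "var_name": "cookie", "id": "1000", "ip": "10.0.0.2", "whitelisted": "false"},
    {"server": "www.x1.fr", "uri": "/user/register", "zone": "HEADERS", "var_name": "cookie", "id": "1000", "ip": "10.0.0.3", "whitelisted": "false"},
    {"server": "www.x1.fr", "uri": "/faq/",          "zone": "HEADERS", "var_name": "cookie", "id": "1000", "ip": "10.0.0.4", "whitelisted": "false"},
    {"server": "www.x1.fr", "uri": "/faq/",          "zone": "HEADERS", "var_name": "cookie", "id": "1000", "ip": "10.0.0.1", "whitelisted": "false"},
    {"server": "www.x1.fr", "uri": "/index.php",     "zone": "HEADERS", "var_name": "cookie", "id": "1001", "ip": "10.0.0.9", "whitelisted": "false"},
    {"server": "www.x1.fr", "uri": "/search",        "zone": "ARGS",    "var_name": "q",      "id": "1000", "ip": "10.0.0.5", "whitelisted": "false"},
    {"server": "www.x2.fr", "uri": "/index.php",     "zone": "HEADERS", "var_name": "cookie", "id": "1000", "ip": "10.0.0.7", "whitelisted": "false"},
    {"server": "www.x1.fr", "uri": "/index.php",     "zone": "HEADERS", "var_name": "cookie", "id": "1000", "ip": "10.0.0.8", "whitelisted": "true"},
]

# Constructed template in the style of the page's examples; the thresholds are assumptions.
TEMPLATE = {
    "zone": "HEADERS", "var_name": "cookie", "id": "?",
    "_msg": "cookie header: one whitelist per rule id that enough distinct peers trigger",
    "_success": {"rule_ip": [">", "3"], "template_uri": [">", "2"]},
    "_warnings": {"rule_uri": ["<=", "2"]},
    "_deny": {"rule_ip": ["<", "2"]},
}

OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b}


def matches(event, flt):
    """Exact-value filter; a key written "?field" is matched as a regexp ("?field": "regexp")."""
    for key, value in flt.items():
        if key.startswith("?"):
            if not re.search(value, str(event.get(key[1:], ""))):
                return False
        elif str(event.get(key)) != str(value):
            return False
    return True


def expand(events, flt):
    """Step 4: every field whose value is "?" is replaced by each distinct value seen in the events."""
    wild = [k for k, v in flt.items() if v == "?"]
    fixed = {k: v for k, v in flt.items() if v != "?"}
    if not wild:
        return [fixed]
    base = [e for e in events if matches(e, fixed)]
    choices = [sorted({e[k] for e in base}) for k in wild]
    return [{**fixed, **dict(zip(wild, combo))} for combo in itertools.product(*choices)]


def distinct(events, key):
    return len({e[key] for e in events})


def metrics(pool, template_filter, rule_filter):
    """Counts and ratios from the scoring-condition list: rule_* for the expanded filter,
    template_* for the template without its "?" fields, global ratios against the whole pool."""
    tpl = [e for e in pool if matches(e, template_filter)]
    rule = [e for e in pool if matches(e, rule_filter)]
    m = {}
    for name, subset in (("rule", rule), ("template", tpl)):
        for key in ("ip", "uri", "var_name"):
            m[f"{name}_{key}"] = distinct(subset, key)
    pct = lambda a, b: round(100.0 * a / b, 2) if b else 0.0
    m["ip_ratio_template"] = pct(m["rule_ip"], m["template_ip"])
    m["uri_ratio_template"] = pct(m["rule_uri"], m["template_uri"])
    m["global_rule_ip_ratio"] = pct(m["rule_ip"], distinct(pool, "ip"))
    m["global_rule_uri_ratio"] = pct(m["rule_uri"], distinct(pool, "uri"))
    return m


def check(m, conds):
    """Return the names of the conditions ({metric: [op, value]}) that hold."""
    return [k for k, (op, val) in conds.items() if OPS[op](m[k], float(val))]


def build_mz(flt):
    """Turn the filter fields into a naxsi match zone in the whitelist syntax shown on this page."""
    zone = flt.get("zone", "")
    mz = f"${zone}_VAR:{flt['var_name']}" if flt.get("var_name") and zone in ("ARGS", "BODY", "HEADERS") else zone
    if flt.get("uri"):
        mz = f"$URL:{flt['uri']}|{mz}"
    return mz


def generate(events, cli_filter, template, global_filter=None):
    scope = {**(global_filter or {"whitelisted": "false"}), **cli_filter}  # steps 1 and 2
    pool = [e for e in events if matches(e, scope)]
    tpl_filter = {k: v for k, v in template.items() if not k.startswith("_")}  # step 3
    fixed = {k: v for k, v in tpl_filter.items() if v != "?"}
    results = []
    for rule_filter in expand(pool, tpl_filter):  # step 4
        m = metrics(pool, fixed, rule_filter)  # step 5
        if check(m, template.get("_deny", {})):
            continue  # any _deny condition that holds suppresses the whitelist
        rule_id = template.get("_statics", {}).get("id", rule_filter.get("id"))
        results.append({
            "rule": f'BasicRule wl:{rule_id} "mz:{build_mz(rule_filter)}";',
            "success": check(m, template.get("_success", {})),
            "warnings": check(m, template.get("_warnings", {})),
            "metrics": m,
        })
    return results


if __name__ == "__main__":
    for r in generate(EVENTS, {"server": "www.x1.fr"}, TEMPLATE):
        print("#msg:", TEMPLATE["_msg"])
        print("# success:", r["success"], " warnings:", r["warnings"])
        print(r["rule"])
```

With the constructed events, id 1000 on the cookie header is seen from four distinct peers over three URIs and becomes BasicRule wl:1000 "mz:$HEADERS_VAR:cookie";, while id 1001, seen from a single peer, is dropped by the _deny condition: a rule that only one client trips is exactly the case a learning whitelist must not silence.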
References:
https://pythonhackers.com/p/buixor/nxapi
https://github.com/nbs-system/naxsi/tree/master/nxapi
Source: 碳基体