Add support for NAXSI web application firewall (#354)

decoders/0170-nginx_decoders.xml

@@ -17,6 +17,18 @@
   <prematch>^20\d\d/\d\d/\d\d \d\d:\d\d:\d\d [</prematch>
 </decoder>
 
+<!--
+Extract NAXSI WAF alert information https://github.com/nbs-system/naxsi/wiki/naxsilogs
+
+2013/11/10 07:36:19 [error] 8278#0: *5932 NAXSI_FMT: ip=X.X.X.X&server=Y.Y.Y.Y&uri=/phpMyAdmin-2.8.2/scripts/setup.php&learning=0&vers=0.52&total_processed=472&total_blocked=204&block=0&cscore0=$UWA&score0=8&zone0=HEADERS&id0=42000227&var_name0=user-agent, client: X.X.X.X, server: blog.memze.ro, request: "GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1", host: "X.X.X.X"
+-->
+<decoder name="nginx-naxsi">
+  <parent>nginx-errorlog</parent>
+  <prematch offset="after_parent">NAXSI_FMT:</prematch>
+  <regex offset="after_parent">ip=(\S+)&server=(\S+)&uri=(\S+)&learning=(\d+)&vers=(\S+)&total_processed=(\d+)&total_blocked=(\d+)&block=(\d+)&cscore0=(\S+)&score0=(\S+)&</regex>
+  <order>srcip,server,uri,learning,vers,total_processed,total_blocked,block,attack,score</order>
+</decoder>
+
 <decoder name="nginx-errorlog-ip">
   <parent>nginx-errorlog</parent>
   <prematch offset="after_parent">, client: \S+, server: \S*, request: "\S+ </prematch>

rules/0260-nginx_rules.xml

@@ -108,4 +108,18 @@
     <group>modsecurity,gpg13_10.1,</group>
   </rule>
 
+  <rule id="31334" level="3">
+    <if_sid>31301</if_sid>
+    <match>NAXSI_FMT:</match>
+    <description>NAXSI warning</description>
+    <group>naxsi,</group>
+  </rule>
+
+  <rule id="31335" level="7">
+    <if_sid>31334</if_sid>
+    <match>&block=1&</match>
+    <description>NAXSI rejected a query</description>
+    <group>naxsi,gpg13_10.1,</group>
+  </rule>
+
 </group>