Add support for NAXSI web application firewall #354

Merged
merged 1 commit into from Aug 23, 2019
Conversation

kravietz
Contributor

The decoder will extract key alert information fields, while the alert rule
will be triggered by both warnings (level 3) and blocked request alerts
(level 7).

@Lopuiz Lopuiz self-assigned this Jun 11, 2019
@Lopuiz Lopuiz self-requested a review June 11, 2019 07:14
Contributor

@Lopuiz Lopuiz left a comment

Hi @kravietz

Thank you for your contribution to the Ruleset project.
We will merge it as soon as possible.

Kind regards, Eva

@Lopuiz Lopuiz changed the base branch from master to 3.10 June 11, 2019 07:19
@Lopuiz Lopuiz changed the base branch from 3.10 to 3.9 June 12, 2019 08:48
@bah07 bah07 added this to In progress in Wazuh 3.10.0 via automation Jun 14, 2019
@bah07 bah07 added this to the 25th week milestone Jun 17, 2019
@Lopuiz Lopuiz requested a review from bah07 June 21, 2019 10:53
@Lopuiz Lopuiz changed the base branch from 3.9 to 3.10 August 6, 2019 09:29
@Lopuiz Lopuiz moved this from In progress to Done in Wazuh 3.10.0 Aug 13, 2019
@Lopuiz Lopuiz moved this from Done to Reviewer approved in Wazuh 3.10.0 Aug 13, 2019
@chemamartinez chemamartinez self-requested a review August 23, 2019 11:17
@chemamartinez
Contributor

Hi @kravietz,

Both decoder and rules work fine.

Rule 31334

2013/11/10 07:36:19 [error] 8278#0: *5932 NAXSI_FMT: ip=X.X.X.X&server=Y.Y.Y.Y&uri=/phpMyAdmin-2.8.2/scripts/setup.php&learning=0&vers=0.52&total_processed=472&total_blocked=204&block=0&cscore0=$UWA&score0=8&zone0=HEADERS&id0=42000227&var_name0=user-agent, client: X.X.X.X, server: blog.memze.ro, request: "GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1", host: "X.X.X.X"


**Phase 1: Completed pre-decoding.
       full event: '2013/11/10 07:36:19 [error] 8278#0: *5932 NAXSI_FMT: ip=X.X.X.X&server=Y.Y.Y.Y&uri=/phpMyAdmin-2.8.2/scripts/setup.php&learning=0&vers=0.52&total_processed=472&total_blocked=204&block=0&cscore0=$UWA&score0=8&zone0=HEADERS&id0=42000227&var_name0=user-agent, client: X.X.X.X, server: blog.memze.ro, request: "GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1", host: "X.X.X.X"'
       timestamp: '(null)'
       hostname: 'ubuntu'
       program_name: '(null)'
       log: '2013/11/10 07:36:19 [error] 8278#0: *5932 NAXSI_FMT: ip=X.X.X.X&server=Y.Y.Y.Y&uri=/phpMyAdmin-2.8.2/scripts/setup.php&learning=0&vers=0.52&total_processed=472&total_blocked=204&block=0&cscore0=$UWA&score0=8&zone0=HEADERS&id0=42000227&var_name0=user-agent, client: X.X.X.X, server: blog.memze.ro, request: "GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1", host: "X.X.X.X"'

**Phase 2: Completed decoding.
       decoder: 'nginx-errorlog'
       srcip: 'X.X.X.X'
       server: 'Y.Y.Y.Y'
       uri: '/phpMyAdmin-2.8.2/scripts/setup.php'
       learning: '0'
       vers: '0.52'
       total_processed: '472'
       total_blocked: '204'
       block: '0'
       attack: '$UWA'
       score: '8'

**Phase 3: Completed filtering (rules).
       Rule id: '31334'
       Level: '3'
       Description: 'NAXSI warning'
**Alert to be generated.

Rule 31335

2013/11/10 07:36:19 [error] 8278#0: *5932 NAXSI_FMT: ip=X.X.X.X&server=Y.Y.Y.Y&uri=/phpMyAdmin-2.8.2/scripts/setup.php&learning=0&vers=0.52&total_processed=472&total_blocked=204&block=1&cscore0=$UWA&score0=8&zone0=HEADERS&id0=42000227&var_name0=user-agent, client: X.X.X.X, server: blog.memze.ro, request: "GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1", host: "X.X.X.X"


**Phase 1: Completed pre-decoding.
       full event: '2013/11/10 07:36:19 [error] 8278#0: *5932 NAXSI_FMT: ip=X.X.X.X&server=Y.Y.Y.Y&uri=/phpMyAdmin-2.8.2/scripts/setup.php&learning=0&vers=0.52&total_processed=472&total_blocked=204&block=1&cscore0=$UWA&score0=8&zone0=HEADERS&id0=42000227&var_name0=user-agent, client: X.X.X.X, server: blog.memze.ro, request: "GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1", host: "X.X.X.X"'
       timestamp: '(null)'
       hostname: 'ubuntu'
       program_name: '(null)'
       log: '2013/11/10 07:36:19 [error] 8278#0: *5932 NAXSI_FMT: ip=X.X.X.X&server=Y.Y.Y.Y&uri=/phpMyAdmin-2.8.2/scripts/setup.php&learning=0&vers=0.52&total_processed=472&total_blocked=204&block=1&cscore0=$UWA&score0=8&zone0=HEADERS&id0=42000227&var_name0=user-agent, client: X.X.X.X, server: blog.memze.ro, request: "GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1", host: "X.X.X.X"'

**Phase 2: Completed decoding.
       decoder: 'nginx-errorlog'
       srcip: 'X.X.X.X'
       server: 'Y.Y.Y.Y'
       uri: '/phpMyAdmin-2.8.2/scripts/setup.php'
       learning: '0'
       vers: '0.52'
       total_processed: '472'
       total_blocked: '204'
       block: '1'
       attack: '$UWA'
       score: '8'

**Phase 3: Completed filtering (rules).
       Rule id: '31335'
       Level: '7'
       Description: 'NAXSI rejected a query'
**Alert to be generated.

Thanks again for your contribution; it will be available in the next released version.
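Added example, not part of this pull request or of the Wazuh ruleset: a small Python model of what the decoder and the two rules do with the events quoted in the logtest output above. It goes slightly beyond that output by collecting every numbered cscoreN/scoreN/zoneN/idN/var_nameN group NAXSI appends, not only the first; the sample lines are constructed from the ones in the review, placeholders included.

```python
import re

# Constructed sample modelled on the warning event quoted in the review above
# (the X.X.X.X / Y.Y.Y.Y placeholders are kept as they appear there).
SAMPLE_WARNING = (
    "2013/11/10 07:36:19 [error] 8278#0: *5932 NAXSI_FMT: ip=X.X.X.X&server=Y.Y.Y.Y"
    "&uri=/phpMyAdmin-2.8.2/scripts/setup.php&learning=0&vers=0.52&total_processed=472"
    "&total_blocked=204&block=0&cscore0=$UWA&score0=8&zone0=HEADERS&id0=42000227"
    "&var_name0=user-agent, client: X.X.X.X, server: blog.memze.ro, "
    'request: "GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1", host: "X.X.X.X"'
)
SAMPLE_BLOCKED = SAMPLE_WARNING.replace("&block=0&", "&block=1&")  # block=1 variant

# The NAXSI_FMT query string runs up to ", client:"; the request line follows.
LINE_RE = re.compile(r'NAXSI_FMT: (?P<kv>.*?), client: .*?request: "(?P<request>[^"]*)"')
# NAXSI appends one cscoreN/scoreN/zoneN/idN/var_nameN group per matched signature.
NUMBERED_RE = re.compile(r"^(cscore|score|zone|id|var_name)(\d+)$")
# Rule ids, levels and descriptions as shown in the logtest output above.
RULES = {"0": ("31334", 3, "NAXSI warning"), "1": ("31335", 7, "NAXSI rejected a query")}


def decode(line):
    """Extract the scalar fields (named as in the logtest output) plus a per-match
    list; returns None for nginx error lines that are not NAXSI_FMT events."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    fields, matches = {}, {}
    for pair in m.group("kv").split("&"):
        key, _, value = pair.partition("=")
        n = NUMBERED_RE.match(key)
        if n:
            matches.setdefault(int(n.group(2)), {})[n.group(1)] = value
        else:
            fields[key] = value
    first = matches.get(0, {})
    return {
        "srcip": fields.get("ip"),
        "server": fields.get("server"),
        "uri": fields.get("uri"),
        "block": fields.get("block"),
        "attack": first.get("cscore"),  # decoder's 'attack'/'score' are cscore0/score0
        "score": first.get("score"),
        "request": m.group("request"),
        "matches": [matches[i] for i in sorted(matches)],
    }


def match_rule(event):
    """Return (rule id, level, description) of the rule that fires on block=0/1."""
    return RULES.get(event["block"])
```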

@chemamartinez chemamartinez merged commit b52a837 into wazuh:3.10 Aug 23, 2019
Wazuh 3.10.0 automation moved this from Review approved to Done Aug 23, 2019
@Lopuiz Lopuiz mentioned this pull request Aug 29, 2019