What is naxsi

I. First impressions: installing and using naxsi
Step 1: download nginx (and pcre)

mkdir naxsi_waf_source
cd naxsi_waf_source/
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.36.tar.gz
or
svn co svn://vcs.exim.org/pcre/code/trunk pcre


Step 2: download naxsi

Step 3: build nginx + naxsi

tar zxvf nginx-1.7.8.tar.gz
tar zxvf pcre-8.36.tar.gz
cd nginx-1.7.8/
./configure --add-module=/root/naxsi_waf_source/naxsi/naxsi_src --prefix=/opt/naxsi_waf --with-pcre=/root/naxsi_waf_source/pcre-8.36/ --with-pcre-jit --with-debug --with-http_ssl_module --without-http_fastcgi_module  --without-http_uwsgi_module --without-http_scgi_module

(The official documentation says the naxsi module must be listed first, to avoid unpredictable bugs.)

Configuration summary
  + using PCRE library: /root/naxsi-waf/pcre-8.36/
  + using system OpenSSL library
  + md5: using OpenSSL library
  + sha1: using OpenSSL library
  + using system zlib library

  nginx path prefix: "/opt/naxsi_waf"
  nginx binary file: "/opt/naxsi_waf/sbin/nginx"
  nginx configuration prefix: "/opt/naxsi_waf/conf"
  nginx configuration file: "/opt/naxsi_waf/conf/nginx.conf"
  nginx pid file: "/opt/naxsi_waf/logs/nginx.pid"
  nginx error log file: "/opt/naxsi_waf/logs/error.log"
  nginx http access log file: "/opt/naxsi_waf/logs/access.log"
  nginx http client request body temporary files: "client_body_temp"
  nginx http proxy temporary files: "proxy_temp"
  nginx http fastcgi temporary files: "fastcgi_temp"
  nginx http uwsgi temporary files: "uwsgi_temp"
  nginx http scgi temporary files: "scgi_temp"

make
make install


Step 4: naxsi configuration [basic]
Configure the naxsi rules

cp ~/naxsi/naxsi_config/naxsi_core.rules /opt/naxsi_waf/conf/

vim /opt/naxsi_waf/conf/my_naxsi.rules

Contents:

#LearningMode; #Enables learning mode; while it is on, no request is blocked

SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";
 
## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

Configure nginx to use naxsi

vim /opt/naxsi_waf/conf/nginx.conf 

Contents:

http {
    include       /opt/naxsi_waf/conf/naxsi_core.rules; # path to the naxsi core rules
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" "$request_body" "$http_content_type"';
    server {
        listen 80;
        server_name tanjiti;
        proxy_set_header  Proxy-Connection "";
        access_log logs/nginx_access.log main;
        error_log logs/nginx_error.log;

        # dynamic modifiers for the naxsi waf, see naxsi configuration [advanced]
        #set $naxsi_flag_enable 0; # override SecRulesEnabled: 0 = disable, 1 = enable
        #set $naxsi_flag_learning 1; # override the learning flag
        #set $naxsi_flag_post_action 0; # 0: disable post_action in learning mode
        #set $naxsi_extensive_log 1; # log the CONTENT of variables matching rules

        location / {
            include /opt/naxsi_waf/conf/my_naxsi.rules;
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host www.tanjiti.com;
        }
        location /RequestDenied {
            return 418; # response code returned for blocked requests
        }
    }
}


Step 5: trying naxsi out
Start nginx

sbin/nginx -c conf/nginx.conf

Send an attack request

http "localhost:80/xss.php?name=<script>alert(1);</script>"  Host:www.tanjiti.com -v


Let's look at the difference between learning mode and blocking mode.
(1) Learning mode
Learning mode only logs; it never blocks.

Edit /opt/naxsi_waf/conf/my_naxsi.rules
and enable LearningMode;

(You can also use the dynamic configuration from naxsi configuration [advanced]: set $naxsi_flag_learning 1 turns learning mode on.)
 
(2) Blocking mode

Edit /opt/naxsi_waf/conf/my_naxsi.rules
and comment out LearningMode;

(You can also use the dynamic configuration from naxsi configuration [advanced]: set $naxsi_flag_learning 0 turns learning mode off.)
 


Step 6: naxsi configuration [advanced]
Changing the naxsi configuration dynamically

        # dynamic modifiers for the naxsi waf
        #set $naxsi_flag_enable 0; # override SecRulesEnabled: 0 = disable, 1 = enable
        #set $naxsi_flag_learning 1; # override the learning flag
        #set $naxsi_flag_post_action 0; # 0: disable post_action in learning mode
        #set $naxsi_extensive_log 1; # log the CONTENT of variables matching rules

For example, to turn on extensive logging, which records the matched content:
(1) learning mode + extensive log format

set $naxsi_flag_enable 0;
set $naxsi_extensive_log 1;
(2) blocking mode + extensive log format

set $naxsi_flag_enable 1;
set $naxsi_extensive_log 1;


II. How the WAF works
We analyse how the naxsi WAF works in four parts: protocol parsing, blocking logic, rules (policy) and logging.
1. Protocol parsing
Supported request methods: GET/POST/PUT
Supported POST body types: application/x-www-form-urlencoded, multipart/form-data, application/json
(note: buffered data is not parsed)
Supported variables
URL
ARGS  GET parameter values
BODY  POST parameter values
$HEADERS_VAR:Cookie  HTTP request headers
FILE_EXT  file name of a multipart POST upload

Supported operators:
str  string match
rx   regular-expression match
both are case-insensitive

Supported actions
log and block

2. Blocking logic
Strict rules (simple ones, many of them signatures of special characters) in naxsi_core.rules + whitelists that let traffic through (whitelists are generated either manually or by self-learning).
Maintaining the rules means maintaining the white rules (the pass-through rules).


3. Rules
(1) Core rules (black rules)
a. Rule syntax
Rule examples:

MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;


MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;


MainRule negative "rx:multipart/form-data|application/x-www-form-urlencoded" "msg:Content is neither mulipart/x-www-form.." "mz:$HEADERS_VAR:Content-type" "s:$EVADE:4" id:1402;


Directive description
rx: regular-expression match
str: string match
msg: meaning of the rule
mz: match zone, the part of the HTTP request the rule is applied to
s: the score category (or categories) the rule belongs to and the score it adds
id: rule id

b. Rule groups
1> internal rules 1-999: anomalies found during protocol parsing
2> SQL injection rules 1000-1099
3> OBVIOUS RFI rules 1100-1100
4> Directory traversal rules 1200-1299
5> XSS rules 1300-1399
6> evasion rules 1400-1500
7> file upload rules 1500-1600


(2) Whitelist rule syntax
a. Rule syntax

Rule examples:
(1) GET parameters

 ARGS

 $ARGS_VAR (string match)
BasicRule wl:1100 "mz:$ARGS_VAR:redirect_to";

 $ARGS_VAR_X (regex match)


(2) POST parameters

BODY

$BODY_VAR
BasicRule wl:1000 "mz:$BODY_VAR:save";

$BODY_VAR_X


(3) Request headers

HEADERS

HEADERS_VAR
BasicRule wl:1402 "mz:$HEADERS_VAR:content-type";

HEADERS_VAR_X


(4) URL

URL    (the part of the uri before "?")
BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update.php";

$URL_X

(5) Uploaded file name

FILE_EXT  uploaded file name


b. Open-source whitelist rule sets
Whitelist rule sets for wordpress/DokuWiki/ruTorrent

4. Logging
Using the request sent in the naxsi trial as the example

http "localhost:80/xss.php?name=<script>alert(1);</script>"  Host:www.tanjiti.com -v


(1) WAF event log in learning mode

nginx_error.log

2014/12/17 19:20:54 [error] 26370#0: *40842 NAXSI_FMT: ip=127.0.0.1&server=www.tanjiti.com&uri=/xss
.php&learning=1&vers=0.53-1&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=12&cscore
1=$XSS&score1=56
&zone0=ARGS&id0=1008&var_name0=name&zone1=ARGS&id1=1010&var_name1=name&zone2=ARGS&id2=1011&var_name2=name&zone3=ARGS&id3=1302&var_name3=name&zone4=ARGS&id4=1303&var_name4=name, client: 127.0.0.1, server: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.tanjiti.com"


In learning mode we can see that the request hit five rules:
id0=1008
MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;

id1=1010
MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;

id2=1011
MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;

id3=1302 (hit twice)
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;

id4=1303 (hit twice)
MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;

SQL score: 12 = 4+4+4
XSS score: 56 = 8+8+8+8*2+8*2
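The score arithmetic above, as an added example (my code, not naxsi's or the author's): a simplified Python re-implementation of naxsi's str matching and scoring, using the five MainRule lines and the CheckRule thresholds from this page. It also models what the two logs on this page show: in learning mode every rule is evaluated, while in blocking mode evaluation stops at the first rule that crosses a CheckRule threshold, so only id 1008 is reported.

```python
import re
from collections import Counter

# Rules copied from the page (a naxsi_core.rules excerpt) and the CheckRule thresholds
# from my_naxsi.rules; the matching/scoring below is a simplified re-implementation.
MAIN_RULES = r'''
MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
'''
CHECK_RULES = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}  # CheckRule ">= N" BLOCK

RULE_RE = re.compile(r'MainRule\s+"(str|rx):(.*?)"\s+"msg:.*?"\s+"mz:(.*?)"\s+"s:(.*?)"\s+id:(\d+);')

def parse_rules(text):
    """Turn MainRule lines into dicts: id, operator, pattern, match zones, score increments."""
    rules = []
    for op, pattern, mz, scores, rid in RULE_RE.findall(text):
        rules.append({"id": int(rid), "op": op, "pattern": pattern, "zones": set(mz.split("|")),
                      "scores": {k: int(v) for k, v in (s.split(":") for s in scores.split(","))}})
    return rules

def count_hits(rule, value):
    """str rules count every (case-insensitive) occurrence, which is why '<' and '>' hit twice."""
    if rule["op"] == "str":
        return value.lower().count(rule["pattern"].lower())
    return len(re.findall(rule["pattern"], value, re.IGNORECASE))

def evaluate(rules, zone, value, learning):
    """Return (scores, matched rule ids, block decision) for one variable in one zone.
    Learning mode evaluates every rule; blocking mode stops at the first rule that
    pushes a score over its CheckRule threshold (block=1 is logged in both modes)."""
    scores, hits = Counter(), []
    for rule in rules:
        if zone not in rule["zones"]:
            continue
        n = count_hits(rule, value)
        if n == 0:
            continue
        hits.append(rule["id"])
        for name, inc in rule["scores"].items():
            scores[name] += n * inc
        if not learning and any(scores[k] >= t for k, t in CHECK_RULES.items()):
            return dict(scores), hits, True
    return dict(scores), hits, any(scores[k] >= t for k, t in CHECK_RULES.items())

if __name__ == "__main__":
    rules = parse_rules(MAIN_RULES)
    payload = "<script>alert(1);</script>"  # the page's test request, zone ARGS, variable "name"
    print(evaluate(rules, "ARGS", payload, learning=True))   # ({'$SQL': 12, '$XSS': 56}, [1008, 1010, 1011, 1302, 1303], True)
    print(evaluate(rules, "ARGS", payload, learning=False))  # ({'$SQL': 4, '$XSS': 8}, [1008], True)
```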

(2) WAF event log in blocking mode

nginx_error.log

2014/12/17 19:26:06 [error] 396#0: *40844 NAXSI_FMT: ip=127.0.0.1&server=www.tanjiti.com&uri=/xss.p
hp&learning=0&vers=0.53-1&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=4&cscore1=$
XSS&score1=8
&zone0=ARGS&id0=1008&var_name0=name, client: 127.0.0.1, server: tanjiti_naxsi, request:
"GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.tanjiti.com"


In blocking mode we can see that the request hit only one rule:
id0=1008


Corresponding source
The log format is defined in the source as follows, in naxsi_src/naxsi_runtime.c

  const char      *fmt_base = "ip=%.*s&server=%.*s&uri=%.*s&learning=%d&vers=%.*s&total_processed=%zu&total_blocked=%zu&block=%d";

  const char     *fmt_score = "&cscore%d=%.*s&score%d=%zu";
  const char     *fmt_rm = "&zone%d=%s&id%d=%d&var_name%d=%.*s";
Note that when the uri is too long the log line is truncated; keep this in mind for the log-analysis step that follows:
uri > 4k, string will be split
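The format strings above, as an added example (my code, not naxsi's or nxapi's): a parser that turns a NAXSI_FMT line into a structured event, run on the learning-mode line from this page. The `complete` flag is my own heuristic for the split-line case the note mentions.

```python
import re

# Format strings quoted on this page from naxsi_src/naxsi_runtime.c:
#   fmt_base  "ip=%.*s&server=%.*s&uri=%.*s&learning=%d&vers=%.*s&total_processed=%zu&total_blocked=%zu&block=%d"
#   fmt_score "&cscore%d=%.*s&score%d=%zu"          (repeated once per score counter)
#   fmt_rm    "&zone%d=%s&id%d=%d&var_name%d=%.*s"  (repeated once per matched rule)
LINE_RE = re.compile(r'NAXSI_FMT: (?P<kv>.*?), client: (?P<client>\S+), server: (?P<vhost>\S+), '
                     r'request: "(?P<request>[^"]*)", host: "(?P<host>[^"]*)"')

# The page's learning-mode line, re-joined here (the page shows it wrapped).
SAMPLE = ('2014/12/17 19:20:54 [error] 26370#0: *40842 NAXSI_FMT: ip=127.0.0.1&server=www.tanjiti.com'
          '&uri=/xss.php&learning=1&vers=0.53-1&total_processed=1&total_blocked=1&block=1'
          '&cscore0=$SQL&score0=12&cscore1=$XSS&score1=56'
          '&zone0=ARGS&id0=1008&var_name0=name&zone1=ARGS&id1=1010&var_name1=name'
          '&zone2=ARGS&id2=1011&var_name2=name&zone3=ARGS&id3=1302&var_name3=name'
          '&zone4=ARGS&id4=1303&var_name4=name, client: 127.0.0.1, server: tanjiti_naxsi, '
          'request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.tanjiti.com"')

def parse_naxsi_fmt(line):
    """Parse one NAXSI_FMT error-log line into an event dict, or None for any other line.
    cscoreN/scoreN pairs become the 'scores' dict, zoneN/idN/var_nameN triples the 'matches' list."""
    m = LINE_RE.search(line)
    if not m:
        return None
    pairs = dict(kv.partition("=")[::2] for kv in m.group("kv").split("&"))
    event = {"client": m.group("client"), "vhost": m.group("vhost"), "request": m.group("request"),
             "host": m.group("host"), "scores": {}, "matches": []}
    for k in ("ip", "server", "uri", "vers"):
        event[k] = pairs.get(k)
    for k in ("learning", "total_processed", "total_blocked", "block"):
        event[k] = int(pairs.get(k, 0))
    n = 0
    while "cscore%d" % n in pairs:                      # fmt_score repeats
        event["scores"][pairs["cscore%d" % n]] = int(pairs["score%d" % n])
        n += 1
    n = 0
    while "zone%d" % n in pairs:                        # fmt_rm repeats
        event["matches"].append({"zone": pairs["zone%d" % n], "id": int(pairs["id%d" % n]),
                                 "var_name": pairs.get("var_name%d" % n, "")})
        n += 1
    # A fragment of a line that naxsi split because the uri exceeded 4k (see the note above)
    # lacks base fields; flag it so a pipeline can stitch or drop it instead of miscounting.
    event["complete"] = all(k in pairs for k in ("ip", "uri", "learning", "block"))
    return event
```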


(3) WAF event log in learning mode with EXLOG (buggy)

The matched content is recorded

2014/12/17 19:38:31 [error] 16164#0: *40845 NAXSI_EXLOG: ip=127.0.0.1&server=www.tanjiti.com&uri=/x
ss.php&id=1008&zone=ARGS&var_name=name&content=<script>alert(1)B</script>, client: 127.0.0.1, serve
r: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "
www.tanjiti.com"
2014/12/17 19:38:31 [error] 16164#0: *40845 NAXSI_EXLOG: ip=127.0.0.1&server=www.tanjiti.com&uri=/x
ss.php&id=1010&zone=ARGS&var_name=name&content=<script>alert(1)B</script>, client: 127.0.0.1, serve
r: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "
www.tanjiti.com"
2014/12/17 19:38:31 [error] 16164#0: *40845 NAXSI_EXLOG: ip=127.0.0.1&server=www.tanjiti.com&uri=/x
ss.php&id=1011&zone=ARGS&var_name=name&content=<script>alert(1)B</script>, client: 127.0.0.1, serve
r: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "
www.tanjiti.com"
2014/12/17 19:38:31 [error] 16164#0: *40845 NAXSI_EXLOG: ip=127.0.0.1&server=www.tanjiti.com&uri=/x
ss.php&id=1302&zone=ARGS&var_name=name&content=<script>alert(1)B</script>, client: 127.0.0.1, serve
r: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "
www.tanjiti.com"
2014/12/17 19:38:31 [error] 16164#0: *40845 NAXSI_EXLOG: ip=127.0.0.1&server=www.tanjiti.com&uri=/x
ss.php&id=1303&zone=ARGS&var_name=name&content=<script>alert(1)B</script>, client: 127.0.0.1, serve
r: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "
www.tanjiti.com"
2014/12/17 19:38:31 [error] 16164#0: *40845 NAXSI_FMT: ip=127.0.0.1&server=www.tanjiti.com&uri=/xss
.php&learning=1&vers=0.53-1&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=12&cscore
1=$XSS&score1=56&zone0=ARGS&id0=1008&var_name0=name&zone1=ARGS&id1=1010&var_name1=name&zone2=ARGS&id2=1011&var_name2=name&zone3=ARGS&id3=1302&var_name3=name&zone4=ARGS&id4=1303&var_name4=name, client: 127.0.0.1, server: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E
HTTP/1.1", host: "www.tanjiti.com"



(4) WAF event log in blocking mode (buggy)

2014/12/17 19:43:07 [error] 22252#0: *40847 NAXSI_EXLOG: ip=127.0.0.1&server=www.tanjiti.com&uri=/x
ss.php&id=1008&zone=ARGS&var_name=name&content=<script>alert(1)B</script>, client: 127.0.0.1, serve
r: tanjiti_naxsi, request: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "
www.tanjiti.com"
2014/12/17 19:43:07 [error] 22252#0: *40847 NAXSI_FMT: ip=127.0.0.1&server=www.tanjiti.com&uri=/xss
.php&learning=0&vers=0.53-1&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=4&cscore1
=$XSS&score1=8&zone0=ARGS&id0=1008&var_name0=name, client: 127.0.0.1, server: tanjiti_naxsi, reques
t: "GET /xss.php?name=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.tanjiti.com"



Corresponding source
The extensive log format is set as follows, in naxsi_src/naxsi_utils.c

     "NAXSI_EXLOG: ip=%V&server=%V&uri=%V&id=%d&zone=%s&var_name=%V&content=%V"




III. The whitelist generation algorithm
I was originally a modsecurity fan; I only analysed naxsi because a certain guru on weibo favoured it, and then I was drawn in by the labels "self-learning" and "whitelist modelling based on site behaviour":

 an intensive auto-learning phase that will automatically generate whitelisting rules regarding website's behaviour


So I switched into source-reading mode and found that naxsi's
whitelist generation methods (based on analysing nginx logs; the tool analyses the error log that records naxsi WAF block events) are as follows
 (1)  manual addition
 (2)  automatic generation

This selling point is updated very slowly; a reader raised it on git, and the author's reply was rather resigned too:

Why do you keep radically changing learning tools ?
Because it's a not-that-easy problem, and we didn't found a satisfying solution yet ;)


1. nxutil

Approaches the problem purely statistically; implemented in C + sqlite3; no longer updated

2. nxapi
Implemented in python + elasticsearch (which stores the naxsi events); actively updated, and the object of our analysis

How it works
nxapi stores WAF events (the NAXSI_FMT or NAXSI_EXLOG log lines produced in learning mode) in elasticsearch, converts a user-defined template (tpl file) into search conditions, runs the search in elasticsearch, and finally compares the search results against the scoring criteria to generate whitelists.
The highlight is elasticsearch's search capability: we can easily query TOP N statistics by keyword, e.g. the Top 10 servers triggering events, Top 10 URIs, Top 10 Zones (URI components), Top 10 IPs.

The scoring criteria are as follows
rule_ip_count : nb of peers hitting rule
rule_uri_count : nb of uri the rule hitted on
template_ip_count : nb of peers hitting template
template_uri_count : nb of uri the rule hitted on
ip_ratio_template : ratio of peers hitting the template vs peers hitting the rule
uri_ratio_template : ratio of uri hitting the template vs uri hitting the rule
ip_ratio_global : ratio of peers hitting the rule vs all peers
uri_ratio_global : ratio of uri hitting the rule vs all uri


Installation
(1) Install elasticsearch
Java environment setup

apt-get install openjdk-7-jdk

vim ~/.bashrc

export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64   (replace with your actual Java installation directory)
source ~/.bashrc
Taking an installation on Ubuntu as the example

wget -qO - https://packages.elasticsearch.org/GPG-KEY-elasticsearch | sudo apt-key add -

vim /etc/apt/sources.list
add
deb http://packages.elasticsearch.org/elasticsearch/1.4/debian stable main
apt-get update
apt-get install elasticsearch
update-rc.d elasticsearch defaults 95 10 # add to the system startup scripts
After a successful installation the key default paths are as follows

binaries /usr/share/elasticsearch/bin

libraries /usr/share/elasticsearch/lib/
configuration file /etc/elasticsearch/elasticsearch.yml
log files /var/log/elasticsearch/
working directory /tmp/elasticsearch/
Configuration (I have a compulsive habit of changing default ports)

vim /etc/elasticsearch/elasticsearch.yml

Change the port
http.port: 8108
Start

 /etc/init.d/elasticsearch start

Install the marvel management plugin; the web UI can then be used for management
http://localhost:8108/_plugin/marvel/

/usr/share/elasticsearch/bin/plugin -i elasticsearch/marvel/latest

/etc/init.d/elasticsearch restart
(2) Create the index

curl -XPUT 'http://localhost:8108/nxapi?pretty'

(3) Change nxapi's global configuration
The nxapi tool's configuration file is nxapi.json,

vim nxapi.json

Change it as follows

"elastic" : {
"host" : "127.0.0.1:8108",
"index" : "nxapi",
"doctype" : "events",
"default_ttl" : "7200",
"max_size" : "1000"
},

"naxsi" : {
"rules_path" : "/home/work/naxsi_waf/conf/naxsi_core.rules", # path to the naxsi waf rules
"template_path" : [ "tpl/"],
"geoipdb_path" : "nx_datas/country2coords.txt"
},

(4) Install the nxtool.py whitelist generation tool

pip install elasticsearch

python setup.py build

python setup.py install

The important files after installation are

/usr/local/nxapi/ # template tpl files and geo data files

/usr/local/bin/nxtool.py # the executable

(5) Key options

nxtool.py -h
Usage: nxtool.py [options]

Options:
-h, --help show this help message and exit

Configuration options:
-c CFG_PATH, --config=CFG_PATH   nxapi configuration file
Path to nxapi.json (config).
--colors Disable output colorz.

Input options (log acquisition):
--files=FILES_IN Path to log files to parse.
--fifo=FIFO_IN Path to a FIFO to be created & read from. [infinite]
--stdin Read from stdin.
--no-timeout Disable timeout on read operations (stdin/fifo).
--syslog Listen on tcp port for syslog logging.

Filtering options (for whitelist generation):
-s SERVER, --server=SERVER
FQDN to which we should restrict operations.
--filter=FILTER This option specify a filter for each type of filter,
filter are merge with existing templates/filters.
(--filter 'uri /foobar') is the key option: using it when generating whitelists improves their accuracy. Supported keys: 'server', 'uri', 'zone', 'var_name', 'ip', 'id', 'content', 'country', 'date', '?server', '?uri', '?var_name', '?content'

Tagging options (tag existing events in database):
-w WL_FILE, --whitelist-path=WL_FILE
A path to whitelist file, will find matching events in
DB.
-i IPS, --ip-path=IPS
A path to IP list file, will find matching events in
DB.
--tag Actually tag matching items in DB.

Whitelist Generation:
-f, --full-auto Attempt fully automatic whitelist generation process.
-t TEMPLATE, --template=TEMPLATE
Path to template to apply.
--slack Enables less strict mode.
--type Generate whitelists based on param type. The parameter types are:

empty, boolean (0,1), colour (#[0-9a-f]), hexadecimal [0-9a-f], alphanumeric [0-9a-z], url, word, array, text

Statistics Generation:
-x, --stats Generate statistics about current's db content.


Statistics

nxtool.py -c ./nxapi.json -x --colors
# Whitelist(ing) ratio :
# false 79.96 % (total:196902/246244)
# true 20.04 % (total:49342/246244)
# Top servers :
# www.x1.fr 21.93 % (total:43181/196915)
# www.x2.fr 15.21 % (total:29945/196915)
...
# Top URI(s) :
# /foo/bar/test 8.55 % (total:16831/196915)
# /user/register 5.62 % (total:11060/196915)
# /index.php/ 4.26 % (total:8385/196915)
...
# Top Zone(s) :
# BODY 41.29 % (total:81309/196924)
# HEADERS 23.2 % (total:45677/196924)
# BODY|NAME 16.88 % (total:33243/196924)
# ARGS 12.47 % (total:24566/196924)
# URL 5.56 % (total:10947/196924)
# ARGS|NAME 0.4 % (total:787/196924)
# FILE_EXT 0.2 % (total:395/196924)
# Top Peer(s) :
# ...


Whitelist generation

nxtool.py -c nxapi.json -s www.x1.fr -f --filter 'uri /foo/bar/test' --slack
...
#msg: A generic whitelist, true for the whole uri
#Rule (1303) html close tag
#total hits 126
#content : lyiuqhfnp,+<a+href="http://preemptivelove.org/">Cialis+forum</a>,+KKSXJyE,+[url=http://preemptivelove.org/]Viagra+or+cialis[/url],+XGRgnjn,+http
#content : 4ThLQ6++<a+href="http://aoeymqcqbdby.com/">aoeymqcqbdby</a>,+[url=http://ndtofuvzhpgq.com/]ndtofuvzhpgq[/url],+[link..
#peers : x.y.z.w
...
#uri : /faq/
#var_name : numcommande
#var_name : comment
...
# success : global_rule_ip_ratio is 58.82
# warnings : rule_ip is 10
BasicRule wl:1303 "mz:$URL:/foo/bar/test|BODY";


Generating a whitelist from a template
For example, with the template

{ "zone" : "HEADERS", "var_name" : "cookie", "id" : "?"}

The whitelist generation process:
Step 1: read the global_filters option from nxapi.json; the es filter is

{ "whitelisted" : "false" }

Step 2: read the nxtool.py filter command-line options
-s SERVER, --server=SERVER
--filter=FILTER 

 { "whitelisted" : "false", "server" : "www.x1.fr" }

Step 3: parse each field of the tpl template file and merge them into the es filter,

 { "whitelisted" : "false", "server" : "www.x1.fr", "zone" : "HEADERS", "var_name" : "cookie" }

Step 4: fields whose value is ? are expanded

{ "whitelisted" : "false", "server" : "www.x1.fr", "zone" : "HEADERS", "var_name" : "cookie", "id" : "1000"} { "whitelisted" : "false", "server" : "www.x1.fr", "zone" : "HEADERS", "var_name" : "cookie", "id" : "1001"}

Step 5: judge the query results against the scoring criteria defined globally and in the template, and generate whitelists of the following form

BasicRule wl:X "mz:$HEADERS_VAR:cookie"; ..


The template directives are as follows:
 "field" : "value"  specifies an ES filter, e.g. "var_name" : "__utmz"
  "field": "?"  the value ? means the field is expanded to every value found in the db, e.g. "id" : "?"
  "?field": "regexp"  the value is a regular expression used as the ES filter, e.g.
  "_statics": {"field" : "value"}  directly specifies part of the generated whitelist, e.g.
 "_statics" : {
   "id" : "1009,1010,1005,1011"
  }  generates the whitelist wl:1009,1010,1005,1011
  "_msg": "string"   template description, e.g. "_msg" : "google analytics, __utmz var in ARGS"
  "_success": { ... }  sets scoring criteria, merged with (overriding/supplementing) the scoring options in nxapi.json (global_warning_rules, global_success_rules, global_deny_rules), e.g.
"_success" : { "template_uri" : [ ">", "5"],
      "rule_uri" : [ ">", "5"]}
  "_warnings": {...}  sets scoring criteria, merged with (overriding/supplementing) the scoring options in nxapi.json, e.g.
"_warnings" : { "rule_var_name" : [ "<=", "5" ],
      "rule_uri" : [ "<=", "5" ],"template_uri" : [ ">", "5" ] ,"template_var_name" : [ ">", "5"]}
  "_deny":{...}  sets scoring criteria, merged with (overriding/supplementing) the scoring options in nxapi.json, e.g.
"_deny" : { "rule_var_name" : [ "<", "10" ] }
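The five generation steps and the template directives above, as an added example that is not nxapi's code: a Python model of the filter merging, the "?" expansion, the counters and the threshold check, run against a few constructed events. The threshold names in `_success`/`_deny` reuse the counter names from the scoring list above, and the `$<zone>_VAR:<var_name>` match-zone string is built for the *_VAR zones only; both are my assumptions about nxapi's exact format.

```python
import operator
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}

# Constructed events in the shape nxapi keeps in elasticsearch (sample data, not real traffic).
EVENTS = [{"server": "www.x1.fr", "zone": "HEADERS", "var_name": "cookie", "id": "1000",
           "ip": "10.0.0.%d" % i, "uri": "/p%d" % (i % 3), "whitelisted": "false"} for i in range(6)]
EVENTS += [dict(EVENTS[1], id="1001"),                                   # same peer and uri, other rule
           dict(EVENTS[0], server="www.x2.fr", ip="10.0.0.9", uri="/q")]  # another vhost
# The template from the page; the threshold names follow the counter list above (my assumption).
TEMPLATE = {"zone": "HEADERS", "var_name": "cookie", "id": "?",
            "_success": {"rule_ip_count": [">", "2"]},
            "_deny": {"rule_uri_count": ["<", "2"]}}

def matches(event, flt):
    return all(event.get(k) == v for k, v in flt.items())

def merged_filter(global_filters, cli_filters, template):
    # Steps 1-3: nxapi.json global_filters, then -s/--filter, then the template's concrete fields.
    flt = dict(global_filters, **cli_filters)
    flt.update({k: v for k, v in template.items() if not k.startswith("_") and v != "?"})
    return flt

def expand(flt, template, events):
    # Step 4: each '?' field becomes one filter per distinct value present in the db.
    filters = [flt]
    for field in [k for k, v in template.items() if v == "?"]:
        filters = [dict(f, **{field: val}) for f in filters
                   for val in sorted({e[field] for e in events if matches(e, f)})]
    return filters

def counters(rule_flt, tpl_flt, events):
    # Step 5, part one: the nxapi counters listed above, for one expanded filter.
    rule = [e for e in events if matches(e, rule_flt)]
    tpl = [e for e in events if matches(e, tpl_flt)]
    distinct = lambda evs, key: len({e[key] for e in evs})
    c = {"rule_ip_count": distinct(rule, "ip"), "rule_uri_count": distinct(rule, "uri"),
         "template_ip_count": distinct(tpl, "ip"), "template_uri_count": distinct(tpl, "uri")}
    c["ip_ratio_template"] = 100.0 * c["rule_ip_count"] / max(1, c["template_ip_count"])
    c["uri_ratio_template"] = 100.0 * c["rule_uri_count"] / max(1, c["template_uri_count"])
    c["ip_ratio_global"] = 100.0 * c["rule_ip_count"] / max(1, distinct(events, "ip"))
    c["uri_ratio_global"] = 100.0 * c["rule_uri_count"] / max(1, distinct(events, "uri"))
    return c

def generate(template, global_filters, cli_filters, events):
    # Step 5, part two: apply _success/_deny and emit BasicRule lines (mz for the *_VAR zones).
    tpl_flt = merged_filter(global_filters, cli_filters, template)
    accepted, rejected = [], []
    for rule_flt in expand(tpl_flt, template, events):
        c = counters(rule_flt, tpl_flt, events)
        check = lambda crit: [OPS[op](c[k], float(v)) for k, (op, v) in crit.items()]
        ok = all(check(template.get("_success", {}))) and not any(check(template.get("_deny", {})))
        wl = 'BasicRule wl:%s "mz:$%s_VAR:%s";' % (rule_flt["id"], rule_flt["zone"], rule_flt["var_name"])
        (accepted if ok else rejected).append(wl)
    return accepted, rejected
```

With the page's `-s www.x1.fr` and the global `{"whitelisted": "false"}` filter, `generate(TEMPLATE, {"whitelisted": "false"}, {"server": "www.x1.fr"}, EVENTS)` accepts wl:1000 (six peers) and rejects wl:1001 (one peer, one uri).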

References:
http://pythonhackers.com/p/buixor/nxapi
https://github.com/nbs-system/naxsi/tree/master/nxapi



