Naxsi Versions Save

Naxsi:

• Fixed regression on FILE_EXT confusion
• Documented id 19 and 20 to rules

Debian/Ubuntu packages usage:

To enable naxsi include the following files in the configuration as follows:

# add inside http {}
include /usr/share/naxsi/naxsi_core.rules;

# add inside server {}
include /usr/share/naxsi/naxsi_denied_url.conf;

# add inside location /my/path {}
# you can't use both. choose one of the 2 modes.
include /usr/share/naxsi/naxsi_block_mode.conf; # use this to enable blocking mode
include /usr/share/naxsi/naxsi_learning_mode.conf; # use this to enable learning mode

All the BasicRules are available below and shall be added after naxsi_block_mode.conf or after naxsi_learning_mode.conf

# to use them just include them within `location /my/path {}`
/usr/share/naxsi/rules/iris.rules
/usr/share/naxsi/rules/rutorrent.rules
/usr/share/naxsi/rules/wordpress.rules
/usr/share/naxsi/rules/dokuwiki.rules
/usr/share/naxsi/rules/drupal.rules
/usr/share/naxsi/rules/etherpad-lite.rules
/usr/share/naxsi/rules/zerobin.rules

Naxsi:

• Fixed IgnoreIP and IgnoreCIDR (#534 and #532)
• Fixed non-c99 builds
• Added config=ignore mode to identify non blocked requests
• Improved core rules (#450)

Special thanks to:

• kkadosh
• noahbailey
• rickygm

Debian/Ubuntu packages usage:

To enable naxsi include the following files in the configuration as follows:

# add inside http {}
include /usr/share/naxsi/naxsi_core.rules;

# add inside server {}
include /usr/share/naxsi/naxsi_denied_url.conf;

# add inside location /my/path {}
# you can't use both. choose one of the 2 modes.
include /usr/share/naxsi/naxsi_block_mode.conf; # use this to enable blocking mode
include /usr/share/naxsi/naxsi_learning_mode.conf; # use this to enable learning mode

All the BasicRules are available below and shall be added after naxsi_block_mode.conf or after naxsi_learning_mode.conf

# to use them just include them within `location /my/path {}`
/usr/share/naxsi/rules/iris.rules
/usr/share/naxsi/rules/rutorrent.rules
/usr/share/naxsi/rules/wordpress.rules
/usr/share/naxsi/rules/dokuwiki.rules
/usr/share/naxsi/rules/drupal.rules
/usr/share/naxsi/rules/etherpad-lite.rules
/usr/share/naxsi/rules/zerobin.rules

Naxsi:

• Fixed 3 vulnerabilities related to the WAF. (#525 #527 #529)
• Fixed build on FreeBSD (#526)

Special thanks to: jltignon

Debian/Ubuntu packages usage:

To enable naxsi include the following files in the configuration as follows:

# add inside http {}
include /usr/share/naxsi/naxsi_core.rules;

# add inside server {}
include /usr/share/naxsi/naxsi_denied_url.conf;

# add inside location /my/path {}
# you can't use both. choose one of the 2 modes.
include /usr/share/naxsi/naxsi_block_mode.conf; # use this to enable blocking mode
include /usr/share/naxsi/naxsi_learning_mode.conf; # use this to enable learning mode

All the BasicRules are available below and shall be added after naxsi_block_mode.conf or after naxsi_learning_mode.conf

# to use them just include them within `location /my/path {}`
/usr/share/naxsi/rules/iris.rules
/usr/share/naxsi/rules/rutorrent.rules
/usr/share/naxsi/rules/wordpress.rules
/usr/share/naxsi/rules/dokuwiki.rules
/usr/share/naxsi/rules/drupal.rules
/usr/share/naxsi/rules/etherpad-lite.rules
/usr/share/naxsi/rules/zerobin.rules

Naxsi:

• Fixed various compilation issues (#515 #497 #491).
• Fixed valid JSON blocked by Rule ID 15 (#457).
• Fixed documentation (#505).
• Updated libinjection to 3.9.2 (commit: 991433e7 #523)
• Added Content-type: application/vnd.api+json (#513).
• Added JSON logging output for events (#488 #522).
• Implemented Whitelist for IPs and CIDRs and support for IPv4 and IPv6 (#488 #522).

Special thanks to:

• 0xflotus
• marcinguy
• squedgy

Debian/Ubuntu packages usage:

To enable naxsi include the following files in the configuration as follows:

# add inside http {}
include /usr/share/naxsi/naxsi_core.rules;

# add inside server {}
include /usr/share/naxsi/naxsi_denied_url.conf;

# add inside location /my/path {}
# you can't use both. choose one of the 2 modes.
include /usr/share/naxsi/naxsi_block_mode.conf; # use this to enable blocking mode
include /usr/share/naxsi/naxsi_learning_mode.conf; # use this to enable learning mode

All the BasicRules are available below and shall be added after naxsi_block_mode.conf or after naxsi_learning_mode.conf

# to use them just include them within `location /my/path {}`
/usr/share/naxsi/rules/iris.rules
/usr/share/naxsi/rules/rutorrent.rules
/usr/share/naxsi/rules/wordpress.rules
/usr/share/naxsi/rules/dokuwiki.rules
/usr/share/naxsi/rules/drupal.rules
/usr/share/naxsi/rules/etherpad-lite.rules
/usr/share/naxsi/rules/zerobin.rules

naxsi:

• Parse body of PATCH requests
• Scientific notation in json (Fix #437)
• Log clarification
• Fixed country code when geoip library fail to get geolocation or ip is private/local address
• Fixed issues to setup nxapi on ES5 and added country location on stats and generated whitelists

nxtool:

• replace prints with proper logging support

Special thanks to:

• chipitsine
• fernandomariano
• Kegeruneku
• z0r0
• calve
• buixor
• sabban
• he2ss
• jvoisin

This release mostly aims at integrating HTTP2 support into naxsi.

• http2 support (1289e50, 1c8ce05)
• improvement : Avoid rule collision on virtual-patching (ec4ce3e)
• fix a potential null-byte issue on form/url-encoded POST payloads
• added a new internal rule 19 to allow users to only rely on lib-injection (951123a)
• improved json parsing (this is useful if you're doing CSP) (#420)
• make naxsi more verbose in case of user-induced errors (#424 #311 )

This release mostly aims at integrating HTTP2 support into naxsi.

• http2 support (1289e50cd71fca26ae86aafdf931ecfa4232fe28, 1c8ce05c2a4ef11359223279fdb2d5e0a01d2081)
• improvement : Avoid rule collision on virtual-patching (ec4ce3ee899913ce4708b994914c953d47fbc9ca)
• fix a potential null-byte issue on form/url-encoded POST payloads

Version 0.55.3 fixed a bug where two rules in LOG and a DROP could conflict if a request was tagged as DROP but not BLOCK.

Version 0.55.2 fixed a bug where when two consecutive virtual patching rules on the same zone are checked, a mismatch of the matchzone on the first one would make the following one fail as well.

Version 0.55.1 fixes a build issue when naxsi was used with mod_lua and other modules.