Naxsi Versions Save

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX

0.55

7 years ago

Version 0.55 brings one main improvement :

It also brings some bug-fixes :

  • Refuse to load with incoherent rules : #283
  • Fixed some matchzone bugs that could lead to rules being incorrectly triggered : #282 #279
  • Better^WLess worse Makefile

This should be the last release with nxapi/nxtool included, as it's being rewritten.

As usual, happy hacking and feedback is welcome !

0.55rc2

7 years ago

This is RC2 for naxsi 0.55 :

NEW

  • Added support for RAW_BODY (rules to be matched against the full, raw body. Can be useful to match rules against unparsed content : XML, serialized java objects etc.)
  • Confirmed support as a dynamic module (introduced in nginx 1.9.11)
  • Better libinjection integration (can be used to make virtual-patching)
# drop any request that libinjection considers as SQLi (checked only in GET variable named "id")
MainRule id:4242 "d:libinj_sql" "mz:$ARGS_VAR:id" "s:DROP";
  • Better blacklist matchzones (can now be as precise as whitelists)
# matches "test" on variable named "aa" or "ab" as long as they target url "/foo"
MainRule id:4241 "str:test" "mz:$URL:/foo|$ARGS_VAR:aa|$ARGS_VAR:ab" "s:$XSS:8";

BUGFIXES

  • Better makefile for testing & dev, increased coverage
  • Minor bug-fixes (#120, #241, #217, #231, #279, #283, #276)

0.55rc1

8 years ago

This is release candidate for naxsi 0.55 :

  • Added support for RAW_BODY (rules to be matched against the full, raw body. Can be useful to match rules against unparsed content : XML, serialized java objects etc.)
  • Confirmed support as a dynamic module (introduced in nginx 1.9.11)
  • Better makefile for testing & dev, increased coverage
  • Minor bug-fixes (#120, #241, #217, #231)

0.54

8 years ago

CHANGES - CORE (from 0.53-2 "AppleJack") :

  • increased PCRE output vector from 6 to 30 (from 2 match groups to 10)
  • removed negative rule on content-types (naxsi_core.rules) as naxsi supports json
  • Fixed broken EXLOG on |NAME match zones (issues/110)
  • Integrated libinjection (xss/sqli)

CHANGES - NXAPI (from 0.53-2 "AppleJack") :

  • NXAPI can now generate negative whitelists based on variable type (ie, it will block requests that do not match the rule).
  • Add of coordonates to ES and country
  • Refuse to tag events without server name
  • Support of global_deny_rules and deny_rules
  • Support for regex in filters

Signed release : 2685AED4

0.54rc3

8 years ago

Naxsi 0.54rc3

  • No change from RC2
  • Signed release

0.54rc2

9 years ago

CHANGES - CORE :

  • Fix a NULL pointer dereference when logging very long URIs or very long argname (Issue #178 )
  • EXLOG on libinjection no longers mixes up var_name and content
  • increased PCRE output vector from 6 to 30 (from 2 match groups to 10)
  • removed negative rule on content-types (naxsi_core.rules) as naxsi supports json
  • Fixed broken EXLOG on |NAME match zones (issues/110)
  • Integrated libinjection (xss/sqli)

CHANGES - NXAPI :

  • NXAPI can now generate negative whitelists based on variable type (ie, it will block requests that do not match the rule).
  • Add of coordonates to ES and country
  • Refuse to tag events without server name
  • Support of global_deny_rules and deny_rules
  • Support for regex in filters

0.54rc1

9 years ago

CHANGES - CORE :

  • Fix a NULL pointer dereference when logging very long URIs or very long argname (Issue #178 )

CHANGES - NXAPI :

  • NXAPI can now generate negative whitelists based on variable type (ie, it will block requests that do not match the rule).

0.54rc0

9 years ago

CHANGES - CORE :

  • increased PCRE output vector from 6 to 30 (from 2 match groups to 10)
  • removed negative rule on content-types (naxsi_core.rules) as naxsi supports json
  • Fixed broken EXLOG on |NAME match zones (issues/110)
  • Integrated libinjection (xss/sqli)

CHANGES - NXAPI :

  • Add of coordonates to ES and country
  • Refuse to tag events without server name
  • Support of global_deny_rules and deny_rules
  • Support for regex in filters

Minimal documentation for those wishing to try libinjection : Libinjection is integrated as internal rules increasing $LIBINJECTION_XSS and/or $LIBINJECTION_SQL by 4 at match. libinjection will be disabled by default, and needs to be turned on using either directives LibInjectionXss / LibInjectionSql or by using dynamic modifiers $naxsi_flag_libinjection_xss / $naxsi_flag_libinjection_sql. libinjection_sql/xss can ofc be whitelisted by their IDs (libinjection_sql = 17 / libinjection_xss = 18)

0.53-2

10 years ago

Changes from 0.53-1:

  • BUGFIX : When several BasicRule using regex-matchzones where targetting the same zone with different IDs, merge was incorrectly done. Leading to first whitelist only being effectively applied.
  • CHANGE : Internal rule id:15 is now dedicated to empty BODY in POST requests. The goal here is to reduce usage of id:11 whitelists.

0.53-1

10 years ago

Release of naxsi 0.53-1 :

Naxsi-core 0.53-1 brings a lot of important features :

  • Added support for regex matchzones (documented in wiki as well)
  • Added scores and block flags to NAXSI_FMT
  • Added support for exclusion whitelists : wl:-4242 will whitelist all user rules (>=1000) except rule 4242.

And of course, various bugfixes :

  • Fixed a bug in case sensitivity where MixedCase URLs whitelist would not work
  • Fixed a bug in NAXSI_EXLOG, that would make the line disappear if main error_log was set to debug
  • Removed a leftover #debug define in naxsi_runtime.c

Extras :

  • A lot of work was done on improving unit tests (>90% coverage), and integrating GCOV/LCOV in build/test process