README.rulesets for doxi / dogtown-naxi-rules

these rulesets are now available as independent git-repo @

for tools to manage your doxi-rules you might want to install doxi-tools

to keep track of changes and ruleset-updates you could either
subscribe to the doxi-news - blog (rss-feed),
subscribe to the naxsi-mailinglist (naxsi-discuss) or
subscribe to the ruleset-commit-feed
or follow that project on Bitbucket

License: see License.txt

all files not mentioned here are part of the naxsi/nginx default-configuration

configuration rules

please note: due to changes in naxsi after 0.49 this file-layout might get


  • your global includes-file; you might set up different rules.con - files,
    maybe tuned for each virtualhost.


  • rules to configure/enable learning-mode


  • rules to configure active-mode (block)

detection rules


  • rules you might want to enable when running nginx as lb/proxy
    for app-servers like tomcat / rails etc and you're sure to
    have no php/asp/cgi - files lying around


NOTE: for a better coverage you might want to try a real ids
like snort or suricata with et-rulesets rules to detect malicious
content in- and outbound.

  • this ruleset is designed to detect malicious requests that give a
    hint for hacked / misused / C&C-servers and tries to detect
    web-backdoors, webshells and other malicious access to unwanted

  • CAUTION: these rules are quite noisy, so if included you might want to
    tune and create whitelists for your applications


  • detect scanners (WebAppScanners/Testing-Tools, vuln-scanning-bots
    or attack-tools) by UA or by certain requests.
  • some of these rules could be included into web_[app|server].rules,
    like scanners for certain webapp/server-vulns, but when there's a
    clear sign for an automated scanning-process the sigs are included here
  • CAUTION: these rules are quite noisy, so if included you might want to
    tune and create whitelists for your applications


  • detect exploit/misuse-attempts against web-applications; please see
    scanner.rules for some details on webapp-based scanners


  • generic rules to protect a webserver from misconfiguration
    and known mistakes / exploit-vectors

misc. rules (obsolete, not maintained after jan 2014)


  • whitelistings for different webapps/actions that are known to fail
    on certain parameters