doxi-rules / (repository source listing)

Directories: database, whitelists

Recent ruleset commits:

  • initial commit for doxi-rules - git-repo
  • ruleset-update autocommit
  • Credits
  • included License.txt
  • readme now markdown
  • 42000466 - Jenkins Deserialisation RCE CVE-2017-1000353 - ruleset commit
  • generic HOST-Header Injection 42000465 - ruleset commit
  • sig for reflected file download by oren hafif - ruleset commit
  • 42000442 - Wordpress XMLRPC possible Password Brute Force - ruleset commit
  • HTTPoxy - ruleset commit
  • new honeypot-ruleset - ruleset commit
  • Rails /console and some X-Forward-For - Bypasses - ruleset commit
  • rules.conf has now core-ruleset included
  • WordPress API Content Injection (GET/POST) - ruleset commit

README.rulesets for doxi / dogtown-naxi-rules

These rulesets are now available as an independent git repo at bitbucket.org/lazy_dogtown/doxi-rules

For tools to manage your doxi-rules you might want to install doxi-tools: bitbucket.org/lazy_dogtown/doxi

To keep track of changes and ruleset updates you can subscribe to the doxi-news blog (RSS feed), subscribe to the naxsi mailing list https://groups.google.com/forum/?fromgroups#!forum/naxsi-discuss, subscribe to the ruleset commit feed, or follow the project on Bitbucket.

License: see License.txt

All files not mentioned here are part of the naxsi/nginx default configuration.

configuration rules

please note: due to changes in naxsi after 0.49 this file-layout might get obsolete.

rules.conf

  • your global includes-file; you might set up different rules.conf files, maybe one tuned for each virtualhost.

learning-mode.rules

  • rules to configure/enable learning-mode

active-mode.rules

  • rules to configure active-mode (block)
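As an added example (not code from the doxi-rules repository), the following nginx snippet shows how the three configuration files described above divide the work: rules.conf holds the global includes in the http context, and learning-mode.rules or active-mode.rules is included per location. The paths under /etc/nginx/doxi-rules/, the server name, the $ATTACK score name and the whitelisted rule id are assumptions.

```nginx
# Added example, not from the doxi-rules repo. Assumed layout:
# rulesets checked out to /etc/nginx/doxi-rules/.
http {
    # rules.conf: the global includes-file. MainRule definitions must sit
    # in the http context, so this is included once, not per vhost.
    include /etc/nginx/naxsi_core.rules;              # ships with naxsi
    include /etc/nginx/doxi-rules/web_server.rules;
    include /etc/nginx/doxi-rules/web_app.rules;
    include /etc/nginx/doxi-rules/scanner.rules;      # noisy: expect to whitelist

    server {
        listen 80;
        server_name app.example.com;                  # placeholder

        location / {
            # learning-mode.rules: evaluate every rule, log matches to
            # error.log, block nothing. Use it while collecting whitelists:
            #   SecRulesEnabled;
            #   LearningMode;
            #   DeniedUrl "/RequestDenied";
            #   CheckRule "$SQL >= 8" BLOCK;   (same CheckRules as below)
            #
            # active-mode.rules: the same directives without LearningMode,
            # so a request whose score crosses a threshold goes to DeniedUrl.
            SecRulesEnabled;
            DeniedUrl "/RequestDenied";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            # doxi rules also score into their own named counters; $ATTACK is
            # assumed here, read the "s:" field of the rules you include.
            CheckRule "$ATTACK >= 8" BLOCK;

            # Per-application whitelist (what misc_whitelisting.rules collects):
            # wl: takes the rule id printed in the naxsi log line (42000000 is a
            # placeholder); mz: limits the exemption to one URL and one argument.
            BasicRule wl:42000000 "mz:$URL:/search|$ARGS_VAR:q";

            proxy_pass http://127.0.0.1:8080;
        }

        # Where blocked requests are sent; keep it a plain 403.
        location /RequestDenied {
            return 403;
        }
    }
}
```

Run the learning-mode variant first and turn each logged false positive into a narrow BasicRule before switching the location to active mode.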

detection rules

app_server.rules

  • rules you might want to enable when running nginx as lb/proxy for app-servers like tomcat / rails etc. and you're sure to have no php/asp/cgi files lying around

malware.rules

NOTE: for better coverage you might want to try a real IDS like Snort or Suricata with the ET (Emerging Threats) rulesets to detect malicious content inbound and outbound.

  • this ruleset is designed to detect malicious requests that hint at hacked / misused / C&C servers, and tries to detect web backdoors, webshells and other malicious access to unwanted files/services.

  • CAUTION: these rules are quite noisy, so if included you might want to tune them and create whitelists for your applications

scanner.rules

  • detect scanners (web-app scanners / testing tools, vuln-scanning bots or attack tools) by UA or by certain requests.
  • some of these rules could be included in web_[app|server].rules, like scanners for certain webapp/server vulns, but when there's a clear sign of an automated scanning process the sigs are included here
  • CAUTION: these rules are quite noisy, so if included you might want to tune them and create whitelists for your applications

web_app.rules

  • detect exploit/misuse attempts against web applications; please see scanner.rules for some details on webapp-based scanners

web_server.rules

  • generic rules to protect a webserver from misconfiguration and known mistakes / exploit-vectors

misc. rules (obsolete, not maintained after Jan 2014)

misc_whitelisting.rules

  • whitelistings for different webapps/actions that are known to fail on certain parameters