Nemesida WAF and Nemesida WAF Free support a custom set of signature rules (signature, RL) and signature exception rules (exclusion rule, WL).
Zones, subzones and refinements
When creating RL/WL rules, the following special parameters can be used:
- subzones (header field
- conditions under which the rule applies (zone refinements):
Using zones, subzones and refinements makes the rule being created as specific as possible.
Regular expressions can be used in a refinement. To do so, add the postfix _X to the refinement name. For example: "Z:ARGS|$URL_X:/\w+". To use the separator | as a regular-expression metacharacter inside a refinement, the character must be escaped with a backslash. For example, the rule
... "Z:...|$URL_X:/(a\|b)/"; will be applied to a URL which contains
Several parameters (zones, subzones, refinements) in one rule must be separated by the character | ; the following principles of interaction apply:
- zones or subzones interact using the logical principle
- refinements interact using the logical principle
- zones or subzones interact with refinements using the logical principle
Signature rules (rules that identify an attack) can be placed in the main Nemesida WAF configuration file (nwaf.conf) or in a user-created file of the form *.conf located in the /etc/nginx/nwaf/conf/vhosts directory. A signature rule is defined by the RL parameter and can take the following forms:
RL ID:50000 "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50001 domain=example.com "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50002 domain=*.example.com "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50003 "PX:select\s+from" "SC:SQL:12" "Z:ARGS|$URL:/admin";
RL ID:50004 "P:select from" "SC:SQL:12" "Z:ARGS|$URL:/(admin\|dev)";
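The following Python script is an added illustration, not Nemesida's own parser: it tokenises RL lines of the shape shown above (ID, optional domain=, P/PX pattern, SC category and score, Z zones with refinements), splits the Z field on unescaped | so that an escaped \| survives inside a $URL_X regular expression, and evaluates the resulting rules against constructed requests. The matching semantics it uses are assumptions for the example only: zones are combined with OR, refinements with AND, P and PX matching is case-insensitive, a refinement without _X is a plain substring match, and domain= is matched as a glob. The sample rules and requests are constructed, not taken from any real deployment.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatch

# Added example, not Nemesida's parser. Semantics below (zones ORed,
# refinements ANDed, case-insensitive P/PX, plain refinement as substring,
# domain= as a glob) are assumptions made for this illustration.

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')   # quoted fields may contain spaces


def split_unescaped(value, sep='|'):
    """Split on sep, turning a backslash-escaped sep into a literal sep."""
    parts, cur, i = [], [], 0
    while i < len(value):
        if value[i] == '\\' and value[i + 1:i + 2] == sep:
            cur.append(sep)        # '\|' stays as '|' inside the refinement regex
            i += 2
            continue
        if value[i] == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(value[i])
        i += 1
    parts.append(''.join(cur))
    return parts


@dataclass
class Rule:
    id: int
    domain: str            # '*' when the rule is not limited to a domain
    pattern: re.Pattern    # P: escaped literal, PX: regular expression
    category: str
    score: int
    zones: list            # e.g. ['ARGS', 'BODY']
    refinements: list      # e.g. [('URL', <compiled regex>)]


def parse_rule(line):
    toks = [q or b for q, b in TOKEN_RE.findall(line.strip().rstrip(';'))]
    if not toks or toks[0] != 'RL':
        raise ValueError(f'not an RL rule: {line!r}')
    fields = dict(domain='*', category='', score=0, zones=[], refinements=[])
    for tok in toks[1:]:
        if tok.startswith('domain='):
            fields['domain'] = tok[len('domain='):]
            continue
        key, _, val = tok.partition(':')
        if key == 'ID':
            fields['id'] = int(val)
        elif key == 'P':
            fields['pattern'] = re.compile(re.escape(val), re.IGNORECASE)
        elif key == 'PX':
            fields['pattern'] = re.compile(val, re.IGNORECASE)
        elif key == 'SC':
            cat, _, score = val.partition(':')
            fields['category'], fields['score'] = cat, int(score)
        elif key == 'Z':
            for part in split_unescaped(val):
                if part.startswith('$'):               # refinement
                    name, _, expr = part[1:].partition(':')
                    if name.endswith('_X'):            # regex refinement
                        fields['refinements'].append((name[:-2], re.compile(expr)))
                    else:                              # assumed: substring match
                        fields['refinements'].append((name, re.compile(re.escape(expr))))
                else:                                  # zone
                    fields['zones'].append(part)
        else:
            raise ValueError(f'unknown field {tok!r}')
    return Rule(**fields)


def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip().startswith('RL ')]


# Where each zone / refinement name reads its data from in the request model.
ZONE_SOURCES = {
    'URL': lambda r: [r['url']],
    'ARGS': lambda r: [r['args']],
    'BODY': lambda r: [r['body']],
    'HEADERS': lambda r: [f'{k}: {v}' for k, v in r['headers'].items()],
}


def rule_matches(rule, req):
    if not fnmatch(req['host'], rule.domain):
        return False
    for name, rx in rule.refinements:          # assumption: refinements ANDed
        if not any(rx.search(v) for v in ZONE_SOURCES[name](req)):
            return False
    return any(rule.pattern.search(v)          # assumption: zones ORed
               for z in rule.zones for v in ZONE_SOURCES[z](req))


def check_request(rules, req):
    """Return the IDs of the rules whose signature the request triggers."""
    return [r.id for r in rules if rule_matches(r, req)]


def make_request(host, url, args='', body='', headers=None):
    return {'host': host, 'url': url, 'args': args, 'body': body, 'headers': headers or {}}


# Constructed rules in the documented shape (not a real rule set).
SAMPLE_RULES = r'''
RL ID:50000 "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50002 domain=*.example.com "P:select from" "SC:SQL:12" "Z:ARGS|BODY";
RL ID:50003 "PX:select\s+from" "SC:SQL:12" "Z:ARGS|$URL:/admin";
RL ID:50004 "P:select from" "SC:SQL:12" "Z:ARGS|$URL_X:/(a\|b)/";
'''

if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    for req in (make_request('example.com', '/search', args='q=select from users'),
                make_request('dev.example.com', '/admin/users', args='id=1 select   from dual'),
                make_request('shop.example.com', '/a/items', args='q=select from x')):
        print(req['host'], req['url'], '->', check_request(rules, req))
```

Note how the second request is caught only by the PX rule: the literal P pattern "select from" does not match "select   from", while the regular expression select\s+from does, and the $URL:/admin refinement narrows it to the admin path. The escaped separator in rule 50004 reaches the regex engine as /(a|b)/ and therefore matches /a/items but not /search.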
Creating a signature exclusion rule
If a request matches a signature, then in addition to sending the incident to the Nemesida WAF API, the following line is written to the nginx error log:
Nemesida WAF: the request xxx contains a rule id 1 in zone HEADERS, ...
or, if the request matches a signature with the maximum allowed significance score (score = 12):
Nemesida WAF: the request xxx blocked by rule id 1 in zone HEADERS, ...
where:
1 – the attack signature ID;
HEADERS – the zone in which the signature was found.
To log absolutely all signature occurrences in a request (if there are any), including occurrences that did not lead to the request being blocked, enable the nwaf_log_mr_all; parameter in the main Nemesida WAF configuration file.
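The script below is an added example, not part of Nemesida WAF: it parses the two error-log line formats quoted above ("contains a rule id ... in zone ..." and "blocked by rule id ... in zone ...") and tallies hits per rule ID and zone, which is the first step when deciding whether a rule that keeps firing on legitimate traffic needs a WL exclusion. The log lines are constructed for this illustration (the nginx timestamp and "client:"/"server:" fields are assumed), not real log data.

```python
import re
from collections import defaultdict

# Added example, not Nemesida code. Constructed log lines, not real data;
# only the "Nemesida WAF: ..." fragment follows the documented format.
SAMPLE_LOG = """\
2024/05/01 12:00:00 [error] 4711#0: Nemesida WAF: the request 0a1b contains a rule id 1 in zone HEADERS, client: 198.51.100.7, server: example.com
2024/05/01 12:00:01 [error] 4711#0: Nemesida WAF: the request 0a1c blocked by rule id 50003 in zone ARGS, client: 198.51.100.7, server: example.com
2024/05/01 12:00:02 [error] 4711#0: Nemesida WAF: the request 0a1d contains a rule id 1 in zone HEADERS, client: 203.0.113.9, server: example.com
2024/05/01 12:00:03 [error] 4711#0: Nemesida WAF: the request 0a1e blocked by rule id 1 in zone HEADERS, client: 203.0.113.9, server: example.com
2024/05/01 12:00:04 [error] 4711#0: some unrelated nginx error line
"""

HIT_RE = re.compile(
    r'Nemesida WAF: the request (?P<req>\S+) '
    r'(?P<kind>contains a|blocked by) rule id (?P<id>\d+) in zone (?P<zone>\w+)'
)


def parse_hits(log_text):
    """Yield (request, rule_id, zone, blocked) for every Nemesida WAF hit line."""
    for line in log_text.splitlines():
        m = HIT_RE.search(line)
        if m:
            yield m['req'], int(m['id']), m['zone'], m['kind'] == 'blocked by'


def summarize(log_text):
    """Per (rule_id, zone): how often the signature was merely found vs. blocked."""
    stats = defaultdict(lambda: {'contains': 0, 'blocked': 0})
    for _, rule_id, zone, blocked in parse_hits(log_text):
        stats[(rule_id, zone)]['blocked' if blocked else 'contains'] += 1
    return dict(stats)


def blocked_requests(log_text, rule_id):
    """Request identifiers that rule_id actually blocked; inspect these before adding a WL rule."""
    return [req for req, rid, _, blocked in parse_hits(log_text) if blocked and rid == rule_id]


if __name__ == '__main__':
    for (rule_id, zone), counts in sorted(summarize(SAMPLE_LOG).items()):
        print(f'rule {rule_id} in zone {zone}: {counts}')
    print('blocked by rule 1:', blocked_requests(SAMPLE_LOG, 1))
```

With nwaf_log_mr_all enabled, the "contains" counters also cover signatures that were found but did not block the request, so the same summary shows which rule IDs would start blocking if their score were raised.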