Nemesida WAF and Nemesida WAF Free support a custom set of signature rules (signature,
RL) and signature exception rules (exclusion rule,
WL).
Zones, subzones and refinements
When creating RL/WL rules, the following special parameters can be used:
- subzones (header field
- conditions for applying the rule (zone refinements):
Using zones, subzones and refinements allows the rule being created to be specified as precisely as possible.
Regular expressions can be used in refinements. To do so, add the postfix
_X to the refinement name. For example:
"Z:ARGS|$URL_X:/\w+". To use the separator (as a metacharacter of a regular expression) inside a refinement, the character must be escaped. For example, the rule
... "Z:...|$URL_X:/(a\|b)/"; will be applied to a
URL which contains
Several parameters (zones, subzones, refinements) in one rule must be separated by the character
| ; they interact according to the following principle:
- zones or subzones interact with each other using the logical principle
- refinements interact with each other using the logical principle
- zones or subzones interact with refinements using the logical principle
User-defined signature creation
User-defined rules for detecting attack signs can be placed in the main Nemesida WAF configuration file (
nwaf.conf) or in a self-created file of the form *.conf located in
/etc/nginx/nwaf/conf/vhosts. User-defined signatures must be defined with the
RL parameter, must have an
ID starting from 50000, and take the following form:
RL ID:50000 "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50001 domain=example.com "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50002 domain=*.example.com "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50003 "PX:select\s+from" "SC:SQL:12" "Z:ARGS|$URL:/admin";
RL ID:50004 "P:select from" "SC:SQL:12" "Z:ARGS|$URL:/(admin\|dev)";
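The parser below is an added example, not Nemesida WAF code, covering both the zone/refinement syntax described above (the "|" separator, the "\|" escape and the _X postfix) and the RL lines just listed. It assumes, since the page does not state it, that P: is a plain substring and PX: a regular expression, that every refinement must hold while the pattern may appear in any one listed zone, and that a non-_X refinement is compared as an exact string; the sample rule with ID 50004 is adapted to use $URL_X so its refinement is treated as a regex.

```python
import re
from fnmatch import fnmatch

def split_unescaped(value):
    # Split on the "|" separator; "\|" is an escaped, literal pipe (as the docs require).
    return [p.replace("\\|", "|") for p in re.split(r"(?<!\\)\|", value)]

def parse_rule(line):
    # Tokenise an RL line; double-quoted tokens may contain spaces.
    tokens = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', line.rstrip(";"))]
    rule = {"domain": None, "zones": [], "refinements": []}
    for tok in tokens[1:]:                       # tokens[0] is the literal "RL"
        if tok.startswith("ID:"):
            rule["id"] = int(tok[3:])
        elif tok.startswith("domain="):          # glob, e.g. *.example.com
            rule["domain"] = tok[7:]
        elif tok.startswith("PX:"):              # assumption: PX = regular expression
            rule["pattern"] = re.compile(tok[3:], re.IGNORECASE)
        elif tok.startswith("P:"):               # assumption: P = plain substring
            rule["pattern"] = re.compile(re.escape(tok[2:]), re.IGNORECASE)
        elif tok.startswith("SC:"):              # category and score, e.g. SQL:12
            cat, score = tok[3:].split(":")
            rule["category"], rule["score"] = cat, int(score)
        elif tok.startswith("Z:"):
            for part in split_unescaped(tok[2:]):
                if part.startswith("$"):         # refinement; _X postfix => regex
                    name, value = part[1:].split(":", 1)
                    rule["refinements"].append((name.removesuffix("_X"), name.endswith("_X"), value))
                else:
                    rule["zones"].append(part)   # zone or subzone
    return rule

def matches(rule, request):
    # Assumed semantics: domain glob fits, every refinement holds (AND), pattern in any listed zone (OR).
    if rule["domain"] and not fnmatch(request["host"], rule["domain"]):
        return False
    for name, is_regex, value in rule["refinements"]:
        actual = request[name.lower()]
        if not (re.search(value, actual) if is_regex else actual == value):
            return False
    zone_values = {"URL": [request["url"]], "ARGS": list(request["args"].values()),
                   "HEADERS": list(request["headers"].values())}
    return any(rule["pattern"].search(v)
               for zone in rule["zones"] for v in zone_values.get(zone, []))

# Constructed sample: two rules from the text, one domain-bound, one with a regex refinement.
SAMPLE_RULES = [
    'RL ID:50002 domain=*.example.com "P:select from" "SC:SQL:12" "Z:ARGS";',
    'RL ID:50004 "PX:select\\s+from" "SC:SQL:12" "Z:ARGS|$URL_X:/(admin\\|dev)";',
]
def fired_rule_ids(request):
    return [r["id"] for r in map(parse_rule, SAMPLE_RULES) if matches(r, request)]
```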
For signatures, the
MLA value may be used in the zone to force requests that fall within the scope of the created signature to be sent to Nemesida AI MLA even when the
score < 12 (by default, only requests with a
score equal to or greater than the value of the
mla_score parameter are sent to Nemesida AI MLA).
Creating a signature exclusion rule
If a request matches a signature, then in addition to sending the incident to the Nemesida WAF API, the following line is written to the Nginx error log:
Nemesida WAF: the request ххх contains a rule id 1 in zone HEADERS, ...
or, if the request contains a signature with the maximum allowed significance score (
score = 12):
Nemesida WAF: the request ххх blocked by rule id 1 in zone HEADERS, ...
1 – attack signature ID;
HEADERS – zone in which the signature was found.
To log every signature occurrence in a request (if there are any), including occurrences that did not lead to the request being blocked, enable the
nwaf_log_mr_all; parameter in the main Nemesida WAF configuration file.
The current signature list is available at rlinfo.nemesida-security.com.