«Nemesida WAF» and «Nemesida WAF Free» support a custom set of attack-detection signatures (signature, RL), as well as signature exclusion rules (exclusion rule,
Rules for detecting the signs of an attack can be placed in the main «Nemesida WAF» configuration file (nwaf.conf) or in a separate file of the form *.conf located in the /etc/nginx/nwaf/conf/vhosts directory. A signature rule is defined by the RL parameter and can take the following forms:
RL ID:50000 "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50001 domain=example.com "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50002 domain=*.example.com "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50003 "PX:select\s+from" "SC:SQL:12" "Z:ARGS|$URL:/admin";
RL ID:50004 "P:select from" "SC:SQL:12" "Z:ARGS|$URL:/(admin\|dev)";
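The five RL lines above pack several things into one statement: a rule ID, an optional domain filter, a literal (P) or regular-expression (PX) pattern, a category and score (SC), and the zones to inspect (Z), where a zone list may carry a $URL: path constraint and uses \| for a literal pipe. The following added example is a reimplementation of that syntax for study, not the vendor's parser: it reads the page's rules, applies them to constructed requests and emits messages in the shape of the log lines described further down. Case-insensitive matching, glob-style domain matching and the summing of lower scores per category are assumptions of the example; the only documented point it relies on is that score 12 is the maximum and blocks the request.

```python
import re
import shlex
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple

# Score 12 is the page's "maximum allowable" score: a single hit at this score blocks.
# Accumulating lower scores per category up to the same threshold is an assumption.
BLOCK_SCORE = 12


@dataclass
class Rule:
    rule_id: int
    pattern: Optional[re.Pattern] = None        # from "P:" (literal) or "PX:" (regex)
    category: str = ""                          # "SQL" in SC:SQL:12
    score: int = 0                              # 12 in SC:SQL:12
    zones: List[str] = field(default_factory=list)   # e.g. ARGS, URL, HEADERS, BODY, COOKIE
    domain: Optional[str] = None                # optional domain=... filter (glob, assumption)
    url_filter: Optional[re.Pattern] = None     # optional $URL:<regex> constraint


def parse_rule(line: str) -> Rule:
    """Parse one 'RL ID:<n> [domain=<d>] "<opt>" ... ;' line (hypothetical reimplementation)."""
    tokens = shlex.split(line.strip().rstrip(";"))   # shlex keeps "\s" and "\|" inside quotes
    if len(tokens) < 2 or tokens[0] != "RL" or not tokens[1].startswith("ID:"):
        raise ValueError(f"not an RL rule: {line!r}")
    rule = Rule(rule_id=int(tokens[1][len("ID:"):]))
    for tok in tokens[2:]:
        if tok.startswith("domain="):
            rule.domain = tok[len("domain="):]
            continue
        key, _, value = tok.partition(":")
        if key == "P":            # literal text; case-insensitive matching is an assumption
            rule.pattern = re.compile(re.escape(value), re.IGNORECASE)
        elif key == "PX":         # value is already a regular expression
            rule.pattern = re.compile(value, re.IGNORECASE)
        elif key == "SC":         # SC:<category>:<score>
            rule.category, _, score = value.partition(":")
            rule.score = int(score)
        elif key == "Z":          # zones separated by '|'; '\|' inside $URL is a literal pipe
            for item in re.split(r"(?<!\\)\|", value):
                item = item.replace(r"\|", "|")
                if item.startswith("$URL:"):
                    rule.url_filter = re.compile(item[len("$URL:"):])
                else:
                    rule.zones.append(item)
        else:
            raise ValueError(f"unknown option {tok!r} in rule {rule.rule_id}")
    if rule.pattern is None or not rule.zones:
        raise ValueError(f"rule {rule.rule_id} needs a pattern and at least one zone")
    return rule


def evaluate(rules: List[Rule], request: Dict[str, str]) -> dict:
    """Match a request against rules. request carries 'id', 'host', 'path' and the
    text of each zone under its zone name (e.g. request['ARGS'])."""
    hits: List[Tuple[int, str]] = []
    totals: Dict[str, int] = {}
    log_lines: List[str] = []
    for rule in rules:
        if rule.domain and not fnmatch(request["host"], rule.domain):
            continue
        if rule.url_filter and not rule.url_filter.search(request["path"]):
            continue
        for zone in rule.zones:
            if rule.pattern.search(request.get(zone, "")):
                hits.append((rule.rule_id, zone))
                totals[rule.category] = totals.get(rule.category, 0) + rule.score
                verb = "blocked by" if rule.score >= BLOCK_SCORE else "contains a"
                log_lines.append(f"Nemesida WAF: the request {request['id']} {verb} "
                                 f"rule id {rule.rule_id} in zone {zone}, ...")
                break   # one hit per rule is enough; stop at the first matching zone
    return {
        "blocked": any(total >= BLOCK_SCORE for total in totals.values()),
        "hits": hits,
        "log": log_lines,
    }


# The five RL lines shown on the page.
PAGE_RULES = [
    'RL ID:50000 "P:select from" "SC:SQL:12" "Z:ARGS";',
    'RL ID:50001 domain=example.com "P:select from" "SC:SQL:12" "Z:ARGS";',
    'RL ID:50002 domain=*.example.com "P:select from" "SC:SQL:12" "Z:ARGS";',
    'RL ID:50003 "PX:select\\s+from" "SC:SQL:12" "Z:ARGS|$URL:/admin";',
    'RL ID:50004 "P:select from" "SC:SQL:12" "Z:ARGS|$URL:/(admin\\|dev)";',
]
RULES = [parse_rule(line) for line in PAGE_RULES]

if __name__ == "__main__":
    # Constructed requests: a plain match, one only the regex rule under /admin catches, a benign one.
    for req in (
        {"id": "req-1", "host": "example.com", "path": "/search", "ARGS": "q=select from users"},
        {"id": "req-2", "host": "dev.example.com", "path": "/admin/users", "ARGS": "id=1 SELECT   FROM dual"},
        {"id": "req-3", "host": "example.com", "path": "/search", "ARGS": "q=hello"},
    ):
        result = evaluate(RULES, req)
        print(req["id"], "blocked" if result["blocked"] else "passed", result["hits"])
        for line in result["log"]:
            print("  ", line)
```

Running the block shows why the regex form matters: "SELECT   FROM" with repeated spaces is missed by every "P:select from" rule and is caught only by rule 50003, and only under /admin because of its $URL: constraint; the domain=*.example.com rule (50002) does not apply to the bare example.com host, since the glob requires a subdomain.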
Creating a signature exclusion rule
When a request matches a signature, in addition to sending the incident to the «Nemesida WAF API», the following line is written to the «nginx» error log:
Nemesida WAF: the request ххх contains a rule id 1 in zone HEADERS, ...
or, if the request matched a signature with the maximum allowable score (score = 12):
Nemesida WAF: the request ххх blocked by rule id 1 in zone HEADERS, ...
where:
1 – attack signature ID;
HEADERS – the zone in which the signature was found;
... – other information about the request.
To log every signature occurrence in a request (if there are any), including occurrences that did not lead to the request being blocked, enable the nwaf_log_mr_all; parameter in the main «Nemesida WAF» configuration file.
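With nwaf_log_mr_all; enabled, the error log contains both message shapes quoted above, which makes it a useful source for tuning: a rule that keeps appearing in "contains a" lines but never in "blocked by" lines is the first candidate to review for its score or for an exclusion rule. The following added example (not part of the page or the vendor's tooling) parses both message shapes and aggregates them per rule and zone. The surrounding timestamp and pid fields in the sample are constructed in the usual nginx error-log style and are skipped by the parser, which only looks for the message text.

```python
import re
from collections import Counter
from typing import Iterable, NamedTuple, Optional

# Both message shapes quoted on the page: "contains a rule id N" (detected, not blocked)
# and "blocked by rule id N".  search() skips whatever nginx prefixes the message with.
LOG_RE = re.compile(
    r"Nemesida WAF: the request (?P<request>\S+) "
    r"(?P<action>contains a|blocked by) rule id (?P<rule_id>\d+) in zone (?P<zone>[A-Z]+)"
)


class Event(NamedTuple):
    request: str
    rule_id: int
    zone: str
    blocked: bool


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a Nemesida WAF signature message, None for any other log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Event(m["request"], int(m["rule_id"]), m["zone"], m["action"] == "blocked by")


def summarize(lines: Iterable[str]) -> dict:
    """Aggregate signature events so that rules that fire without blocking stand out."""
    events = [e for e in (parse_line(line) for line in lines) if e is not None]
    hits_by_rule = Counter(e.rule_id for e in events)
    blocking_rules = {e.rule_id for e in events if e.blocked}
    return {
        "events": len(events),
        "blocked_requests": sorted({e.request for e in events if e.blocked}),
        "hits_by_rule": dict(hits_by_rule),
        "hits_by_zone": dict(Counter(e.zone for e in events)),
        # Rules seen only in "contains a" lines: visible thanks to nwaf_log_mr_all,
        # and the first candidates to review for score tuning or an exclusion rule.
        "detect_only_rules": sorted(set(hits_by_rule) - blocking_rules),
    }


# Constructed sample: nginx-style error-log lines carrying the page's message formats,
# plus one unrelated nginx line that the parser must ignore.
SAMPLE_LOG = """\
2024/05/01 10:00:01 [error] 1234#0: *17 Nemesida WAF: the request 7f3a contains a rule id 1 in zone HEADERS, ...
2024/05/01 10:00:01 [error] 1234#0: *17 Nemesida WAF: the request 7f3a blocked by rule id 50000 in zone ARGS, ...
2024/05/01 10:00:03 [error] 1234#0: *18 open() "/var/www/favicon.ico" failed (2: No such file or directory)
2024/05/01 10:00:05 [error] 1234#0: *19 Nemesida WAF: the request 9b21 contains a rule id 50003 in zone ARGS, ...
2024/05/01 10:00:05 [error] 1234#0: *19 Nemesida WAF: the request 9b21 contains a rule id 1 in zone HEADERS, ...
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

In the constructed sample, rule 1 fires twice and rule 50003 once without either ever blocking, so both land in detect_only_rules, while request 7f3a is the only one actually blocked (by rule 50000 at score 12). Pointing summarize() at the real error log (e.g. the lines of /var/log/nginx/error.log, an assumed path) gives the same breakdown for production traffic.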