makefile, not war

Version 0.55 brings one main improvement :

• Support of libinjection as a virtual patching method
• Support more precise virtual patching rules
• Support for RAW_BODY match-zone : Allow rule creation on unknown content-type(s)

It also brings some bug-fixes :

• Refuse to load with incoherent rules : #283
• Fixed some matchzone bugs that could lead to rules being incorrectly triggered : #282 #279
• Better^WLess worse Makefile

This should be the last release with nxapi/nxtool included, as it's being rewritten.

As usual, happy hacking and feedback is welcome !

makefile, not war

This is RC2 for naxsi 0.55 :

NEW

• Added support for RAW_BODY (rules to be matched against the full, raw body. Can be useful to match rules against unparsed content : XML, serialized java objects etc.)
• Confirmed support as a dynamic module (introduced in nginx 1.9.11)
• Better libinjection integration (can be used to make virtual-patching)

# drop any request that libinjection considers as SQLi (checked only in GET variable named "id")
MainRule id:4242 "d:libinj_sql" "mz:$ARGS_VAR:id" "s:DROP";

• Better blacklist matchzones (can now be as precise as whitelists)

# matches "test" on variable named "aa" or "ab" as long as they target url "/foo"
MainRule id:4241 "str:test" "mz:$URL:/foo|$ARGS_VAR:aa|$ARGS_VAR:ab" "s:$XSS:8";

BUGFIXES

• Better makefile for testing & dev, increased coverage
• Minor bug-fixes (#120, #241, #217, #231, #279, #283, #276)

makefile, not war

This is release candidate for naxsi 0.55 :

• Added support for RAW_BODY (rules to be matched against the full, raw body. Can be useful to match rules against unparsed content : XML, serialized java objects etc.)
• Confirmed support as a dynamic module (introduced in nginx 1.9.11)
• Better makefile for testing & dev, increased coverage
• Minor bug-fixes (#120, #241, #217, #231)

gin-rodjeur

CHANGES - CORE (from 0.53-2 "AppleJack") :

• increased PCRE output vector from 6 to 30 (from 2 match groups to 10)
• removed negative rule on content-types (naxsi_core.rules) as naxsi supports json
• Fixed broken EXLOG on |NAME match zones (issues/110)
• Integrated libinjection (xss/sqli)

CHANGES - NXAPI (from 0.53-2 "AppleJack") :

• NXAPI can now generate negative whitelists based on variable type (ie, it will block requests that do not match the rule).
• Add of coordonates to ES and country
• Refuse to tag events without server name
• Support of global_deny_rules and deny_rules
• Support for regex in filters

Signed release : 2685AED4

naxsi-0.54rc3

Naxsi 0.54rc3

• No change from RC2
• Signed release

0.54rc2

CHANGES - CORE :

• Fix a NULL pointer dereference when logging very long URIs or very long argname (Issue #178 )
• EXLOG on libinjection no longers mixes up var_name and content
• increased PCRE output vector from 6 to 30 (from 2 match groups to 10)
• removed negative rule on content-types (naxsi_core.rules) as naxsi supports json
• Fixed broken EXLOG on |NAME match zones (issues/110)
• Integrated libinjection (xss/sqli)

CHANGES - NXAPI :

• NXAPI can now generate negative whitelists based on variable type (ie, it will block requests that do not match the rule).
• Add of coordonates to ES and country
• Refuse to tag events without server name
• Support of global_deny_rules and deny_rules
• Support for regex in filters

RC1 for naxsi 0.54

CHANGES - CORE :

• Fix a NULL pointer dereference when logging very long URIs or very long argname (Issue #178 )

CHANGES - NXAPI :

• NXAPI can now generate negative whitelists based on variable type (ie, it will block requests that do not match the rule).

RC0 for naxsi 0.54

CHANGES - CORE :

• increased PCRE output vector from 6 to 30 (from 2 match groups to 10)
• removed negative rule on content-types (naxsi_core.rules) as naxsi supports json
• Fixed broken EXLOG on |NAME match zones (issues/110)
• Integrated libinjection (xss/sqli)

CHANGES - NXAPI :

• Add of coordonates to ES and country
• Refuse to tag events without server name
• Support of global_deny_rules and deny_rules
• Support for regex in filters

Minimal documentation for those wishing to try libinjection :
Libinjection is integrated as internal rules increasing $LIBINJECTION_XSS and/or $LIBINJECTION_SQL by 4 at match. libinjection will be disabled by default, and needs to be turned on using either directives LibInjectionXss / LibInjectionSql or by using dynamic modifiers $naxsi_flag_libinjection_xss / $naxsi_flag_libinjection_sql. libinjection_sql/xss can ofc be whitelisted by their IDs (libinjection_sql = 17 / libinjection_xss = 18)

AppleJack

Changes from 0.53-1:

• BUGFIX : When several BasicRule using regex-matchzones where targetting the same zone with different IDs, merge was incorrectly done. Leading to first whitelist only being effectively applied.
• CHANGE : Internal rule id:15 is now dedicated to empty BODY in POST requests. The goal here is to reduce usage of id:11 whitelists.

AppleJack

Release of naxsi 0.53-1 :

Naxsi-core 0.53-1 brings a lot of important features :

• Added support for regex matchzones (documented in wiki as well)
• Added scores and block flags to NAXSI_FMT
• Added support for exclusion whitelists : wl:-4242 will whitelist all user rules (>=1000) except rule 4242.

And of course, various bugfixes :

• Fixed a bug in case sensitivity where MixedCase URLs whitelist would not work
• Fixed a bug in NAXSI_EXLOG, that would make the line disappear if main error_log was set to debug
• Removed a leftover #debug define in naxsi_runtime.c

Extras :

• A lot of work was done on improving unit tests (>90% coverage), and integrating GCOV/LCOV in build/test process