Information Security


20th August 2012


Naxsi Rules for Blocking User Agent Used by Pentest Tools

Here are a few naxsi rules to make penetration testing a little harder. They block requests whose User-Agent header contains the default identifying string of a common scanner or fuzzer:

BasicRule "str:w3af.sourceforge.net" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:dirbuster" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:nikto" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:sqlmap" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:fimap" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:nessus" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:whatweb" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:openvas" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:httrack" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:jbrofuzz" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:libwhisker" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:webshag" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";

Only distinctive strings are used, because I don't want any trouble with false positives on legitimate clients.
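As an added example (not code from the post and not part of naxsi), the following Python emulates what these twelve rules do to a User-Agent header, using the "str:" semantics Thibault Koechlin describes in his note further down: a substring test that is case-insensitive when the pattern is written in lowercase. The rule parser, the str_match helper and the sample User-Agent values are constructed for this example and are assumptions, not naxsi internals; only the rule lines themselves come from the post.

```python
import re

# The twelve BasicRule lines from the post (straight quotes). Only the
# "str:<pattern>" "mz:$HEADERS_VAR:<header>" "s:<action>" form is handled.
RULES = '''
BasicRule "str:w3af.sourceforge.net" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:dirbuster" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:nikto" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:sqlmap" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:fimap" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:nessus" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:whatweb" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:openvas" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:httrack" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:jbrofuzz" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:libwhisker" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
BasicRule "str:webshag" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
'''

RULE_RE = re.compile(
    r'^BasicRule\s+"str:(?P<pattern>[^"]+)"\s+'
    r'"mz:\$HEADERS_VAR:(?P<header>[^"]+)"\s+"s:(?P<action>[^"]+)";$'
)


def parse_rules(text):
    """Return [(pattern, header, action), ...], one tuple per BasicRule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        rules.append((m['pattern'], m['header'].lower(), m['action']))
    return rules


def str_match(pattern, value):
    """Emulation (assumption) of naxsi 'str:' matching as described in the note
    on this page: substring test, case-insensitive if the pattern is all
    lowercase, otherwise case-sensitive."""
    if pattern == pattern.lower():
        return pattern in value.lower()
    return pattern in value


def matching_rules(rules, user_agent):
    """Patterns of the BLOCK rules on User-Agent that fire for this value."""
    return [p for p, header, action in rules
            if header == 'user-agent' and action == 'BLOCK'
            and str_match(p, user_agent)]


# Constructed User-Agent values: the one the post tested with curl, strings in
# the style of two tools' defaults, a normal browser, and a scanner run with
# its User-Agent overridden to look like a browser.
SAMPLE_UAS = {
    'curl test from the post': 'Mozilla/4.75 [en] (X11, U; Nessus)',
    'sqlmap default style':    'sqlmap/1.0-dev (http://sqlmap.org)',
    'DirBuster default style': 'DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)',
    'browser':                 'Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1',
    'sqlmap with spoofed UA':  'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0 Safari/537.1',
}


def verdicts(rules=None, samples=SAMPLE_UAS):
    """Map each sample name to the list of rule patterns that would block it."""
    rules = parse_rules(RULES) if rules is None else rules
    return {name: matching_rules(rules, ua) for name, ua in samples.items()}


if __name__ == '__main__':
    for name, hits in verdicts().items():
        print(f"{name:26s} -> {'BLOCK ' + ','.join(hits) if hits else 'pass'}")
```

The last sample is the caveat: every tool on the list lets the operator set the header (curl -A, sqlmap --user-agent, and so on), so these rules only catch default strings and unattended scans. Treat them as noise reduction and an early-warning signal in the log, not as a control.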

test

% curl -A "Mozilla/4.75 [en] (X11, U; Nessus)" -i localhost
HTTP/1.1 200 OK
Server: nginx/1.3.5
Date: Tue, 21 Aug 2012 00:02:02 GMT
Content-Type: text/plain
Content-Length: 13
Last-Modified: Mon, 20 Aug 2012 22:21:23 GMT
Connection: keep-alive
ETag: "5032b863-d"
Accept-Ranges: bytes

try harder !

log

-- snip --

4183#0: *71 NAXSI_FMT: ip=127.0.0.1&server=localhost&uri=/&total_processed=27&total_blocked=10&zone0=HEADERS&id0=0&var_name0=user-agent, client: 127.0.0.1, server: localhost, request: "GET / HTTP/1.1", host: "localhost"

-- snip --
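The NAXSI_FMT line is the record that actually proves the block (naxsi hands a blocked request to its DeniedUrl location, so the status and body the client sees are whatever that location serves, here a 200 with "try harder !"). As an added example, not code from the post or from naxsi, here is a parser for that format that pulls out the client, URI, counters and every zoneN/idN/var_nameN match, then aggregates hits per client and rule id the way a SIEM correlation rule would. The three sample log lines are constructed: the first reproduces the entry above with an nginx error-log prefix, the second and third are made up, including a hypothetical second match (id 1000 in ARGS) to show multi-match lines.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample lines in nginx error-log form. Line 1 copies the entry
# from the post; lines 2 and 3 are invented, and the "zone1=ARGS&id1=1000"
# match on line 3 is a hypothetical core-rule hit used only for illustration.
SAMPLE_LOG = [
    '2012/08/21 00:02:02 [error] 4183#0: *71 NAXSI_FMT: ip=127.0.0.1&server=localhost&uri=/'
    '&total_processed=27&total_blocked=10&zone0=HEADERS&id0=0&var_name0=user-agent, '
    'client: 127.0.0.1, server: localhost, request: "GET / HTTP/1.1", host: "localhost"',
    '2012/08/21 00:05:41 [error] 4183#0: *72 NAXSI_FMT: ip=127.0.0.1&server=localhost&uri=/'
    '&total_processed=28&total_blocked=11&zone0=HEADERS&id0=0&var_name0=user-agent, '
    'client: 127.0.0.1, server: localhost, request: "GET / HTTP/1.1", host: "localhost"',
    '2012/08/21 00:09:13 [error] 4183#0: *75 NAXSI_FMT: ip=10.0.0.5&server=localhost&uri=/item.php'
    '&total_processed=40&total_blocked=12&zone0=HEADERS&id0=0&var_name0=user-agent'
    '&zone1=ARGS&id1=1000&var_name1=id, client: 10.0.0.5, server: localhost, '
    'request: "GET /item.php?id=1%20union%20select%201 HTTP/1.1", host: "localhost"',
]

# The NAXSI_FMT payload is a query-string-like blob, followed by nginx's usual
# client/server/request/host context fields.
LINE_RE = re.compile(
    r'NAXSI_FMT: (?P<fmt>.+?), client: (?P<client>\S+), server: (?P<server>\S+), '
    r'request: "(?P<request>[^"]*)", host: "(?P<host>[^"]*)"'
)


def parse_naxsi_line(line):
    """Parse one error-log line; return an event dict, or None if it is not NAXSI_FMT."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # parse_qs also percent-decodes the values (naxsi escapes the uri).
    fields = {k: v[0] for k, v in parse_qs(m['fmt'], keep_blank_values=True).items()}
    event = {
        'ip': fields.get('ip'),
        'server': fields.get('server'),
        'uri': fields.get('uri'),
        'total_processed': int(fields.get('total_processed', 0)),
        'total_blocked': int(fields.get('total_blocked', 0)),
        'request': m['request'],
        'host': m['host'],
        'matches': [],
    }
    # Matches are numbered zone0/id0/var_name0, zone1/id1/var_name1, ...
    i = 0
    while f'zone{i}' in fields:
        event['matches'].append({
            'zone': fields[f'zone{i}'],
            'id': int(fields.get(f'id{i}', 0)),
            'var_name': fields.get(f'var_name{i}', ''),
        })
        i += 1
    return event


def summarize(lines):
    """Count matches per (client ip, rule id, zone) across a batch of log lines."""
    counts = Counter()
    for line in lines:
        ev = parse_naxsi_line(line)
        if ev is None:
            continue
        for mt in ev['matches']:
            counts[(ev['ip'], mt['id'], mt['zone'])] += 1
    return counts


if __name__ == '__main__':
    for (ip, rule_id, zone), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:12s} rule {rule_id:5d} zone {zone:8s} hits={n}")
```

Rules written without an id, like the twelve above, show up as id0=0, so anything you key on the rule id in a SIEM will lump them together; give each BasicRule its own id if you want to tell nessus from sqlmap in the dashboard.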

Note from Thibault Koechlin (author of naxsi)

mail 1

As well, using "rx:DirBuster*" can be replaced by "str:dirbuster". Naxsi does case-insensitive matching on strings if your string is lowercase!

mail 2

string match is *way* faster than regex

Regex should be kept for some specific cases, like :

MainRule negative "rx:multipart/form-data|application/x-www-form-urlencoded" "msg:Content is neither multipart/x-www-form.." "mz:$HEADERS_VAR:Content-Type" "s:BLOCK" id:1402;

where we truly need regular expressions to achieve our goal ;)

Tagged: Firewall, Penetration Testing, Web Security, Security Information and Event Management


ABOUT THE AUTHOR
            
Teguh is an idealist pwner living encrypted in Indonesia.
He is passionate about security and currently defeating the CWE top 25.
He also can be found on Google+, Twitter, GitHub, Shelfari and your libc.