12 KiB
Naxsi Matchzones
Matchzones, denoted by the prefix mz:, are crucial components of rules and whitelists. They act like filters to define specific locations where a pattern should be searched or allowed.
Here's how they function differently based on the context:
-
Rules: In this case, matchzones work with an OR logic (like
BODYORHEADERS). This means that as long as one of the specified conditions is met, the rule triggers. -
Whitelists: Here, matchzones operate under an AND logic (like
urlmust be/fooAND must occur inARGS). It requires that both conditions within a whitelist be satisfied before the pattern is allowed.
📣 Important
Naxsi decodes any
url-encodedorhexadecimalsequence, this means the string or regex to search for must be of the decoded content (this applies also to URLs).Example:
1%20UnioN%20SeLEct%201becomes1 UnioN SeLEct 1before applying rules.
Any Matchzone
This special matchzone designated by ANY allows to define rules and whitelists which matches in any area of a request.
For instance, the rule MainRule id:12345 "s:$FOO:8,$BAR:4" "str:malicious" "mz:ANY"; is equivalent of writing the following rules but in one line.
MainRule id:12345 "s:$FOO:8,$BAR:4" "str:malicious" "mz:ARGS|HEADERS|BODY|URL";
MainRule id:12345 "s:$FOO:8,$BAR:4" "str:malicious" "mz:RAW_BODY";
MainRule id:12345 "s:$FOO:8,$BAR:4" "str:malicious" "mz:FILE_EXT";
📣 Important
This can be used also for whitelists, but it is possible to disable a rule by just not declaring any matchzone (see the Whitelist matchzones notes).
Filter by HTTP Headers
HTTP headers let the client and the server pass additional information with a message in a request or response; Naxsi allows to filter rules and whitelists by headers as follows:
Filter by Any HTTP header value
This Matchzone designated by HEADERS is specifically tailored to identify only the content found within HTTP headers.
For instance:
- A rule such as
MainRule id:12345 "s:$FOO:8,$BAR:4" "str:malicious" "mz:HEADERS";detects the occurrence of the stringmaliciousexclusively within the HTTP headers values transmitted in a request. - A whitelist entry like
BasicRule wl:12345 "mz:HEADERS";negates the match of any rule with id12345if the match itself occurs in the HTTP header values.
Filter by Any HTTP header name
This Matchzone designated by HEADERS|NAME is specifically tailored to identify only the name of the header found within HTTP request.
For instance:
- A rule such as
MainRule id:12345 "s:$FOO:8" "str:x-forward-to" "mz:HEADERS|NAME";detects the occurrence of the stringX-Forward-Toexclusively within the HTTP headers names transmitted in a request. - A whitelist entry like
BasicRule wl:12345 "mz:HEADERS|NAME";negates the match of any rule with id12345if the match itself occurs in the HTTP header name.
Filter by HTTP header name
This Matchzone designated by $HEADERS_VAR:foo and $HEADERS_VAR_X:^foo$ is specifically tailored to identify only the content found within an HTTP header named foo.
$HEADERS_VAR:<string>can be used to filter by header name (case-insensitive) via a string.$HEADERS_VAR_X:<regex>can be used to filter by header name (case-insensitive) via a regex.
For instance:
- A rule such as
MainRule id:12345 "s:$FOO:8,$BAR:4" "str:curl" "mz:$HEADERS_VAR:user-agent|$HEADERS_VAR:cookie";detects the occurrence of the stringcurlexclusively within the value of the HTTP headersUser-AgentandCookie(case-insensitive). - A whitelist entry like
BasicRule wl:12345 "mz:$HEADERS_VAR_X:^cookie$";negates the match of any rule with id12345if the match occurs within the value of the HTTP headerCookievia regex.
📣 Important
This can be mixed with
|NAMEto perform the filtering at argument name instead of value. Example:mz:$HEADERS_VAR_X:^foo\d+$|NAMEmatches only the HTTP header namedfoo<number>.
Filter by GET query
HTTP GET requests can carry information, referred as queries, in the form of key=value pairs; Naxsi allows to filter rules and whitelists by these arguments as follows:
Filter by Any GET query value
This Matchzone designated by ARGS is specifically tailored to identify only the value found within HTTP GET query.
For instance:
- A rule such as
MainRule id:12345 "s:$FOO:8,$BAR:4" "str:malicious" "mz:ARGS";detects the occurrence of the stringmaliciousexclusively within the HTTP GET queries values transmitted in a request. - A whitelist entry like
BasicRule wl:12345 "mz:ARGS";negates the match of any rule with id12345if the match itself occurs in the HTTP GET queries values.
Filter by Any GET query name
This Matchzone designated by ARGS|NAME is specifically tailored to identify only the name of the GET query found within HTTP request.
For instance:
- A rule such as
MainRule id:12345 "s:$FOO:8" "str:delete_action" "mz:ARGS|NAME";detects the occurrence of the stringdelete_actionexclusively within the HTTP GET queries names transmitted in a request. - A whitelist entry like
BasicRule wl:12345 "mz:ARGS|NAME";negates the match of any rule with id12345if the match itself occurs in the HTTP GET queries names.
Filter by GET query value or name
This Matchzone designated by $ARGS_VAR:foo and $ARGS_VAR_X:^foo$ is specifically tailored to identify only the content found within an HTTP GET query named foo.
$ARGS_VAR:<string>can be used to filter by argument name (case-insensitive) via a string.$ARGS_VAR_X:<regex>can be used to filter by argument name (case-insensitive) via a regex.
For instance:
- A rule such as
MainRule id:12345 "s:$FOO:8,$BAR:4" "str:evil" "mz:$ARGS_VAR:foo|$ARGS_VAR:bar";detects the occurrence of the stringevilexclusively within the value of the GET queriesUser-Agent(case-insensitive). - A whitelist entry like
BasicRule wl:12345 "mz:$ARGS_VAR_X:^cookie$";negates the match of any rule with id12345if the match occurs within the value of the HTTP headerCookievia regex.
📣 Important
This can be mixed with
|NAMEto perform the filtering at argument name instead of value. Example:mz:$ARGS_VAR_X:^foo\d+$|NAMEmatches only the GET query namedfoo<number>.
Filter by POST Requests
HTTP POST requests carries information in the HTTP body; the request data can have multiple formats:
application/x-www-form-urlencodedcontains key=value pairs.multipart/form-datacontains boundaries with the raw data.
Naxsi allows to filter these in rules and whitelists as follows:
Filter by Any application/x-www-form-urlencoded Value
This Matchzone designated by BODY is specifically tailored to identify only the value found within HTTP POST body.
For instance:
- A rule such as
MainRule id:12345 "s:$FOO:8,$BAR:4" "str:malicious" "mz:BODY";detects the occurrence of the stringmaliciousexclusively within the HTTP POST body values (key=value format) transmitted in a request. - A whitelist entry like
BasicRule wl:12345 "mz:BODY";negates the match of any rule with id12345if the match itself occurs in the HTTP POST body values.
Filter by Any application/x-www-form-urlencoded Key
This Matchzone designated by BODY|NAME is specifically tailored to identify only the name of the header found within HTTP request.
For instance:
- A rule such as
MainRule id:12345 "s:$FOO:8" "str:delete_action" "mz:BODY|NAME";detects the occurrence of the stringdelete_actionexclusively within the HTTP POST arguments names transmitted in a request. - A whitelist entry like
BasicRule wl:12345 "mz:BODY|NAME";negates the match of any rule with id12345if the match itself occurs in the HTTP POST arguments names.
Filter by Any application/x-www-form-urlencoded Key and Value
This Matchzone designated by $BODY_VAR:foo and $BODY_VAR_X:^foo$ is specifically tailored to identify only the content found within an HTTP POST body named foo.
$BODY_VAR:<string>can be used to filter by POST form name (case-insensitive) via a string.$BODY_VAR_X:<regex>can be used to filter by POST form name (case-insensitive) via a regex.
For instance:
- A rule such as
MainRule id:12345 "s:$FOO:8,$BAR:4" "str:malicious" "mz:$BODY_VAR:foo|$BODY_VAR:bar";detects the occurrence of the stringmaliciousexclusively within the value of the POST form keysfooandbody(case-insensitive). - A whitelist entry like
BasicRule wl:12345 "mz:$BODY_VAR_X:^foo$";negates the match of any rule with id12345if the match occurs within the value of the POST form namedfoovia regex.
📣 Important
This can be mixed with
|NAMEto perform the filtering at argument name instead of value. Example:mz:$BODY_VAR_X:^foo\d+$|NAMEmatches only the POST argument namedfoo<number>.
Filter by Any multipart/form-data filename
This Matchzone designated by FILE_EXT is specifically tailored to match only the filename found within HTTP multipart POST request.
For instance:
- A rule such as
MainRule id:12345 "s:$FOO:8,$BAR:4" "str:.php" "mz:FILE_EXT";detects the occurrence of the string.phpexclusively within the filename of the HTTP multipart POST request. - A whitelist entry like
BasicRule wl:12345 "mz:FILE_EXT";negates the match of any rule with id12345if the match itself occurs in the filename of the HTTP multipart POST request.
Filter by HTTP Raw Body
This Matchzone designated by RAW_BODY is specifically tailored to match any byte sequence in an unparsed HTTP body.
For instance:
- A rule such as
BasicRule id:12345 "s:$EXECUTABLE:8" "rx:MZ\x90" "mz:RAW_BODY";detects the occurrence of a byte sequence (Windows PE magic) within the HTTP body of the request. - A whitelist entry like
BasicRule wl:12345 "mz:RAW_BODY";negates the match of any rule with id12345if the match itself occurs in the HTTP body of the request.
📣 Important
This matchzone is internally converted as
BODYzone, thus theBasicRule wl:12345 "mz:BODY";andBasicRule wl:12345 "mz:RAW_BODY";are equivalent.
Filter by HTTP URL
Naxsi supports filtering by HTTP URL as follows:
Filter by HTTP URL (global)
This Matchzone designated by URL is specifically tailored to identify only the value found within HTTP URL.
For instance:
- A rule such as
MainRule id:12345 "s:$FOO:8,$BAR:4" "str:/admin" "mz:URL";detects the occurrence of the string/adminexclusively within the HTTP URL transmitted in a request. - A whitelist entry like
BasicRule wl:12345 "mz:URL";negates the match of any rule with id12345if the match itself occurs in the HTTP URL.
📣 Important
This matchzone is globally applied, it is possible to restrict the matchzone to a specific URL or substring in the URL via
$URLor$URL_X(see below).
Filter by HTTP URL (restricted)
This Matchzone designated by $URL:/foo and $URL_X:^/foo$ is specifically tailored to identify only the URL containing the string /foo.
$URL:<string>can be used to filter by string (case-insensitive).$URL_X:<regex>can be used to filter by regex (case-insensitive).
These can be mixed with all the previous matchzones as follows:
In rules context, $URL or $URL_X must be satisfied if present. Any other condition is treated as OR (opposite to whitelists).
- The rule
BasicRule str:Y id:X "mz:ARGS|BODY";is interpreted as pattern 'Y' will be matched against any GET and POST arguements - The rule
BasicRule str:Y id:X "mz:ARGS|BODY|$URL:/foo";is interpreted as pattern 'Y' will be matched against any GET and POST arguements as long as URL is/foo
In whitelist context, all conditions must be satisfied, so a whitelist like BasicRule wl:X "mz:$ARGS_VAR:foo|$URL:/bar"; is interpreted as id X is whitelisted in GET variable foo on URL /bar
⚠️ Warning
You CANNOT mix
$URL_X:<regex>and$ARGS_VAR:<string>,$BODY_VAR:<string>and$HEADERS_VAR:<string>in a rule or whitelist.It is allowed instead to mix
$URL_X:<regex>with$ARGS_VAR_X:<regex>,$BODY_VAR_X:<regex>and$HEADERS_VAR_X:<regex>and to mix$URL:<string>with$ARGS_VAR:<string>,$BODY_VAR:<string>and$HEADERS_VAR:<string>.
ℹ️ Info
It is allowed to mix
FILE_EXTandRAW_BODYwith$URL_X:<regex>and$URL:<string>.