110 lines
2.6 KiB
Markdown
110 lines
2.6 KiB
Markdown
# Internal rules
|
|
|
|
Internal rules are rules that can be fired by naxsi, when request is incorrect or extremely unusual - or naxsi is not able to parse the request (ie. unknown content-type).
|
|
Please note that those rules do not set an internal score, but usually just set the `block` flag of the request to `1`.
|
|
|
|
You can whitelist those, but you should never have to do so.
|
|
When whitelisting an internal rule, you might be disabling naxsi at least partially, so think twice about it.
|
|
|
|
|
|
|
|
|
|
## weird_request
|
|
* id: 1
|
|
* action: block
|
|
* impact: pass-thru
|
|
|
|
A request that cannot be understood by naxsi.
|
|
When whitelisting this one, you are telling naxsi to blindly accept the request and not to parse it.
|
|
|
|
## big_request
|
|
* id: 2
|
|
* action: block
|
|
* impact : pass-thru
|
|
|
|
A request that is buffered on file system because it's too big.
|
|
Naxsi doesn't parse buffered requests. You can always increase [client_body_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) in nginx's config.
|
|
|
|
## uncommon_hex_encoding
|
|
* id: 10
|
|
* action: block
|
|
* impact : partial loss of decoding
|
|
|
|
Hex encoding that is not valid, and that naxsi cannot "url decode".
|
|
|
|
## uncommon_content_type
|
|
* id: 11
|
|
* action: block
|
|
* impact : pass-thru on BODY
|
|
|
|
A content-type unknown to naxsi. Meaning naxsi cannot parse the body.
|
|
However, if id:11 is whitelisted and >= 0.55rc2, [RAW_BODY](rawbody) rules can be used.
|
|
|
|
## uncommon_url
|
|
* id: 12
|
|
* action: block
|
|
* impact: partial pass-thru on GET args
|
|
|
|
An URL that is not standard (ie. `?x=foo&z=bar`). Can lead to uncorrectly parsed arguments when whitelisted.
|
|
|
|
|
|
# uncommon_post_format
|
|
* id: 13
|
|
* action: block
|
|
* impact: pass-thru on BODY
|
|
|
|
POST body is malformed, ie.
|
|
* bad content-disposition
|
|
* no variable name
|
|
* malformed attached file content-type
|
|
|
|
## uncommon_post_boundary
|
|
* id: 14
|
|
* action: block
|
|
* impact: pass-thru on BODY
|
|
|
|
POST body is malformed, ie.
|
|
* bad content-type
|
|
* bad boundary (too short, too long, not rfc compliant)
|
|
|
|
## invalid_json
|
|
* id: 15
|
|
* action: block
|
|
* impact: pass-thru on BODY (json)
|
|
|
|
JSON is malformed (ie. missing `} ]`).
|
|
|
|
|
|
## empty_body
|
|
* id: 16
|
|
* action: block
|
|
* impact: pass-thru on BODY
|
|
|
|
Raised when body is empty and/or content-length is zero.
|
|
|
|
|
|
## libinjection_sql
|
|
* id: 17
|
|
* action: ??
|
|
|
|
See [libinjection](libinjection-integration.md).
|
|
|
|
## libinjection_xss
|
|
* id: 18
|
|
* action: ??
|
|
|
|
See [libinjection](libinjection-integration.md).
|
|
|
|
## no_rules
|
|
* id: 19
|
|
* action: drop
|
|
* impact: no rules checked
|
|
|
|
Raised when naxsi isn't configured with any MainRules.
|
|
|
|
## bad_utf8
|
|
* id: 20
|
|
* action: drop
|
|
|
|
Raised when [surrogate utf8](https://tools.ietf.org/html/rfc3629) is detected.
|