regex-manual

[Harry Tuttle]

is there some manual on how to build regexes for naxsi?

[bui]

Hello,

No there is not, naxsi regex are plain PCRE regex, with
PCRE_CASELESS|PCRE_MULTILINE flags.
If you have any specific questions, don't hesitate !

[Harry Tuttle]

hello,

i'm working on converting emerging-thread sigs and i wonder if i could rewrite:
pcre:"/SELECT.+CONCAT/Ui";

to

"rx:SELECT.+CONCAT"


etc. pp




2012/10/11, bui <ori...@gmail.com>:

[bui]

Hi,

I'm not sure to get what you want to do.
If you want "concat" sql keyword to be added to SQL keywords rule(s),
it's not the good way to do.
To do so, we could simply add "concat" to rule 1000.

[Harry Tuttle]

> I'm not sure to get what you want to do.

emerging-threat-sigs are signatures for snort/suricata ids and a nice
source for writing naxsi - signatures. there a lots of posibbly
usefull sigs using PCRE - statements; maybe i just have to try & error
:)

> If you want "concat" sql keyword to be added to SQL keywords rule(s),
> it's not the good way to do.
> To do so, we could simply add "concat" to rule 1000.

i found some other sql-statements that might be added to rule 1000

varchar(
exec(
declare(
alter

maybe for the alter - statement it would be better to wrap this in a single
rule with a pcre like:

"rx:ALTER\ +(database|procedure|table|column)"

[bui]

Hello,

>> If you want "concat" sql keyword to be added to SQL keywords rule(s),
>> it's not the good way to do.
>> To do so, we could simply add "concat" to rule 1000.
>
> i found some other sql-statements that might be added to rule 1000
>
> varchar(
> exec(
> declare(
> alter
>
> maybe for the alter - statement it would be better to wrap this in a single
> rule with a pcre like:
>
> "rx:ALTER\ +(database|procedure|table|column)"

Please don't do this !
I written naxsi exactly in order not to have to do this.
I don't want to have complex/evolved rules/patterns, but rather focus
on primitives used by attacks.

If you want to add this kind of patterns, do it this way rather :
- add "alter" to rule 1000

And then create a basic rule with another ID targetting specific
functions, and increasing SQL score.

[Harry Tuttle]

>>
>> "rx:ALTER\ +(database|procedure|table|column)"
>
> Please don't do this !
> I written naxsi exactly in order not to have to do this.
> I don't want to have complex/evolved rules/patterns, but rather focus
> on primitives used by attacks.
>
> If you want to add this kind of patterns, do it this way rather :
> - add "alter" to rule 1000
>
> And then create a basic rule with another ID targetting specific
> functions, and increasing SQL score.
>

ok, understood

i'm new to naxsi, please forgive my juvenile approach :)

[bui]

Don't worry ;)

I know it's a different approach from most firewalls, so I prefer to
make it clear, hope I didn't sound too rude !

Cheers,

[Harry Tuttle]

no problem, just added that part to my
writing_naxsi_sigs_howto :)



2012/10/11, bui <ori...@gmail.com>:

[bui]

Ho, if you plan on writting some documentation / howto, would you mind
helping us ?
So far, documentation is a weak spot in the project, and we started
rewritting a full documentation from scratch.
Would you mind adding your contributions there ?

I share it to you on google docs / google drive !

Cheers,

[Harry Tuttle]

2012/10/11, bui <ori...@gmail.com>:

> Ho, if you plan on writting some documentation / howto, would you mind
> helping us ?
> So far, documentation is a weak spot in the project, and we started
> rewritting a full documentation from scratch.
> Would you mind adding your contributions there ?
>
> I share it to you on google docs / google drive !
>

yeah, i checked it so so far, looks good!
especially that learning from a partial IP is great
for integrating naxsi with a running site.

[F F]

Hello

Sorry for jumping in such old thread, I dont understand the rule 1315

It says it is a rule about double quotes

Regex is "rx:%[23]."

I understand you want to match %22 but this regex matches also %2* and %3* ?

What am i missing ?

Thanks :)