update waf reg

edetmt
Commit 81c0351d authored Apr 24, 2020 by edetmt
Showing with 22 additions and 23 deletions
README.md
rule-config/args.rule
rule-config/post.rule
--- a/README.md
+++ b/README.md
 - Nginx+Lua实现自定义WAF防护（Web application firewall）
- 源项目为 https://github.com/loveshell/ngx_lua_waf 只做些许更改
+- 源项目为 http://project@git.edetmt.com:10000/project/nginx-lua.git
@@ -22,14 +22,6 @@ nginx.conf
 ```
-CC攻击拦截
-![输入图片说明](https://oscimg.oschina.net/oscnet/efaccc2866f958aa14a64426e1b2cf36066.jpg "在这里输入图片标题")
-elk日志分析
-![输入图片说明](https://images.gitee.com/uploads/images/2019/0221/204828_74e2e35f_747638.jpeg "在这里输入图片标题")
 ###########################
 更新日志:
 增加了whiteip cdip的功能,用以匹配ip段

--- a/rule-config/args.rule
+++ b/rule-config/args.rule
@@ -3,20 +3,23 @@
 \$\{
 select.+(from|limit)
 (?:(union(.*?)select))
-having|rongjitest
 sleep\((\s*)(\d*)(\s*)\)
+group\s+by.+\(
+(?:from\W+information_schema\W)
+(?:(?:current_)user|database|version|schema|connection_id)\s*\(
+\s*or\s+.*=.*
+order\s+by\s+.*--$
 benchmark\((.*)\,(.*)\)
 base64_decode\(
-(?:from\W+information_schema\W)
-(?:(?:current_)user|database|schema|connection_id)\s*\(
 (?:etc\/\W*passwd)
 into(\s+)+(?:dump|out)file\s*
-group\s+by.+\(
 xwork.MethodAccessor
 (?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
-xwork\.MethodAccessor
+\<(iframe|script|body|layer|meta|style|base|object|input)
+(onmouseover|onmousemove|onerror|onload)\=
+javascript:
+\|\|.*(?:ls|pwd|whoami|ll|ifconfog|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv)
+(?:ls|pwd|whoami|ll|ifconfog|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv).*\|\|
 (gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
 java\.lang
 \$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
-\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
-(onmouseover|onerror|onload)\=
--- a/rule-config/post.rule
+++ b/rule-config/post.rule
 password=123456$
+\.\./
 select.+(from|limit)
 (?:(union(.*?)select))
-having|rongjitest
 sleep\((\s*)(\d*)(\s*)\)
+group\s+by.+\(
+(?:from\W+information_schema\W)
+(?:(?:current_)user|database|version|schema|connection_id)\s*\(
+\s*or\s+.*=.*
+order\s+by\s+.*--$
 benchmark\((.*)\,(.*)\)
 base64_decode\(
-(?:from\W+information_schema\W)
-(?:(?:current_)user|database|schema|connection_id)\s*\(
 (?:etc\/\W*passwd)
 into(\s+)+(?:dump|out)file\s*
-group\s+by.+\(
 xwork.MethodAccessor
 (?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
-xwork\.MethodAccessor
+\<(iframe|script|body|layer|meta|style|base|object|input)
+(onmouseover|onmousemove|onerror|onload)\=
+javascript:
+\|\|.*(?:ls|pwd|whoami|ll|ifconfog|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv)
+(?:ls|pwd|whoami|ll|ifconfog|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv).*\|\|
 (gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
 java\.lang
 \$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
-\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
-(onmouseover|onerror|onload)\=