QuickDefence WAF - Nginx and Lua based first open source WAF, still in Pre-Alpha stage.

jaydipdave · 2014-01-17T13:54:29+00:00

I am looking for a module to allow TCP load balancing for a while as well. Have you taken a look at the following:https://github.com/yaoweibin/nginx_tcp...

QuickDefence WAF - Nginx and Lua based first open source WAF, still in Pre-Alpha stage.

jaydipdave

Hello Friends,

Making my QuickDefence WAF (Web Application Firewall) open source to make it useful for small and medium size online business owners. Easy to setup and very good for setting up website security without having much knowledge of Rules and Regexes.

https://github.com/jaydipdave/quickdefencewaf

Please help the WAF and make it more mature.

Thank You,

Jaydeep

lazy.dogtown

hi jaydeep,

do you know about naxsi https://github.com/nbs-system/naxsi? it's quite mature, has a good default-set and updated rules against actual threats

http://blog.dorvakt.org/

https://bitbucket.org/lazy_dogtown/doxi-rules/src

what i'd suggest on a lua-level is

- anonamly detection (sensitive topic, lots of tuning and false positives)

- unusual behavior (scanners usually dont deliver the full set of headers like a browser and are detectable)

- output_body_filtering

- enforcing blocks for "known bad" ips

regards,

mex

2014/1/17 Jaydeep Dave <jayd...@gmail.com>

Hello Friends,

Making my QuickDefence WAF (Web Application Firewall) open source to make it useful for small and medium size online business owners. Easy to setup and very good for setting up website security without having much knowledge of Rules and Regexes.

https://github.com/jaydipdave/quickdefencewaf

Please help the WAF and make it more mature.

Thank You,

Jaydeep

.

jaydipdave

Hi Mex,

Thanks for taking time in writing your feedback.

Naxsi is a full fledged low level WAF, very similar to mod_security. I would rather use mod_security as it has a long range of rules available as well.

I am trying to build here a high-level WAF, very brief but very effective. We can say an immediate pain pain reliever for small and medium e-business owners.

I am also experimenting with some "whitelisting approach" in QuickDefence, I will commit the changes once it is done.

Actually, I dont like writing rules. The rule writing facility is only for Virtual Patching of vulnerabilities and false positive removals.

Please feel free to argue/discuss/query anything, it will be appreciated.

Thanks,

Jaydeep

On Fri, Jan 17, 2014 at 2:39 PM, mex <lazy....@gmail.com> wrote:

hi jaydeep,

do you know about naxsi https://github.com/nbs-system/naxsi? it's quite mature, has a good default-set and updated rules against actual threats

http://blog.dorvakt.org/
https://bitbucket.org/lazy_dogtown/doxi-rules/src

what i'd suggest on a lua-level is
- anonamly detection (sensitive topic, lots of tuning and false positives)
- unusual behavior (scanners usually dont deliver the full set of headers like a browser and are detectable)

- output_body_filtering
- enforcing blocks for "known bad" ips

regards,

mex

2014/1/17 Jaydeep Dave <jayd...@gmail.com>

Hello Friends,

Making my QuickDefence WAF (Web Application Firewall) open source to make it useful for small and medium size online business owners. Easy to setup and very good for setting up website security without having much knowledge of Rules and Regexes.

https://github.com/jaydipdave/quickdefencewaf

Please help the WAF and make it more mature.

Thank You,

Jaydeep

.

--
Regards,

Jaydeep Dave
Mobile: +919898456445

lazy.dogtown

2014/1/17 Jaydeep Dave <jayd...@gmail.com>

Hi Mex,

Thanks for taking time in writing your feedback.

Naxsi is a full fledged low level WAF, very similar to mod_security. I would rather use mod_security

i completely disagree. mod_security is PITA when it comes to

implementation, cost-of-ownership, performance and rules_writing; and

i think it is only useful for netowners that have a 24/7 netsec-monitoring,

read BIG.

mod_security is as dead as apache in the field of

application_server_infrastructure and fast reverse_proxies like nginx,

/me thinx

> as it has a long range of rules available as well.

no, it doesnt cover actual and new threats and has a long long long

history of stupid bypasses.

and there is nothing like a commmunity that delivers new rules on

new threats, just owasp_bureaucracy :)

do you know the emerging threats community for snort rules?

this is how it should/could be.

I am trying to build here a high-level WAF, very brief but very effective. We can say an immediate pain pain reliever for small and medium e-business owners.

what is your definition of high-level vs low-lewel waf?

I am also experimenting with some "whitelisting approach" in QuickDefence, I will commit the changes once it is done.

Actually, I dont like writing rules. The rule writing facility is only for Virtual Patching of vulnerabilities and false positive removals.

yes, but because of the stupidity of some developers one needs that :(

what does a waf* protect against in your opinion? in my: 99% skiddos

and scanners, 0,99% configuration_issues and left_overs from devs.

when the rails_vulns came out last year i was more than happy that i could

write and deploy a sig within 1 hour to our rails-customers.

btw, nobody (i know) actually "writes" rules, but uses rules-generators

waf -> actual web application firewall and a set of good deny_rules,

think example.com/app/.git/ :)

regards,

mex

appa

Based on a rather cursory look of your code I could not see any code that unescapes the URI.

Considering the many ways to encode there are just for SQL injections just doing simple matching without unescaping is not going
to cut it IMHO.

I join mex saying that 80% of the work should be done at the nginx config layer where you block URLs like .git,.svn, etc.

Then rely on the WAF for the things you can't do just using the nginx config language. Unescaping an URL is an example
of that.

----appa

On Fri, Jan 17, 2014 at 11:10 AM, mex <lazy....@gmail.com> wrote:

2014/1/17 Jaydeep Dave <jayd...@gmail.com>

Hi Mex,

Thanks for taking time in writing your feedback.

Naxsi is a full fledged low level WAF, very similar to mod_security. I would rather use mod_security

i completely disagree. mod_security is PITA when it comes to
implementation, cost-of-ownership, performance and rules_writing; and
i think it is only useful for netowners that have a 24/7 netsec-monitoring,

read BIG.

mod_security is as dead as apache in the field of
application_server_infrastructure and fast reverse_proxies like nginx,
/me thinx

> as it has a long range of rules available as well.

no, it doesnt cover actual and new threats and has a long long long
history of stupid bypasses.

and there is nothing like a commmunity that delivers new rules on
new threats, just owasp_bureaucracy :)

do you know the emerging threats community for snort rules?
this is how it should/could be.

I am trying to build here a high-level WAF, very brief but very effective. We can say an immediate pain pain reliever for small and medium e-business owners.

what is your definition of high-level vs low-lewel waf?

I am also experimenting with some "whitelisting approach" in QuickDefence, I will commit the changes once it is done.

Actually, I dont like writing rules. The rule writing facility is only for Virtual Patching of vulnerabilities and false positive removals.

yes, but because of the stupidity of some developers one needs that :(

what does a waf* protect against in your opinion? in my: 99% skiddos
and scanners, 0,99% configuration_issues and left_overs from devs.

when the rails_vulns came out last year i was more than happy that i could

write and deploy a sig within 1 hour to our rails-customers.

btw, nobody (i know) actually "writes" rules, but uses rules-generators

waf -> actual web application firewall and a set of good deny_rules,
think example.com/app/.git/ :)

regards,

mex

.

jaydipdave

Hi Antonio, Hi Mex,

:) Please dont take me so seriously. I am a "dummy" lua developer, who started this WAF for my hobby. Please bare with me.

I 100% agree that all the blacklisted folders/files (like /admin,.git, .svn) should be protected at Nginx config level. (Similar to .htaccess in apache).

I haven't see code of any WAF, so I dont know what to unscape and what to escape right now. Let me play with my WAF for few more months. (By the way, I got married recently and work in my office from 10am to 7pm, so no time at all :'( )

I dont want to get into the comparison with other WAFs who are in market since many years.

If you are interested in developing something new and unique, and if you know Lua, please fix my mistakes in the code and/or reshape the project. :)

I will keep contributing to the WAF, whenever I get time.

Thanks all for taking a look in the WAF.

Jaydeep

On Fri, Jan 17, 2014 at 3:56 PM, António P. P. Almeida <a...@perusio.net> wrote:

Based on a rather cursory look of your code I could not see any code that unescapes the URI.

Considering the many ways to encode there are just for SQL injections just doing simple matching without unescaping is not going
to cut it IMHO.

I join mex saying that 80% of the work should be done at the nginx config layer where you block URLs like .git,.svn, etc.

Then rely on the WAF for the things you can't do just using the nginx config language. Unescaping an URL is an example
of that.

----appa

On Fri, Jan 17, 2014 at 11:10 AM, mex <lazy....@gmail.com> wrote:

2014/1/17 Jaydeep Dave <jayd...@gmail.com>

Hi Mex,

Thanks for taking time in writing your feedback.

Naxsi is a full fledged low level WAF, very similar to mod_security. I would rather use mod_security

i completely disagree. mod_security is PITA when it comes to
implementation, cost-of-ownership, performance and rules_writing; and
i think it is only useful for netowners that have a 24/7 netsec-monitoring,

read BIG.

mod_security is as dead as apache in the field of
application_server_infrastructure and fast reverse_proxies like nginx,
/me thinx

> as it has a long range of rules available as well.

no, it doesnt cover actual and new threats and has a long long long
history of stupid bypasses.

and there is nothing like a commmunity that delivers new rules on
new threats, just owasp_bureaucracy :)

do you know the emerging threats community for snort rules?
this is how it should/could be.

I am trying to build here a high-level WAF, very brief but very effective. We can say an immediate pain pain reliever for small and medium e-business owners.

what is your definition of high-level vs low-lewel waf?

I am also experimenting with some "whitelisting approach" in QuickDefence, I will commit the changes once it is done.

Actually, I dont like writing rules. The rule writing facility is only for Virtual Patching of vulnerabilities and false positive removals.

yes, but because of the stupidity of some developers one needs that :(

what does a waf* protect against in your opinion? in my: 99% skiddos
and scanners, 0,99% configuration_issues and left_overs from devs.

when the rails_vulns came out last year i was more than happy that i could

write and deploy a sig within 1 hour to our rails-customers.

btw, nobody (i know) actually "writes" rules, but uses rules-generators

waf -> actual web application firewall and a set of good deny_rules,
think example.com/app/.git/ :)

regards,

mex

--
.

--
Regards,

Jaydeep Dave
Mobile: +919898456445

appa

Hello Jaydeep,

No intention of dissing your initiave. Quite the opposite it launched the discussion. Which reminds me that agentzh
spoke of a ngix + Lua based WAF they use at CloudFlare :)

Any plans to make it free software, at least for the engine, even if I can understand that you d'ont hare the rules?

Thanks,

----appa

On Fri, Jan 17, 2014 at 11:44 AM, Jaydeep Dave <jayd...@gmail.com> wrote:

Hi Antonio, Hi Mex,

:) Please dont take me so seriously. I am a "dummy" lua developer, who started this WAF for my hobby. Please bare with me.

I 100% agree that all the blacklisted folders/files (like /admin,.git, .svn) should be protected at Nginx config level. (Similar to .htaccess in apache).

I haven't see code of any WAF, so I dont know what to unscape and what to escape right now. Let me play with my WAF for few more months. (By the way, I got married recently and work in my office from 10am to 7pm, so no time at all :'( )

I dont want to get into the comparison with other WAFs who are in market since many years.

If you are interested in developing something new and unique, and if you know Lua, please fix my mistakes in the code and/or reshape the project. :)

I will keep contributing to the WAF, whenever I get time.

Thanks all for taking a look in the WAF.

Jaydeep

On Fri, Jan 17, 2014 at 3:56 PM, António P. P. Almeida <a...@perusio.net> wrote:

Based on a rather cursory look of your code I could not see any code that unescapes the URI.

Considering the many ways to encode there are just for SQL injections just doing simple matching without unescaping is not going
to cut it IMHO.

I join mex saying that 80% of the work should be done at the nginx config layer where you block URLs like .git,.svn, etc.

Then rely on the WAF for the things you can't do just using the nginx config language. Unescaping an URL is an example
of that.

----appa

On Fri, Jan 17, 2014 at 11:10 AM, mex <lazy....@gmail.com> wrote:

2014/1/17 Jaydeep Dave <jayd...@gmail.com>

Hi Mex,

Thanks for taking time in writing your feedback.

Naxsi is a full fledged low level WAF, very similar to mod_security. I would rather use mod_security

i completely disagree. mod_security is PITA when it comes to
implementation, cost-of-ownership, performance and rules_writing; and
i think it is only useful for netowners that have a 24/7 netsec-monitoring,

read BIG.

mod_security is as dead as apache in the field of
application_server_infrastructure and fast reverse_proxies like nginx,
/me thinx

> as it has a long range of rules available as well.

no, it doesnt cover actual and new threats and has a long long long
history of stupid bypasses.

and there is nothing like a commmunity that delivers new rules on
new threats, just owasp_bureaucracy :)

do you know the emerging threats community for snort rules?
this is how it should/could be.

I am trying to build here a high-level WAF, very brief but very effective. We can say an immediate pain pain reliever for small and medium e-business owners.

what is your definition of high-level vs low-lewel waf?

I am also experimenting with some "whitelisting approach" in QuickDefence, I will commit the changes once it is done.

Actually, I dont like writing rules. The rule writing facility is only for Virtual Patching of vulnerabilities and false positive removals.

yes, but because of the stupidity of some developers one needs that :(

what does a waf* protect against in your opinion? in my: 99% skiddos
and scanners, 0,99% configuration_issues and left_overs from devs.

when the rails_vulns came out last year i was more than happy that i could

write and deploy a sig within 1 hour to our rails-customers.

btw, nobody (i know) actually "writes" rules, but uses rules-generators

waf -> actual web application firewall and a set of good deny_rules,
think example.com/app/.git/ :)

regards,

mex

--
.

jaydipdave

Hi Antonio,

:) I completely understand. I am really thankful to you guys for at least discussing on the WAF.

CloudFlare implementation of Nginx & Lua is really a state of art.

The WAF is and will stay a free software and rules for all. I am working on a "Positive" approach engine. (kind of rule generator). I just want to help small and medium business owners. I will also try to create some CMS specific rule converters.

I will submit it as soon as it is developed.

Thanks,

Jaydeep

On Fri, Jan 17, 2014 at 6:32 PM, António P. P. Almeida <a...@perusio.net> wrote:

Hello Jaydeep,

No intention of dissing your initiave. Quite the opposite it launched the discussion. Which reminds me that agentzh
spoke of a ngix + Lua based WAF they use at CloudFlare :)

Any plans to make it free software, at least for the engine, even if I can understand that you d'ont hare the rules?

Thanks,

----appa

On Fri, Jan 17, 2014 at 11:44 AM, Jaydeep Dave <jayd...@gmail.com> wrote:

Hi Antonio, Hi Mex,

:) Please dont take me so seriously. I am a "dummy" lua developer, who started this WAF for my hobby. Please bare with me.

I 100% agree that all the blacklisted folders/files (like /admin,.git, .svn) should be protected at Nginx config level. (Similar to .htaccess in apache).

I haven't see code of any WAF, so I dont know what to unscape and what to escape right now. Let me play with my WAF for few more months. (By the way, I got married recently and work in my office from 10am to 7pm, so no time at all :'( )

I dont want to get into the comparison with other WAFs who are in market since many years.

If you are interested in developing something new and unique, and if you know Lua, please fix my mistakes in the code and/or reshape the project. :)

I will keep contributing to the WAF, whenever I get time.

Thanks all for taking a look in the WAF.

Jaydeep

On Fri, Jan 17, 2014 at 3:56 PM, António P. P. Almeida <a...@perusio.net> wrote:

Based on a rather cursory look of your code I could not see any code that unescapes the URI.

Considering the many ways to encode there are just for SQL injections just doing simple matching without unescaping is not going
to cut it IMHO.

I join mex saying that 80% of the work should be done at the nginx config layer where you block URLs like .git,.svn, etc.

Then rely on the WAF for the things you can't do just using the nginx config language. Unescaping an URL is an example
of that.

----appa

On Fri, Jan 17, 2014 at 11:10 AM, mex <lazy....@gmail.com> wrote:

2014/1/17 Jaydeep Dave <jayd...@gmail.com>

Hi Mex,

Thanks for taking time in writing your feedback.

Naxsi is a full fledged low level WAF, very similar to mod_security. I would rather use mod_security

i completely disagree. mod_security is PITA when it comes to
implementation, cost-of-ownership, performance and rules_writing; and
i think it is only useful for netowners that have a 24/7 netsec-monitoring,

read BIG.

mod_security is as dead as apache in the field of
application_server_infrastructure and fast reverse_proxies like nginx,
/me thinx

> as it has a long range of rules available as well.

no, it doesnt cover actual and new threats and has a long long long
history of stupid bypasses.

and there is nothing like a commmunity that delivers new rules on
new threats, just owasp_bureaucracy :)

do you know the emerging threats community for snort rules?
this is how it should/could be.

I am trying to build here a high-level WAF, very brief but very effective. We can say an immediate pain pain reliever for small and medium e-business owners.

what is your definition of high-level vs low-lewel waf?

I am also experimenting with some "whitelisting approach" in QuickDefence, I will commit the changes once it is done.

Actually, I dont like writing rules. The rule writing facility is only for Virtual Patching of vulnerabilities and false positive removals.

yes, but because of the stupidity of some developers one needs that :(

what does a waf* protect against in your opinion? in my: 99% skiddos
and scanners, 0,99% configuration_issues and left_overs from devs.

when the rails_vulns came out last year i was more than happy that i could

write and deploy a sig within 1 hour to our rails-customers.

btw, nobody (i know) actually "writes" rules, but uses rules-generators

waf -> actual web application firewall and a set of good deny_rules,
think example.com/app/.git/ :)

regards,

mex

--
.

--
Regards,

Jaydeep Dave
Mobile: +919898456445