whitelists bnf
Whitelists are meant to instruct naxsi to ignore specific patterns in specific context(s) to avoid false positives.
ie. Allow the ' character in the field named term at url /search :
BasicRule wl:1013 "mz:$ARGS_VAR:term|$URL:/search";
Whitelists can be present at location level (BasicRule) or at http level (MainRule).
Whitelists have the following syntax :
Everything must be quoted with double quotes, except the wl part.
Which rule ID(s) are whitelisted. Possible syntax are:
-
wl:0: Whitelist all rules -
wl:42: Whitelist rule#42 -
wl:42,41,43: Whitelist rules42,41and43 -
wl:-42: Whitelist all user rules (>= 1000), excepting rule42
note: you can't mix negative and positive ID(s) in whitelists
Please refer to Match Zones for details.
mz is the match-zone, specifying in which part(s) of the request the specified ID(s) must be ignored.
In whitelist context, all conditions specificied in the mz must be satisfied :
BasicRule wl:4242 "mz:$ARGS_VAR:foo|$URL:/x";
ignore id 4242 in GET var named foo only on URL /x
As for rules, $URL* in match-zone is not enough to specify the target zone.
- A zone (ARGS,BODY,HEADERS) can be suffixed with
|NAME, meaning the rule matched in the name of the variable, but not its content. -
RAW_BODYwhitelists are written just as anyBODYwhitelist, see Whitelists Examples - A whitelist can't mix
_Xelements with_VARor$URLitems. ie:
$URL_X:/foo|$ARGS_VAR:bar : WRONG
$URL_X:^/foo$|$ARGS_VAR_X:^bar$ : GOOD
You can also whitelist by IP/CIDR and all the rules will not be blocked for these ips but logs will be generated. For more details look here: IgnoreIP and IgnoreCIDR