NGINX App Protect WAF Release 4.0

November 29, 2022

In this release, NGINX App Protect WAF supports NGINX Plus R28.

This release includes new signatures for Anti Automation (bot defense):

Added the following Spam Bot bot signatures: RealStresser, AraTurka, Ocarinabot, A Fake Google Certificates Bridge
Added the following Exploit Tool bot signatures: RealityCheats, Root S, Report Runner, Momentum, 103scUWU
Added the following Service Agent bot signatures: AppDynamics, Blackbox Exporter, B2B Bot, BlogTraffic, Fyrebot, CipaCrawler, redditbot, jpg-newsbot, Elastic-Heartbeat, W3C-mobileOK, WGETbot, BoxcarBot, DynatraceSynthetic, Rackspace Monitoring, Site24x7, webchk
Added the following Crawler bot signatures: blogmuraBot Crawler, contxbot, SocialRankIO Bot, DataProvider crawler, Speedy Spider, SiteExplorer, Taboolabot, Eyeotabot, Mappy, PiplBot, PR-CY.RU, NTENTbot, FemtosearchBot, CrunchBot, Whoiswebsitebot, CC Metadata Scaper, eright, wp.com feedbot, G2 Web Services, duedil crawler, IT Stuttgart Crawler, 2ip.ru CMS Crawler, startmebot, StorygizeBot
Added the following Social Media Agent bot signatures: @LinkArchiver twitter bot
Added the following Site Monitor bot signatures: Uptime-Kuma, Google-Structured-Data-Testing-Tool, Dubbotbot
Added the following RSS Reader bot signatures: rssbot
Added the following Network Scanner bot signatures: Baidu-YunGuanCe-SLABot

6561 Fixed - Some updates to NGINX App Protect WAF policy template as listed below:
1. The policy field enablePassiveMode is not supported in NGINX App Protect WAF and has been removed from configurable elements.
2. HTTP protocol compliance sub-violation “Check maximum number of cookies” is now enabled by default. A request which contains over 100 cookies will be marked illegal.