From 6f32ac130853e49e7d979d4e431b8e7cecbcf67d Mon Sep 17 00:00:00 2001
From: 0xInfection <theinfecteddrake@gmail.com>
Date: Tue, 2 Apr 2019 20:39:40 +0530
Subject: [PATCH] Added some changes to existing fingerprints

---
 README.md | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 87aea6f..79787d7 100644
--- a/README.md
+++ b/README.md
@@ -1036,6 +1036,21 @@ Wanna fingerprint WAFs? Lets see how.
             </ul>
         </td>
     </tr>
+    <tr>
+        <td>
+            Nemesida Firewall
+        </td>
+        <td>
+            <ul>
+                <li><b>Detectability: </b>Difficult</li>
+                <li><b>Detection Methodology:</b></li>
+                <ul>
+                    <li>Blocked response page conatins <code>Suspicious activity detected. Access to the site is blocked.</code>.</li>
+                    <li>Contains reference to email <code>nwaf@{site.tld}</code></li>
+                </ul>
+            </ul>
+        </td>
+    </tr>
     <tr>
         <td>
             Netcontinuum (Barracuda)
@@ -1392,7 +1407,7 @@ Wanna fingerprint WAFs? Lets see how.
                     <li>Response page contains either of the following text snippet:</li>
                     <ul>
                         <li>Image displaying <code>beyondtrust</code> logo.</li>
-                        <li><code>SecureIIS Web Server Protection.</code></li>
+                        <li><code>Download SecureIIS Personal Edition</code></li>
                         <li>Reference to <code>http://www.eeye.com/SecureIIS/</code> URL.</li>
                         <li><code>SecureIIS Error</code> text snippet.</li>
                     </ul>
@@ -1615,8 +1630,10 @@ Wanna fingerprint WAFs? Lets see how.
                     <li>Response headers may contain <code>Sucuri</code> or <code>Cloudproxy</code> keywords.</li>
                     <li>Blocked response page contains the following text snippet:</li>
                     <ul>
-                        <li><code>Access Denied</code> and <code>Sucuri Website Firewall</code> texts.</li>
-                        <li>Email <code>cloudproxy@sucuri.net</code>.</li>
+                        <li><code>Access Denied - Sucuri Website Firewall</code> text.</li>
+                        <li>Reference to <code>https://sucuri.net/privacy-policy</code> URL.</li>
+                        <li>Sometimes the email <code>cloudproxy@sucuri.net</code>.</li>
+                        <li>Contains copyright notice <code>;copy {year} Sucuri Inc</code>.</li>
                     </ul>
                     <li>Response headers contains <code>X-Sucuri-ID</code> header along with normal requests.</li>
                 </ul>
@@ -2289,6 +2306,7 @@ Content-Length: 115
 ```
 
 The following table shows the support of different character encodings on the tested systems (when messages could be obfuscated using them):
+> __TIP:__ You can use [this small python script](others/obfu.py) to convert your payloads and parameters to your desired encodings.
 
 <table>
     <tr>