All Products
Search
Document Center

Web Application Firewall:Manage rule libraries

Last Updated:Nov 25, 2024

When you use Web Application Firewall (WAF) 3.0, you can view all built-in protection rules and configure custom protection rules for hybrid cloud protection on the Rule Libraries page. This topic describes how to manage protection rules on the Rule Libraries page.

Built-in protection rules

Built-in protection rules are maintained and updated by the Alibaba Cloud security team. You can only view built-in protection rules.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region. In the left-side navigation pane, choose Detection and Response > Rule Libraries.

  2. Click the System Protection Rules tab. The left side of the tab displays the rule information, and the right side of the tab displays the rule update status.

Custom protection rules

Only users who add web services to WAF in hybrid cloud mode can view the Custom Protection Rules tab. You can create, view, modify, and delete custom protection rules on the Rule Libraries page.

Create a custom protection rule

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the left-side navigation pane, choose Detection and Response > Rule Libraries.

  3. Click the Custom Protection Rules tab and click Create Rule. Then, configure the parameters and click OK.

    Parameter

    Description

    Rule Name

    The name of the custom protection rule, which can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Module Name

    Valid values include SQL Injection, XSS, Code Execution, CRLF, Local File Inclusion, Remote File Inclusion, Webshell, Others, OS Command Injection, Expression Injection, Java Deserialization, PHP Deserialization, SSRF, Path Traversal, Protocol Non-compliance, Arbitrary File Upload, and File Inclusion.

    Rule Level

    The level of the custom protection rule. Valid values: Loose, Medium, Strict, and Super Strict.

    Status

    The status of the custom protection rule. By default, a custom protection rule is disabled. To enable a custom protection rule, go to the required protection rule template and click Configure Engine.

    Action

    The action of the custom protection rule. By default, the action is Block. To change the action, go to the Basic Protection Rule section and click Configure Engine.

    Rule Description

    The conditions and purpose of the custom protection rule. This parameter is optional.

    Match Field

    The characteristics of requests that you want the custom protection rule to match.

    You can add up to 10 conditions to a custom protection rule. If you specify multiple conditions, the custom protection rule is considered hit only when all conditions are matched.

    Each match condition consists of the Match Field, Logical Operator, and Match Content parameters. Examples:

    • Example 1: Set the Match Field parameter to URI, the Logical Operator parameter to Contains, and the Match Content parameter to /login.php. If the URI of a request contains /login.php, the request matches the rule.

    • Example 2: Set the Match Field parameter to IP, the Logical Operator parameter to Belongs To, and the Match Content parameter to 192.1X.XX.XX. If a request is sent from a client whose IP address is 192.1.XX.XX, the request matches the rule.

    For more information about the match fields and logical operators, see Match conditions.

    Note

    You can create up to 200 custom protection rules for an Alibaba Cloud account or a Resource Access Management (RAM) user.

  4. If the The operation is successful. message appears, the custom protection rule is created.

Enable a custom protection rule

If you want to associate a custom protection rule with a protected object after you create the custom protection rule, you must enable the custom protection rule in the Configure Engine panel.

  1. In the left-side navigation pane, choose Protection Configuration > Basic Web Protection. In the Basic Protection Rule section of the Basic Web Protection page, find the required protection rule template and click Edit in the Actions column.

  2. In the Edit - Basic Protection Rule panel, click Configure Engine. In the Configure Engine panel, find your rule and turn on Status.

Modify a custom protection rule

In the Custom Rule section, find the custom protection rule that you want to modify and click Edit in the Actions column. In the Edit Rule dialog box, you can edit the rule name, rule level, rule status, rule description, and match fields. After you modify the rule, click OK. After the message indicating that the operation is successful appears, you can view the information about the rule after modification.

Delete a custom protection rule

In the Custom Rule section, find the custom protection rule that you want to delete and click Delete in the Actions column.

Important

If a custom protection rule is deleted, the rule no longer takes effect and is synchronously deleted in the engine even if the custom protection rule is enabled in the engine.

Fields in match conditions

Supported match fields

Field

Description

Supported logical operator

Filename

Matches the complete file in the request. Example: abc.php.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

URI PATH

Matches the request URI, which excludes request parameters. In this case, the URI is equivalent to a path.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

RAW-URL

Matches the request URI, which excludes request parameters. Decoding is not performed. Example: %2Ftest.php.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

URI

Matches a URI, which excludes a domain name. Example: /login.php?a=1.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

Http-Method

Matches the request method. Examples: GET, POST, DELETE, PUT, OPTIONS, CONNECT, HEAD, TRACE, and PATCH.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

Directory

Matches the complete path, including the URI and file. Example: /abc/123.txt.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

Param

Matches the parameters and parameter names, which follow a question mark. Example: ?a=b.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

Raw-Header

Matches the complete request header. Decoding is not performed. Key-value pairs are not split.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

Body

Matches the complete request body. Key-value pairs are not split.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

File Extension

Matches the file name extension in the URL. Example: .jspa.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

Multipart-Keys

Matches the file name based on the Content-Type: multipart/form-data field in the request.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

Multipart-Values

Matches the file content based on the Content-Type: multipart/form-data field in the request.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

Header-Keys

Matches the key-value pairs in the header. The key is matched.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

Header-Values

Matches the key-value pairs in the header. The key value is matched.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

Post-Arg-Keys

Matches the parameter names in the body, which is in the form format. Example: k=v. The key is matched.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

Post-Arg-Values

Matches the parameter values in the body, which is in the form format. Example: k=v. The key value is matched.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

Query-Arg-Keys

Matches the parameter names in the URL. Example: /test.php?k=v. The key is matched.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

Quer-Arg-Values

Matches the parameter values in the URL. Example: /test.php?k=v. The key value is matched.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

Cookie-Keys

Matches the parameter names in the cookie. Example: cookie: a=b;c=d. The key a or c is matched.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match

Cookie-Values

Matches the parameter values in the cookie. Example: cookie: a=b;c=d. The key value b or d is matched.

Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match