
Web Application Firewall: Manage rule libraries

Last Updated: Nov 22, 2024

When you use Web Application Firewall (WAF) 3.0, you can view all built-in protection rules and configure custom protection rules for hybrid cloud protection on the Rule Libraries page. This topic describes how to manage protection rules on the Rule Libraries page.

Built-in protection rules

Built-in protection rules are maintained and updated by the Alibaba Cloud security team. You can only view built-in protection rules.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region. In the left-side navigation pane, choose Detection and Response > Rule Libraries.

  2. Click the System Protection Rules tab. The left side of the tab displays the rule information, and the right side of the tab displays the rule update status.

Custom protection rules

Only users who add web services to WAF in hybrid cloud mode can view the Custom Protection Rules tab. You can create, view, modify, and delete custom protection rules on the Rule Libraries page.

Create a custom protection rule

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the left-side navigation pane, choose Detection and Response > Rule Libraries.

  3. Click the Custom Protection Rules tab and click Create Rule. Then, configure the parameters and click OK.

    | Parameter | Description |
    | --- | --- |
    | Rule Name | The name of the custom protection rule, which can contain letters, digits, periods (.), underscores (_), and hyphens (-). |
    | Module Name | Valid values include SQL Injection, XSS, Code Execution, CRLF, Local File Inclusion, Remote File Inclusion, Webshell, Others, OS Command Injection, Expression Injection, Java Deserialization, PHP Deserialization, SSRF, Path Traversal, Protocol Non-compliance, Arbitrary File Upload, and File Inclusion. |
    | Rule Level | The level of the custom protection rule. Valid values: Loose, Medium, Strict, and Super Strict. |
    | Status | The status of the custom protection rule. By default, a custom protection rule is disabled. To enable a custom protection rule, go to the required protection rule template and click Configure Engine. |
    | Action | The action of the custom protection rule. By default, the action is Block. To change the action, go to the Basic Protection Rule section and click Configure Engine. |
    | Rule Description | The conditions and purpose of the custom protection rule. This parameter is optional. |
    | Match Field | The characteristics of requests that you want the custom protection rule to match. |

    You can add up to 10 conditions to a custom protection rule. If you specify multiple conditions, the custom protection rule is considered hit only when all conditions are matched.

    Each match condition consists of the Match Field, Logical Operator, and Match Content parameters. Examples:

    • Example 1: Set the Match Field parameter to URI, the Logical Operator parameter to Contains, and the Match Content parameter to /login.php. If the URI of a request contains /login.php, the request matches the rule.

    • Example 2: Set the Match Field parameter to IP, the Logical Operator parameter to Belongs To, and the Match Content parameter to 192.1X.XX.XX. If a request is sent from a client whose IP address is 192.1.XX.XX, the request matches the rule.

    For more information about the match fields and logical operators, see Match conditions.

    Note

    You can create up to 200 custom protection rules for an Alibaba Cloud account or a Resource Access Management (RAM) user.

  4. If the message "The operation is successful." appears, the custom protection rule is created.

Enable a custom protection rule

If you want to associate a custom protection rule with a protected object after you create the custom protection rule, you must enable the custom protection rule in the Configure Engine panel.

  1. In the left-side navigation pane, choose Protection Configuration > Basic Web Protection. In the Basic Protection Rule section of the Basic Web Protection page, find the required protection rule template and click Edit in the Actions column.

  2. In the Edit - Basic Protection Rule panel, click Configure Engine. In the Configure Engine panel, find your rule and turn on Status.

Modify a custom protection rule

In the Custom Rule section, find the custom protection rule that you want to modify and click Edit in the Actions column. In the Edit Rule dialog box, you can edit the rule name, rule level, rule status, rule description, and match fields. After you modify the rule, click OK. After the message indicating that the operation is successful appears, you can view the updated rule information.

Delete a custom protection rule

In the Custom Rule section, find the custom protection rule that you want to delete and click Delete in the Actions column.

Important

If a custom protection rule is deleted, the rule no longer takes effect and is synchronously deleted in the engine even if the custom protection rule is enabled in the engine.

Fields in match conditions

Supported match fields

| Field | Description | Supported logical operator |
| --- | --- | --- |
| Filename | Matches the complete file name in the request. Example: abc.php. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| URI PATH | Matches the request URI, which excludes request parameters. In this case, the URI is equivalent to a path. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| RAW-URL | Matches the request URI, which excludes request parameters. Decoding is not performed. Example: %2Ftest.php. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| URI | Matches a URI, which excludes a domain name. Example: /login.php?a=1. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| Http-Method | Matches the request method. Examples: GET, POST, DELETE, PUT, OPTIONS, CONNECT, HEAD, TRACE, and PATCH. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| Directory | Matches the complete path, including the URI and file. Example: /abc/123.txt. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| Param | Matches the parameters and parameter names, which follow a question mark. Example: ?a=b. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| Raw-Header | Matches the complete request header. Decoding is not performed. Key-value pairs are not split. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| Body | Matches the complete request body. Key-value pairs are not split. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| File Extension | Matches the file name extension in the URL. Example: .jspa. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |


| Field | Description | Supported logical operator |
| --- | --- | --- |
| Multipart-Keys | Matches the file name based on the Content-Type: multipart/form-data field in the request. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| Multipart-Values | Matches the file content based on the Content-Type: multipart/form-data field in the request. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| Header-Keys | Matches the key-value pairs in the header. The key is matched. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| Header-Values | Matches the key-value pairs in the header. The value is matched. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| Post-Arg-Keys | Matches the parameter names in the body, which is in the form format. Example: k=v. The key is matched. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| Post-Arg-Values | Matches the parameter values in the body, which is in the form format. Example: k=v. The value is matched. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| Query-Arg-Keys | Matches the parameter names in the URL. Example: /test.php?k=v. The key is matched. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| Query-Arg-Values | Matches the parameter values in the URL. Example: /test.php?k=v. The value is matched. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| Cookie-Keys | Matches the parameter names in the cookie. Example: cookie: a=b;c=d. The key a or c is matched. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
| Cookie-Values | Matches the parameter values in the cookie. Example: cookie: a=b;c=d. The value b or d is matched. | Contains, Regular Expression Match, Equals, Prefix Match, and Suffix Match |
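
The following local model is an added example, not Alibaba Cloud code, and it does not call any WAF API. It shows how the match fields above split one request and how a rule with several conditions is evaluated as a logical AND, as described under Match Field. The function names, the single round of percent-decoding for fields other than RAW-URL, the "any value matches" handling of multi-valued fields, and the rejection of empty rules are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

MAX_CONDITIONS = 10  # per-rule limit stated on this page

# The five logical operators listed in the match-field table.
OPERATORS = {
    "Contains": lambda value, content: content in value,
    "Equals": lambda value, content: value == content,
    "Prefix Match": lambda value, content: value.startswith(content),
    "Suffix Match": lambda value, content: value.endswith(content),
    "Regular Expression Match": lambda value, content: re.search(content, value) is not None,
}

def extract_fields(method, raw_url, headers):
    """Map a request onto a subset of the match fields (field -> list of values).

    Assumption: RAW-URL stays undecoded (as the page states) and the other
    URL-derived fields are percent-decoded once.
    """
    parts = urlsplit(raw_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    cookie = next((v for k, v in headers.items() if k.lower() == "cookie"), "")
    cookies = [c.strip().split("=", 1) for c in cookie.split(";") if "=" in c]
    return {
        "Http-Method": [method],
        "RAW-URL": [parts.path],
        "URI PATH": [unquote(parts.path)],
        "Query-Arg-Keys": [k for k, _ in query],
        "Query-Arg-Values": [v for _, v in query],
        "Header-Keys": list(headers),
        "Header-Values": list(headers.values()),
        "Cookie-Keys": [k for k, _ in cookies],
        "Cookie-Values": [v for _, v in cookies],
    }

def rule_matches(conditions, fields):
    """Return True only when every (field, operator, content) condition matches.

    Assumptions: a multi-valued field matches if any of its values matches,
    and an empty rule is rejected rather than treated as matching everything.
    """
    if not conditions or len(conditions) > MAX_CONDITIONS:
        raise ValueError("a rule needs 1 to 10 match conditions")
    return all(
        any(OPERATORS[op](value, content) for value in fields.get(field, []))
        for field, op, content in conditions
    )

# Constructed sample request, reusing the page's own example values.
SAMPLE = extract_fields("GET", "/abc/%2Ftest.php?k=v&a=1",
                        {"Host": "example.com", "Cookie": "a=b;c=d"})
```

Running candidate conditions through such a model before creating the rule shows which field a given Match Content string applies to: here %2Ftest.php is found in RAW-URL but not in the decoded URI PATH value.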