Configure protection rules and rule groups for the basic protection rule module - Web Application Firewall

After you add web services to Web Application Firewall (WAF), you can configure protection rules and rule groups for the basic protection rule module to protect the web services from common web application attacks, such as SQL injection attacks, cross-site scripting (XSS) attacks, code executions, webshell uploads, and command injection attacks. This topic describes how to configure protection rules and rule groups for the basic protection rule module.

Background information

Decoding

The basic protection rule module supports 23 decoding formats.

The module can parse data in various formats to improve detection accuracy. The data formats include JSON, XML, and Multipart.
The module can identify data that is encoded to bypass WAF to improve the recall rate of detection. The encoding formats include Unicode encoding and HTML entity encoding.

Supported detection modules

Rules Engine (enabled by default)
This detection module identifies known attack modes based on predefined rules and defends against common web application attacks.
- WAF provides the following Default rule groups:
  - Medium Rule Group: By default, this rule group is selected.
  - Loose Rule Group: If you want to reduce false positives, we recommend that you select this rule group.
  - Strict Rule Group: If you want WAF to strictly block attacks, we recommend that you select this rule group.
- You can also configure Custom rule groups based on your business requirements.
Semantic Engine (enabled by default)
This detection module analyzes the content and context of requests to comprehend the semantics and syntax structure. This helps identify unknown attacks and defend against SQL injection attacks. You can use the module to protect your web services in a more intelligent manner.
Intelligent O&M (disabled by default)
WAF performs intelligent learning based on historical service traffic and identifies protection rules that may cause false positives. Then, WAF adds the URLs that are incorrectly blocked to the intelligent whitelist. This prevents normal requests from being blocked.

Supported protection templates

Protection template		Default	Custom
Creation method		Built-in.	Manually created.
Detection module	Rules Engine	By default, this detection module is enabled, and Medium Rule Group and Block are selected.	You can set the Rule Group Type parameter to a default or custom rule group and configure the Action parameter based on your business requirements.
	Semantic Engine	By default, this detection module is enabled, Monitor is selected, and Complete SQL Statement Detection is turned on. If the switch is turned on, the module detects non-injection attacks.	You can configure the Action and Complete SQL Statement Detection parameters based on your business requirements.
	Intelligent O&M	By default, this detection module is disabled.	You can turn on or turn off Intelligent Whitelist based on your business requirements.
Effective scope		Protected objects or protected object groups that are added to WAF but are not associated with a custom protection template.	Selected protected objects or protected object groups.

Prerequisites

A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
A pay-as-you-go WAF instance or a subscription WAF instance that runs the Enterprise or Ultimate edition is available. Make sure that this prerequisite is met if you want to create a custom rule group.
Web services are added to WAF 3.0 as protected objects. For more information, see Configure protected objects and protected object groups.

Create a custom rule group

You can create a custom rule group from scratch or from a default rule group.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Protection Configuration > Basic Web Protection.
In the Basic Protection Rule section, click Rule Groups.
On the Rule Groups page, click Create Rule Group.

In the Configure Basic Information of Rule Group step, configure the parameters and click Next. The following table describes the parameters.

Important

After a custom rule group is created, you cannot modify the basic information about the rule group.

Parameter	Description
Rule Group Name	Specify a name for the rule group. The name of the rule can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Select Protection Template	Select a rule template for the rule group. Valid values: Create from Scratch: No template is specified. You must manually add rules. Important If you select this option, Automatic Update is turned off and cannot be turned on. Use Default Rule Group: You can select a default rule group, including Loose Rule Group, Medium Rule Group, and Strict Rule Group.
Automatic Update	If you enable this feature, rules that are added to or removed from the selected default rule group are automatically synchronized to the current custom rule group. Important After the custom rule group is created, you cannot enable or disable this feature. You can enable or disable this feature only if you select Use Default Rule Group for Select Protection Template.

In the Configure Protection Rules step, click Add Rule. In the Add Rule dialog box, select the rules that you want to add to the rule group. You can enter a rule ID or CVE ID to search for a rule. You can also configure the Risk Level, Protection Rule Type, and Application Type parameters to search for a rule. Then, click Add. You can also click Add All to add all rules to the rule group.
Note
- If you select Use Default Rule Group for Select Protection Template in Step 5 and the rules you want to add are included in the selected default rule group, you can skip this step.
- Rules in the rule list are sorted in descending order based on the update time.
If you want to remove a rule after it is added, you can enter the rule ID or CVE ID of the rule in the rule list to search for the rule. You can also configure the Risk Level, Protection Rule Type, and Application Type parameters to search for the rule. Then, select the rule and click Remove below the rule list. You can also click Clear All to remove all rules.
Click Next. In the Complete step, click Complete.
After you create a rule group, you can perform the following operations on the rule group in the rule group list:
- Click the number in the Number of Built-in Rules column to view the built-in rules of the rule group.
- Click Edit, Copy, or Delete in the Actions column to modify, copy, or delete the rule group.
  Note
  - You cannot modify the basic information about a rule group.
  - The default name of a copied rule group is in the Original rule group name-copy format. A copied rule group is not associated with protected objects.
  - You cannot delete a rule group that is associated with a protection template. If you want to delete the rule group, you must dissociate the rule group from the protection template.

Create a protection template of the basic protection rule module

In the left-side navigation pane, choose Protection Configuration > Basic Web Protection.
In the Basic Protection Rule section of the Basic Web Protection page, click Create Template.
Note
If this is your first time to create a protection template of the basic protection rule module, you can also click Configure Now in the Basic Protection Rule card in the upper part of the Basic Web Protection page.

In the Create Template - Basic Protection Rule panel, configure the parameters and click OK. The following table describes the parameters.

Note

By default, a newly created protection template is enabled.

Parameter	Description
Template Information	Template Name: Specify a name for the template. The name of the rule can contain letters, digits, periods (.), underscores (_), and hyphens (-). Save as Default Template: Specify whether to set the template as the default template of the protection module. You can specify only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure the Apply To parameter. A default template is applied to all protected objects and protected object groups to which no custom protection templates are applied.
Rule Configuration	Action: Specify the action that you want WAF to perform on requests that match the rule. Valid values: Block: blocks a request that matches the rule and returns a block page to the client that initiates the request. Note By default, WAF returns a preconfigured block page. You can use the custom response feature to configure a custom block page. For more information, see Configure protection rules for the custom response module to configure custom block pages. Monitor: records a request that matches the rule in a log and does not block the request. You can query the logs of requests that match the rule and analyze the protection performance. For example, you can query logs to check whether normal requests are blocked. Important You can query logs only if the Simple Log Service for WAF feature is enabled. For more information, see Enable or disable the Simple Log Service for WAF feature. If you select Monitor, you can perform a dry run on the rule to check whether the rule blocks normal requests. If the rule passes the dry run, you can set the Action parameter to Block. Note On the Security Reports page, you can query the details of matched rules in Monitor or Block mode. For more information, see Security reports. Rule Group Type: Select the type of the rule group with which you want to associate the template and then select the rule group that you want to use. Valid values: Default: If you select this option, the template is associated with a default rule group. You can select Loose Rule Group, Medium Rule Group, or Strict Rule Group from the drop-down list. Custom: If you select this option, the template is associated with a custom rule group. You must select a custom rule group from the drop-down list. For more information about how to create a rule group, see Create a custom rule group.
Semantic Engine	By default, Semantic Engine is enabled to defend against SQL injection attacks. You can also turn on Complete SQL Statement Detection below Semantic Engine to detect non-injection attacks. For more information, see Complete SQL Statement Detection. Note The following list describes the difference between SQL injection attacks and non-injection attacks: SQL injection attacks: Requests contain malicious SQL code, such as `/query.php?name='and 1=1%23`. Non-injection attacks: Requests contain complete SQL statements, such as `/query.php?sql=select name from users where 1=1%23`. You can configure the following parameters in the Semantic Engine section: Action: Specify the action that you want WAF to perform on requests that match the rule. Valid values: Block: blocks a request that matches the rule and returns a block page to the client that initiates the request. Note By default, WAF returns a preconfigured block page. You can use the custom response feature to configure a custom block page. For more information, see Configure protection rules for the custom response module to configure custom block pages. Monitor: records a request that matches the rule in a log and does not block the request. You can query the logs of requests that match the rule and analyze the protection performance. For example, you can query logs to check whether normal requests are blocked. Important You can query logs only if the Simple Log Service for WAF feature is enabled. For more information, see Enable or disable the Simple Log Service for WAF feature. If you select Monitor, you can perform a dry run on the rule to check whether the rule blocks normal requests. If the rule passes the dry run, you can set the Action parameter to Block. Note On the Security Reports page, you can query the details of matched rules in Monitor or Block mode. For more information, see Security reports. Complete SQL Statement Detection (enabled by default) If WAF detects non-injection attacks, WAF performs the specified action on the attacks. For example, if a request contains `/query.php?sql=select name from users where 1=1%23`, WAF identifies the request as an attack request. Note If tools such as phpMyAdmin or Adminer are used to analyze your business data, we recommend that you disable non-injection attack detection.
Protocol Compliance	Different programming languages have different levels of format processing requirements for HTTP requests. This may cause vulnerabilities that can be exploited to bypass WAF, such as file uploads. The protocol compliance feature checks whether HTTP requests use the correct formats at the protocol layer to prevent vulnerabilities and attacks. The protocol compliance feature is supported only for pay-as-you-go WAF instances and subscription WAF instances that run the Enterprise or Ultimate edition.
Intelligent O&M	After you turn on Intelligent Whitelist, WAF performs intelligent learning based on historical service traffic and identifies protection rules that may cause false positives. Then, WAF adds the URLs that are incorrectly blocked to the intelligent whitelist. This prevents normal requests from being blocked. Protection rules of the whitelist module are automatically created. You can view the protection rules in the AutoTemplate protection template in the Whitelist section of the Basic Web Protection page. For more information, see Configure protection rules of the whitelist module to allow specific requests. Note The intelligent whitelist feature is supported only for pay-as-you-go WAF instances and subscription WAF instances that run the Enterprise or Ultimate edition.
Apply To	Select the Protected Objects and Protected Object Group to which you want to apply the template. You can apply only one template of a protection module to a protected object or protected object group. For more information about how to add protected objects and create protected object groups, see Configure protected objects and protected object groups.

After you create a protection template, you can perform the following operations on the protection template in the protection template list:

View the numbers of protected objects and protected object groups that are associated with the template in the Protected Object/Group column.
Turn on or turn off the switch in the Status column to enable or disable the template.
Click Edit or Delete in the Actions column to modify or delete the template.
Click Delivery Record in the Actions column to view the automatically created protection rules of the whitelist module. If you turned on Intelligent Whitelist when you created the template, the icon is displayed next to the name of the template. If you did not turn on Intelligent Whitelist when you created the template, the icon is displayed next to the name of the template. You can directly turn on the switch in the Intelligent Whitelist column.
Click the icon to the left of the template name to view the protection rules in the template.

You can click Rule Groups in the Basic Protection Rule section to view the associated protection templates of each rule group.

What to do next

On the Basic Protection Rule tab of the Security Reports page, you can view the protection details of the configured protection rules. For example, you can find the ID of a protection rule and click View Details in the Actions column to view the protection details of the rule. For more information, see Basic protection rule module.

Important

You cannot search for a protection rule of the basic protection rule module by rule ID on the Basic Web Protection page. If a protection rule blocks normal traffic, you can configure the whitelist module to add the rule to the whitelist. For more information about how to configure the whitelist module, see Configure protection rules of the whitelist module to allow specific requests.

References

For more information about the protection objects, protection modules, and protection process of WAF 3.0, see Protection configuration overview.
For more information about how to create a protection template by calling an API operation, see CreateDefenseTemplate.
For more information about how to create a protection rule by calling an API operation, see CreateDefenseRule.