WAF Rule Sets

Web Application Firewall (WAF) lets you create rule sets that protect your edge applications against families of threats.

Each detected threat receives a score and is processed according to the sensitivity level you set. If a request contains more than one case of the same threat type, the score increases.

After creating a rule set, you also need to create a rule in Rules Engine for Edge Firewall to execute the criteria and behavior.

Scope | Source
Rule set | How to create a WAF rule set

The Threat Type Configuration table is available in the Main Settings tab of a WAF configuration. Threats are categorized into families, according to the purpose of the attack.

Threat family | Description
SQL Injection | Detects attack attempts that inject SQL code into the application
Remote File Inclusions (RFI) | Detects attempts to include files, usually through scripts on the web server
Directory Traversal | Prevents exploitation of insufficient sanitization of user-supplied file name fields, where characters representing shortcuts to the parent directory are passed through to the file API
Cross-Site Scripting (XSS) | Prevents the injection of client-side scripts into pages viewed by your visitors
File Upload | Detects attempts to upload files to the web server
Evading Tricks | Protects against coding tricks used to try to evade protective mechanisms
Unwanted Access | Detects attempts to access administrative or vulnerable pages, bots, and security scanning tools
Identified Attack | Prevents several types of common attacks and known vulnerabilities that should certainly be blocked

A request is blocked by WAF if its score is greater than or equal to the threshold of the configured sensitivity level. You can set one sensitivity level for each threat family.

Sensitivity | Description and WAF score threshold
Lowest | The request is considered a threat only if it presents very strong evidence and receives a score equal to or greater than 40. This sensitivity offers less protection for your applications, but it also lowers the chance of false positives
Low | The request is considered a threat only if it presents very strong evidence and receives a score equal to or greater than 24. This sensitivity offers less protection for your applications, but it also lowers the chance of false positives
Medium | Recommended sensitivity level. The request is considered a threat if it presents sufficient evidence and receives a score equal to or greater than 16
High | At the slightest hint of a threat, the request may be blocked: a score equal to or greater than 8 is enough. This level of sensitivity may produce more false positives if the learning stage doesn't cover enough of the variability of scenarios and uses of your application
Highest | At the slightest hint of a threat, the request may be blocked: a score equal to or greater than 4 is enough. This level of sensitivity may produce more false positives if the learning stage doesn't cover enough of the variability of scenarios and uses of your application
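The following simulator is an added example, not Azion's code, written to make the scoring model above concrete: each case of a threat family found in a request adds to that family's score, and the request is blocked when any family's score reaches the threshold of the sensitivity level configured for it. The threshold values are the ones in the table; the two toy signatures and the per-case weights are assumptions invented for the demo, since the page does not publish the WAF's real rules or weights.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Score threshold at which each sensitivity level treats a request as a threat
# (values from the sensitivity table on this page).
SENSITIVITY_THRESHOLD = {
    "lowest": 40,
    "low": 24,
    "medium": 16,
    "high": 8,
    "highest": 4,
}

# ASSUMPTION: toy signatures for two threat families, used only so the demo can
# count "cases" in a request. They are not the WAF's real rule set.
TOY_SIGNATURES = {
    "xss": re.compile(r"<script\b", re.IGNORECASE),
    "directory_traversal": re.compile(r"\.\./"),
}

# ASSUMPTION: points added per matching case; the real weights are not on the page.
ASSUMED_CASE_WEIGHT = {"xss": 8, "directory_traversal": 8}


@dataclass
class Decision:
    blocked: bool
    scores: dict = field(default_factory=dict)   # family -> accumulated score
    triggered: list = field(default_factory=list)  # families at/over threshold


def count_cases(params):
    """Count matching cases per threat family over all request parameter values.

    Several cases of the same family in one request are counted separately,
    which is what makes the family's score increase.
    """
    cases = defaultdict(int)
    for value in params.values():
        for family, pattern in TOY_SIGNATURES.items():
            cases[family] += len(pattern.findall(value))
    return {family: n for family, n in cases.items() if n}


def score_cases(cases):
    """Turn case counts into per-family scores."""
    return {family: n * ASSUMED_CASE_WEIGHT[family] for family, n in cases.items()}


def evaluate(params, sensitivity_by_family):
    """Decide whether a request is blocked.

    sensitivity_by_family maps a threat family to one sensitivity level; families
    not listed fall back to "medium", the level the page recommends.
    """
    scores = score_cases(count_cases(params))
    triggered = sorted(
        family
        for family, score in scores.items()
        if score >= SENSITIVITY_THRESHOLD[sensitivity_by_family.get(family, "medium")]
    )
    return Decision(blocked=bool(triggered), scores=scores, triggered=triggered)


if __name__ == "__main__":
    # Constructed sample requests (query parameters only).
    one_xss_case = {"q": "hello <script>alert(1)</script>"}
    two_traversal_cases = {"file": "../../etc/passwd"}

    # One XSS case scores 8: allowed at medium (threshold 16), blocked at high (8).
    print(evaluate(one_xss_case, {"xss": "medium"}))
    print(evaluate(one_xss_case, {"xss": "high"}))
    # Two traversal cases score 16, which reaches the medium threshold.
    print(evaluate(two_traversal_cases, {}))
```

Running the sample shows the trade-off the table describes: the same single XSS case passes at Medium but is blocked at High, while a second case of the same family pushes the score over the Medium threshold on its own.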

After configuring WAF’s main settings with the Threat Type Configuration table, you must create a Rules Engine for Edge Firewall rule to execute the behavior you’ve configured.

This configuration guarantees your WAF settings are implemented along with other Edge Firewall security logic.

go to create a rule guide

Threat monitoring with Real-Time Metrics


Once you’ve completed your WAF rule set configuration and your edge application is receiving incoming traffic, you can use Real-Time Metrics to monitor requests and threats. You’ll find charts comparing how WAF processed requests and a few specific charts for different threat families.

go to real-time metrics reference

You can also conduct further analysis regarding WAF threats via Data Stream and Real-Time Events.

Watch a video tutorial about WAF Rule Sets on Azion’s YouTube channel:


Contributors