1 of 20
2 of 20
3 of 20
4 of 20
5 of 20
6 of 20
7 of 20
8 of 20
9 of 20
10 of 20
11 of 20
12 of 20
13 of 20
14 of 20
15 of 20
16 of 20
17 of 20
18 of 20
19 of 20
20 of 20

site

doc

blog

success stories

Web Application Firewall - custom Allowed Rules

Edit on GitHub

Creating custom rules amplifies the breadth and depth of security levels in your application. You can define custom Allowed Rules to manage and define protocols when configuring your Web Application Firewall (WAF).

That means you’re able to set up and manage such lists according to the behavior and traffic between your application and the internet.

  1. List of protocols
  2. Setting up a custom Allowed Rule
  3. Support Documentation

1. List of protocols

When creating Allowed Rules in your WAF setup, choose between the available protocols to define this custom composition. Check them below:

Rule ID Description
1 Validation of protocol compliance: weird request, unable to parse
2 Request too big, stored on disk and not parsed
10 Validation of protocol compliance: invalid HEX encoding (null bytes)
11 Validation of protocol compliance: missing or unknown Content-Type header in a POST (this rule applies only to Request Body match zone)
12 Validation of protocol compliance: invalid formatted URL
13 Validation of protocol compliance: invalid POST format
14 Validation of protocol compliance: invalid POST boundary
15 Validation of protocol compliance: invalid JSON
16 Validation of protocol compliance: POST with no body
17 Possible SQL Injection attack: validation with libinjection_sql
18 Possible XSS attack: validation with libinjection_xss
1000 Possible SQL Injection attack: SQL keywords found in Body, Path, Query String or Cookies
1001 Possible SQL Injection or XSS attack: double quote (“) found in Body, Path, Query String or Cookies
1002 Possible SQL Injection attack: possible hex encoding (0x) found in Body, Path, Query String or Cookies
1003 Possible SQL Injection attack: MySQL comment (/*) found in Body, Path, Query String or Cookies
1004 Possible SQL Injection attack: MySQL comment (*/) found in Body, Path, Query String or Cookies
1005 Possible SQL Injection attack: MySQL keyword (|) found in Body, Path, Query String or Cookies
1006 Possible SQL Injection attack: MySQL keyword (&&) found in Body, Path, Query String or Cookies
1007 Possible SQL Injection attack: MySQL comment (–) found in Body, Path, Query String or Cookies
1008 Possible SQL Injection or XSS attack: semicolon (;) found in Body, Path or Query String
1009 Possible SQL Injection attack: equal sign (=) found in Body or Query String
1010 Possible SQL Injection or XSS attack: open parenthesis [(] found in Body, Path, Query String or Cookies
1011 Possible SQL Injection or XSS attack: close parenthesis [)] found in Body, Path, Query String or Cookies
1013 Possible SQL Injection or XSS attack: apostrophe (‘) found in Body, Path, Query String or Cookies
1015 Possible SQL Injection attack: comma (,) found in Body, Path, Query String or Cookies
1016 Possible SQL Injection attack: MySQL comment (#) found in Body, Path, Query String or Cookies
1017 Possible SQL Injection attack: double at sign (@@) found in Body, Path, Query String or Cookies
1100 Possible RFI attack: scheme “http://” found in Body, Query String or Cookies
1101 Possible RFI attack: scheme “https://” found in Body, Query String or Cookies
1102 Possible RFI attack: scheme “ftp://” found in Body, Query String or Cookies
1103 Possible RFI attack: scheme “php://” found in Body, Query String or Cookies
1104 Possible RFI attack: scheme “sftp://” found in Body, Query String or Cookies
1105 Possible RFI attack: scheme “zlib://” found in Body, Query String or Cookies
1106 Possible RFI attack: scheme “data://” found in Body, Query String or Cookies
1107 Possible RFI attack: scheme “glob://” found in Body, Query String or Cookies
1108 Possible RFI attack: scheme “phar://” found in Body, Query String or Cookies
1109 Possible RFI attack: scheme “file://” found in Body, Query String or Cookies
1110 Possible RFI attack: scheme “gopher://” found in Body, Query String or Cookies
1200 Possible Directory Traversal attack: double dot (..) found in Body, Path, Query String or Cookies
1202 Possible Directory Traversal attack: obvious probe (/etc/passwd) found in Body, Path, Query String or Cookies
1203 Possible Directory Traversal attack: obvious windows path (c:\) found in Body, Path, Query String or Cookies
1204 Possible Directory Traversal attack: obvious probe (cmd.exe) found in Body, Path, Query String or Cookies
1205 Possible Directory Traversal attack: backslash () found in Body, Path, Query String or Cookies
1206 Possible Directory Traversal attack: slash (/) found in Body, Query String or Cookies
1302 Possible XSS attack: html open tag (<) found in Body, Path, Query String or Cookies
1303 Possible XSS attack: html close tag (>) found in Body, Path, Query String or Cookies
1310 Possible XSS attack: open square bracket ([) found in Body, Path, Query String or Cookies
1311 Possible XSS attack: close square bracket (]) found in Body, Path, Query String or Cookies
1312 Possible XSS attack: tilde character (~) found in Body, Path, Query String or Cookies
1314 Possible XSS attack: back quote ( `) found in Body, Path, Query String or Cookies
1315 Possible XSS attack: double encoding (%[2|3]) found in Body, Path, Query String or Cookies
1400 Possible trick to evade protection: UTF7/8 encoding (&#) found in Body, Path, Query String or Cookies
1401 Possible trick to evade protection: MS encoding (%U) found in Body, Path, Query String or Cookies
1500 Possible File Upload attempt: asp/php (.ph, .asp or .ht) found in filename in a multipart POST containing a file

2. Setting up a custom Allowed Rule

To bring a new WAF Rule Set into action, make sure to add it into a Rule in the Behaviors section of Edge Firewall’s Rules Engine.

  1. After defining the WAF configuration, head to the Allowed Rules tab.
  2. Click Add Rule.
  3. From the Rule ID list, choose a protocol to define the set-up.
  4. In the Rule Description, write down a suggestive description to identify the ruleset.
  5. The Path will be used to restrict the range of a matching zone. If this is undesired, leave it blank.
  6. In the Match Zones fields, choose the matching zones you’d like to put into the allowlist. You can create as many Match Zones as desired, according to the the type of setup:
  • Use Query String or Conditional Query String to insert all GET arguments or one named argument into the allowlist. For example, the “search” argument;
  • Use Request Header or Conditional Request Header to put all HTTP request headers or one named header into the allowlist. For example, the Cookie header.
  • Use Request Body or Conditional Request Body to insert all POST arguments or one named argument into the allowlist. For example, the “search” argument;
  • Use Raw Body to use the unparsed (raw) request body into the allowlist;
  • Use File Name (Multipart Body) to put the file name of a multipart POST containing a file into the allowlist;
  • Use Path to add the path itself or one named path into the allowlist
  1. Once you’re done configuring the custom rule, click Save.

Using Regex

To use this functionality correctly some configuration patterns must be followed:

  • our Regex engine uses only regular expressions compatible with the standards of the PCRE library (Perl Compatible Regular Expressions);
  • the use of Regex only applies to Conditional type match zones with Content Type having key and value semantics;

  • when using regex you have to enable the “This Match Zone uses Regex” switch;

  • alternation operators are not yet supported by our WAF;

Note: Follow all the requirements above to avoid errors when creating your rule.


3. Support Documentation


Didn’t find what you were looking for? Open a support ticket.