Web Application Firewall — Custom Allowed Rules
Creating custom rules extends the breadth and depth of the security levels applied to your application. Custom Allowed Rules let you manage exceptions to the WAF's internal rules when configuring your Web Application Firewall (WAF).
That means you can set up and maintain such allowlists according to the legitimate behavior and traffic between your application and the internet, so that the WAF stops blocking known-good requests without disabling a rule everywhere.
1. List of internal rules
When creating Custom Allowed Rules in your WAF setup, you choose which of the available internal rules (see the list below) the allowed rule applies to:
Rule ID | Description |
---|---|
1 | weird request, unable to parse |
2 | Request too big, stored on disk and not parsed |
10 | invalid HEX encoding (null bytes) |
11 | missing or unknown Content-Type header in a POST (this rule applies only to Request Body match zone) |
12 | invalid formatted URL |
13 | invalid POST format |
14 | invalid POST boundary |
15 | invalid JSON format |
16 | POST with no body |
17 | Possible SQL Injection attack: validation with libinjection_sql |
18 | Possible XSS attack: validation with libinjection_xss |
1000 | Possible SQL Injection attack: SQL keywords found in Body, Path, Query String or Cookies |
1001 | Possible SQL Injection or XSS attack: double quote (") found in Body, Path, Query String or Cookies |
1002 | Possible SQL Injection attack: possible hex encoding (0x) found in Body, Path, Query String or Cookies |
1003 | Possible SQL Injection attack: MySQL comment (/*) found in Body, Path, Query String or Cookies |
1004 | Possible SQL Injection attack: MySQL comment (*/) found in Body, Path, Query String or Cookies |
1005 | Possible SQL Injection attack: MySQL keyword (|) found in Body, Path, Query String or Cookies |
1006 | Possible SQL Injection attack: MySQL keyword (&&) found in Body, Path, Query String or Cookies |
1007 | Possible SQL Injection attack: MySQL comment (--) found in Body, Path, Query String or Cookies |
1008 | Possible SQL Injection or XSS attack: semicolon (;) found in Body, Path or Query String |
1009 | Possible SQL Injection attack: equal sign (=) found in Body or Query String |
1010 | Possible SQL Injection or XSS attack: open parenthesis [(] found in Body, Path, Query String or Cookies |
1011 | Possible SQL Injection or XSS attack: close parenthesis [)] found in Body, Path, Query String or Cookies |
1013 | Possible SQL Injection or XSS attack: apostrophe (') found in Body, Path, Query String or Cookies |
1015 | Possible SQL Injection attack: comma (,) found in Body, Path, Query String or Cookies |
1016 | Possible SQL Injection attack: MySQL comment (#) found in Body, Path, Query String or Cookies |
1017 | Possible SQL Injection attack: double at sign (@@) found in Body, Path, Query String or Cookies |
1100 | Possible RFI attack: scheme “http://” found in Body, Query String or Cookies |
1101 | Possible RFI attack: scheme “https://” found in Body, Query String or Cookies |
1102 | Possible RFI attack: scheme “ftp://” found in Body, Query String or Cookies |
1103 | Possible RFI attack: scheme “php://” found in Body, Query String or Cookies |
1104 | Possible RFI attack: scheme “sftp://” found in Body, Query String or Cookies |
1105 | Possible RFI attack: scheme “zlib://” found in Body, Query String or Cookies |
1106 | Possible RFI attack: scheme “data://” found in Body, Query String or Cookies |
1107 | Possible RFI attack: scheme “glob://” found in Body, Query String or Cookies |
1108 | Possible RFI attack: scheme “phar://” found in Body, Query String or Cookies |
1109 | Possible RFI attack: scheme “file://” found in Body, Query String or Cookies |
1110 | Possible RFI attack: scheme “gopher://” found in Body, Query String or Cookies |
1198 | Possible RCE attack: validation with log4j (Log4Shell) in HEADERS_VAR |
1199 | Possible RCE attack: validation with log4j (Log4Shell) in Body, Path, Query String, Headers or Cookies |
1200 | Possible Directory Traversal attack: double dot (..) found in Body, Path, Query String or Cookies |
1202 | Possible Directory Traversal attack: obvious probe (/etc/passwd) found in Body, Path, Query String or Cookies |
1203 | Possible Directory Traversal attack: obvious windows path (c:\) found in Body, Path, Query String or Cookies |
1204 | Possible Directory Traversal attack: obvious probe (cmd.exe) found in Body, Path, Query String or Cookies |
1205 | Possible Directory Traversal attack: backslash (\ ) found in Body, Path, Query String or Cookies |
1206 | Possible Directory Traversal attack: slash (/) found in Body, Query String or Cookies |
1302 | Possible XSS attack: html open tag (<) found in Body, Path, Query String or Cookies |
1303 | Possible XSS attack: html close tag (>) found in Body, Path, Query String or Cookies |
1310 | Possible XSS attack: open square bracket ([) found in Body, Path, Query String or Cookies |
1311 | Possible XSS attack: close square bracket (]) found in Body, Path, Query String or Cookies |
1312 | Possible XSS attack: tilde character (~) found in Body, Path, Query String or Cookies |
1314 | Possible XSS attack: back quote (`) found in Body, Path, Query String or Cookies |
1315 | Possible XSS attack: double encoding (%[2|3]) found in Body, Path, Query String or Cookies |
1400 | Possible trick to evade protection: UTF7/8 encoding (&#) found in Body, Path, Query String or Cookies |
1401 | Possible trick to evade protection: MS encoding (%U) found in Body, Path, Query String or Cookies |
1500 | Possible File Upload attempt: asp/php (.ph, .asp or .ht) found in filename in a multipart POST containing a file |
2. Setting up a Custom Allowed Rule
To bring a new WAF Rule Set into action, make sure to add it as a Behavior in a Rule inside the Edge Firewall Rules Engine.
- After defining the WAF configuration, head to the Allowed Rules tab.
- Click Add Rule.
- From the Rule ID list, choose the internal rule (see the list above) that this allowed rule applies to.
- In the Rule Description, write a descriptive name that identifies the purpose of the allowed rule.
- The Path restricts the allowed rule to requests matching that path. If no restriction is desired, leave it blank.
- In the Match Zone fields, choose the matching zones you'd like to put into the allowlist. You can create as many Match Zones as needed, according to the type of setup:
  - Use Query String or Conditional Query String to insert all GET arguments or one named argument into the allowlist. For example, the "search" argument.
  - Use Request Header or Conditional Request Header to put all HTTP request headers or one named header into the allowlist. For example, the Cookie header.
  - Use Request Body or Conditional Request Body to insert all POST arguments or one named argument into the allowlist. For example, the "search" argument.
  - Use Raw Body to put the unparsed (raw) request body into the allowlist.
  - Use File Name (Multipart Body) to put the file name of a multipart POST containing a file into the allowlist.
  - Use Path to add the path itself or one named path into the allowlist.
Once you’re done configuring your new Custom Allowed Rule, click the Save button.
Using Regex
To use this functionality correctly, the following configuration requirements must be followed:
- Our Regex engine uses only regular expressions compatible with the standards of the Perl Compatible Regular Expressions (PCRE) library.
- The use of Regex only applies to Conditional type Match Zones with Content Type having key and value semantics.
- When using Regex you have to enable the "This Match Zone uses Regex" switch.
- Alternation operators are not yet supported by our WAF.
Follow all the requirements above to avoid errors when creating your rule.
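To make the effect of the match zone, path restriction and regex options above concrete, here is an added simulation (not Azion's code; the engine's real matching is not reproduced) that replays a constructed request against a few of the internal rules from the table and then applies allowed rules to it. The `AllowedRule` fields, the `evaluate` function and the substring-based `RULES` table are assumptions made for the example; it shows why allowing rule 1001 only for the conditional "search" argument on one path is preferable to allowing it for the whole Query String zone.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the internal rules from the table above, reduced to
# plain substring checks. This is an illustration, not the real WAF engine.
RULES = {1001: '"', 1013: "'", 1200: "..", 1302: "<"}

@dataclass
class AllowedRule:
    rule_id: int
    zone: str                   # "query", "header" or "body"
    name: Optional[str] = None  # Conditional zone: only this named key
    use_regex: bool = False     # the "This Match Zone uses Regex" switch
    path: Optional[str] = None  # optional path restriction; blank = any path

    def covers(self, req_path: str, zone: str, key: str) -> bool:
        """Does this allowed rule suppress a hit in (zone, key) on req_path?"""
        if self.path and req_path != self.path:
            return False
        if self.zone != zone:
            return False
        if self.name is None:          # non-conditional zone: every key
            return True
        if self.use_regex:
            if "|" in self.name:       # alternation is not supported by the WAF
                raise ValueError("alternation operator not supported")
            return re.fullmatch(self.name, key) is not None
        return self.name == key

def evaluate(request: dict, allowed: list) -> list:
    """Return (rule_id, zone, key) for each internal rule that still fires
    after the allowed rules have been applied."""
    hits = []
    for zone, kv in request["zones"].items():
        for key, value in kv.items():
            for rid, needle in RULES.items():
                if needle not in value:
                    continue
                if any(a.rule_id == rid and a.covers(request["path"], zone, key)
                       for a in allowed):
                    continue
                hits.append((rid, zone, key))
    return hits

# Constructed request: quotes in the "search" argument are legitimate on
# /search, but ".." in another argument and "<" in the body must still fire.
REQUEST = {"path": "/search", "zones": {
    "query": {"search": 'rock "n" roll', "page": "../1"},
    "body": {"comment": "<b>hi</b>"}}}
NARROW = [AllowedRule(1001, "query", name="search", path="/search")]
BROAD = [AllowedRule(1001, "query")]  # allows 1001 for every GET argument
```

Run `evaluate(REQUEST, NARROW)` to see that only the double quote in "search" is excused while rules 1200 and 1302 still fire; the same request on another path keeps the 1001 hit because of the path restriction.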