WAF Custom Allowed Rules

Web Application Firewall (WAF) Custom Allowed Rules is a feature that allows you to instantiate WAF Rules specifically for the need of your edge application, considering the actual application traffic, request, and data. Use WAF Custom Allowed Rules to amplify the security levels of your application and also to stop false positives.

To instantiate Custom Allowed Rules in a WAF Rule Set, you must have an Edge Firewall configuration with the Web Application Firewall module activated.

Your WAF Custom Allowed Rules can be based on actual requests that were marked by WAF as possible threats. You can also allow a custom rule in case of tests and false positives.

When creating custom allowed rules for a WAF configuration, it’s necessary to choose between the available internal rules for its composition.

See the list of all available internal rules below:

Rule IDDescription
1Weird request, unable to parse.
2Request larger than 128 kilobytes, stored on disk, and not parsed.
10Invalid HEX encoding (null bytes).
11Missing or unknown Content-Type header in a POST (this rule applies only to Request Body match zone).
12Invalid formatted URL.
13Invalid POST format.
14Invalid POST boundary.
15Invalid JSON format.
16POST with no body.
17Possible SQL Injection attack: validation with libinjection_sql.
18Possible XSS attack: validation with libinjection_xss.
1000Possible SQL Injection attack: SQL keywords found in Body, Path, Query String, or Cookies.
1001Possible SQL Injection or XSS attack: double quote " found in Body, Path, Query String or Cookies.
1002Possible SQL Injection attack: possible hex encoding 0x found in Body, Path, Query String or Cookies.
1003Possible SQL Injection attack: MySQL comment /* found in Body, Path, Query String or Cookies.
1004Possible SQL Injection attack: MySQL comment */ found in Body, Path, Query String or Cookies.
1005Possible SQL Injection attack: MySQL keyword | found in Body, Path, Query String or Cookies.
1006Possible SQL Injection attack: MySQL keyword && found in Body, Path, Query String or Cookies.
1007Possible SQL Injection attack: MySQL comment -- found in Body, Path, Query String or Cookies.
1008Possible SQL Injection or XSS attack: semicolon ; found in Body, Path or Query String.
1009Possible SQL Injection attack: equal sign = found in Body or Query String.
1010Possible SQL Injection or XSS attack: open parenthesis ( found in Body, Path, Query String or Cookies.
1011Possible SQL Injection or XSS attack: close parenthesis ) found in Body, Path, Query String or Cookies.
1013Possible SQL Injection or XSS attack: apostrophe ' found in Body, Path, Query String or Cookies.
1015Possible SQL Injection attack: comma , found in Body, Path, Query String or Cookies.
1016Possible SQL Injection attack: MySQL comment # found in Body, Path, Query String or Cookies.
1017Possible SQL Injection attack: double at sign @@ found in Body, Path, Query String or Cookies.
1100Possible RFI attack: scheme http:// found in Body, Query String or Cookies.
1101Possible RFI attack: scheme https:// found in Body, Query String or Cookies.
1102Possible RFI attack: scheme ftp:// found in Body, Query String or Cookies.
1103Possible RFI attack: scheme php:// found in Body, Query String or Cookies.
1104Possible RFI attack: scheme sftp:// found in Body, Query String or Cookies.
1105Possible RFI attack: scheme zlib:// found in Body, Query String or Cookies.
1106Possible RFI attack: scheme data:// found in Body, Query String or Cookies.
1107Possible RFI attack: scheme glob:// found in Body, Query String or Cookies.
1108Possible RFI attack: scheme phar:// found in Body, Query String or Cookies.
1109Possible RFI attack: scheme file:// found in Body, Query String or Cookies.
1110Possible RFI attack: scheme gopher:// found in Body, Query String or Cookies.
1198Possible RCE attack: validation with log4j (Log4Shell) in HEADERS_VAR.
1199Possible RCE attack: validation with log4j (Log4Shell) in Body, Path, Query String, Headers, or Cookies.
1200Possible Directory Traversal attack: double dot .. found in Body, Path, Query String or Cookies.
1202Possible Directory Traversal attack: obvious probe /etc/passwd found in Body, Path, Query String or Cookies.
1203Possible Directory Traversal attack: obvious Windows path c:\\ found in Body, Path, Query String or Cookies.
1204Possible Directory Traversal attack: obvious probe cmd.exe found in Body, Path, Query String or Cookies.
1205Possible Directory Traversal attack: backslash \ found in Body, Path, Query String or Cookies.
1206Possible Directory Traversal attack: slash / found in Body, Query String, or Cookies.
1207Possible Directory Traversal attack: obvious probe /..;/) found in Body, Path, Query String or Cookies.
1208Possible Directory Traversal attack: obvious probe /.;/) found in Body, Path, Query String or Cookies.
1209Possible Directory Traversal attack: obvious probe /.%2e/) found in Body, Path, Query String or Cookies.
1210Possible Directory Traversal attack: obvious probe /%2e./) found in Body, Path, Query String or Cookies.
1302Possible XSS attack: HTML open tag < found in Body, Path, Query String or Cookies.
1303Possible XSS attack: HTML close tag > found in Body, Path, Query String or Cookies.
1310Possible XSS attack: open square bracket [ found in Body, Path, Query String or Cookies.
1311Possible XSS attack: close square bracket ] found in Body, Path, Query String or Cookies.
1312Possible XSS attack: tilde character ~ found in Body, Path, Query String, or Cookies.
1314Possible XSS attack: ` (backtick) found in Body, Path, Query String, or Cookies.
1315Possible XSS attack: double encoding %[2|3] found in Body, Path, Query String or Cookies.
1400Possible trick to evade protection: UTF7/8 encoding &# found in Body, Path, Query String or Cookies.
1401Possible trick to evade protection: MS encoding %U found in Body, Path, Query String or Cookies.
1402Possible trick to evade protection: encoded chars %20-%3F found in Body, Path, Query String or Cookies.
1500Possible File Upload attempt: asp/php or .ph, .asp, .ht found in filename in a multipart POST containing a file.

Contributors