Queries the rules that are configured in a specific protection module of Web Application Firewalls (WAF), such as the web intrusion prevention, data security, bot management, access control or throttling, or website whitelist module.

Usage notes

You can call the DescribeProtectionModuleRules operation to perform a paged query of the rules that are configured in a specific WAF protection module. The protection modules include web intrusion prevention, data security, bot management, access control or throttling, and website whitelist.

You can set the DefenseType parameter to specify a protection module. For more information about the values of this parameter, see the description of the DefenseType parameter.

Limits

You can call this operation up to 50 times per second per account. If the number of the calls per second exceeds the limit, throttling is triggered. As a result, your business may be affected. We recommend that you take note of the limit when you call this operation.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeProtectionModuleRules

The operation that you want to perform. Set the value to DescribeProtectionModuleRules.

PageSize Integer No 10

The number of entries to return on each page. Default value: 10.

PageNumber Integer No 1

The number of the page to return. Default value: 1.

Domain String No www.aliyundoc.com

The domain name that you want to query.

  • If you set the DefenseType parameter to a value other than ng_account, you must also specify this parameter.
    Note You can call the DescribeDomainList operation to query all the domain names that are protected by WAF.
  • If you set the DefenseType parameter to ng_account, leave this parameter unspecified. Otherwise, an error message is returned.
DefenseType String Yes ac_highfreq

The type of the protection feature whose rule you want to query. Valid values:

  • waf-codec: decoding configuration of the protection rules engine feature
  • tamperproof: website tamper-proofing
  • dlp: data leak prevention
  • ng_account: account security
  • bot_crawler: allowed crawlers
  • bot_intelligence: bot threat intelligence
  • antifraud: data risk control
  • antifraud_js: configuration of a web page into which a JavaScript plug-in is inserted for data risk control
  • bot_algorithm: intelligent algorithm
  • bot_wxbb_pkg: version protection for the app protection module
  • bot_wxbb: path protection for the app protection module
  • ac_blacklist: IP address blacklist
  • ac_highfreq: blocking configuration of IP addresses that initiate high-frequency web attacks
  • ac_dirscan: scan protection
  • ac_custom: custom protection policy
  • whitelist: website whitelist
Query String No e2ZpbHRlcjp7InJ1bGVJZCI6NDI3NTV9LG9yZGVyQnk6ImdtdF9tb2RpZmllZCIsZGVzYzp0cnVlfQ==

The methods that are used to filter and sort the rules. The value is a JSON string that contains the following parameters:

Note The value of the Query parameter must be Base64-encoded.
  • filter: the filter conditions. This parameter is optional. Data type: JSON string. The value is a string that consists of a JSON struct. The JSON struct contains the following fields:
    • nameId: queries the rules whose IDs are the same as the value of this parameter or the rules whose names contain the parameter value. This parameter is optional. Data type: string.
    • scene: the protection module whose rule you want to query. The valid values of this parameter are the same as those of the DefenseType parameter. This parameter is optional. Data type: string.
    • enabled: specifies whether the rule is enabled. This parameter is optional. Data type: Boolean. Valid values:
      • false: disabled
      • true: enabled
    • status: the status of the rule. The meaning of this parameter is the same as that of the enabled parameter. This parameter is optional. Data type: integer. Valid values:
      • 0: disabled
      • 1: enabled
    • ruleId: the ID of the rule. This parameter is optional. Data type: integer.
    • ruleIdList: the list of rule IDs. Separate multiple rule IDs with commas (,). This parameter is optional. Data type: array.
    • sceneList: the list of protection modules. The valid values of this parameter are the same as those of the DefenseType parameter. Separate multiple protection modules with commas (,). This parameter is optional. Data type: array.
    • originList: the list of rule sources. Separate multiple rule sources with commas (,). This parameter is optional. Data type: array. Valid values: system (system-generated) and custom (user-customized).
    • tag: If you set the DefenseType parameter to whitelist, you can set this parameter to query the whitelist rules of specific modules that do not detect requests. This parameter is optional. Data type: string. For more information about tag, see the description of whitelist rules in the "Description of the Content parameter" section.
    • origin: If you set the DefenseType parameter to whitelist, you can set this parameter to query the whitelist rules that are automatically added by the intelligent rule hosting feature. This parameter is optional. Data type: string. Set the value to ai. If you do not set this parameter, all whitelist rules are queried, including the rules that you manually added and the rules that are automatically added by the intelligent rule hosting feature.
    • category: If you set the DefenseType parameter to whitelist, you can set this parameter to query a specific type of whitelist. This parameter is optional. Data type: string. Valid values:
      • waf: website whitelist
      • ws: whitelist for web intrusion prevention whitelist
      • ac: whitelist for access control/throttling
      • ds: data security whitelist
  • orderBy: the sorting method. This parameter is optional. Data type: string. Valid values:
    • action: the action that is performed after the rule is matched. This parameter takes effect only when you query the rules of the custom protection policy module.
    • gmt_modified: the time when the rule was last modified. This is the default value.
    • name: the name of the rule.
    • status: the status of the rule.
  • desc: specifies whether the rule is sorted in descending order. This parameter is optional. Data type: Boolean. Valid values:
    • false: ascending order.
    • true: descending order. This is the default value.
Lang String No zh

The language of the rule name. Valid values:

  • zh: Chinese
  • en: English
  • ja: Japanese
InstanceId String Yes waf_elasticity-cn-0xldbqt****

The ID of the WAF instance.

Note You can call the DescribeInstanceInfo operation to query the ID of the WAF instance.
ResourceGroupId String No rg-acfm2pz25js****

The ID of the resource group to which the WAF instance belongs in Resource Management.

If you do not specify this parameter, the WAF instance belongs to the default resource group.

All Alibaba Cloud API operations must include common request parameters. For more information about common request parameters, see Common parameters.

For more information about sample requests, see the "Examples" section of this topic.

Response parameters

Parameter Type Example Description
TotalCount Integer 1

The total number of entries returned.

RequestId String D7861F61-5B61-46CE-A47C-6B19160D5EB0

The ID of the request.

Rules Array of Rule

The configurations of the rule, including the rule ID, creation time, and status.

Status Long 1

The status of the rule. Valid values:

  • 0: disabled
  • 1: enabled
Time Long 1570700044

The time when the rule was created. This value is a UNIX timestamp. Unit: seconds.

Content Map

The content of the rule. This value is a JSON string that contains multiple parameters.

Note The parameters vary based on the value of the DefenseType parameter. For more information, see the "Description of the Content parameter" section.
Version Long 2

The version of the rule.

RuleId Long 42755

The ID of the rule.

Description of the Content parameter

  • If the DefenseType parameter is set to waf-codec, the value of the Content parameter contains the following parameter:
    • codecList: the enabled decoding items. This parameter is required. Data type: string.
    • Example
      
          {
              "codecList":["url","base64"]
          }
          
  • If the DefenseType parameter is set to tamperproof, the value of the Content parameter contains the following parameters:
    • uri: the URL that requires protection. Data type: string. This parameter is required. Data type: string.
    • name: the name of the rule. This parameter is required. Data type: string.
    • status: the status of the rule. This parameter is optional. Data type: integer. Valid values:
      • 0: disabled. This is the default value.
      • 1: enabled.
    • Example
      
          {
              "name":"example",
              "uri":"http://www.example.com/example",
              "status":1
          }
          
  • If the DefenseType parameter is set to dIp, the value of the Content parameter contains the following parameters:
    • name: the name of the rule. This parameter is required. Data type: string.
    • conditions: the matching conditions, which are formulated in a JSON string. You can specify a maximum of two conditions. The two conditions use a logical AND. This parameter is required. Data type: array. The JSON string contains the following parameters:
      • key: the matching item. Valid values:
        • 0: URL
        • 10: sensitive data
        • 11: HTTP status code
      • operation: the matching logic. This value is fixed as 1, which indicates the INCLUDES logical relation.
      • value: the matching value, which is formulated in a JSON string. You can specify multiple values. The JSON string contains the following parameters:
        • v: This parameter takes effect only when the key parameter is set to 0 or 11.
          • URL: If the key parameter is set to 0, the value of the v parameter is a URL.
          • HTTP status code: If the key parameter is set to 11, the valid values of the v parameter are 400,401,402,403,404,405 to 499,500,501,502,503,504, and 505 to 599.
        • k: This parameter takes effect only when the key parameter is set to 10. Valid values:
          • 100: ID card numbers
          • 101: credit card numbers
          • 102: phone numbers
          • 103: default sensitive words
    • action: the action that is performed after the rule is matched
      • 3: generates alerts.
      • 10: filters sensitive data. This action takes effect only when the key parameter is set to 10.
      • 11: returns the built-in block page of the system. This action takes effect only when the key parameter is set to 11.
    • Example
      
        {
      	"name":"example",
      	"conditions":[{"key":11,"operation":1,"value":[{"v":401}]},{"key":"0","operation":1,"value":[{"v":"www.example.com"}]}],
      	"action":3
        }
        
  • If the DefenseType parameter is set to ng_account, the value of the Content parameter contains the following parameters:
    • domain: the domain name that is protected by WAF. This parameter is required. Data type: string.
    • method: the method of the requests. This parameter is required. Data type: string. Valid values: POST, GET, PUT, and DELETE. You can specify multiple request methods. Separate the request methods with commas (,).
    • url_path: the URL path in the requests that are detected. The path must start with a forward slash (/). This parameter is required. Data type: string.
    • account_left: the account. This parameter is required. Data type: string.
    • password_left: the password. This parameter is optional. Data type: string.
    • action: the action that is performed after the rule is matched. This parameter is required. Data type: string. Valid values:
      • monitor: generates alerts.
      • block: blocks requests.
    • Example
      
          {
              "domain":"www.example.com",
              "method":"GET,POST",
              "url_path":"/example",
              "account_left":"aaa",
              "action":"monitor"
          }
          
  • If the DefenseType parameter is set to bot_crawler, the value of the Content parameter contains the following parameters:
    • Status: the status of the rule. This parameter is required. Data type: integer. Valid values:
      • 0: disabled
      • 1: enabled
    • Version: the version of the rule. This parameter is required. Data type: integer.
    • Content: the details of the rule. This parameter is required. Data type: string. The value is a JSON string that contains the following parameters:
      • name: the name of the rule. This parameter is required. Data type: string.
      • conditions: the condition for URL paths that are protected. This parameter is optional. Data type: array. If the DefenseType parameter is set to bot_crawler, the value of the conditions parameter is fixed as empty, which indicates that all URL paths are protected.
      • expressions: the conditional expression of the rule. The expression represents all the conditions of the rule. This parameter is required. Data type: array.
      • bypassTags: the protection module that does not detect requests. This parameter is required. Data type: string. If the DefenseType parameter is set to bot_crawler, the value of the bypassTags parameter is fixed as antibot, which indicates the bot management module.
      • tags: the protection module to which the rule belongs. This parameter is required. Data type: array. If the DefenseType parameter is set to bot_crawler, the value of the tags parameter is fixed as ["antibot"], which indicates the bot management module.
    • RuleId: the ID of the rule. This parameter is required. Data type: integer.
    • Time: the UNIX timestamp of when the rule was last modified. Unit: seconds. This parameter is required. Data type: string.
    • Example
      
          {
              "Status":0,
              "Version":1,
              "Content":{
                  "name":"Baidu Spider whitelist",
                  "conditions":[],
                  "expressions":["remote_addr inl 'ioc.210d077a-cf34-49ad-a9b3-0aa48095c595' && uri =^ '/'"],
                  "bypassTags":"antibot",
                  "tags":["antibot"]
              },
      	"RuleId":20384,
      	"Time":1585818161
          }
          
  • If the DefenseType parameter is set to bot_intelligence, the value of the Content parameter contains the following parameters:
    • Status: the status of the rule. This parameter is required. Data type: integer. Valid values:
      • 0: disabled
      • 1: enabled
    • Version: the version of the rule. This parameter is required. Data type: integer.
    • Content: the details of the rule. This parameter is required. Data type: string. The value is a JSON string that contains the following parameters:
      • name: the name of the rule. This parameter is required. Data type: string.
      • action: the action that is performed after the rule is matched. This parameter is required. Data type: string. Valid values:
        • monitor: monitors requests.
        • captcha: performs slider CAPTCHA verification.
        • captcha_strict: performs strict slider CAPTCHA verification.
        • js: performs JavaScript verification.
        • block: blocks requests.
      • urlList: the URL path that requires protection. You can specify up to 10 URL paths. This parameter is required. Data type: array. The value is a JSON string that contains the following parameters:
        • mode: the matching method. This parameter is required. Data type: string. This parameter specifies a URL path in combination with the url parameter. Valid values: eq (exact match), prefix-match (prefix match), and regex (regular expression match).
        • url: the keyword of the URL path. The path must start with a forward slash (/). This parameter is required. Data type: string.
      • keyType: the type of the intelligence library. Valid values: IP (IP address library) and ua (fingerprint library).
    • RuleId: the ID of the rule. This parameter is required. Data type: integer.
    • Time: the UNIX timestamp of when the rule was last modified. Unit: seconds. This parameter is required. Data type: string.
    • Example
      
          {
              "Status":1,
              "Version":1,
              "Content":{
                  "name":"IDC IP Address Library-Tencent Cloud",
                  "action":"captcha_strict",
                  "urlList":[{"mode":"prefix-match","url":"/indexa"},	{"mode":"regex","url":"/"},{"mode":"eq","url":"/"}],
                  "keyType":"ip"
              },
              "RuleId":922777,
              "Time":1585907112
          }
          
  • If the DefenseType parameter is set to antifraud, the value of the Content parameter contains the following parameters:
    • uri: the requested URL. This parameter is required. Data type: string.
    • Example
      
          {
              "uri": "http://1.example.com/example"
          }
          
  • If the DefenseType parameter is set to antifraud_js, the value of the Content parameter contains the following parameters:
    • uri: the URL path of the web page into which the JavaScript plug-in for data risk control is inserted. The path must start with a forward slash (/). The system inserts the JavaScript plug-in into all the pages in the specified URL path. This parameter is required. Data type: string.
    • Example
      
          {
              "uri": "/example/example"
          }
          
  • If the DefenseType parameter is set to bot_algorithm, the value of the Content parameter contains the following parameters:
    • Status: the status of the rule. This parameter is required. Data type: integer. Valid values:
      • 0: disabled
      • 1: enabled
    • Version: the version of the rule. This parameter is required. Data type: integer.
    • Content: the details of the rule. This parameter is required. Data type: string. The value is a JSON string that contains the following parameters:
      • name: the name of the rule. This parameter is required. Data type: string.
      • timeInterval: the interval of detection. This parameter is required. Data type: integer. Valid values: 30, 60, 120, 300, and 600. Unit: seconds.
      • action: the action that is performed after the rule is matched. This parameter is required. Data type: string. Valid values:
        • monitor: monitors requests.
        • captcha: performs slider CAPTCHA verification.
        • js: performs JavaScript verification.
        • block: blocks requests. If you set the parameter to block, you must also specify the blocktime parameter.
      • blocktime: the period during which requests are blocked. This parameter is optional. Data type: integer. Valid values: 1 to 600. Unit: minutes.
      • algorithmName: the name of the algorithm. This parameter is required. Data type: string. Valid values:
        • RR: the algorithm that is used to identify specific resource crawlers
        • PR: the algorithm that is used to identify specific path crawlers
        • DPR: the algorithm that is used to identify parameter round-robin crawlers
        • SR: the algorithm that is used to identify dynamic IP address crawlers
        • IND: the algorithm that is used to identify proxy device crawlers
        • Periodicity: the algorithm that is used to identify periodic crawlers
      • config: the configuration of the algorithm, which is formulated in a JSON string. This parameter is required. Data type: string. The parameters that are contained in the JSON string vary based on the value of the algorithmName parameter.
        • If you set the algorithmName parameter to RR, the value of the config parameter contains the following parameters:
          • resourceType: the type of the requested resource. This parameter is optional. Data type: integer. Valid values:
            • 1: dynamic resources.
            • 2: static resources.
            • -1: custom resources. In this case, you must also use the extensions parameter to specify resource suffixes in a string. Separate suffixes with commas (,). Example: css,jpg,xls.
          • minRequestCountPerIp: the minimum number of requests from an IP address. The system detects an IP address only when the number of requests from this IP address is greater than or equal to the value of this parameter. This parameter is required. Data type: integer. Valid values: 5 to 10000.
          • minRatio: the threshold for the proportion of requests that access specified types of resources to requests that are initiated from an IP address. This threshold is used to determine whether risks exist. If an actual proportion is greater than the threshold, risks exist. This parameter is required. Data type: float. Valid values: 0.01 to 1.
        • If you set the algorithmName parameter to PR, the value of the config parameter contains the following parameters:
          • keyPathConfiguration: the requested URL path. You can specify a maximum of 10 URL paths. This parameter is required only when the algorithmName parameter is set to PR. This parameter is optional. Data type: array. This parameter is a JSON string that contains the following parameters:
            • method: the request method. This parameter is required. Data type: string. Valid values: POST, GET, PUT, DELETE, HEAD, and OPTIONS.
            • url: the keyword of the URL path. The path must start with a forward slash (/). This parameter is required. Data type: string.
            • matchType: the matching method. This parameter specifies a requested URL path in combination with the url parameter. This parameter is required. Data type: string. Valid values: all (exact match), prefix (prefix match), and regex (regular expression match).
          • minRequestCountPerIp: the minimum number of requests from an IP address. The system detects an IP address only when the number of requests from this IP address is greater than or equal to the value of this parameter. This parameter is required. Data type: integer. Valid values: 5 to 10000.
          • minRatio: the threshold for the proportion of requests that access specified URL paths to requests that are initiated from an IP address. This threshold is used to determine whether risks exist. If an actual proportion is greater than the threshold, risks exist. This parameter is required. Data type: float. Valid values: 0.01 to 1.
        • If you set the algorithmName parameter to DPR, the value of the config parameter contains the following parameters:
          • method: the request method. This parameter is required. Data type: string. Valid values: POST, GET, PUT, DELETE, HEAD, and OPTIONS.
          • urlPattern: the path of key parameters. The path must start with a forward slash (/). This parameter is required. Data type: string. You can specify multiple key parameters and enclose each parameter with a pair of braces {}. Example: /company/{}/{}/{}/user.php?uid={}.
          • minRequestCountPerIp: the minimum number of requests from an IP address. The system detects an IP address only when the number of requests from this IP address is greater than or equal to the value of this parameter. This parameter is required. Data type: integer. Valid values: 5 to 10000.
          • minRatio: the threshold for the proportion of requests that use specified key parameters to requests that are initiated from an IP address. This threshold is used to determine whether risks exist. If an actual proportion is greater than the threshold, risks exist. This parameter is required. Data type: float. Valid values: 0.01 to 1.
        • If you set the algorithmName parameter to SR, the value of the config parameter contains the following parameters:
          • maxRequestCountPerSrSession: the minimum number of requests in each session. If the number of requests in a single session is smaller than the value of this parameter, the session is considered abnormal. This parameter is required. Data type: integer. Valid values: 1 to 8.
          • minSrSessionCountPerIp: the threshold for the number of abnormal sessions in the requests that are initiated from an IP address. The threshold is used to determine whether risks exist. If an actual number is greater than the threshold, risks exist. This parameter is required. Data type: integer. Valid values: 5 to 300.
        • If you set the algorithmName parameter to IND, the value of the config parameter contains the following parameters:
          • minIpCount: the threshold for the number of IP addresses that the Wi-Fi connected device accesses. This parameter specifies the condition that is used to determine malicious devices. If an actual number is greater than the threshold, risks exist. This parameter is required. Data type: integer. Valid values: 5 to 500.
          • keyPathConfiguration: the requested URL path. You can specify a maximum of 10 URL paths. This parameter is optional. Data type: array. This parameter is a JSON string that contains the following parameters:
            • method: the request method. This parameter is required. Data type: string. Valid values: POST, GET, PUT, DELETE, HEAD, and OPTIONS.
            • url: the keyword of the URL path. The path must start with a forward slash (/). This parameter is required. Data type: string.
            • matchType: the matching method. This parameter specifies a requested URL path in combination with the url parameter. This parameter is required. Data type: string. Valid values: all (exact match), prefix (prefix match), and regex (regular expression match).
        • If you set the algorithmName parameter to Periodicity, the value of the config parameter contains the following parameters:
          • minRequestCountPerIp: the minimum number of requests from an IP address. The system detects an IP address only when the number of requests from this IP address is greater than or equal to the value of this parameter. This parameter is required. Data type: integer. Valid values: 5 to 10000.
          • level: the risk level, which is the extent of obviousness of periodic access from IP addresses. This parameter is required. Data type: integer. Valid values:
            • 0: obvious
            • 1: moderate
            • 2: weak
    • RuleId: the ID of the rule. This parameter is required. Data type: integer.
    • Time: the UNIX timestamp of when the rule was last modified. Unit: seconds. This parameter is required. Data type: string.
    • Example
      
          {
              "Status":1,
              "Version":1,
              "Content":{
                  "name":"Dynamic IP address",
                  "timeInterval":60,
                  "action":"warn",
                  "algorithmName":"IND",
                  "config":{"minIpCount":5,"keyPathConfiguration":[{"method":"GET","matchType":"prefix","url":"/index"}]}
              },
              "RuleId":940180,
              "Time":1585832957
          }
          
  • If the DefenseType parameter is set to bot_wxbb_pkg, the value of the Content parameter contains the following parameters:
    • Version: the version of the rule. This parameter is required. Data type: integer.
    • Content: the details of the rule. This parameter is required. Data type: string. The value is a JSON string that contains the following parameters:
      • name: the name of the rule. This parameter is required. Data type: string.
      • action: the action that is performed after the rule is matched. This parameter is required. Data type: string. Valid values:
        • test: monitors requests.
        • close: blocks requests.
      • nameList: the version information of valid package. You can specify the version information for a maximum of five valid packages. This parameter is required. Data type: array. The value is a JSON string that contains the following parameters:
        • name: the name of the valid package. This parameter is required. Data type: string.
        • signList: the signature for the package. You can specify a maximum of 15 signatures. Separate them with commas (,). This parameter is required. Data type: array.
    • RuleId: the ID of the rule. This parameter is required. Data type: integer.
    • Time: the UNIX timestamp of when the rule was last modified. Unit: seconds. This parameter is required. Data type: string.
    • Example
      
          {
              "Version":0,
              "Content":{
                  "nameList":[{"signList":["xxxxxx","xxxxx","xxxx","xx"],"name":"apk-xxxx"}],
                  "name":"test",
                  "action":"close"
              },
              "RuleId":271,
              "Time":1585836143
          }
          
  • If the DefenseType parameter is set to bot_wxbb, the value of the Content parameter contains the following parameters:
    • Version: the version of the rule. This parameter is required. Data type: integer.
    • Content: the details of the rule. This parameter is required. Data type: string. The value is a JSON string that contains the following parameters:
      • name: the name of the rule. This parameter is required. Data type: string.
      • uri: the URL path that requires protection. The path must start with a forward slash (/). This parameter is required. Data type: string.
      • matchType: the matching method. This parameter is required. Data type: string. Valid values: all (exact match), prefix (prefix match), regex (regular expression match).
      • arg: the included parameters. This parameter specifies a URL path in combination with the matchType parameter. This parameter is required. Data type: string.
      • action: the action that is performed after the rule is matched. This parameter is required. Data type: string. Valid values:
        • test: monitors requests.
        • close: blocks requests.
      • wxbbVmpFieldType: the type of the signature field. This parameter is optional. Data type: integer. If no custom signature fields are added to the rule, this parameter is not returned. Valid values:
        • 0: header
        • 1: parameter
        • 2: cookie
      • wxbbVmpFieldValue: the value of the signature field. This parameter is optional. Data type: string. If no custom signature fields are added to the rule, this parameter is not returned.
      • blockInvalidSign: specifies whether to take actions on an invalid signature. This parameter is required. Data type: Boolean.
      • blockProxy: specifies whether to take actions on a proxy. This parameter is required. Data type: Boolean.
      • blockSimulator: specifies whether to take actions on a simulator. This parameter is required. Data type: Boolean.
    • RuleId: the ID of the rule. This parameter is required. Data type: integer.
    • Time: the UNIX timestamp of when the rule was last modified. Unit: seconds. This parameter is required. Data type: string.
    • Example
      
          {
              "Version":6,
              "Content":{
                  "blockInvalidSign":true,
                  "wxbbVmpFieldValue":"test",
                  "blockSimulator":true,
                  "matchType":"all",
                  "arg":"test",
                  "name":"test",
                  "action":"close",
                  "blockProxy":true,
                  "uri":"/index",
                  "wxbbVmpFieldType":1
              },
              "RuleId":2585,
              "Time":1586241849
          }
          
  • If the DefenseType parameter is set to ac_blacklist, the value of the Content parameter contains the following parameters:
    • empty: specifies whether the blacklist is empty. This parameter is required. Data type: Boolean.
    • remoteAddr: the IP addresses in the blacklist. This parameter is required. Data type: array.
    • area: the region blocking rule, which is formulated in a JSON string that contains the countryCodes, regionCodes, and not parameters. (The not parameter specifies whether to allow access.) This parameter is required. Data type: string. The blocked countries and regions are returned as codes. We recommend that you go to the console to view the blocked countries and regions.
    • Example
      
          {
              "empty":false,
              "remoteAddr":["1.XX.XX.1","12.XX.XX.2"]
          }
          
  • If the DefenseType parameter is set to ac_highfreq, the value of the Content parameter contains the following parameters:
    • interval: the interval of detection. This parameter is required. Data type: integer. Valid values: 5 to 1800. Unit: seconds.
    • ttl: the period during which an IP address is blocked. Data type: integer. Valid values: 60 to 86400. Unit: seconds.
    • count: the threshold for the number of web attacks initiated from an IP address. If the number of attacks initiated from an IP address during the specified period is greater than the threshold, the IP address is blocked. This parameter is required. Data type: integer. Valid values: 2 to 50000.
    • Example
      
          {
          	"interval":60,
          	"ttl":300,
          	"count":60
           }
          
  • If the DefenseType parameter is set to ac_dirscan, the value of the Content parameter contains the following parameters:
    • interval: the interval of detection. This parameter is required. Data type: integer. Valid values: 5 to 1800. Unit: seconds.
    • ttl: the period during which an IP address is blocked. This parameter is required. Data type: integer. Unit: seconds.
    • count: the maximum number of requests allowed from an IP address. This parameter is required. Data type: integer. Valid values: 2 to 50000.
    • weight: the proportion of requests with HTTP 404 status codes to all requests. This parameter is required. Data type: float. Valid values: (0,1].
    • uriNum: the maximum number of paths that can be scanned. This parameter is required. Data type: integer. Valid values: 2 to 50000.
    • Example
      
          {
          	"interval":10,
          	"ttl":1800,
          	"count":50,
          	"weight":0.7,
              "uriNum":20 
          }
          
  • If the DefenseType parameter is set to ac_custom, the value of the Content parameter varies based on the scene parameter.
    • If the scene parameter is set to custom_acl to configure an ACL rule, the value of the Content parameter contains the following parameters:
      • name: the name of the rule. This parameter is required. Data type: string.
      • scene: the type of the protection policy. This parameter is required. Data type: string. If an ACL rule is configured, the value of this parameter is fixed as custom_acl.
      • action: the action that is performed after the rule is matched. This parameter is required. Data type: string. Valid values:
        • monitor: monitors requests.
        • captcha: performs slider CAPTCHA verification.
        • captcha_strict: performs strict slider CAPTCHA verification.
        • js: performs JavaScript verification.
        • block: blocks requests.
      • conditions: the matching condition. This parameter is required. Data type: array. The value is a JSON string that contains the following parameters:
        • key: the matching item. Valid values: URL, IP, Referer, User-Agent, Params, Cookie, Content-Type, Content-Length, X-Forwarded-For, Post-Body, Http-Method, Header, and URLPath.
        • opCode: the logical relation. Valid values:
          • 11: equals
          • 10: does not equal
          • 41: equals one of multiple values
          • 50: does not equal any value
          • 1: includes
          • 0: does not include
          • 51: includes one of multiple values
          • 52: does not include any value
          • 82: exists
          • 2: does not exist
          • 21: length equal to
          • 22: length greater than
          • 20: length less than
          • 60: does not match a regular expression
          • 61: matches a regular expression
          • 72: matches a prefix
          • 81: matches a suffix
          • 80: empty content
        • values: the matching value. You can specify this parameter based on your business requirements. Data type: string.
        • contain: the logical relation. The valid values of this parameter are the same as those of the opCode parameter.
        • opValue: the description of the abbreviated logical relation. For more information, see the description of the opCode parameter.
        • pattern: the description of the abbreviated logical relation. The valid values of this parameter are the same as those of the opValue parameter.
      • expressions: the conditional expression of the rule. The expression represents all the conditions of the rule. This parameter is required. Data type: array.
      • Example
        
                {
                    "name":"test2",
                    "action":"monitor",
                    "conditions":[{"contain":1,"values":"login","pattern":"contain","opCode":1,"opValue":"contain","key":"URL"}],
                    "expressions":["request_uri contains 'login' "],
                    "scene":"custom_acl"
                }
                
    • If the scene parameter is set to custom_cc to configure an HTTP flood protection rule, the value of the Content parameter contains the following parameters:
      • name: the name of the rule. This parameter is required. Data type: string.
      • scene: the type of the protection policy. This parameter is required. Data type: string. If an HTTP flood protection rule is configured, the value of this parameter is fixed as custom_cc.
      • conditions: the matching condition. This parameter is required. Data type: array. The value is a JSON string that contains the following parameters:
        • key: the matching item. Valid values: URL, IP, Referer, User-Agent, Params, Cookie, Content-Type, Content-Length, X-Forwarded-For, Post-Body, Http-Method, Header, and URLPath.
        • opCode: the logical relation. Valid values:
          • 11: equals
          • 10: does not equal
          • 41: equals one of multiple values
          • 50: does not equal any value
          • 1: includes
          • 0: does not include
          • 51: includes one of multiple values
          • 52: does not include any value
          • 82: exists
          • 2: does not exist
          • 21: length equal to
          • 22: length greater than
          • 20: length less than
          • 60: does not match a regular expression
          • 61: matches a regular expression
          • 72: matches a prefix
          • 81: matches a suffix
          • 80: empty content
        • values: the matching value. You can specify this parameter based on your business requirements. Data type: string.
        • contain: the logical relation. The valid values of this parameter are the same as those of the opCode parameter.
        • opValue: the description of the abbreviated logical relation. For more information, see the description of the opCode parameter.
        • pattern: the description of the abbreviated logical relation. The valid values of this parameter are the same as those of the opValue parameter.
      • expressions: the conditional expression of the rule. The expression represents all the conditions of the rule. This parameter is required. Data type: array.
      • action: the action that is performed after the rule is matched. This parameter is required. Data type: string. Valid values:
        • monitor: monitors requests.
        • captcha: performs slider CAPTCHA verification.
        • captcha_strict: performs strict slider CAPTCHA verification.
        • js: performs JavaScript verification.
        • block: blocks requests.
      • ratelimit: the maximum rate of requests from an object. This parameter is required. Data type: JSON string. The value is a JSON string that contains the following parameters:
        • target: the type of the object from which the request rate is measured. This parameter is required. Data type: string. Valid values:
          • remote_addr: IP addresses.
          • cookie.acw_tc: sessions.
          • queryarg: custom parameters. If you choose to use custom parameters, you must specify the name of the custom parameter in the subkey parameter.
          • cookie: custom cookies. If you choose to use custom cookies, you must specify the cookie content in the subkey parameter.
          • header: custom headers. If you choose to use custom headers, you must specify the header content in the subkey parameter.
        • subkey: This parameter is required only when the target parameter is set to cookie, header, or queryarg. The subkey parameter is optional. Data type: string.
        • interval: the period for measuring the number of requests from the specified object. This parameter must be used together with the threshold parameter. This parameter is required. Data type: integer. Unit: seconds.
        • threshold: the maximum number of requests that are allowed from an individual object during the specified period. This parameter is required. Data type: integer.
        • status: the frequency of an HTTP status code. This parameter is optional. Data type: JSON string. The value is a JSON string that contains the following parameters:
          • code: the HTTP status code. This parameter is required. Data type: integer.
          • count: the threshold for the number of times that the specified HTTP status code is returned. The threshold is used to determine whether a rule is matched. If an actual number is greater than the threshold, the rule specified by the name parameter is matched. This parameter is optional. Data type: integer. Valid values: 1 to 999999999. You can set the count or ratio parameter. You cannot set both parameters at the same time.
          • ratio: the threshold for the percentage of times that the specified HTTP status code is returned. The threshold is used to determine whether a rule is matched. If an actual percentage is greater than the threshold, the rule specified by the name parameter is matched. This parameter is optional. Data type: integer. Valid values: 1 to 100. You can set the count or ratio parameter. You cannot set both parameters at the same time.
        • scope: the scope in which the settings take effect. This parameter is required. Data type: string. Valid values:
          • rule: the objects that match the specified conditions
          • domain: the domain names to which the rule is applied
        • ttl: the period during which the specified action is performed. This parameter is required. Data type: integer. Valid values: 60 to 86400. Unit: seconds.
        • Example
          
                  {
                      "name":"HTTP flood protection rule",
                      "conditions":[{"contain":1,"values":"login","pattern":"contain","opCode":1,"opValue":"contain","key":"URL"}],
                      "expressions":["request_uri contains 'login' "],
                      "action":"block", 
                      "scene":"custom_cc",  
                      "ratelimit":{
                          "target": "remote_addr", 
                          "interval": 300,
                          "threshold": 2000,
                          "status": {
                              "code": 404,
                              "count": 200
                          },
                          "scope": "rule",
                          "ttl": 1800
                      }
                  }
                  
  • If the DefenseType parameter is set to whitelist, the value of the Content parameter contains the following parameters:
    • name: the name of the rule. This parameter is required. Data type: string.
    • tags: the protection module that skips detection. You can specify multiple modules. This parameter is required. Data type: array. Valid values:
      • waf: website whitelist
      • cc: HTTP flood protection
      • customrule: custom protection policy
      • blacklist: IP address blacklist
      • antiscan: scan protection
      • regular: protection rules engine
      • deeplearning: deep learning engine
      • antifraud: data risk control
      • dlp: data leak prevention
      • tamperproof: website tamper-proofing
      • bot_intelligence: bot threat intelligence
      • bot_algorithm: intelligent algorithm
      • bot_wxbb: app protection
    • bypassTags: the protection module that does not detect requests. This parameter is required. Data type: string.
    • origin: the source of the whitelist rule. This parameter is optional. Data type: string. The value is fixed as ai, which indicates that the whitelist rules are automatically added by the intelligent rule hosting feature. If the parameter is not returned, the whitelist rules include the rules that you manually added and the rules that are automatically added by the intelligent rule hosting feature.
    • conditions: the matching condition. This parameter is required. Data type: array. The value is a JSON string that contains the following parameters:
      • key: the matching item. Valid values: URL, IP, Referer, User-Agent, Params, Cookie, Content-Type, Content-Length, X-Forwarded-For, Post-Body, Http-Method, Header, and URLPath.
      • opCode: the logical relation. Valid values:
        • 11: equals
        • 10: does not equal
        • 41: equals one of multiple values
        • 50: does not equal any value
        • 1: includes
        • 0: does not include
        • 51: includes one of multiple values
        • 52: does not include any value
        • 82: exists
        • 2: does not exist
        • 21: length equal to
        • 22: length greater than
        • 20: length less than
        • 60: does not match a regular expression
        • 61: matches a regular expression
        • 72: matches a prefix
        • 81: matches a suffix
        • 80: empty content
      • values: the matching value. You can specify this parameter based on your business requirements. Data type: string.
      • contain: the logical relation. The valid values of this parameter are the same as those of the opCode parameter.
      • opValue: the description of the abbreviated logical relation. For more information, see the description of the opCode parameter.
      • pattern: the description of the abbreviated logical relation. The valid values of this parameter are the same as those of the opValue parameter.
    • expressions: the conditional expression of the rule. The expression represents all the conditions of the rule. This parameter is required. Data type: array.
    • Example
      
          {
              "name": "test",
              "tags": ["cc","customrule"],
              "bypassTags":"antifraud,dlp,tamperproof", 
              "conditions":[{"contain":1,"values":"login","pattern":"contain","opCode":1,"opValue":"contain","key":"URL"}],
              "expressions":["request_uri contains 'login' "]
         }
         

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeProtectionModuleRules
&InstanceId=waf_elasticity-cn-0xldbqt****
&Domain=www.example.com
&DefenseType=ac_highfreq
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<?xml version="1.0" encoding="UTF-8" ?>
<DescribeProtectionModuleRulesResponse>
	<TotalCount>1</TotalCount>
	<Rules>
		<Version>2</Version>
		<Status>1</Status>
		<Content>
			<count>60</count>
			<interval>60</interval>
			<ttl>300</ttl>
		</Content>
		<RuleId>42755</RuleId>
		<Time>1570700044</Time>
	</Rules>
	<RequestId>D7861F61-5B61-46CE-A47C-6B19160D5EB0</RequestId>
</DescribeProtectionModuleRulesResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "TotalCount" : 1,
  "Rules" : [ {
    "Version" : 2,
    "Status" : 1,
    "Content" : {
      "count" : 60,
      "interval" : 60,
      "ttl" : 300
    },
    "RuleId" : 42755,
    "Time" : 1570700044
  } ],
  "RequestId" : "D7861F61-5B61-46CE-A47C-6B19160D5EB0"
}

Error codes

For a list of error codes, visit the API Error Center.