Queries the information about rules configured in a specified Web Application Firewall (WAF) protection module. WAF protection modules include web intrusion prevention, data security, bot management, access control or throttling, and website whitelist.

You can specify the protection module by setting the DefenseType parameter. For more information about the values of this parameter, see the description of DefenseType.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeProtectionModuleRules

The operation that you want to perform. Set the value to DescribeProtectionModuleRules.

DefenseType String Yes ac_highfreq

The protection module. Valid values:

  • waf-codec: RegEx protection engine
  • tamperproof: website tamper-proofing
  • dlp: data leak prevention
  • account: account security
  • bot_crawler: legitimate crawlers
  • bot_intelligence: bot threat intelligence
  • antifraud: data risk control
  • antifraud_js: insertion of JavaScript plug-ins for data risk control
  • bot_algorithm: intelligent algorithm
  • bot_wxbb_pkg: version protection rules for app protection
  • bot_wxbb: URL protection rules for app protection
  • ac_blacklist: IP address blacklist rules
  • ac_highfreq: IP blocking for high-frequency web attacks
  • block_dirscan: directory traversal protection
  • ac_custom: custom protection policies
  • whitelist: whitelist rules
InstanceId String Yes waf_elasticity-cn-0xldbqt****

The ID of the WAF instance.

Note You can query the ID by calling DescribeInstanceInfo.
PageSize Integer No 10

The number of entries to return on each page.

PageNumber Integer No 1

The number of the page to return. Pages start from page 1.

Domain String No www.example.com

The domain name that is added to WAF.

Note This parameter must be specified when DefenseType is set to a value other than account.
Query String No e2ZpbHRlcjp7InJ1bGVJZCI6NDI3NTV9LG9yZGVyQnk6ImdtdF9tb2RpZmllZCIsZGVzYzp0cnVlfQ==

Note The value of the Query parameter must be Base64-encoded.

Specifies how rules are filtered and ordered in a JSON string that contains the following parameters:
  • filter: optional. The filter conditions. Data type: JSON string. Specify this request parameter in a JSON string that contains the following parameters:
    • nameId: optional. This parameter queries rules whose IDs are the same as the value of this parameter or whose names contain the parameter value. Data type: string.
    • scene: optional. This parameter specifies the protection module. The valid values of this parameter are the same as those of the DefenseType parameter. Data type: string.
    • enabled: optional. This parameter specifies whether the rule is enabled. Data type: Boolean. Valid values:
      • false: disabled
      • true: enabled
    • status: optional. This parameter specifies the rule status. The description of this parameter is the same as that of the enabled parameter. Data type: integer. Valid values:
      • 0: disabled
      • 1: enabled
    • ruleId: optional. This parameter specifies the ID of the rule. Data type: integer.
    • ruleIdList: optional. This parameter specifies the list of rule IDs. Separate multiple rule IDs with commas (,). Data type: array.
    • sceneList: optional. This parameter specifies the list of protection modules. The valid values of this parameter are the same as those of the DefenseType parameter. Data type: array.
    • originList: optional. This parameter specifies the source of the rule. Valid values: system (automatically generated by the system) and custom (customized by the user). Separate multiple rule sources with commas (,). Data type: array.
    • tag: optional. If you set DefenseType to whitelist, you can set this parameter to query whitelist rules for specified modules on which the detection can be skipped. Data type: string. For more information about tag, see the descriptions of whitelist rules in the response parameters.
    • category: optional. If you set DefenseType to whitelist, you can set this parameter to query whitelists of a specified category. Valid values:
      • waf: website whitelist
      • ws: web intrusion protection whitelist
      • ac: access control or throttling whitelist
      • ds: data security whitelist
  • orderBy: optional. The order of rules. Data type: string. Valid values:
    • action: the action that is taken after the rule is ordered. This parameter is valid only when you query custom protection policies.
    • gmt_modified: the last time when the rule was modified. This is the default value.
    • name: the name of the rule.
    • status: the status of the rule.
  • desc: optional. This parameter specifies whether the rules are arranged in descending order. Data type: Boolean. Valid values:
    • false: ascending order.
    • true: descending order. This is the default value.
Lang String No zh

The natural language in which the rule name is displayed. Valid values:

  • zh: Chinese
  • en: English
  • ja: Japanese
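
The following sketch builds and inspects the Query value described above. It is an added example, not part of the original reference or of any SDK. It assumes the service accepts standard JSON with quoted keys, whereas the sample value in the table decodes to text with unquoted top-level keys. build_query and decode_query are hypothetical helper names.

```python
import base64
import json

# Allowed names, copied from the Query parameter description above.
FILTER_KEYS = {"nameId", "scene", "enabled", "status", "ruleId", "ruleIdList",
               "sceneList", "originList", "tag", "category"}
ORDER_BY = {"action", "gmt_modified", "name", "status"}
CATEGORIES = {"waf", "ws", "ac", "ds"}

# The Example value shown for Query in the request parameter table.
PAGE_SAMPLE_QUERY = ("e2ZpbHRlcjp7InJ1bGVJZCI6NDI3NTV9LG9yZGVyQnk6"
                     "ImdtdF9tb2RpZmllZCIsZGVzYzp0cnVlfQ==")


def build_query(defense_type, flt=None, order_by="gmt_modified", desc=True):
    """Validate the filter and ordering options, then return the Base64 value.

    Assumption: strict JSON (quoted keys, compact separators) is accepted.
    """
    flt = dict(flt or {})
    unknown = set(flt) - FILTER_KEYS
    if unknown:
        raise ValueError(f"unknown filter keys: {sorted(unknown)}")
    if order_by not in ORDER_BY:
        raise ValueError(f"orderBy must be one of {sorted(ORDER_BY)}")
    # "action" ordering is documented only for custom protection policies.
    if order_by == "action" and defense_type != "ac_custom":
        raise ValueError("orderBy=action requires DefenseType ac_custom")
    # tag and category are documented only for whitelist queries.
    if defense_type != "whitelist" and {"tag", "category"} & set(flt):
        raise ValueError("tag/category require DefenseType whitelist")
    if "category" in flt and flt["category"] not in CATEGORIES:
        raise ValueError(f"category must be one of {sorted(CATEGORIES)}")
    if "enabled" in flt and not isinstance(flt["enabled"], bool):
        raise ValueError("enabled must be a Boolean")
    if "status" in flt and flt["status"] not in (0, 1):
        raise ValueError("status must be 0 or 1")
    if not isinstance(desc, bool):
        raise ValueError("desc must be a Boolean")

    doc = {}
    if flt:
        doc["filter"] = flt
    doc["orderBy"] = order_by
    doc["desc"] = desc
    raw = json.dumps(doc, separators=(",", ":"))
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_query(value):
    """Reverse the Base64 step so a logged or captured Query can be reviewed."""
    return base64.b64decode(value, validate=True).decode("utf-8")


if __name__ == "__main__":
    q = build_query("ac_highfreq", {"ruleId": 42755})
    print(q)
    print(decode_query(q))
    print(decode_query(PAGE_SAMPLE_QUERY))
```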

Response parameters

Parameter Type Example Description
RequestId String D7861F61-5B61-46CE-A47C-6B19160D5EB0

The ID of the request.

Rules Array

The configurations of the rules.

Content String {"count":60,"interval":60,"ttl":300}

The content of the rule. It is a JSON string that contains multiple parameters.

Note The parameters vary with the value of the DefenseType parameter. For more information, see the "Content parameters" section.
RuleId Long 42755

The ID of the rule.

Status Long 1

The status of the rule. Valid values:

  • 0: disabled
  • 1: enabled
Time Long 1570700044

The time when the rule was created. This value is a UNIX timestamp representing the number of seconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC.

Version Long 2

The data identifier in the system. The identifier is used to control optimistic locking.

TotalCount Integer 1

The total number of entries returned.
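
The following sketch audits a response for the ac_highfreq module: it decodes each rule's Content JSON string, converts Time to UTC, and flags rules that are disabled or whose interval, ttl or count fall outside the ranges given under "Content parameters". It is an added example, not part of the original reference. The response body is constructed from the example values in the table above plus one invented rule (RuleId 42756), and parse_rules and audit_highfreq are hypothetical helper names.

```python
import json
from datetime import datetime, timezone

# Inclusive ranges documented for ac_highfreq Content fields.
HIGHFREQ_RANGES = {"interval": (5, 1800), "ttl": (60, 86400), "count": (2, 50000)}

# Constructed sample response. The first rule uses the example values from the
# response parameter table; the second rule is invented for illustration.
SAMPLE_RESPONSE = json.dumps({
    "RequestId": "D7861F61-5B61-46CE-A47C-6B19160D5EB0",
    "TotalCount": 2,
    "Rules": [
        {"RuleId": 42755, "Status": 1, "Time": 1570700044, "Version": 2,
         "Content": "{\"count\":60,\"interval\":60,\"ttl\":300}"},
        {"RuleId": 42756, "Status": 0, "Time": 1570700044, "Version": 1,
         "Content": "{\"count\":1,\"interval\":60}"},
    ],
})


def parse_rules(response_text):
    """Return the rules with Content decoded and Time as an ISO 8601 UTC string."""
    body = json.loads(response_text)
    rules = []
    for rule in body.get("Rules", []):
        content = rule.get("Content", "{}")
        if isinstance(content, str):  # Content is documented as a JSON string
            content = json.loads(content)
        created = datetime.fromtimestamp(rule["Time"], tz=timezone.utc)
        rules.append({
            "rule_id": rule["RuleId"],
            "enabled": rule["Status"] == 1,
            "created_utc": created.isoformat(),
            "version": rule["Version"],
            "content": content,
        })
    return rules


def audit_highfreq(rules):
    """Return (rule_id, field, problem) tuples for rules that need review."""
    findings = []
    for rule in rules:
        if not rule["enabled"]:
            findings.append((rule["rule_id"], "Status", "rule is disabled"))
        for field, (low, high) in HIGHFREQ_RANGES.items():
            value = rule["content"].get(field)
            if isinstance(value, bool) or not isinstance(value, int):
                findings.append((rule["rule_id"], field, "missing or not an integer"))
            elif not low <= value <= high:
                findings.append((rule["rule_id"], field,
                                 f"{value} outside {low}..{high}"))
    return findings


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RESPONSE)
    for finding in audit_highfreq(parsed):
        print(finding)
```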

Content parameters

  • If the DefenseType parameter is set to waf-codec, the value of the Content parameter contains the following parameters:
    • codecList: required. The enabled decoding settings. Data type: string.
    • Example
      
          {
              "codecList":["url","base64"]
          }
          
  • If the DefenseType parameter is set to tamperproof, the value of the Content parameter contains the following parameters:
    • uri: required. The URL that needs protection. Data type: string.
    • name: required. The name of the rule. Data type: string.
    • status: optional. The protection status of the rule. Data type: integer. Valid values:
      • 0: invalid. This is the default value.
      • 1: valid.
    • Example
      
          {
              "name":"example",
              "uri":"http://www.example.com/example",
              "status":1
          }
          
  • If the DefenseType parameter is set to dlp, the value of the Content parameter contains the following parameters:
    • name: required. The name of the rule. Data type: string.
    • conditions: required. The matching conditions, which are formulated in a JSON string. You can specify a maximum of two conditions. The two conditions must have the AND logical relation. Data type: array. The JSON string contains the following parameters:
      • key: the matching items. Valid values:
        • 0: URL
        • 10: sensitive information
        • 11: HTTP status code
      • operation: the matching logic. Set the value to 1, which indicates the INCLUDES logical relation.
      • value: the matching condition values, which are formulated in a JSON string. You can specify multiple values. The JSON string contains the following parameters:
        • v: This parameter is valid only when key is set to 0 or 11.
          • URL: If key is set to 0, the value of the v parameter is a URL.
          • HTTP status code: If key is set to 11, the valid values of the v parameter are 400, 401, 402, 403, 404, 405 to 499, 500, 501, 502, 503, 504, and 505 to 599.
        • k: This parameter is valid only when key is set to 10. Valid values:
          • 100: resident ID card numbers
          • 101: credit card numbers
          • 102: phone numbers
          • 103: default sensitive words
    • action: matching actions. Valid values:
      • 3: reports an alert.
      • 10: filters sensitive information. This action applies to only scenarios where key is set to 10.
      • 11: returns the built-in interception page of the system. This action applies to only scenarios where key is set to 11.
    • Example
      
        {
          "name":"example",
          "conditions":[{"key":11,"operation":1,"value":[{"v":401}]},{"key":"0","operation":1,"value":[{"v":"www.example.com"}]}],
          "action":3
        }
        
  • If the DefenseType parameter is set to ng_account, the value of the Content parameter contains the following parameters:
    • domain: required. The domain name that is protected. Data type: string.
    • method: required. The method of the requests that are detected. Valid values: POST, GET, PUT, and DELETE. Data type: string. You can specify multiple request methods. Separate them with commas (,).
    • url_path: required. The URL in the requests that are detected. The URL must start with a forward slash (/). Data type: string.
    • account_left: required. The parameter that specifies the account. Data type: string.
    • password_left: optional. The parameter that specifies the password. Data type: string.
    • action: required. The protection action. Data type: string. Valid values:
      • monitor: reports an alert for the request.
      • block: blocks the request.
    • Example
      
          {
              "domain":"www.example.com",
              "method":"GET,POST",
              "url_path":"/example",
              "account_left":"aaa",
              "action":"monitor"
          }
          
  • If the DefenseType parameter is set to bot_crawler, the value of the Content parameter contains the following parameters:
    • Status: required. The status of the rule. Data type: integer. Valid values:
      • 0: disabled
      • 1: enabled
    • Version: required. The version number of the rule. Data type: integer.
    • Content: required. The details of the rule. Data type: string. Specify this parameter in a JSON string that contains the following parameters:
      • name: required. The name of the rule. Data type: string.
      • conditions: optional. The condition for the protection URL. Data type: array. If the DefenseType parameter is set to bot_crawler, the value of the conditions parameter can only be empty, which indicates all URLs.
      • expressions: required. The regular expression that represents all matching conditions of the rules in a readable way. Data type: array.
      • bypassTags: required. The list of protection modules on which the detection can be skipped. Data type: string. If the DefenseType parameter is set to bot_crawler, the value of the bypassTags parameter can only be antibot, which indicates the bot management module.
      • tags: required. The protection module to which the rule belongs. Data type: array. If the DefenseType parameter is set to bot_crawler, the value of the tags parameter can only be ["antibot"], which indicates the bot management module.
    • RuleId: required. The ID of the rule. Data type: integer.
    • Time: required. The time when the rule was last modified. This value is a UNIX timestamp representing the number of seconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC. Data type: string.
    • Example
      
          {
              "Status":0,
              "Version":1,
              "Content":{
                  "name":"Baidu Spider whitelist",
                  "conditions":[],
                  "expressions":["remote_addr inl 'ioc.210d077a-cf34-49ad-a9b3-0aa48095c595' && uri =^ '/'"],
                  "bypassTags":"antibot",
                  "tags":["antibot"]
              },
              "RuleId":20384,
              "Time":1585818161
          }
          
  • If the DefenseType parameter is set to bot_intelligence, the value of the Content parameter contains the following parameters:
    • Status: required. The status of the rule. Data type: integer. Valid values:
      • 0: disabled
      • 1: enabled
    • Version: required. The version number of the rule. Data type: integer.
    • Content: required. The details of the rule. Data type: string. Specify this parameter in a JSON string that contains the following parameters:
      • name: required. The name of the rule. Data type: string.
      • action: required. The action performed after the rule is matched. Data type: string. Valid values:
        • monitor: monitors requests.
        • captcha: performs CAPTCHA verification.
        • captcha_strict: performs strict CAPTCHA verification.
        • JS: performs JavaScript verification.
        • block: blocks requests.
      • urlList: required. The protection URL. You can specify a maximum of 10 protection URLs. Data type: array. Specify this parameter in a JSON string that contains the following parameters:
        • mode: required. The matching method. Data type: string. This parameter specifies the protection URL in combination with the url parameter. Valid values: eq (exact match), prefix-match (prefix match), and regex (regular expression match).
        • url: required. The keyword for the URL, which must start with a forward slash (/). Data type: string.
      • keyType: required. The type of the intelligence database, including the IP database (IP) and fingerprint database (ua).
    • RuleId: required. The ID of the rule. Data type: integer.
    • Time: required. The time when the rule was last modified. This value is a UNIX timestamp representing the number of seconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC. Data type: string.
    • Example
      
          {
              "Status":1,
              "Version":1,
              "Content":{
                  "name":"IDC IP Address Library-Tencent Cloud",
                  "action":"captcha_strict",
                  "urlList":[{"mode":"prefix-match","url":"/indexa"},{"mode":"regex","url":"/"},{"mode":"eq","url":"/"}],
                  "keyType":"ip"
              },
              "RuleId":922777,
              "Time":1585907112
          }
          
  • If the DefenseType parameter is set to antifraud, the value of the Content parameter contains the following parameters:
    • uri: required. The request URL. Data type: string.
    • Example
      
          {
              "uri": "http://1.example.com/example"
          }
          
  • If the DefenseType parameter is set to antifraud_js, the value of the Content parameter contains the following parameters:
    • uri: required. The URL of the web page into which you want to insert JavaScript plug-ins for data risk control. Data type: string. The system inserts JavaScript plug-ins for data risk control into all web pages under the specified URL directory.
    • Example
      
          {
              "uri": "/example/example"
          }
          
  • If the DefenseType parameter is set to bot_algorithm, the value of the Content parameter contains the following parameters:
    • Status: required. The status of the rule. Data type: integer. Valid values:
      • 0: disabled
      • 1: enabled
    • Version: required. The version number of the rule. Data type: integer.
    • Content: required. The details of the rule. Data type: string. Specify this parameter in a JSON string that contains the following parameters:
      • name: required. The name of the rule. Data type: string.
      • timeInterval: required. The time period during which the request is detected. Valid values: 30, 60, 120, 300, and 600. Unit: seconds. Data type: integer.
      • action: required. The action performed after the rule is matched. Data type: string. Valid values:
        • monitor: monitors requests.
        • captcha: performs CAPTCHA verification.
        • JS: performs JavaScript verification.
        • block: blocks requests. If you set the parameter to block, you must specify the blocktime parameter.
      • blocktime: optional. The block time. Unit: minutes. Data type: integer. Valid values: 1 to 600.
      • algorithmName: required. The name of the algorithm. Data type: string. Valid values:
        • RR: identification algorithm for specific resource crawlers
        • PR: identification algorithm for specific path crawlers
        • DPR: identification algorithm for parameter round-robin crawlers
        • SR: identification algorithm for dynamic IP address crawlers
        • IND: identification algorithm for proxy device crawlers
        • Periodicity: identification algorithm for periodical crawlers
      • config: required. The algorithm. Specify this parameter in a JSON string. Data type: string. The parameters that are contained in the JSON string vary with the value of the algorithmName parameter.
        • If you set algorithmName to RR, the configuration information contains the following parameters:
          • resourceType: optional. The type of the requested resources. Data type: integer. Valid values:
            • 1: dynamic resources.
            • 2: static resources.
            • -1: custom resources. In this case, you must also use the extensions parameter to specify resource suffixes in a string. Separate suffixes with commas (,), such as css,jpg,xls.
          • minRequestCountPerIp: required. The minimum number of requests from an IP address. If the number of requests from an IP address is greater than or equal to the value of this parameter, the system detects this IP address. Data type: integer. Valid values: 5 to 10000.
          • minRatio: required. The threshold for the proportion of requests that access specified types of resources to requests that are initiated from an IP address. This threshold is used to determine whether risks exist. If the proportion of such requests that access specified types of resources is greater than the threshold, risks exist. Valid values: 0.01 to 1.
        • If you set algorithmName to PR, the configuration information contains the following parameters:
          • keyPathConfiguration: optional. The requested URL. Data type: array. You can specify a maximum of 10 URLs. This parameter is valid only when the algorithmName parameter is set to PR. Specify this parameter in a JSON string that contains the following parameters:
            • method: required. The request method. Data type: string. Valid values: POST, GET, PUT, DELETE, HEAD, and OPTIONS.
            • url: required. The keyword for the requested URL, which must start with a forward slash (/). Data type: string.
            • matchType: required. The matching method. This parameter specifies the requested URL in combination with the url parameter. Valid values: all (exact match), prefix (prefix match), and regex (regular expression match).
          • minRequestCountPerIp: required. The minimum number of requests from an IP address. If the number of requests from an IP address is greater than or equal to the value of this parameter, the system detects this IP address. Data type: integer. Valid values: 5 to 10000.
          • minRatio: required. The threshold for the proportion of requests that access specified URLs to requests that are initiated from an IP address. This threshold is used to determine whether risks exist. If the proportion of the requests that access specified URLs is greater than the threshold, risks exist. The requests for access to specified URLs are identified by using the identification algorithm for specific path crawlers. Valid values: 0.01 to 1.
        • If you set algorithmName to DPR, the configuration information contains the following parameters:
          • method: required. The request method. Data type: string. Valid values: POST, GET, PUT, DELETE, HEAD, and OPTIONS.
          • urlPattern: required. The key parameter in the requested URL. This parameter must start with a forward slash (/). Data type: string. You can specify multiple key parameters. Enclose each parameter in braces ({}). Example: /company/{}/{}/{}/user.php?uid={}.
          • minRequestCountPerIp: required. The minimum number of requests from an IP address. If the number of requests from an IP address is greater than or equal to the value of this parameter, the system detects this IP address. Data type: integer. Valid values: 5 to 10000.
          • minRatio: required. The threshold for the proportion of requests that contain specified key parameters to requests that are initiated from an IP address. This threshold is used to determine whether risks exist. If the proportion of the requests that contain specified key parameters is greater than the threshold, risks exist. Data type: float. Valid values: 0.01 to 1.
        • If you set algorithmName to SR, the configuration information contains the following parameters:
          • maxRequestCountPerSrSession: required. The minimum number of requests in each session. If the number of requests in a single session is smaller than the value of this parameter, the session is considered abnormal. Data type: integer. Valid values: 1 to 8.
          • minSrSessionCountPerIp: required. The threshold for abnormal sessions in the requests that are initiated from an IP address. The threshold is used to determine whether risks exist. If the number of abnormal sessions in the requests that are initiated from an IP address is greater than the threshold, a risk exists. Data type: integer. Valid values: 5 to 300.
        • If you set algorithmName to IND, the configuration information contains the following parameters:
          • minIpCount: required. The threshold for the number of IP addresses that the device linked with Wi-Fi accesses. This parameter specifies the condition that is used to determine malicious devices. If the number of IP addresses exceeds the parameter value, a risk exists. Data type: integer. Valid values: 5 to 500.
          • keyPathConfiguration: optional. The URL configuration for the detection. You can specify a maximum of 10 URLs. Specify this parameter in a JSON string that contains the following parameters:
            • method: required. The request method. Data type: string. Valid values: POST, GET, PUT, DELETE, HEAD, and OPTIONS.
            • url: required. The keyword for the detection URL. The keyword must start with a forward slash (/). Data type: string.
            • matchType: required. The matching method. Data type: string. This parameter specifies the requested URL in combination with the url parameter. Valid values: all (exact match), prefix (prefix match), and regex (regular expression match).
        • If you set algorithmName to Periodicity, the configuration information contains the following parameters:
          • minRequestCountPerIp: required. The minimum number of requests from an IP address. If the number of requests from an IP address is greater than or equal to the value of this parameter, the system detects this IP address. Data type: integer. Valid values: 5 to 10000.
          • level: required. The risk level, namely, the extent of obviousness of periodical access from IP addresses. Data type: integer. Valid values:
            • 0: obvious
            • 1: moderate
            • 2: weak
    • RuleId: required. The ID of the rule. Data type: integer.
    • Time: required. The time when the rule was last modified. This value is a UNIX timestamp representing the number of seconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC. Data type: string.
    • Example
      
          {
              "Status":1,
              "Version":1,
              "Content":{
                  "name":"Dynamic IP address",
                  "timeInterval":60,
                  "action":"warn",
                  "algorithmName":"IND",
                  "config":{"minIpCount":5,"keyPathConfiguration":[{"method":"GET","matchType":"prefix","url":"/index"}]}
              },
              "RuleId":940180,
              "Time":1585832957
          }
          
  • If the DefenseType parameter is set to bot_wxbb_pkg, the value of the Content parameter contains the following parameters:
    • Version: required. The version number of the rule. Data type: integer.
    • Content: required. The details of the rule. Data type: string. Specify this parameter in a JSON string that contains the following parameters:
      • name: required. The name of the rule. Data type: string.
      • action: required. The action performed after the rule is matched. Data type: string. Valid values:
        • test: monitors requests.
        • block: blocks requests.
      • nameList: required. The information of the valid version. You can specify a maximum of five rules. Data type: array. Specify this parameter in a JSON string that contains the following parameters:
        • name: required. The name of the valid package. Data type: string.
        • signList: required. The signature for the package. You can specify a maximum of 15 signatures. Separate them with commas (,).
    • RuleId: required. The ID of the rule. Data type: integer.
    • Time: required. The time when the rule was last modified. This value is a UNIX timestamp representing the number of seconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC. Data type: string.
    • Example
      
          {
              "Version":0,
              "Content":{
                  "nameList":[{"signList":["xxxxxx","xxxxx","xxxx","xx"],"name":"apk-xxxx"}],
                  "name":"test",
                  "action":"close"
              },
              "RuleId":271,
              "Time":1585836143
          }
          
  • If the DefenseType parameter is set to bot_wxbb, the value of the Content parameter contains the following parameters:
    • Version: required. The version number of the rule. Data type: integer.
    • Content: required. The details of the rule. Data type: string. Specify this parameter in a JSON string that contains the following parameters:
      • name: required. The name of the rule. Data type: string.
      • uri: required. The protection URL, which must start with a forward slash (/). Data type: string.
      • matchType: required. The matching method. Data type: string. Valid values: all (exact match), prefix (prefix match), and regex (regular expression match).
      • arg: required. The inclusion of the parameter. This parameter specifies the protection URL in combination with the matchType parameter. Data type: string.
      • action: required. The action performed after the rule is matched. Data type: string. Valid values:
        • test: monitors requests.
        • block: blocks requests.
      • wxbbVmpFieldType: optional. The type of the signature field. Data type: integer. If the signature field is not customized in the rule, this parameter is not returned. Valid values:
        • 0: header
        • 1: parameter
        • 2: cookie
      • wxbbVmpFieldValue: optional. The value of the signature field. Data type: string. If the signature field is not customized in the rule, this parameter is not returned.
      • blockInvalidSign: required. This parameter specifies whether the system takes actions on an invalid signature. Data type: Boolean.
      • blockProxy: required. This parameter specifies whether the system takes actions on a proxy. Data type: Boolean.
      • blockSimulator: required. This parameter specifies whether the system takes actions on a simulator. Data type: Boolean.
    • RuleId: required. The ID of the rule. Data type: integer.
    • Time: required. The time when the rule was last modified. This value is a UNIX timestamp representing the number of seconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC. Data type: string.
    • Example
      
          {
              "Version":6,
              "Content":{
                  "blockInvalidSign":true,
                  "wxbbVmpFieldValue":"test",
                  "blockSimulator":true,
                  "matchType":"all",
                  "arg":"test",
                  "name":"test",
                  "action":"close",
                  "blockProxy":true,
                  "uri":"/index",
                  "wxbbVmpFieldType":1
              },
              "RuleId":2585,
              "Time":1586241849
          }
          
  • If the DefenseType parameter is set to ac_blacklist, the value of the Content parameter contains the following parameters:
    • empty: required. This parameter specifies whether the blacklist is empty. Data type: Boolean.
    • remoteAddr: required. The IP addresses in the blacklist. Data type: array.
    • area: required. The region blocking rule. Data type: string. Specify this parameter in a JSON string that contains country codes (countryCodes), region codes (regionCodes), and whether to allow the access (not). The blocked countries and regions are returned as codes. We recommend that you go to the console to view the blocked countries and regions.
    • Example
      
          {
              "empty":false,
              "remoteAddr":["1.1.1.1","12.11.1.2"]
          }
          
  • If the DefenseType parameter is set to ac_highfreq, the value of the Content parameter contains the following parameters:
    • interval: required. The time period during which the number of requests from an IP address is counted. Data type: integer. Valid values: [5,1800]. Unit: seconds.
    • ttl: required. The time period during which an IP address is blocked. Data type: integer. Valid values: 60 to 86400. Unit: seconds.
    • count: required. The maximum number of web attacks from an IP address. If the number of attacks initiated from an IP address during the specified time period exceeds the limit, the IP address is blocked. Data type: integer. Valid values: 2 to 50000.
    • Example
      
          {
              "interval":60,
              "ttl":300,
              "count":60
          }
          
  • If the DefenseType parameter is set to ac_dirscan, the value of the Content parameter contains the following parameters:
    • interval: required. The time period during which the number of requests from an IP address is counted. Data type: integer. Valid values: [5,1800]. Unit: seconds.
    • ttl: required. The time period during which an IP address is blocked. Unit: seconds. Data type: integer.
    • count: required. The threshold of access requests allowed from an IP address. Data type: integer. Valid values: [2,50000].
    • weight: required. The proportion of requests with 404 HTTP status codes to all requests. Data type: float. Valid values: (0,1]. Unit: seconds.
    • uriNum: required. The maximum number of directories that can be scanned. Data type: integer. Valid values: [2,50000].
    • Example
      
          {
              "interval":10,
              "ttl":1800,
              "count":50,
              "weight":0.7,
              "uriNum":20
          }
          
  • If the DefenseType parameter is set to ac_custom, you also need to specify the scene parameter in the Content parameter to configure an ACL rule and HTTP flood protection rule.
    • To modify an ACL rule, set scene to custom_acl and construct a JSON string that contains the following parameters:
      • name: required. The name of the rule. Data type: string.
      • scene: required. The type of the protection policy. Data type: string. If you modify an ACL rule, the value of this parameter can only be custom_acl.
      • action: required. The action performed after the rule is matched. Data type: string. Valid values:
        • monitor: monitors requests.
        • captcha: performs CAPTCHA verification.
        • captcha_strict: performs strict CAPTCHA verification.
        • js: performs JavaScript verification.
        • block: blocks requests.
      • conditions: required. The matching conditions. Data type: array. Specify this parameter in a JSON string that contains the following parameters:
        • key: the matching field. Valid values: URL, IP, Referer, User-Agent, Params, Cookie, Content-Type, Content-Length, X-Forwarded-For, Post-Body, Http-Method, Header, and URLPath.
        • opCode: the logical operator. Valid values:
          • 0: exclusion
          • 1: inclusion
          • 2: non-existence
          • 10: not equal to
          • 11: equal to
          • 20: length is less than
          • 21: length is equal to
          • 22: length is greater than
          • 30: value is less than
          • 31: value is equal to
          • 32: value is greater than
          • 40: does not belong to
          • 41: belongs to
        • values: the matching content. Set this parameter as needed. Data type: string.
        • contain: the logical operator. The valid values of this parameter are the same as those of the opCode parameter.
        • opValue: the description of the abbreviated logical operator. For more information, see the description of opCode.
        • pattern: the description of the abbreviated logical operator. The valid values of this parameter are the same as those of the opValue parameter.
      • expressions: required. The regular expression that represents all matching conditions of the rules in a readable way. Data type: array.
      • Example
        
                {
                    "name":"test2",
                    "action":"monitor",
                    "conditions":[{"contain":1,"values":"login","pattern":"contain","opCode":1,"opValue":"contain","key":"URL"}],
                    "expressions":["request_uri contains 'login' "],
                    "scene":"custom_acl"
                }
                
    • To configure the protection rule against HTTP flood attacks, set scene to custom_cc and construct a JSON string that contains the following parameters:
      • name: required. The name of the rule. Data type: string.
      • scene: required. The type of the protection policy. Data type: string. If you modify the protection rule against HTTP flood attacks, set the value to custom_cc.
      • conditions: required. The matching conditions. Data type: array. Specify this parameter in a JSON string that contains the following parameters:
        • key: the matching field. Valid values: URL, IP, Referer, User-Agent, Params, Cookie, Content-Type, Content-Length, X-Forwarded-For, Post-Body, Http-Method, Header, and URLPath.
        • opCode: the logical operator. Valid values:
          • 0: exclusion
          • 1: inclusion
          • 2: non-existence
          • 10: not equal to
          • 11: equal to
          • 20: length is less than
          • 21: length is equal to
          • 22: length is greater than
          • 30: value is less than
          • 31: value is equal to
          • 32: value is greater than
          • 40: does not belong to
          • 41: belongs to
        • values: the matching content. Set this parameter as needed. Data type: string.
        • contain: the logical operator. The valid values of this parameter are the same as those of the opCode parameter.
        • opValue: the description of the abbreviated logical operator. For more information, see the description of opCode.
        • pattern: the description of the abbreviated logical operator. The valid values of this parameter are the same as those of the opValue parameter.
      • expressions: required. The regular expression that represents all matching conditions of the rules in a readable way. Data type: array.
      • action: required. The action performed after the rule is matched. Data type: string. Valid values:
        • monitor: monitors requests.
        • captcha: performs CAPTCHA verification.
        • captcha_strict: performs strict CAPTCHA verification.
        • js: performs JavaScript verification.
        • block: blocks requests.
      • ratelimit: required. The maximum request rate from an object. Data type: JSON string. Specify the rate in a JSON string that contains the following parameters:
        • target: required. The type of the object whose request rate is calculated. Data type: string. Valid values:
          • remote_addr: IP addresses.
          • cookie.acw_tc: sessions.
          • queryarg: custom parameters. If you choose to use custom parameters, you must specify the name of the custom parameter in the subkey parameter.
          • cookie: custom cookies. If you choose to use custom cookies, you must specify the cookie content in the subkey parameter.
          • header: custom headers. If you choose to use custom headers, you must specify the header content in the subkey parameter.
        • subkey: optional. This parameter must be specified when target is set to cookie, header or queryarg. Data type: string.
        • interval: required. The time period during which the number of requests from the specified object is calculated. This parameter must be used together with the threshold parameter. Data type: integer. Unit: seconds.
        • threshold: required. The maximum number of requests that are allowed from an individual object during a specified time period. Data type: integer.
        • status: optional. The frequency of an HTTP status code. Data type: JSON string. Specify the frequency in a JSON string that contains the following parameters:
          • code: required. The specified HTTP status code. Data type: integer.
          • count: optional. The threshold for the number of the specified HTTP status codes. The threshold is used to determine whether the protection rule is hit. If the number of the HTTP status codes exceeds the threshold, the corresponding protection rule is hit. Data type: integer. Valid values: [1,999999999]. You can set the count or ratio parameter. You cannot set both parameters at the same time.
          • ratio: optional. The threshold for the percentage of the specified HTTP status codes. The threshold is used to determine whether the protection rule is hit. If the percentage of the HTTP status codes exceeds the threshold, the corresponding protection rule is hit. Data type: integer. Valid values: [1,100]. You can set the count or ratio parameter. You cannot set both parameters at the same time.
        • scope: required. This parameter specifies where the settings take effect. Data type: string. Valid values:
          • rule: objects that match the specified conditions
          • domain: domains where the rule is applied
        • ttl: required. The effective time period of the action. Data type: integer. Valid values: [60,86400]. Unit: seconds.
        • Example
          
                  {
                      "name":"Protection against HTTP flood attacks",
                      "conditions":[{"contain":1,"values":"login","pattern":"contain","opCode":1,"opValue":"contain","key":"URL"}],
                      "expressions":["request_uri contains 'login' "],
                      "action":"block", 
                      "scene":"custom_cc",  
                      "ratelimit":{
                          "target": "remote_addr", 
                          "interval": 300,
                          "threshold": 2000,
                          "status": {
                              "code": 404,
                              "count": 200
                          },
                          "scope": "rule",
                          "ttl": 1800
                      }
                  }
                  
  • If the DefenseType parameter is set to whitelist, the value of the Content parameter contains the following parameters:
    • name: required. The name of the rule. Data type: string.
    • tags: required. The protection modules on which the detection can be skipped. You can specify multiple modules. Valid values:
      • waf: website whitelist
      • cc: protection against HTTP flood attacks in the system
      • customrule: custom rules
      • blacklist: IP blacklist
      • antiscan: anti-scan
      • regular: web application protection
      • deeplearning: deep learning
      • antifraud: data risk control
      • dlp: data leak prevention
      • tamperproof: website tamper-proofing
      • bot_intelligence: bot threat intelligence
      • bot_algorithm: intelligent algorithm
      • bot_wxbb: app protection
    • bypassTags: required. The list of protection modules on which the detection can be skipped. Data type: string.
    • conditions: required. The matching conditions. Data type: array. Specify this parameter in a JSON string that contains the following parameters:
      • key: the matching field. Valid values: URL, IP, Referer, User-Agent, Params, Cookie, Content-Type, Content-Length, X-Forwarded-For, Post-Body, Http-Method, Header, and URLPath.
      • opCode: the logical operator. Valid values:
        • 0: exclusion
        • 1: inclusion
        • 2: non-existence
        • 10: not equal to
        • 11: equal to
        • 20: length is less than
        • 21: length is equal to
        • 22: length is greater than
        • 30: value is less than
        • 31: value is equal to
        • 32: value is greater than
        • 40: does not belong to
        • 41: belongs to
      • values: the matching content. Set this parameter as needed. Data type: string.
      • contain: the logical operator. The valid values of this parameter are the same as those of the opCode parameter.
      • opValue: the description of the abbreviated logical operator. For more information, see the description of opCode.
      • pattern: the description of the abbreviated logical operator. The valid values of this parameter are the same as those of the opValue parameter.
    • expressions: required. The regular expression that represents all matching conditions of the rules in a readable way. Data type: array.
    • Example
      
          {
              "name": "test",
              "tags": ["cc","customrule"],
              "bypassTags":"antifraud,dlp,tamperproof", 
              "conditions":[{"contain":1,"values":"login","pattern":"contain","opCode":1,"opValue":"contain","key":"URL"}],
              "expressions":["request_uri contains 'login' "]
          }
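
The ratelimit object described for custom_cc rules above has several interdependent constraints: subkey depends on target, count and ratio are mutually exclusive, and ttl has a fixed range. The following Python validator is an added example, not part of the WAF API or its SDKs; validate_ratelimit and is_int are hypothetical names, and it assumes the Content value has already been parsed from JSON into a dict.

```python
# Added example; function and variable names are illustrative and not part of
# the WAF API or any SDK. Constraints come from the custom_cc parameter list.
TARGETS = ("remote_addr", "cookie.acw_tc", "queryarg", "cookie", "header")
NEEDS_SUBKEY = ("queryarg", "cookie", "header")

def is_int(v, lo=None, hi=None):
    """True for an integer (bool excluded) inside the optional closed range."""
    ok = isinstance(v, int) and not isinstance(v, bool)
    return ok and (lo is None or v >= lo) and (hi is None or v <= hi)

def validate_ratelimit(rl):
    """Return the documented constraints that the ratelimit object violates."""
    if not isinstance(rl, dict):
        return ["ratelimit must be a JSON object"]
    errs = []
    target = rl.get("target")
    if target not in TARGETS:
        errs.append("target is not a valid value")
    elif target in NEEDS_SUBKEY and not rl.get("subkey"):
        errs.append(f"subkey is required when target is {target}")
    for field in ("interval", "threshold"):
        if not is_int(rl.get(field)):
            errs.append(f"{field} must be an integer")
    if rl.get("scope") not in ("rule", "domain"):
        errs.append("scope must be rule or domain")
    if not is_int(rl.get("ttl"), 60, 86400):
        errs.append("ttl must be an integer in [60,86400]")
    status = rl.get("status")
    if status is not None:
        if not isinstance(status, dict) or not is_int(status.get("code")):
            return errs + ["status.code is required and must be an integer"]
        if "count" in status and "ratio" in status:
            errs.append("status: set count or ratio, not both")
        if "count" in status and not is_int(status["count"], 1, 999999999):
            errs.append("status.count must be in [1,999999999]")
        if "ratio" in status and not is_int(status["ratio"], 1, 100):
            errs.append("status.ratio must be in [1,100]")
    return errs

# The ratelimit object from the custom_cc example above.
DOC_SAMPLE = {"target": "remote_addr", "interval": 300, "threshold": 2000,
              "status": {"code": 404, "count": 200}, "scope": "rule", "ttl": 1800}
# Constructed invalid input: no subkey, ttl below 60, both count and ratio set.
BAD_SAMPLE = {"target": "header", "interval": 60, "threshold": 100,
              "status": {"code": 403, "count": 10, "ratio": 50},
              "scope": "domain", "ttl": 30}

if __name__ == "__main__":
    print(validate_ratelimit(DOC_SAMPLE), validate_ratelimit(BAD_SAMPLE))
```

Running the same check over the Content of each returned rule flags stored rules that do not match the documented ranges.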
         

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeProtectionModuleRules
&InstanceId=waf_elasticity-cn-0xldbqt****
&Domain=www.example.com
&DefenseType=ac_highfreq
&<Common request parameters>

Sample success responses

XML format

<DescribeProtectionModuleRulesResponse>
      <TotalCount>1</TotalCount>
      <Rules>
            <Version>2</Version>
            <Status>1</Status>
            <Content>
                  <count>60</count>
                  <interval>60</interval>
                  <ttl>300</ttl>
            </Content>
            <RuleId>42755</RuleId>
            <Time>1570700044</Time>
      </Rules>
      <RequestId>D7861F61-5B61-46CE-A47C-6B19160D5EB0</RequestId>
</DescribeProtectionModuleRulesResponse>

JSON format

{
    "TotalCount": 1,
    "Rules": [
        {
            "Version": 2,
            "Status": 1,
            "Content": {
                "count": 60,
                "interval": 60,
                "ttl": 300
            },
            "RuleId": 42755,
            "Time": 1570700044
        }
    ],
    "RequestId": "D7861F61-5B61-46CE-A47C-6B19160D5EB0"
}

Error codes

For a list of error codes, visit the API Error Center.