The protection rules engine feature uses built-in rules and automatically protects websites against common web attacks, such as SQL injections, XSS attacks, webshell uploads, command injections, backdoor isolations, invalid file requests, path traversals, and vulnerability exploits.

Prerequisites

  • A WAF instance is purchased.
  • Your website is added to WAF. For more information, see Tutorials.

Background information

By default, the protection rules engine feature is enabled. After you add a website to Web Application Firewall (WAF), the feature protects the website.

The Alibaba Cloud security team accumulates a large number of basic protection rules to defend against web attacks. WAF uses these rules to protect your websites against common web attacks. You can specify a group of protection rules that are used by the protection rules engine feature based on your business requirements. WAF provides the following built-in protection rule groups based on the protection effects:
  • Medium rule group: By default, this rule group is selected.
  • Loose rule group: If you want to reduce the risk of blocking normal requests, we recommend that you select this rule group.
  • Strict rule group: If you want WAF to block attacks in a strict way, we recommend that you select this rule group.
You can also create custom protection rule groups. For more information, see Customize protection rule groups.

Intelligent rule hosting

By default, Intelligent Rule Hosting is enabled. The intelligent rule hosting feature helps reduce the risk of blocking normal requests by the protection rules engine feature.

The feature automatically learns the pattern of historical traffic of your website by using intelligent algorithms and automatically identifies the protection rules that are not suitable for specific services or interfaces based on Alibaba Cloud threat intelligence. These protection rules may block normal requests or cause false positives for specific services or interfaces. Then, the feature adds the identified protection rules to the whitelist for web intrusion prevention. This helps reduce the risk of blocking normal requests or causing false positives and ensure protection performance. For more information about the whitelist for web intrusion prevention, see Configure the whitelist for web intrusion prevention. After the risk of blocking normal requests or causing false positives is eliminated, the protection rules engine feature automatically deletes the rules that are automatically added to the whitelist.

Procedure

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, choose Protection Settings > Website Protection.
  3. In the upper part of the Website Protection page, select the domain name for which you want to configure a whitelist. Switch Domain Name
  4. Click the Web Security tab, find the Protection Rules Engine section. The following table describes the parameters. Protection Rules Engine
    ParameterDescription
    StatusThe switch that is used to enable or disable the protection rules engine feature. By default, the protection rules engine feature is enabled. The feature helps protect the websites that are added to WAF against common web attacks.

    To view the attacks blocked by the protection rules engine feature, navigate to Security Report and choose Web Security > Web Intrusion Prevention. If a normal request is blocked by a rule, find the rule and click Ignore False Positives in the Actions column. For more information, see View security reports on the Web Security tab.

    Ignore False Positives
    ModeThe action that you want to perform on requests when WAF detects attacks. Valid values:
    • Block: blocks requests.
    • Warn: triggers alerts but does not block requests.
    Intelligent Rule HostingThe switch that is used to enable or disable Intelligent Rule Hosting. By default, the intelligent rule hosting feature is enabled. The feature dynamically manages the whitelist for web intrusion prevention to reduce the risk of blocking normal requests.

    To view the number of rules that are automatically added to the whitelist, view A total of xxx rules are optimized in the Protection Rules Engine section. To view the rules, click Click to go to the Web Intrusion Prevention - Whitelisting page and set the rule source to Intelligent Rule Hosting. You can modify or delete the rules that are automatically added to the whitelist.

    After the risk is eliminated, the rules that are automatically added to the whitelist are deleted,
    Important
    • If you modify a rule that is automatically added to the whitelist, the rule is automatically deleted after the risk is eliminated.
    • The rules that you manually add to the whitelist are not automatically deleted after the risk is eliminated.
    Protection Rule GroupThe protection rule group that you want to use. WAF allows you to create custom rule groups and provides the following built-in rule groups:
    • Medium rule group: detects common web application attacks in a standard way. By default, this rule group is used.
    • Strict rule group: detects web application attacks, such as path traversals, SQL injections, and command injections, in a strict way.
    • Loose rule group: detects common web application attacks in a loose way. If a high false positive rate exists when you apply the medium rule group or a large amount of uncontrollable user input, such as rich text editors and technical forums, is involved in your business, we recommend that you select the loose rule group.

    You can click Settings to go to the Protection Rule Group page. On this page, you can create custom rule groups. Then, select rules based on your business requirements. For more information, see Customize protection rule groups.

    Decoding SettingsThe data formats that you want the protection rules engine feature to decode and analyze.

    By default, the protection rules engine feature decodes and analyzes the request data in all formats. This ensures protection performance. If the protection rules engine feature blocks normal requests that contain data in specific formats, you can clear the formats to reduce the false positive rate.

    You can select the format that you want to decode or clear the format that you do not want to decode in the Decode Settings drop-down list.
    Important You cannot clear the following formats: URL Decoding, JavaScript Unicode Decoding, Hex Decoding, Comment Processing, and Space Compression.
    Decoding Settings

Query protection rules

You can use the following methods to query the latest protection rules that are added for the protection rules engine feature and query all protection rules that are included in the protection rules engine feature:

  • Query the latest protection rules

    Log on to the Web Application Firewall console. Go to the Overview page, find the Vulnerabilities section, and then click items in the section to view the latest protection rules.

    The Vulnerabilities section displays the updated protection rules that are provided by WAF to help you handle the latest security vulnerabilities disclosed on the Internet.

    You can click a rule to open the Details of Emergency Vulnerability panel. The panel displays the domain names that are affected by the vulnerability, the details of the vulnerability, and the information about protection rules.

  • Query all protection rules

    Log on to the Web Application Firewall console. In the left-side navigation pane, choose System Management > Protection Rule Group and view all protection rules that are included in the protection rules engine feature.

    1. On the Web Application Protection tab, find Strict rule group and click the number in the Built-in Rule Number column.
      The strict rule group is a built-in rule group. The group contains all protection rules of the protection rules engine feature and cannot be modified.
      Note The number of protection rules of the protection rules engine feature dynamically changes. The number of protection rules that are displayed in the WAF console may be different from the number shown in the following figure.
      Strict rule group
    2. In the Built-in Rule Number panel, query the protection rules that you want to view.

      You can configure Risk Level, Protection Type, and Application Type to filter protection rules. You can also use Rule ID or CVEID to query a protection rule. You can obtain a rule ID on the Overview or Security Report page.

      Built-in Rule Number panel

      The rule list displays the following information: Risk Level/Rule name, Rule ID, Updated On, Application Type, CVE ID, Protection Type, and Description.

      You can click a CVE ID to view the details about the vulnerability.