This topic describes best practices for using RegEx Protection Engine provided by Web Application Firewall (WAF).

Scenario

WAF protects your website against web attacks, such as SQL injection, XSS attacks, remote code execution, and webshell attacks. For more information about web attacks, see Definitions of common web vulnerabilities.

Note WAF cannot defend against server intrusion caused by host security issues, such as unauthorized access to ApsaraDB for Redis or ApsaraDB RDS for MySQL.

Protection policies

By default, RegEx Protection Engine is enabled and Protection Rule Group is set to Medium rule group after you add your website configurations to WAF. This blocks common attacks. To view the settings, go to the Website Protection page and view the RegEx Protection Engine settings. For more information about how to configure RegEx Protection Engine, see Configure RegEx Protection Engine.
(Figure: Web application protection)
Protection status description
  • Status: Turn on or off the switch to enable or disable the RegEx Protection Engine function. This function is enabled by default.
  • Mode: Specify the actions that you want WAF to take on attack requests when the attack requests are detected. Valid values:
    • Block: WAF automatically blocks attack requests and logs attacks in the backend.
    • Warn: WAF does not block attack requests but logs attacks in the backend.
  • Protection Rule Group: Specify a set of protection rules that you can apply. Valid values:
    • Medium rule group: blocks common web application attacks in a standard way, including attacks that attempt to bypass protection policies.
    • Strict rule group: blocks web application attacks in a strict way, including attacks that attempt to bypass complex protection policies.
    • Loose rule group: blocks common web application attacks.
    Note These settings take effect only when you enable RegEx Protection Engine.

    If you are using WAF Business or Enterprise in mainland China or WAF Enterprise in regions outside mainland China, you can customize protection rule groups. The custom rule groups combine all protection rules provided by WAF and provide specific protection policies for your website. For more information, see Customize protection rule groups.

Recommended configurations
  • If you are unsure about the characteristics of your business traffic, we recommend that you set Mode to Warn. After one or two weeks, analyze the attack logs generated in this mode.
    • If the attack logs show that normal traffic is not blocked, you can set Mode to Block.
    • If the attack logs show that normal traffic is blocked, you can contact an Alibaba Cloud security expert to resolve the issue.
  • If you add phpMyAdmin and development technology forums to WAF for protection, WAF may block normal requests. If this occurs, we recommend that you contact an Alibaba Cloud security expert to resolve this issue.
  • You need to pay attention to the following issues:
    • Do not pass original SQL statements or JavaScript code in the HTTP requests of your normal business.
    • Do not use special keywords (such as UPDATE and SET) in the path or parameter names of normal business URLs, such as www.example.com/abc/update/mod.php?set=1.
    • Do not upload files that exceed 50 MB by using a browser. We recommend that you upload the files by using OSS or other methods. For more information about how to use OSS, see Get started with Object Storage Service.
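To check your own application's request patterns against these three pitfalls before you switch Mode from Warn to Block, the following Python helper is an added example; it is not part of the original page or of WAF itself. The keywords beyond UPDATE and SET, the two regular expressions and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Keywords that trip SQL-oriented signatures when used as a path segment or
# parameter name. UPDATE and SET come from the page; the others are assumptions.
KEYWORDS = {"update", "set", "select", "insert", "delete", "union", "drop"}
# Heuristics for a raw SQL statement or JavaScript inside a parameter value.
SQL_FRAGMENT = re.compile(
    r"\b(select|union|insert|update|delete)\b.*\b(from|into|set|where)\b", re.I)
JS_FRAGMENT = re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.I)
MAX_UPLOAD = 50 * 1024 * 1024  # 50 MB browser-upload limit stated on the page

def lint_request(method, url, content_length=0):
    """Return the reasons a legitimate request risks matching a WAF rule."""
    reasons = []
    parts = urlsplit(url)
    for seg in unquote(parts.path).split("/"):
        if seg.lower() in KEYWORDS:
            reasons.append(f"path segment '{seg}' is a SQL keyword")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in KEYWORDS:
            reasons.append(f"parameter name '{key}' is a SQL keyword")
        if SQL_FRAGMENT.search(value):
            reasons.append(f"parameter '{key}' carries a raw SQL statement")
        if JS_FRAGMENT.search(value):
            reasons.append(f"parameter '{key}' carries JavaScript")
    if method.upper() in ("POST", "PUT") and content_length > MAX_UPLOAD:
        reasons.append("upload body exceeds 50 MB; use OSS instead")
    return reasons

# Constructed sample requests (not captured traffic); sizes are body bytes.
SAMPLES = [
    ("GET", "http://www.example.com/abc/update/mod.php?set=1", 0),
    ("GET", "http://www.example.com/report?q=SELECT+*+FROM+users+WHERE+id%3D1", 0),
    ("GET", "http://www.example.com/page?cb=%3Cscript%3Evar+x%3D1%3C/script%3E", 0),
    ("POST", "http://www.example.com/upload", 80 * 1024 * 1024),
    ("GET", "http://www.example.com/products?id=42", 0),
]

def lint_all(samples=SAMPLES):
    """Map each sample URL to its list of findings (empty list means clean)."""
    return {url: lint_request(method, url, size) for method, url, size in samples}

if __name__ == "__main__":
    for url, findings in lint_all().items():
        print(url, "->", findings or ["ok"])
```

Run it over your real route table or a day of access logs (method, URL, Content-Length) to find the URLs worth reviewing before enabling Block mode.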

Protection effects

After you enable RegEx Protection Engine, you can view its protection records. To view the records, click Security report. On the page that appears, click Web Security and view the report on the Web Intrusion Prevention tab. For more information, see View security reports.
(Figure: Attack protection reports)
Web Intrusion Prevention displays attack records in the last 30 days. The section below the report shows the attack records. You can select Regular Protection, find an attack record, and click View details to query the attack details. The following figure shows an SQL injection request that is blocked by WAF.
(Figure: Attack details)
Note If you find that WAF blocks normal traffic, we recommend that you use the Whitelisting Rules function to configure a whitelist for the blocked URLs and then contact an Alibaba Cloud security expert to find a solution. For more information about how to configure a whitelist, see Configure the web intrusion prevention whitelist.

Rule updates

WAF updates protection rules and releases protection bulletins in a timely manner to fix known and zero-day vulnerabilities. To query Rule updates notice, go to the Product Information page. For more information, see View product information.
(Figure: Rule updates)
Note Web attacks typically have more than one proof of concept (POC). Alibaba Cloud security experts conduct a thorough analysis of vulnerability principles to ensure that published web protection rules cover all disclosed and undisclosed vulnerabilities.