Web Application Firewall (WAF) provides three built-in rule groups — Loose, Medium, and Strict — that cover most use cases. When a default rule group triggers false positives for your application (for example, a legacy CMS that conflicts with certain rules), create a custom rule group based on a default template and remove the rules that don't apply to your site.
Custom rule groups apply only to the Protection Rules Engine feature, also called Web Application Protection.
Prerequisites
Before you begin, make sure that you have:
A WAF instance using the subscription billing method
Chinese Mainland region: Business edition or higher
Outside Chinese Mainland region: Enterprise edition or higher
A website added to WAF. For more information, see Tutorial
Limits
| Limit | Details |
|---|---|
| Maximum custom rule groups | 10 (Web Application Protection feature) |
| Rule groups per website | Each website can have only one active rule group |
| Default rule groups | Cannot be edited or deleted |
| Supported feature | Custom rule groups apply only to the Protection Rules Engine (Web Application Protection) feature |
How it works
Each custom rule group starts from one of three default templates (Loose, Medium, or Strict). All rules from the selected template are included by default. You then remove the rules that don't apply to your site or that cause false positives, and save the result as a named rule group. The rule group is then applied to one or more websites.
The workflow has two steps:
Create a rule group — choose a template, remove unwanted rules, and optionally enable automatic updates.
Apply the rule group — assign the rule group to a website.
Create a rule group
Test a new rule group in a non-production environment before applying it to production websites. Rule changes can affect live traffic.
Log on to the WAF console. In the top navigation bar, select the resource group and the region (Chinese Mainland or Outside Chinese Mainland) where your WAF instance is deployed.
In the left-side navigation pane, choose Systems > Protection Rule Group. The Web Application Protection tab appears automatically. It lists both default rule groups and any custom rule groups you have created. Default rule groups (Loose, Medium, and Strict) cannot be edited or deleted. Click a value in the Built-in Rule Number column to view the rules included in each group.
Click Create Rule Group.
Each WAF instance supports a maximum of 10 custom rule groups for the Web Application Protection feature.
In the Specify rule information step, configure the following parameters.

| Parameter | Description |
|---|---|
| Rule Group Name | A name that identifies this rule group. Use a name that reflects its purpose, such as wordpress-loose or api-strict. |
| Rule Group Template | The baseline template: Strict rule group, Medium rule group, or Loose rule group. All rules from the selected template appear in the Selected Rules tab. |
| Description | (Optional) Free-text description of the rule group's purpose or scope. |
| Automatic Update | When enabled, rule updates pushed to the template are automatically applied to this custom group. If a custom rule group does not support automatic updates, create a new rule group to replace it. |
| Select Rule | Review the rules in the Selected Rules tab. Select rules that don't apply to your site or that cause false positives, then click Remove Selected Rules. |

Filtering rules
Use the filter or search bar to find rules to remove:
Enter a rule name or ID in the search box to locate a specific rule.
Risk level: High, Medium, or Low
Protection type: SQL Injection, Cross-site Script, Code Execution, Local File Inclusion, Remote File Inclusion, Webshell, or Others
Application type: Common, Wordpress, Dedecms, Discuz, Phpcms, Ecshop, Shopex, Drupal, Joomla, Metinfo, Struts2, Spring Boot, Jboss, Weblogic, Websphere, Tomcat, Elastic Search, Thinkphp, Fastjson, ImageMagick, PHPwind, phpMyAdmin, or Others

Click Next: Apply to Websites.
To apply the rule group now, select your website from Websites not Added to WAF and move it to Websites Added to WAF.
> Important: Each website can have only one rule group applied at a time.
To apply the rule group later, click Save.
Click Save to finish.
The new rule group appears in the rule group list. The Updated On: column shows when the rule group was last modified.
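An added example, not part of the WAF product or its documentation: one way to choose which rules to remove in the Select Rule step is to replay known-good traffic against a non-production site and tally the rule IDs that block it. The JSON field names, rule IDs, and log lines below are constructed for illustration and are not the WAF's log schema; sending High-risk rules to manual review instead of removal is an assumption of this example.

```python
import json
from collections import defaultdict

# Constructed sample: events captured while replaying known-good traffic
# against a staging site. Field names and rule IDs are hypothetical.
SAMPLE_LOG = """\
{"rule_id": "R-1001", "risk": "Low", "type": "SQL Injection", "path": "/wp-admin/post.php", "action": "block"}
{"rule_id": "R-1001", "risk": "Low", "type": "SQL Injection", "path": "/wp-admin/post.php", "action": "block"}
{"rule_id": "R-1001", "risk": "Low", "type": "SQL Injection", "path": "/wp-admin/edit.php", "action": "block"}
{"rule_id": "R-1001", "risk": "Low", "type": "SQL Injection", "path": "/wp-admin/edit.php", "action": "log"}
{"rule_id": "R-2002", "risk": "High", "type": "Code Execution", "path": "/wp-admin/admin-ajax.php", "action": "block"}
{"rule_id": "R-2002", "risk": "High", "type": "Code Execution", "path": "/wp-admin/admin-ajax.php", "action": "block"}
{"rule_id": "R-3003", "risk": "Medium", "type": "Cross-site Script", "path": "/wp-comments-post.php", "action": "block"}
{"rule_id": "R-4004", "risk": "Low", "type": "Oth
"""

def removal_candidates(log_text, min_hits=2):
    """Return (remove, review, hits) for rules that blocked known-good traffic."""
    hits = defaultdict(lambda: {"count": 0, "paths": set(), "risk": None, "type": None})
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines instead of aborting the run
        if event.get("action") != "block" or "rule_id" not in event:
            continue  # only blocks are false positives; log-only events are not
        entry = hits[event["rule_id"]]
        entry["count"] += 1
        entry["paths"].add(event.get("path", "?"))
        entry["risk"], entry["type"] = event.get("risk"), event.get("type")

    remove, review = [], []
    for rule_id, entry in sorted(hits.items()):
        if entry["count"] < min_hits:
            continue  # a single block is not enough evidence to drop a rule
        # Assumption: High-risk rules need a human decision before removal.
        (review if entry["risk"] == "High" else remove).append(rule_id)
    return remove, review, hits

if __name__ == "__main__":
    remove, review, hits = removal_candidates(SAMPLE_LOG)
    for label, rule_ids in (("remove", remove), ("review", review)):
        for rule_id in rule_ids:
            entry = hits[rule_id]
            print(label, rule_id, entry["risk"], entry["type"],
                  entry["count"], sorted(entry["paths"]))
```

The rule IDs it reports can be entered in the search box of the Selected Rules tab to locate each rule.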
Apply the rule group
After creating a custom rule group, apply it to a website using either of these methods:
From the Protection Rule Group page (described below)
From the Website Protection page: open the Protection Rules Engine card and select the rule group from the Protection Rule Group drop-down list. For details, see Configure the protection rules engine feature.
To apply a rule group from the Protection Rule Group page:
Log on to the WAF console. In the top navigation bar, select the resource group and the region where your WAF instance is deployed.
In the left-side navigation pane, choose Systems > Protection Rule Group.
In the rule group list, find the rule group and click Apply to Website in the Action column.
On the Apply to Website page, select the website from Websites not Added to WAF, move it to Websites Added to WAF, and click Save.
> Important: Each website must have exactly one rule group applied.
After the rule group is applied, the website name appears in the Website column of the rule group list.
Manage rule groups
On the Protection Rule Group page, you can perform the following operations on custom rule groups.
| Operation | Description |
|---|---|
| Copy | Creates a copy of the rule group. You can change the Rule Group Name, Description, and Automatic Update settings in the copy, but not the Rule Group Template or individual rule selections. To change rule selections, copy the group and edit the copy. |
| Edit | Changes the name, description, or rule selections of the rule group. Default rule groups cannot be edited. |
| Delete | Removes the rule group. Default rule groups cannot be deleted. Before deleting a custom rule group, apply a different rule group to any websites that currently use it. |
What's next
Configure the protection rules engine feature — enable and configure the Protection Rules Engine for a specific website, including selecting which rule group to use.