Creates a Web core protection rule.
Try it now
Test
RAM authorization
|
Action |
Access level |
Resource type |
Condition key |
Dependent action |
|
yundun-waf:CreateDefenseRule |
create |
*All Resource
|
|
None |
Request parameters
|
Parameter |
Type |
Required |
Description |
Example |
| InstanceId |
string |
Yes |
Instance ID of the WAF instance. Note
You can call the DescribeInstance operation to query instance ID of your current WAF instance. |
waf_v2_public_cn-**** |
| TemplateId |
integer |
No |
The ID of the protection template for the protection rule to be created. Note
This parameter is required only when DefenseType is set to template. |
1122 |
| DefenseScene |
string |
Yes |
The WAF protection scenario to be created. When the protection rule type DefenseType is set to template, valid values:
When the protection rule type DefenseType is set to resource, valid values:
When the protection rule type DefenseType is set to global, valid values:
Note
The custom response in global configuration can be referenced by protection objects or rules. When custom response rules are referenced at different levels, the effective priority is: rule level > protection object level > default page. |
waf_group |
| Rules |
string |
Yes |
The rule configuration content, which is a JSON string constructed from a series of parameters. Note
The specific parameters vary depending on the specified protection rule type (DefenseScene). For more information, see Protection rule parameter description. |
waf_group |
| ResourceManagerResourceGroupId |
string |
No |
The ID of the Alibaba Cloud resource group. |
rg-acfm***q |
| DefenseType |
string |
No |
The type of the protection rule. Valid values:
|
template |
| RegionId |
string |
No |
The region where the WAF instance resides. Valid values:
|
cn-hangzhou |
| Resource |
string |
No |
The protection object associated with the rule to be created. Note
This parameter is required only when DefenseType is set to resource. |
sec****-waf |
Protection rule parameter description
Template-based protection rules (template)
When the protection rule type DefenseType is set to template, the specific rule configuration content is as follows.
Basic protection rules (waf_group)
Parameter description
| Name | Type | Required | Example | Description |
| status | Integer | Yes | 1 | The status of the protection rule. This parameter is used only when creating a protection rule. To modify the status of a protection rule, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values: - 0: disabled. - 1 (default): enabled. |
| action | String | Yes | block | The action of the protection rule. Valid values: - block: block. - monitor: monitor. |
| policyId | Long | No | 1012 | The ID of the protection rule group. Default value: 1012 (medium rule group). |
| protectionType | String | No | sema | The type of the protection rule. Valid values: - regular (default): regular expression-based protection. - sema: semantic-based protection. |
| config | String | No | {"nonInjectionSql":1} | The custom configuration in JSON string format. For more information, see config detailed configuration. |
config detailed configuration
When protectionType is set to sema (basic protection rule configured as semantic-based protection)
| Name | Type | Required | Example | Description |
| nonInjectionSql | Integer | Yes | 1 | The status of non-injection attack detection. Valid values: - 0: disabled. - 1 (default): enabled. |
Example
{
"DefenseScene": "waf_group",
"TemplateId": 322,
"InstaneId": "waf_cn****",
"Rules": "[{\"status\":1,\"policyId\":1012,\"action\":\"block\"},{\"status\":1,\"action\":\"block\",\"protectionType\":\"sema\",\"config\":\"{\\\"nonInjectionSql\\\":1}\"}]"
}
New version Web core protection rules (waf_base)
Parameter description
| Name | Type | Required | Example | Description |
| autoUpdate | Boolean | Yes | true | Specifies whether to enable automatic updates. Valid values: - true: enabled. - false: disabled. |
| config | Array | Yes | [{"ruleType":"system","ruleDetail":[{"ruleId":13000412,"ruleStatus":1,"ruleAction":"block"}]}] | The rule configuration to be modified. For more information, see config detailed configuration. Important You can call the DescribeBaseSystemRules operation to query the system protection rule configuration of this template, and call the DescribeDefenseRules operation to query the custom regular expression rule configuration of this template. |
config detailed configuration
| Name | Type | Required | Example | Description |
| ruleType | String | Yes | system | The rule type. Valid values: - system: system rules in basic protection. - custom: custom regular expression rules in basic protection. |
| ruleBatchOperationConfig | String | No | default | The batch rule modification operation. When this field is not empty, the RuleDetail field must be empty. Valid values: - default: restore defaults. - all_on: enable all rules. - all_off: disable all rules. - all_block: set all rule actions to block. - all_monitor: set all rule actions to monitor. |
| ruleDetail | Array | No | [{"ruleId":13000412,"ruleStatus":1,"ruleAction":"block"}]] | The rule configuration to be modified. Fields: - ruleId: the rule ID. - ruleStatus: the rule status. - ruleAction: the rule action. |
Example
{
"DefenseScene": "waf_base",
"TemplateId": 322,
"InstaneId": "waf_cn****",
"Rules": "[{\"autoUpdate\":true,\"config\":[{\"ruleType\":\"system\",\"ruleDetail\":[{\"ruleId\":13000412,\"ruleStatus\":1,\"ruleAction\":\"block\"}]}]}]"
}
Scan protection rules (antiscan)
Parameter description
| Name | Type | Required | Example | Description |
| protectionType | String | Yes | highfreq | The subtype of the scan protection rule. Valid values: - highfreq: high-frequency scan blocking. - dirscan: directory traversal blocking. - scantools: scan tool blocking. |
| status | Integer | Yes | 1 | The status of the protection rule. This parameter is used only when creating a protection rule. To modify the status of a protection rule, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values: - 0: disabled. - 1 (default): enabled. |
| action | String | Yes | block | The action of the protection rule. Valid values: - block: block. - monitor: monitor. |
| actionExternal | JSON | No | {"responseRuleId":123444} | The extended configuration of the protection rule action. Only the new version of custom response supports this configuration. When action is set to block, you can specify a custom block page. |
| config | String | No | {"target":"remote_addr","interval":60,"ttl":180,"count":20} | The custom configuration in JSON string format. For more information, see config detailed configuration. |
config detailed configuration
When protectionType is set to highfreq (scan protection rule configured as high-frequency scan blocking)
| Name | Type | Required | Example | Description |
| target | String | Yes | remote_addr | The object type for statistics. Valid values: - remote_addr (default): IP address. - cookie.acw_tc: session. - header: custom header. When you select custom header, you must specify the header content to be counted in the subkey parameter. - queryarg: custom parameter. When you select custom parameter, you must specify the custom parameter name to be counted in the subkey parameter. - cookie: custom cookie. When you select custom cookie, you must specify the cookie content to be counted in the subkey parameter. |
| subKey | String | No | abc | The sub-character of the statistical object. When the target parameter is set to cookie, header, or queryarg, you must specify the corresponding information in the subkey parameter. |
| interval | Integer | No | 60 | The detection period, in seconds. Default value: 60. Valid values: 5 to 1800. |
| ttl | Integer | No | 1800 | The blocking duration, in seconds. Default value: 1800. Valid values: 60 to 86400. |
| count | Integer | No | 20 | The maximum number of times a basic protection rule is triggered. Default value: 20. Valid values: 3 to 50000. |
| ruleIdCount | Integer | No | 2 | The maximum number of triggered rules. Default value: 2. Valid values: 1 to 50. |
When protectionType is set to dirscan (scan protection rule configured as directory traversal blocking)
| Name | Type | Required | Example | Description |
| target | String | Yes | remote_addr | The statistical and blocking object. Valid values: - remote_addr (default): IP address. - cookie.acw_tc: session. - header: custom header. - queryarg: custom parameter. - cookie: custom cookie. |
| subKey | String | No | 1 | The sub-character of the statistical and blocking object. Configure this parameter only when target is set to header, queryarg, or cookie. |
| interval | Integer | No | 60 | The detection period, in seconds. Default value: 60. Valid values: 5 to 1800. |
| ttl | Integer | No | 1800 | The blocking duration, in seconds. Default value: 1800. Valid values: 60 to 86400. |
| count | Integer | No | 20 | The maximum number of times a basic protection rule is triggered. Default value: 20. Valid values: 3 to 50000. |
| weight | Float | No | 2 | The percentage of 404 response codes. Default value: 0.7. Valid values: 0.01 to 1.0, accurate to two decimal places. |
| uriNum | Integer | No | 2 | The maximum number of nonexistent directories. Default value: 50. Valid values: 2 to 50000. |
Example
{
"InstanceId": "waf_v2_public_****",
"TemplateId": 2222,
"DefenseScene": "antiscan",
"Rules": "[{\"protectionType\":\"scantools\",\"action\":\"block\",\"status\":1},{\"protectionType\":\"dirscan\",\"status\":1,\"action\":\"block\",\"config\":\"{\\\"target\\\":\\\"remote_addr\\\",\\\"interval\\\":10,\\\"ttl\\\":1800,\\\"weight\\\":0.7,\\\"uriNum\\\":50,\\\"count\\\":50}\"},{\"protectionType\":\"highfreq\",\"status\":1,\"action\":\"block\",\"config\":\"{\\\"target\\\":\\\"remote_addr\\\",\\\"interval\\\":60,\\\"ttl\\\":1800,\\\"count\\\":20,\\\"ruleIdCount\\\":2}\"}]"
}
IP blacklist rules (ip_blacklist)
Parameter description
| Name | Type | Required | Example | Description |
| name | String | Yes | iptest | The name of the IP blacklist rule. The name must be 1 to 255 characters in length and can contain Chinese characters, letters, digits, underscores (_), periods (.), or hyphens (-). |
| status | Integer | Yes | 1 | The status of the protection rule. This parameter is used only when creating a protection rule. To modify the status of a protection rule, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values: - 0: disabled. - 1 (default): enabled. |
| action | String | Yes | block | The action of the protection rule. Valid values: - block: block. - monitor: monitor. |
| actionExternal | JSON | No | {"responseRuleId":123444} | The extended configuration of the protection rule action. Only the new version of custom response supports this configuration. When action is set to block, you can specify a custom block page. |
| remoteAddr | Array | Yes | ["1.1.XX.XX", "3.1.XX.XX/24"] | The list of IP addresses to be added to the IP blacklist. Use the format ["ip1","ip2",...]. |
Example
{
"InstanceId": "waf_v2_public_****",
"TemplateId": 2222,
"DefenseScene": "ip_blacklist",
"Rules": "[{\"name\":\"iptest1\",\"remoteAddr\":[\"1.1.1.2\",\"3.3.3.3/24\"],\"action\":\"monitor\",\"status\":1},{\"name\":\"iptest2\",\"remoteAddr\":[\"4.4.4.4\",\"5.5.5.5/32\"],\"action\":\"block\",\"status\":1}]"
}
Custom rules (custom_acl)
Parameter description
| Name | Type | Required | Example | Description |
| name | String | Yes | iptest | The name of the custom ACL rule. The name must be 1 to 255 characters in length and can contain Chinese characters, letters, digits, underscores (_), periods (.), or hyphens (-). |
| status | Integer | Yes | 1 | The status of the protection rule. This parameter is used only when creating a protection rule. To modify the status of a protection rule, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values: - 0: disabled. - 1 (default): enabled. |
| action | String | Yes | block | The action of the protection rule. Valid values: - block: block. - monitor: monitor. - js: JavaScript challenge. - captcha: slider CAPTCHA. - captcha_strict: strict slider CAPTCHA. Note The supported protection rule actions for custom ACL rules are subject to the custom rule actions displayed in the WAF console. |
| actionExternal | JSON | No | {"responseRuleId":123444} | The extended configuration of the protection rule action. Only the new version of custom response supports this configuration. When action is set to block, you can specify a custom block page. When action is set to captcha or captcha_strict, you can specify a custom slider CAPTCHA page. |
| conditions | Array | Yes | [{"key":"IP","opValue":"eq","values":"11.XX.XX.1"},{"key":"Header","subKey":"abc","opValue":"contains","values":"test"}] | The traffic characteristics of the ACL rule, described in JSON string format. A maximum of five match conditions are supported. For more information, see the conditions configuration description in Protection rule parameter settings. |
| ccStatus | Integer | Yes | 1 | Specifies whether to enable rate limiting. Valid values: - 0: disabled. - 1: enabled. |
| ratelimit | JSON | No | {"target":"remote_addr","interval":5,"threshold":2,"ttl":1800,"status":{"code":404,"count":2}} | The detailed rate limiting configuration, described in JSON string format. Configure this parameter only when ccStatus is set to 1. For more information, see the ratelimit detailed configuration in Protection rule parameter settings. |
| effect | String | No | rule | The scope of rate limiting. Configure this parameter only when ccStatus is set to 1. Valid values: - service: the protection object. - rule: the individual rule. |
| grayStatus | Integer | No | 1 | Specifies whether to enable canary release for the rule. Valid values: - 0 (default): disabled. - 1: enabled. |
| grayConfig | JSON | No | {"grayTarget":"header","grayRate":80,"graySubKey":"test"} | The canary release environment configuration for the rule, described in JSON string format. Configure this parameter only when grayStatus is set to 1. For more information, see the grayConfig detailed configuration in Protection rule parameter settings. |
| timeConfig | JSON | No | {"timeScope":"period","timeZone":8,"timePeriods":[{"start":1758771729787,"end":1758816000000}]} | The scheduled configuration for the rule, described in JSON string format. For more information, see the timeConfig detailed configuration in Protection rule parameter settings. |
Example
{
"InstanceId": "waf_v2_public_****",
"TemplateId": 6242,
"DefenseScene": "custom_acl",
"Rules":"[{\"name\":\"acl_test\",\"action\":\"block\",\"conditions\":[{\"key\":\"URL\",\"opValue\":\"contain\",\"values\":\"abc\"}],\"ratelimit\":{\"target\":\"remote_addr\",\"interval\":5,\"threshold\":2,\"ttl\":1800,\"status\":{\"code\":404,\"count\":2}},\"ccStatus\":1,\"effect\":\"rule\",\"status\":1,\"origin\":\"custom\",\"timeConfig\":{\"timeScope\":\"cycle\",\"timeZone\":8,\"weekTimePeriods\":[{\"day\":\"1\",\"dayPeriods\":[{\"start\":0,\"end\":51644084}]},{\"day\":\"1,2,5\",\"dayPeriods\":[{\"start\":0,\"end\":42928908}]}]},\"grayStatus\":1,\"grayConfig\":{\"grayRate\":80,\"graySubKey\":\"test\",\"grayTarget\":\"header\"}}]"
}
Whitelist rules (whitelist)
Parameter description
| Name | Type | Required | Example | Description |
| name | String | Yes | whitelistTest | The name of the whitelist rule. The name must be 1 to 255 characters in length and can contain Chinese characters, letters, digits, underscores (_), periods (.), or hyphens (-). |
| status | Integer | Yes | 1 | The status of the protection rule. This parameter is used only when creating a protection rule. To modify the status of a protection rule, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values: - 0: disabled. - 1 (default): enabled. |
| conditions | Array | Yes | [{"key":"IP","opValue":"eq","values":"11.XX.XX.1"},{"key":"Header","subKey":"abc","opValue":"contains","values":"test"}] | The traffic characteristics of the whitelist, described in JSON string format. A maximum of five match conditions are supported. For more information, see the conditions configuration description in Protection rule parameter settings. |
| tags | Array | Yes | ["waf", "regular"] | The list of modules to which the whitelist applies, in the format ["XX1", "XX2",...]. Valid values: - waf: all modules. - customrule_rule: specific custom rules. - customrule: custom rules. - blacklist: IP blacklist. - blacklist_rule: specific IP blacklist rules. - antiscan: scan protection. - regular: basic protection rules. - regular_rule: specific basic protection regular expression rules. - regular_type: specific basic protection regular expression rule types. - regular_field: specific basic protection fields. - major_protection: major event protection. - cc: HTTP flood protection. - region_block: Location Blacklist. - antibot_scene: bot scenario protection. - antibot_scene_rule: specific bot scenario protection rule IDs. - antibot_scene_label: specific bot scenario protection rule types. - dlp: information leak prevention. - tamperproof: web tamper proofing. - spike_throttle: peak traffic throttling protection. |
| regularRules | Array | No | [ "111111", "222222" ] | The list of regular expression rule IDs to skip, in the format ["XX1", "XX2",...]. Configure this parameter only when the whitelist module is set to specific basic protection regular expression rules (the tags parameter is set to regular_rule). |
| regularTypes | Array | No | [ "xss", "css" ] | The list of regular expression rule types to skip, in the format ["XX1", "XX2",...]. Configure this parameter only when the whitelist module is set to Web application regular expression types (the tags parameter is set to regular_type). Valid values: - sqli: SQL injection. - xss: cross-site scripting. - code_exec: code execution. - crlf: CRLF. - lfilei: local file inclusion. - rfilei: remote file inclusion. - webshell: WebShell. - csrf: CSRF. - other: other. |
| regularFields | Array | No | [{"key":"URL"},{"key":"Header","subKey":"abc"}] | The list of basic protection fields to skip, described in JSON string format. A maximum of five match conditions are supported. For more information, see regularFields detailed configuration. Configure this parameter only when the whitelist module is set to specific basic protection fields (the tags parameter is set to regular_field). |
| customRules | Array | No | [ "111111", "222222" ] | The list of custom rule IDs to skip, in the format ["XX1", "XX2",...]. Configure this parameter only when the whitelist module is set to specific custom rules (the tags parameter is set to customrule_rule). |
| blacklistRules | Array | No | [ "111111", "222222" ] | The list of IP blacklist rule IDs to skip, in the format ["XX1", "XX2",...]. Configure this parameter only when the whitelist module is set to specific IP blacklist rules (the tags parameter is set to blacklist_rule). |
| botRules | Array | No | [ "111111", "222222" ] | The list of bot scenario protection rule IDs to skip, in the format ["XX1", "XX2",...]. Configure this parameter only when the whitelist module is set to specific bot scenario protection rule IDs (the tags parameter is set to antibot_scene_rule). |
| botLables | Array | No | [ "abc", "cdcc" ] | The list of bot scenario protection rule types to skip, in the format ["XX1", "XX2",...]. Configure this parameter only when the whitelist module is set to specific bot scenario protection rule types (the tags parameter is set to antibot_scene_label). You can invoke the DescribeBotRuleLabels operation to query the bot rule type information. |
regularFields detailed configuration
| Name | Type | Required | Example | Description |
| key | String | Yes | URL | The field to skip. Valid values: - URL-All: all URI-related fields. - URL: specified URI field. - URLPath: URI path. - Query-All: all query-related fields. - Query-Arg: specified query parameter. - Cookie-All: all cookie-related fields. - Cookie-Exact: specified cookie name. - Header-All: all header-related fields. - Header: specified header field. - Body-All: all body parameters. |
| subKey | String | No | abc | The specified field. Configure this parameter when the field to skip (key) is set to URLPath, Query-Arg, Cookie-Exact, or Header. |
Example
{
"InstanceId": "waf_v2_public_****",
"TemplateId": 9242,
"DefenseScene": "whitelist",
"Rules":"[{\"name\":\"whitelistTest\",\"tags\":[\"regular_rule\",\"customrule\"],\"status\":1,\"origin\":\"custom\",\"conditions\":[{\"key\":\"URL\",\"opValue\":\"contain\",\"values\":\"/test\"},{\"key\":\"Header\",\"opValue\":\"eq\",\"values\":\"ffff\",\"subKey\":\"abc\"}],\"regularRules\":[\"123444\",\"444444\"]}]"
}
Custom response rules (custom_response)
Parameter description
| Name | Type | Required | Example | Description |
| responseType | String | Yes | response_block | The type of the custom response. Set the value to response_block, which indicates a block response. |
| status | Integer | Yes | 1 | The status of the protection rule. This parameter is used only when creating a protection rule. To modify the status of a protection rule, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values: - 0: disabled. - 1 (default): enabled. |
| config | String | Yes | {"responseCode":400,"responseHeaders":[{"key":"custom","value":"123"},{"key":"aaa","value":"2223"}],"responseContent":"HelloWorld"} | The custom configuration in JSON string format. For more information, see config detailed configuration. |
config detailed configuration
| Name | Type | Required | Example | Description |
| responseCode | Integer | Yes | 400 | The specified response code. |
| responseHeaders | Array | No | [{"key":"custom","value":"123"},{"key":"aaaa","value":"2223"}] | The list of custom response headers, described in JSON string format. key is the header field, and value is the header value. |
| responseContent | String | Yes | helloworld | The content of the custom response. |
Example
{
"InstanceId": "waf_v2_public_****",
"TemplateId": 2841,
"DefenseScene": "custom_response",
"Rules":"[{\"responseType\":\"response_block\",\"config\":\"{\\\"templateName\\\":\\\"aaa\\\",\\\"responseCode\\\":\\\"400\\\",\\\"responseContent\\\":\\\"helloWorld\\\",\\\"responseHeaders\\\":[{\\\"key\\\":\\\"test1\\\",\\\"value\\\":\\\"abc\\\"}]}\",\"status\":1}]"
}
Location Blacklist rules (region_block)
Parameter description
| Name | Type | Required | Example | Description |
| cnRegionList | String | No | 610000,230000 | The list of regions within China. Set the value to ["CN"] to block the Chinese mainland (excluding Hong Kong (China), Macao (China), and Taiwan (China)). Separate multiple regions with commas (,). For the meanings of region codes, see Region codes within China. |
| abroadRegionList | String | No | KE,KG | The list of regions outside China. Separate multiple regions with commas (,). You can call the DescribeIpAbroadCountryInfos operation to query the supported overseas countries and regions for blocking. |
| status | Integer | Yes | 1 | The status of the protection rule. This parameter is used only when creating a protection rule. To modify the status of a protection rule, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values: - 0: disabled. - 1 (default): enabled. |
| action | String | Yes | block | The action of the protection rule. Valid values: - block: block. - monitor: monitor. |
| actionExternal | JSON | No | {"responseRuleId":123444} | The extended configuration of the protection rule action. Only the new version of custom response supports this configuration. When action is set to block, you can specify a custom block page. When action is set to captcha or captcha_strict, you can specify a custom slider CAPTCHA page. |
Region codes within China
{
"110000": "Beijing",
"120000": "Tianjin",
"130000": "Hebei",
"140000": "Shanxi",
"150000": "Inner Mongolia",
"210000": "Liaoning",
"220000": "Jilin",
"230000": "Heilongjiang",
"310000": "Shanghai",
"320000": "Jiangsu",
"330000":
Response elements
|
Element |
Type |
Description |
Example |
|
object |
The response struct. |
||
| RequestId |
string |
The ID of the request. |
26E46541-7AAB-5565-801D-F14DBDC5**** |
| RuleIds |
string |
The IDs of the created protection rules. Multiple IDs are separated by commas (,). |
22215,23354,462165 |
Examples
Success response
JSON format
{
"RequestId": "26E46541-7AAB-5565-801D-F14DBDC5****",
"RuleIds": "22215,23354,462165"
}
Error codes
|
HTTP status code |
Error code |
Error message |
Description |
|---|---|---|---|
| 400 | Defense.Control.DefenseWhitelistBypassRuleNotExist | The whitelist protection rule does not exist. | The whitelist protection rule does not exist. Rule ID:%s. |
| 400 | Defense.Control.DefenseWhitelistConfigInvalid | The whitelist rule is misconfigured. | Error configuring whitelist rule: %s. |
| 400 | Defense.Control.DefenseBookTypeInvalid | The address book type is illegal. | The address book type is illegal. |
| 400 | Defense.Control.DefenseThreatIntelligenceConfigInvalid | Threat Intelligence Rule configuration error. | Threat Intelligence Rule configuration error. %s |
| 400 | Defense.Control.DefenseIpCountOversize | The number of IPs exceeds the limit. | The number of IPs exceeds the limit. |
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.