
Web Application Firewall:Basic protection rules and rule groups

Last Updated:Feb 19, 2024

After you add web services to Web Application Firewall (WAF), you can configure basic protection rules and rule groups to protect the web services from common web application attacks, such as SQL injection attacks, cross-site scripting (XSS) attacks, code execution, webshell uploads, and command injection attacks. This topic describes how to configure basic protection rules and rule groups.

Background information

Decoding

Basic protection rules can decode data that is encoded by using any of 23 different encoding methods before the data is matched against rules.

  • Basic protection rules can be used to parse data in various formats, such as JSON, XML, and Multipart, to improve detection accuracy.

  • Basic protection rules can be used to identify data that is encoded to bypass WAF, such as Unicode encoding and HTML entity encoding. This helps improve the recall rate of detection.
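As an added illustration, not code from the WAF product, the following Python script shows why the decoding step matters for recall: a signature that matches a plaintext SQL injection probe misses the same probe once it is URL-encoded, double-URL-encoded, HTML-entity-encoded, or written with %uXXXX Unicode escapes, and only matches after the encoding layers are peeled off. The signature, the three decoders, the round limit, and the sample payloads are assumptions made for the demonstration; the 23 decoders WAF actually applies are not enumerated on this page.

```python
import html
import re
import urllib.parse

# Illustrative signature for a classic boolean-based SQL injection probe such as
# "' or 1=1" or the page's "'and 1=1". An assumption for the demo, not a WAF rule.
SQLI_SIGNATURE = re.compile(r"""['"]\s*(?:or|and)\s+\d+\s*=\s*\d+""", re.IGNORECASE)

def decode_unicode_escapes(s: str) -> str:
    """Turn %uXXXX (legacy IIS style) and \\uXXXX escapes into the characters they encode."""
    return re.sub(r"(?:%u|\\u)([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)

# Three of the many decoders a WAF applies. Order only affects the bookkeeping,
# because normalize() keeps iterating until no decoder changes the value.
DECODERS = [
    ("url", urllib.parse.unquote),
    ("html-entity", html.unescape),
    ("unicode", decode_unicode_escapes),
]

def normalize(value: str, max_rounds: int = 5):
    """Apply every decoder repeatedly until the value stops changing. The round
    limit keeps deeply nested encodings from forcing unbounded work.
    Returns (decoded_value, names of the decoders that changed the value, in order)."""
    applied = []
    for _ in range(max_rounds):
        before = value
        for name, fn in DECODERS:
            decoded = fn(value)
            if decoded != value:
                applied.append(name)
                value = decoded
        if value == before:
            break
    return value, applied

def scan(value: str) -> dict:
    """Match the signature against the raw value and against the normalized value."""
    decoded, layers = normalize(value)
    return {
        "raw_hit": bool(SQLI_SIGNATURE.search(value)),
        "decoded_hit": bool(SQLI_SIGNATURE.search(decoded)),
        "decoded": decoded,
        "layers": layers,
    }

if __name__ == "__main__":
    # Constructed payloads: the same probe under different encodings, plus a benign value.
    for payload in ["' or 1=1", "%27%20or%201%3D1", "%2527%2520or%25201%253D1",
                    "&#39; or 1=1", "%u0027 or 1=1", "%26%2339%3B%20or%201%3D1", "O%27Brien"]:
        r = scan(payload)
        print(f"{payload!r:32} raw={r['raw_hit']!s:5} decoded={r['decoded_hit']!s:5} via {r['layers']}")
```

Only the first payload is caught without decoding; the others need one or more layers removed, and the benign O'Brien value is not flagged either way. This is also why a WAF must decode to a fixed point rather than once: the double-URL-encoded payload needs two passes of the same decoder.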

Detection modules

  • Rules Engine (enabled by default)

    This detection module identifies known attack modes based on predefined rules and defends against common web application attacks.

    • WAF provides three default rule groups.

      • Medium Rule Group: By default, this rule group is selected.

      • Loose Rule Group: If you want to reduce false positives, we recommend that you select this rule group.

      • Strict Rule Group: If you want WAF to strictly block attacks, we recommend that you select this rule group.

    • You can also configure custom rule groups based on your business requirements.

  • Semantic Engine (enabled by default)

    This detection module can protect your web services in a more intelligent manner. The module analyzes the content of requests for a better understanding of semantics and syntax. This helps identify unknown attacks and defend against SQL injection attacks.

  • Intelligent O&M (disabled by default)

    WAF performs intelligent learning based on historical service traffic and identifies basic protection rules that may cause false positives. Then, WAF automatically adds the URLs that are incorrectly blocked to a whitelist. This helps prevent normal requests from being blocked.
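The following Python script is an added example, written for this page rather than taken from WAF, of the kind of analysis that Monitor mode and the intelligent whitelist rely on: given a batch of Monitor-mode hit records, it finds (URL, rule) pairs where one rule fires on nearly every request to that URL from many distinct clients, which is the profile of a rule matching the application's normal inputs rather than an attacker. The log format, field names, and rule IDs are constructed for the example and are not the real WAF log schema.

```python
import json
from collections import defaultdict

# Constructed Monitor-mode records. Field names and rule IDs are illustrative,
# not the WAF log schema. rule_id is null when no basic protection rule matched.
SAMPLE_LOGS = """
{"time":"2024-02-19T10:00:01Z","client_ip":"203.0.113.10","url":"/api/search","rule_id":"100001"}
{"time":"2024-02-19T10:00:05Z","client_ip":"203.0.113.11","url":"/api/search","rule_id":"100001"}
{"time":"2024-02-19T10:00:09Z","client_ip":"203.0.113.12","url":"/api/search","rule_id":"100001"}
{"time":"2024-02-19T10:00:14Z","client_ip":"203.0.113.13","url":"/api/search","rule_id":"100001"}
{"time":"2024-02-19T10:00:20Z","client_ip":"203.0.113.14","url":"/api/search","rule_id":"100001"}
{"time":"2024-02-19T10:01:02Z","client_ip":"203.0.113.10","url":"/login","rule_id":null}
{"time":"2024-02-19T10:01:07Z","client_ip":"203.0.113.11","url":"/login","rule_id":null}
{"time":"2024-02-19T10:01:15Z","client_ip":"203.0.113.12","url":"/login","rule_id":null}
{"time":"2024-02-19T10:01:33Z","client_ip":"198.51.100.7","url":"/login","rule_id":"100002"}
{"time":"2024-02-19T10:02:01Z","client_ip":"198.51.100.9","url":"/report","rule_id":"100003"}
{"time":"2024-02-19T10:02:02Z","client_ip":"198.51.100.9","url":"/report","rule_id":"100003"}
{"time":"2024-02-19T10:02:03Z","client_ip":"198.51.100.9","url":"/report","rule_id":"100003"}
""".strip().splitlines()

def summarize(lines):
    """Count requests per URL and, per (url, rule_id), the hits and distinct client IPs."""
    totals = defaultdict(int)
    hits = defaultdict(lambda: {"count": 0, "clients": set()})
    for line in lines:
        event = json.loads(line)
        totals[event["url"]] += 1
        if event.get("rule_id"):
            h = hits[(event["url"], event["rule_id"])]
            h["count"] += 1
            h["clients"].add(event["client_ip"])
    return totals, hits

def candidate_false_positives(lines, min_clients=3, min_share=0.9):
    """A rule that fires on at least min_share of all requests to a URL, coming from
    at least min_clients distinct clients, is flagged for human review. The share
    threshold separates "matches normal traffic" from "matches one probe"; the client
    threshold keeps a single client hammering one URL from looking like a false positive."""
    totals, hits = summarize(lines)
    out = []
    for (url, rule_id), h in hits.items():
        share = h["count"] / totals[url]
        if len(h["clients"]) >= min_clients and share >= min_share:
            out.append({"url": url, "rule_id": rule_id, "hits": h["count"],
                        "total": totals[url], "clients": len(h["clients"]),
                        "share": round(share, 2)})
    return sorted(out, key=lambda c: (-c["hits"], c["url"]))

if __name__ == "__main__":
    for c in candidate_false_positives(SAMPLE_LOGS):
        print(f"rule {c['rule_id']} on {c['url']}: {c['hits']}/{c['total']} requests from "
              f"{c['clients']} clients -> review the hits, then consider a URL-scoped whitelist rule")
```

On the sample data only rule 100001 on /api/search is flagged: it matched every request from five clients. Rule 100002 on /login matched one request out of four (a genuine probe), and rule 100003 on /report matched everything but from a single client, which is as consistent with one attacker as with a false positive, so it is surfaced only when min_clients is lowered. Treat the output as a review queue, not an automatic allow list: a rule matching all requests from many clients can also be a distributed attack.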

Supported basic protection rule templates

WAF supports two kinds of basic protection rule templates: the default template and custom templates. The following list compares them.

  • Creation method
    • Default template: predefined in the system.
    • Custom template: created by you.

  • Rules Engine
    • Default template: uses Medium Rule Group with the Block action.
    • Custom template: you must specify a default rule group or a custom rule group, and the action to perform on detected requests.

  • Semantic Engine
    • Default template: uses the Monitor action, with Non-injection Attack Detection turned on.
    • Custom template: you can specify the action and enable or disable non-injection attack detection based on your business requirements.

  • Intelligent O&M
    • Default template: Intelligent O&M is disabled.
    • Custom template: turn Intelligent Whitelist on or off based on your business requirements.

  • Objects for which the template takes effect
    • Default template: protected objects and protected object groups that are added to WAF but are not associated with a custom rule template.
    • Custom template: the protected objects and protected object groups that you select.

Prerequisites

Create a custom rule group

A custom rule group can be created from scratch or from one of the default rule groups.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Protection Rules.

  3. In the Basic Protection Rule section, click Rule Groups.

  4. On the Rule Groups page, click Create Rule Group.

  5. In the Configure Basic Information of Rule Group step, configure the parameters and click Next. The following table describes the parameters.

    Important

    After a custom rule group is created, you cannot modify the basic information about the rule group.

    The following parameters are available:

    • Rule Group Name: the name of the rule group. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    • Select Protection Template: the protection rule template with which you want to associate this rule group. Valid values:

      • Create from Scratch: manually adds rules without using a template.

        Important

        If you select this option, Automatic Update is turned off and cannot be turned on.

      • Use Default Rule Group: uses a built-in protection rule group. You can select Loose Rule Group, Medium Rule Group, or Strict Rule Group.

    • Automatic Update: if you enable this feature, rules that are added to or removed from the selected default rule group are automatically synchronized to the custom rule group.

      Important
      • After the custom rule group is created, you cannot enable or disable this feature.

      • You can enable or disable this feature only when you set the Select Protection Template parameter to Use Default Rule Group.

  6. In the Configure Protection Rules step, click Add Rule. In the Add Rule panel, you can select the rule that you want to add to the rule group or enter the rule ID or CVE ID to search for the rule. You can also configure the Risk Level, Protection Rule Type, and Application Type parameters to search for the rules that you want to add to the rule group. Then, click Add. You can also click Add All to add all rules to the rule group.

    Note
    • If you set the Select Protection Template parameter to Use Default Rule Group in Step 5 and the rules that you want to add are already in that default rule group, you can skip this step.

    • Rules in the rule list are sorted in descending order based on update time.

    If you want to remove a protection rule, you can enter the rule ID or CVE ID of the rule or configure the Risk Level, Protection Rule Type, and Application Type parameters to search for the rule. Then, click Remove. You can also click Clear All to remove all rules.

  7. Click Next. In the Complete step, click Complete.

    After you create a rule group, you can perform the following operations in the rule group list:

    • Click the numbers in the Number of Built-in Rules column to view the built-in rules of each rule group.

    • Click Edit, Copy, or Delete in the Actions column to modify, copy, or delete a rule group.

      Note
      • You cannot modify the basic information about a rule group.

      • By default, the name of a copied rule group is in the "original rule group name-copy" format. No protected objects are associated with a copied rule group.

      • A rule group that is associated with a protection rule template cannot be deleted. If you want to delete the rule group, you must dissociate the rule group from the protection rule template.

Create a custom basic protection rule template

  1. In the left-side navigation pane, choose Protection Configuration > Protection Rules.

  2. In the lower part of the Protection Rules page, click Create Template in the Basic Protection Rule section.

    Note

    If no custom basic protection rule templates exist, click Configure Now in the Basic Protection Rule card in the upper part of the Protection Rules page.

  3. In the Create Template - Basic Protection Rule panel, configure the parameters and click OK. The following table describes the parameters.

    Note

    By default, new basic protection rule templates are enabled.

    The following parameters are available:

    Template Information

    • Template Name:

      Specify a name for the template.

      The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    • Save as Default Template:

      Specify whether to set this template as the default template of the protection module.

      You can specify only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure the Apply To parameter. The default template is applied to all protected objects and protected object groups to which custom protection rule templates are not applied.

    Rule Configuration

    • Action:

      Specify the action that you want WAF to perform on requests that match the rule. Valid values:

      • Block: blocks the requests that match the rule and returns a block page to the client.

        Note

        By default, WAF uses a unified block page. You can use the custom response feature to configure a custom block page. For more information, see Configure custom response rules to configure custom block pages.

      • Monitor: records the requests that match the rule in logs without blocking the requests. You can query logs about requests that match the rule and analyze the protection performance. For example, you can check whether normal requests are blocked based on logs.

        Important

        You can query logs only when Simple Log Service is enabled for WAF. For more information, see Enable or disable Simple Log Service for WAF.

        If you select Monitor, you can perform a dry run on the rule to check whether the rule blocks normal requests. If the rule passes the dry run, you can set the Action parameter to Block based on your business requirements.

      Note

      On the Security Reports page, you can query the details of matched rules in Monitor mode or Block mode. For more information, see Security reports.

    • Rule Group Type:

      Select the type of the rule group with which you want to associate the template. Valid values:

      • Default: If you select this option, the rule template is associated with a default rule group. You can select Loose Rule Group, Medium Rule Group, or Strict Rule Group from the drop-down list.

      • Custom: If you select this option, you must select a rule group from the drop-down list. The rule template is associated with the selected rule group. For information about how to create a rule group, see Create a custom rule group.

    Semantic Engine

    By default, Semantic Engine is enabled to defend against SQL injection attacks.

    The Non-Injection Attack Detection switch is provided. You can turn on or turn off the switch to enable or disable the detection of non-injection attacks. For more information, see the description of the Non-injection Attack Detection parameter.

    Note

    The following list describes the difference between SQL injection attacks and non-injection attacks:

    • SQL injection attacks: requests that contain malicious SQL code, such as /query.php?name='and 1=1%23.

    • Non-injection attacks: requests that contain complete SQL statements, such as /query.php?sql=select name from users where 1=1%23.

    You can configure the following parameters in the Semantic Engine section:

    • Action:

      Specify the action that you want WAF to perform on requests that match the rule. Valid values:

      • Block: blocks the requests that match the rule and returns a block page to the client.

        Note

        By default, WAF uses a unified block page. You can use the custom response feature to configure a custom block page. For more information, see Configure custom response rules to configure custom block pages.

      • Monitor: records the requests that match the rule in logs without blocking the requests. You can query logs about requests that match the rule and analyze the protection performance. For example, you can check whether normal requests are blocked based on logs.

        Important

        You can query logs only when Simple Log Service is enabled for WAF. For more information, see Enable or disable Simple Log Service for WAF.

        If you select Monitor, you can perform a dry run on the rule to check whether the rule blocks normal requests. If the rule passes the dry run, you can set the Action parameter to Block based on your business requirements.

      Note

      On the Security Reports page, you can query the details of matched rules in Monitor mode or Block mode. For more information, see Security reports.

    • Non-injection Attack Detection (enabled by default)

      If WAF detects non-injection attacks, WAF performs actions on the attacks based on the configured rule.

      Note

      If your business requires data analysis, such as using phpmyadmin or Adminer for data analysis, we recommend that you disable non-injection attack detection.
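As an added example (not WAF's Semantic Engine, whose internals the page does not describe), the following Python code makes the distinction between injection and non-injection attacks operational: a parameter value that reads as a complete SQL statement is classified as a non-injection attack, a value that only makes sense when spliced into someone else's query (a quote followed by a boolean clause, a tautology after a number, a comment terminator, a stacked statement) as an injection, and everything else as benign. scan_url then maps the classification to the action a template would take, with the Non-injection Attack Detection switch as a parameter, which is what the phpMyAdmin and Adminer note above is about. The regexes are deliberately small and are assumptions made for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A complete statement: a verb plus the clause that normally follows it. Requiring the
# clause keeps natural-language values such as "delete my account" out of this class.
STATEMENT = re.compile(
    r"^\s*(?:select\b.+\bfrom\b|insert\s+into\b|update\b.+\bset\b|delete\s+from\b"
    r"|drop\s+(?:table|database)\b|union\s+(?:all\s+)?select\b)",
    re.IGNORECASE | re.DOTALL,
)

# Fragments that only make sense when injected into an existing query.
INJECTION_HINTS = [
    re.compile(r"""['"`]\s*(?:or|and)\b""", re.IGNORECASE),         # 'and 1=1   breaks out of a quoted literal
    re.compile(r"""\b(?:or|and)\s+\d+\s*=\s*\d+""", re.IGNORECASE),  # 1 or 1=1   tautology after a numeric literal
    re.compile(r"""['"\d]\s*(?:--|#|/\*)"""),                        # admin'--   comment discards the rest of the query
    re.compile(r"""['"`]\s*;\s*\w+"""),                              # ';drop ... stacked statement
]

def classify(value: str) -> str:
    """Return "non-injection", "injection", or "benign" for one decoded parameter value."""
    if STATEMENT.match(value):
        return "non-injection"
    if any(p.search(value) for p in INJECTION_HINTS):
        return "injection"
    return "benign"

def scan_url(url: str, non_injection_detection: bool = True) -> dict:
    """Classify every query parameter of a request URL and map it to the action
    a template would take. Injections are always blocked; complete statements are
    blocked only while Non-injection Attack Detection is on."""
    results = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        kind = classify(value)
        if kind == "injection":
            action = "block"
        elif kind == "non-injection":
            action = "block" if non_injection_detection else "pass"
        else:
            action = "pass"
        results[name] = (kind, action)
    return results

if __name__ == "__main__":
    # The two requests from the note above, plus a benign value that contains a quote.
    for url in ["/query.php?name='and 1=1%23",
                "/query.php?sql=select name from users where 1=1%23",
                "/query.php?name=O'Brien"]:
        print(url, scan_url(url), scan_url(url, non_injection_detection=False))
```

Turning Non-injection Attack Detection off does not weaken injection detection: the first request is still blocked, only the complete statement in the second one is let through, which is the behaviour a database administration tool such as phpMyAdmin needs.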

    Protocol Compliance

    Web frameworks in different programming languages parse the format of HTTP requests with different degrees of strictness. Attackers can exploit these parsing differences, for example by sending a malformed multipart body in a file upload, to get a request past WAF that the back end still accepts. The protocol compliance feature validates that HTTP requests are properly formatted, which helps prevent bypasses of this kind, including file upload bypasses.

    The protocol compliance feature is supported only for pay-as-you-go WAF instances and subscription WAF instances of the Enterprise and Ultimate editions.
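The page does not describe which checks the protocol compliance feature performs, so the following Python code is an added illustration written for this page rather than taken from WAF. It parses a raw HTTP/1.1 request and reports violations that lenient back-end parsers tolerate but that let a request slip past signature matching: a multipart body whose boundary does not match the one declared in Content-Type, a body length that is ambiguous because both Content-Length and Transfer-Encoding are present, and malformed header lines. The sample requests are constructed, not captured traffic.

```python
import re

HEADER_NAME = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 9110 token characters
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")

def check_multipart(content_type: str, body: bytes) -> list:
    """Checks for a multipart/form-data body, the format used by browser file uploads."""
    violations = []
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return ["multipart/form-data without a boundary parameter"]
    delimiter = b"--" + m.group(1).encode("latin-1")
    if not body.startswith(delimiter + b"\r\n"):
        violations.append("body does not start with the declared boundary")
    if not body.rstrip(b"\r\n").endswith(delimiter + b"--"):
        violations.append("closing boundary missing")
    # Every part must announce itself with Content-Disposition: form-data before its payload.
    for i, part in enumerate(body.split(delimiter + b"\r\n")[1:]):
        part_head = part.split(b"\r\n\r\n", 1)[0].lower()
        if b"content-disposition:" not in part_head or b"form-data" not in part_head:
            violations.append(f"part {i} lacks a Content-Disposition: form-data header")
    return violations

def check_compliance(raw: bytes) -> list:
    """Return the protocol violations found in a raw HTTP/1.x request (empty list = compliant)."""
    violations = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["header block is not terminated by an empty line"]
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0].decode("latin-1")):
        violations.append("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        name = name.decode("latin-1")
        if not colon or not HEADER_NAME.match(name):   # rejects "Host : x" and lines without a colon
            violations.append(f"malformed header line: {line!r}")
            continue
        headers.setdefault(name.lower(), []).append(value.strip().decode("latin-1"))
    lengths = headers.get("content-length", [])
    if lengths and "transfer-encoding" in headers:
        violations.append("both Content-Length and Transfer-Encoding present: body length is ambiguous")
    if len(set(lengths)) > 1:
        violations.append("conflicting Content-Length values")
    elif lengths and not lengths[0].isdigit():
        violations.append("Content-Length is not a non-negative integer")
    elif lengths and int(lengths[0]) != len(body):
        violations.append(f"Content-Length {lengths[0]} does not match body size {len(body)}")
    content_type = headers.get("content-type", [""])[0]
    if content_type.lower().startswith("multipart/form-data"):
        violations += check_multipart(content_type, body)
    return violations

# Constructed sample requests.
BOUNDARY = "X7h3Z"
UPLOAD_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n'
    "Content-Type: text/plain\r\n\r\n"
    "hello\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

def build(extra_headers: str, body: bytes) -> bytes:
    return (f"POST /upload HTTP/1.1\r\nHost: example.test\r\n{extra_headers}"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body

GOOD_UPLOAD = build(f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n", UPLOAD_BODY)
# Declared boundary differs from the one in the body: a lenient back end may still
# locate the file part, while an inspector that trusts the header sees no parts at all.
BOUNDARY_MISMATCH = build("Content-Type: multipart/form-data; boundary=other\r\n", UPLOAD_BODY)
# Two body-length mechanisms: front end and back end can disagree on where the body ends.
AMBIGUOUS_LENGTH = build("Transfer-Encoding: chunked\r\n", b"0\r\n\r\n")
# Whitespace before the colon is not a valid header line.
BAD_HEADER = b"POST /upload HTTP/1.1\r\nHost : example.test\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("good upload", GOOD_UPLOAD), ("boundary mismatch", BOUNDARY_MISMATCH),
                       ("ambiguous length", AMBIGUOUS_LENGTH), ("bad header", BAD_HEADER)]:
        print(f"{label}: {check_compliance(req) or 'compliant'}")
```

The point of rejecting, rather than repairing, a malformed request is that a WAF cannot know which of several lenient interpretations the back end will choose; only a request with a single unambiguous parse can be inspected reliably.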

    Intelligent O&M

    After you turn on the Intelligent Whitelist switch, WAF performs intelligent learning based on historical service traffic and identifies basic protection rules that may cause false positives. URLs that are repeatedly blocked by such rules are then automatically added to a whitelist, so that requests to those URLs bypass detection by the basic protection rules.

    The automatically created whitelist rules are named AutoTemplate and are displayed in the whitelist rule list. For more information, see Configure whitelist rules.

    Note

    Only pay-as-you-go and subscription WAF instances of the Enterprise and Ultimate editions support the intelligent whitelist feature.

    Apply To

    Select the protected objects and protected object groups to which you want to apply the template.

    You can apply only one template of a protection module to a protected object or a protected object group. For information about how to associate protected objects and protected object groups with the template, see Protected objects and protected object groups.

    After you create a basic protection rule template, you can perform the following operations in the rule template list:

    • View the number of protected objects and protected object groups that are associated with the template.

    • Turn on or turn off the switch in the Status column to enable or disable the template.

    • Click Edit or Delete in the Actions column to modify or delete the template.

    • If the Intelligent Whitelist Enabled icon is displayed to the right of a rule template name, the intelligent whitelist feature is enabled for the template. You can click Delivery Record in the Actions column to view the automatically created whitelist rules. If the Intelligent Whitelist Disabled icon is displayed to the right of a rule template name, the intelligent whitelist feature is not enabled for the template. You can turn on or turn off the switch in the Intelligent Whitelist column to enable or disable the intelligent whitelist feature.

    • Click the expand icon to the left of a template name to view the rules in the template.

    You can click Rule Groups to view the associated rule templates of each rule group in the Basic Protection Rule section.

What to do next

On the Basic Protection Rule tab of the Security Reports page, you can view the protection details of each basic protection rule. For example, you can click View Details in the Actions column of a protection rule to view the protection details of the rule. For more information, see the "Basic protection rule module" section in the Security reports topic.

Important

You cannot search for a protection rule by rule ID on the Protection Rules page. If a protection rule blocks normal traffic, you can configure a whitelist rule. For information about how to create a whitelist rule, see Configure whitelist rules to allow specific requests.
