
Web Application Firewall: Rule library management

Last Updated: Apr 01, 2026

Use the Rule Libraries page in Web Application Firewall (WAF) 3.0 to view system protection rules and configure custom protection rules for hybrid cloud protection. This topic describes how to configure your custom protection rules.

System protection rules

The Alibaba Cloud security team maintains and updates system protection rules. These rules are view-only.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of your WAF instance (Chinese Mainland or Outside Chinese Mainland). In the left-side navigation pane, choose Detection and Response > Rule Libraries.

  2. Click the System Protection Rules tab. The left side of the tab displays rule information, and the right side displays the rule update status.

Custom protection rules

Custom protection rules apply only to assets protected by hybrid cloud protection. You can create, view, edit, and delete custom rules on the Rule Libraries page.

Create custom protection rule

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of your WAF instance (Chinese Mainland or Outside Chinese Mainland).

  2. In the left-side navigation pane, choose Detection and Response > Rule Libraries.

  3. On the Custom Protection Rules tab, click Create Rule. Configure the following parameters and click OK.

    Rule Name: The name of the rule. The name can contain Chinese characters, letters, digits, periods (.), underscores (_), and hyphens (-).

    Module Name: The type of attack that the rule detects. Supported modules include SQL Injection, XSS, Code Execution, CRLF, Local File Inclusion, Remote File Inclusion, webshell, Others, OS Command Injection, Expression Injection, Java Deserialization, PHP Deserialization, SSRF, Path Traversal, Protocol Non-compliance, Arbitrary File Upload, and File Inclusion.

    Rule Level: The sensitivity level of the rule. Valid values: Loose, Medium, Strict, and Super Strict.

    Status: The rule is disabled by default and must be enabled on the engine configuration page of a protection template.

    Rule Action: The default action for a new rule is Block. You can change this action in the engine configuration of the Core Web Protection rule template.

    Rule Description: A description of the rule's conditions and purpose. This parameter is optional.

    Match Field: Defines the request characteristics that trigger the rule.

    You can add up to 10 conditions to a rule. If you define multiple conditions, a request must meet all of them to match the rule.

    Each condition consists of a Match Field, a Logical Operator, and Match Content. The following provides some examples:

    • Example 1: Set Match Field to URI, Logical Operator to Contains, and Match Content to /login.php. A request matches the rule if its path contains /login.php.

    • Example 2: Set Match Field to IP, Logical Operator to Belongs to, and Match Content to 192.1X.XX.XX. A request matches the rule if the client IP address is 192.1.XX.XX.

    For more information about match fields and logical operators, see Match conditions.

    Note: An Alibaba Cloud account, including its RAM users, can create a maximum of 200 custom rules.

  4. If the message The operation is successful. appears, the rule is created.

Enable custom protection rule

After you create a custom protection rule, you must enable it in the engine configuration to apply it to the protected assets in your hybrid cloud deployment.

  1. In the left-side navigation pane, choose Protection Config > Core Web Protection. On the Core Web Protection page, find the target rule template in the Core Protection Rule section and click Edit in the Actions column.

  2. In the Edit panel, click Configure Engine. Go to the Custom Protection Rules tab, find your target rule, and turn on its Status switch.

Edit custom protection rule

On the Custom Protection Rules tab, find the rule that you want to modify and click Edit in the Actions column. In the Edit Rule dialog box, you can modify the rule name, rule level, rule status, rule description, and match conditions. After you finish editing, click OK. After a success message appears, the updated rule information is displayed on the page.

Delete custom protection rule

On the Custom Protection Rules tab, find the rule that you want to delete and click Delete in the Actions column.

Important

Deleting a rule removes it from the detection engine and deactivates it immediately, regardless of its previous status.

Match conditions

Supported match fields

Every match field supports the same logical operators: Contains, Regular expression match, Equals, Prefix match, and Suffix match.

Filename: Matches the full filename in the request. Example: abc.php.

File extension: Matches the file extension in the URL. Example: .jspa.

HTTP method: Matches the request method. Examples: GET, POST, DELETE, PUT, OPTIONS, CONNECT, HEAD, TRACE, and PATCH.

URI path: Matches the path of the URI, without query parameters. It is equivalent to the path component.

raw URL: Matches the raw URI path, without query parameters and without URL decoding. Example: %2Ftest.php.

URI: Matches the request URI, excluding the domain name. Example: /login.php?a=1.

Directory: Matches the full path, which includes the URI and filename. Example: /abc/123.txt.

Param: Matches the entire query string, including parameter names and values that follow the question mark (?). Example: ?a=b.

Body: Matches the entire request body without parsing it into key-value pairs.

Multipart keys: For requests with Content-Type: multipart/form-data, this field matches the filename.

Multipart values: For requests with Content-Type: multipart/form-data, this field matches the file content.

Raw header: Matches the entire raw header without URL decoding or parsing it into key-value pairs.

header keys: Matches the keys of key-value pairs in the request header.

header values: Matches the values of key-value pairs in the request header.

query arg keys: Matches the keys (names) of query string parameters in the URL. Example: in /test.php?k=v, it matches k.

query arg values: Matches the values of query string parameters in the URL. Example: in /test.php?k=v, it matches v.

post arg keys: For form-encoded request bodies, this field matches the keys (names) of parameters. Example: in k=v, it matches k.

post arg values: For form-encoded request bodies, this field matches the values of parameters. Example: in k=v, it matches v.

cookie keys: Matches the keys (names) of parameters in the request cookie. Example: in Cookie: a=b;c=d, it matches a or c.

cookie values: Matches the values of parameters in the request cookie. Example: in Cookie: a=b;c=d, it matches b or d.

Multipart: Precisely matches a specified part of a multipart request to prevent overmatching. For example, you can use multipart.filename to match only the value associated with filename=../test.

Query string parameter: Precisely matches a specified query string parameter to prevent matching similar parameters. For example, in the URL https://example.com/path?queryarg.k=value1&queryarg.other=value2, using queryarg.k allows you to precisely match value1 without also matching the value of queryarg.other.

Header: Precisely matches a specified header value to prevent overmatching. For example, header.cookie allows you to precisely match the value of the Cookie header, such as ../test.

body parameter: Precisely matches the value of a specified parameter in the request body to prevent overmatching. For example, postarg.k precisely matches the value associated with the key k.
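The field semantics in this table, together with the AND-of-conditions behaviour and Example 1 from the create-rule procedure, modelled as an added Python illustration; this is not Alibaba Cloud WAF's engine, and the request shape, the simplified parsing, and the extract_fields and rule_matches names are assumptions. It makes visible why raw URL and URI path see different text for the same request and why queryarg.k matches one parameter only.

```python
import re
from urllib.parse import parse_qsl, unquote

# Added illustration of this page's match fields and logical operators; it is not
# Alibaba Cloud WAF's engine. Request shape and helper names are assumptions.
OPERATORS = {
    "Contains": lambda value, content: content in value,
    "Regular expression match": lambda value, content: re.search(content, value) is not None,
    "Equals": lambda value, content: value == content,
    "Prefix match": lambda value, content: value.startswith(content),
    "Suffix match": lambda value, content: value.endswith(content),
}

def extract_fields(method, raw_uri, headers, body=""):
    """Return every match field of one request as a list of candidate values."""
    raw_path, _, query = raw_uri.partition("?")
    path = unquote(raw_path)                       # URI path: decoded, query removed
    filename = path.rsplit("/", 1)[-1]
    query_args = parse_qsl(query, keep_blank_values=True)
    post_args = parse_qsl(body, keep_blank_values=True)   # form-encoded body only
    cookies = [c.strip().partition("=") for c in headers.get("Cookie", "").split(";") if c.strip()]
    fields = {
        "HTTP method": [method],
        "URI": [raw_uri],                          # request URI without the domain name
        "URI path": [path],
        "raw URL": [raw_path],                     # no query string, no URL decoding
        "Filename": [filename],
        "File extension": ["." + filename.rsplit(".", 1)[1]] if "." in filename else [],
        "Param": ["?" + query] if query else [],   # whole query string including "?"
        "Body": [body],
        "query arg keys": [k for k, _ in query_args],
        "query arg values": [v for _, v in query_args],
        "post arg keys": [k for k, _ in post_args],
        "post arg values": [v for _, v in post_args],
        "header keys": list(headers),
        "header values": list(headers.values()),
        "cookie keys": [k for k, _, v in cookies],
        "cookie values": [v for k, _, v in cookies],
    }
    # Precise fields (queryarg.<name>, postarg.<name>, header.<name>) see one named item only
    fields.update({f"queryarg.{k}": [v] for k, v in query_args})
    fields.update({f"postarg.{k}": [v] for k, v in post_args})
    fields.update({f"header.{k.lower()}": [v] for k, v in headers.items()})
    return fields

def rule_matches(conditions, fields):
    """A rule (1 to 10 conditions) matches only if every condition holds on some value."""
    return all(any(OPERATORS[op](v, content) for v in fields.get(field, []))
               for field, op, content in conditions)
```

Each condition is a (match field, logical operator, match content) tuple, so a rule is simply a list of up to 10 of them.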