After you add web services to Web Application Firewall (WAF), you can configure the basic protection rule module to protect the web services from common web application attacks, such as SQL injections, cross-site scripting (XSS) attacks, code execution, webshell uploads, and command injections. This topic describes how to create a basic protection rule template.

Background information

Decoding

Basic protection rules can be used to decode data that is encoded by using any of 23 supported encoding methods.
  • Basic protection rules can be used to parse data in various formats, such as JSON, XML, and Multipart, to improve detection accuracy.
  • Basic protection rules can be used to identify data that is encoded by using methods that can bypass WAF, such as Unicode encoding and HTML entity encoding, to improve the recall rate of detection.
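
The following added example (illustrative Python, not Alibaba Cloud code and not how WAF is implemented) shows why decoding and format parsing before rule matching improve recall: the same marker goes undetected by a raw-text match once it is URL-, HTML-entity- or Unicode-encoded, but is found after normalization. The toy signature, the function names, and the sample bodies are assumptions constructed for this example.

```python
import html
import json
import re
from urllib.parse import unquote

# Toy signature standing in for a real rule (assumption, not an actual WAF rule).
SIGNATURE = re.compile(r"<\s*script\b", re.IGNORECASE)
JS_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")
MAX_ROUNDS = 5  # bound nested decoding so crafted input cannot force endless work

def naive_inspect(body: str) -> bool:
    """Match the signature against the raw text only (no decoding)."""
    return SIGNATURE.search(body) is not None

def normalize(value: str) -> str:
    """Apply URL, HTML-entity and \\uXXXX decoding until nothing changes."""
    for _ in range(MAX_ROUNDS):
        decoded = html.unescape(unquote(value))
        decoded = JS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        if decoded == value:
            break
        value = decoded
    return value

def leaf_strings(node):
    """Yield every string key and value found in parsed JSON."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, val in node.items():
            yield from leaf_strings([key, val])
    elif isinstance(node, list):
        for item in node:
            yield from leaf_strings(item)

def decoding_inspect(body: str, content_type: str = "") -> bool:
    """Return True if the body or any parsed field matches after decoding."""
    fields = [body]
    if "json" in content_type.lower():
        try:
            fields += leaf_strings(json.loads(body))
        except ValueError:
            pass  # malformed JSON: the raw body is still scanned
    return any(SIGNATURE.search(normalize(f)) for f in fields)

# Constructed bodies: one marker in four encodings, then a benign request.
SAMPLES = ["q=<script>", "q=%253Cscript%253E", "q=&#x3c;script&#x3e;",
           r"q=\u003cscript\u003e", "q=movie%20script%20review"]
for body in SAMPLES:
    print(f"{body!r:30} naive={naive_inspect(body)} decoded={decoding_inspect(body)}")
```

The round limit matters in practice: without it, deeply nested encodings turn the decoder itself into a resource-exhaustion target.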

Supported basic protection rule templates

  • Default protection rule template
    • The basic protection rule module provides a built-in protection rule template named Default. The default basic protection rule template contains a basic protection rule named WAF group rule. By default, the rule is enabled and the Block action is specified in the rule.
    • By default, the default basic protection rule template protects all protected objects that are newly added to WAF. If WAF detects that a request matches a basic protection rule of the default protection rule template, WAF blocks the request and returns the block page to the request client.
  • Custom basic protection rule template

    If the default basic protection rule template cannot meet your business requirements, you can create a custom basic protection rule template and associate it with a protected object or protected object group. You can also specify protection actions other than the Block action in the custom basic protection rule template. For more information, see Step 2: Create a custom basic protection rule template.

    You can associate a custom basic protection rule template with the default rule group or a custom rule group.
    • The basic protection rule module provides a built-in rule group named Default Rule. You cannot modify, copy, or delete the default rule group.
    • You can also create a custom rule group based on your business requirements. For more information, see Step 1: Create a custom rule group.

Prerequisites

Step 1: Create a custom rule group

If a custom rule group already exists or the custom basic protection rule template that you want to create only needs to be associated with the default rule group, skip this step.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance that you want to manage belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, choose Protection Configuration > Protection Rules.
  3. In the Basic Protection Rule section, click Rule Groups.
  4. On the Rule Groups page, click Create Rule Group.
  5. Configure the parameters in the Configure Basic Information of Rule Group step and click Next.
    Important After a custom rule group is created, you cannot modify the basic information of the rule group.

    The following table describes the parameters.

    Parameter: Description

    Rule Group Name: Specify a name for the rule group. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Automatic Update: After you enable this feature, rules that are added to or removed from the default rule group are automatically synchronized to the current custom rule group.
    Important After you create a custom rule group, you cannot modify the configuration of this parameter.

    Select Protection Template: Select a rule template for the rule group. Valid values:
    • Create from Scratch: No preset protection rule templates are specified. You must manually add rules.
    • Use Default Rule Group: The default rule group is based on the built-in protection rule group provided by the Alibaba Cloud security team.
  6. Configure protection rules and click Next.
    1. In the Configure Protection Rules step, click Add Rule. In the Add Rule panel, you can select the rule that you want to add to the rule group or enter a rule ID or CVE ID to search for the rule. You can also specify Risk Level, Protection Rule Type, and Application Type to search for rules that you want to add to the rule group. Then, click Add. You can also click Add All to add all rules to the rule group.
      Note
      • If you set the Select Protection Template parameter to Use Default Rule Group in Step 5 and the rules that you want to add are in the rule library, you can skip this step.
      • By default, rules in the rule list are sorted in descending order by update time.
    2. If you want to delete a protection rule, you can enter the rule ID or CVE ID of the rule or specify Risk Level, Protection Rule Type, and Application Type to search for the rule. Then, click Remove. You can also click Clear All to delete all rules.
  7. In the message that appears, click OK.
    After you create a rule group, you can perform the following operations in the rule group list:
    • You can click the numbers in the Number of Built-in Rules column to view the built-in rules of each rule group.
    • You can click Edit, Copy, or Delete in the Actions column to modify, copy, or delete a rule group.
      Note
      • You can modify only protection rules in a rule group. You cannot modify the basic information of a rule group.
      • By default, the name of a copied rule group is in the following format: Original rule group name-copy. No protected objects are associated with a copied rule group.
      • A rule group that is associated with a protection rule template cannot be deleted. If you want to delete the rule group, you must first dissociate the rule group from the protection rule template.

Step 2: Create a custom basic protection rule template

  1. In the left-side navigation pane, choose Protection Configuration > Protection Rules.
  2. Click Create Template in the Basic Protection Rule section in the lower part of the Protection Rules page.
    Note If no custom basic protection rule templates exist, click Configure Now in the Basic Protection Rule card in the upper part of the Protection Rules page.
  3. In the Create Template - Basic Protection Rule panel, configure the parameters and click OK.
    Note By default, the new basic protection rule template is enabled.

    The following table describes the parameters.

    Parameter: Description

    Template Name: Specify a name for the template. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Save as Default Template: You can specify only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure the Apply To parameter. The default template is applied to all protected objects and protected object groups to which no protection rule templates are applied.

    Action: Select the action that you want WAF to perform when a request matches the protection rule. Valid values:
    • Block: blocks requests that match the rule and returns a block page to the client that initiated the request.
      Note By default, WAF returns a preconfigured block page. You can use the custom response feature to configure a custom block page. For more information, see Configure the custom response module.
    • Monitor: records matching requests to logs without blocking them. You can query logs about requests that match the rule and analyze the protection performance. For example, you can check whether normal requests are blocked based on logs.
      Important You can query logs only when the Log Service for WAF feature is enabled. For more information, see Enable Log Service for WAF.

      If you select Monitor, you can test the protection performance of the rule and check whether the rule blocks normal requests. Then, you can determine whether to set Action to Block.

    Note You can query rule match details in Monitor and Block modes on the Security Reports page. For more information, see Security reports.

    Rule Group Type: Select the type of the rule group with which you want the template to be associated. Valid values:
    • Default: If you select this option, the rule template is associated with the default rule group.
    • Custom: If you select this option, you must select a rule group from the drop-down list and the rule template is associated with the rule group that you select. For information about how to create a rule group, see Step 1: Create a custom rule group.

    Apply To: Select the protected objects and protected object groups to which you want to apply the template. You can apply only one template of a protection module to a protected object or a protected object group. For more information about how to manage protected objects and protected object groups, see Manage protected objects and Manage protected object groups.

    After you create a basic protection rule template, you can perform the following operations in the rule template list in the Basic Protection Rule section:
    • View the basic protection rule template that you created and the number of protected objects or protected object groups for which the rule template takes effect. Click the Hide/show icon on the left side of the rule template name to view the rules in the rule template.
    • Click Edit or Delete in the Actions column to modify or delete the rule template.

    You can also view the associated rule templates of each rule group in the Basic Protection Rule section.

What to do next

On the Basic Protection Rule tab of the Security Reports page, you can view the protection details of each basic protection rule. For example, you can find the protection rule whose protection details you want to query and click View Details in the Actions column to view the protection details of the protection rule. For more information, see Security reports.
Important You cannot search for a protection rule by Rule ID on the Protection Rules page. If a protection rule blocks normal traffic, you can configure the whitelist module to allow specific normal traffic or consult our experts in the DingTalk Group (Group ID: 34657699). For information about how to create a whitelist rule, see Configure the whitelist module.
