
Rule Engine (Old)
Last updated: 2025-08-06 17:22:34
Note:
If your Web rule base supports 25 types of attacks, then you are using the new rule engine. Please refer to the settings for Rule Engine (New) to configure your protection rules.
This document describes how to configure protection rules in Web Application Firewall (WAF) to defend against web attacks.

Overview

WAF uses a regex-based rule protection engine and a machine learning-based AI protection engine to defend against web vulnerabilities and unknown threats.
WAF's rule protection engine provides expert rule sets, built on Tencent Security's accumulated web threat intelligence, that automatically block OWASP Top 10 attacks. Currently, it can defend against 17 categories of common web attacks, such as SQL injections, XSS attacks, malicious scanning, command injection attacks, web application vulnerabilities, WebShell uploads, non-compliant protocols, and trojans.
WAF's rule protection engine supports rule level configuration. You can set the rule protection level according to your actual business needs and enable or disable rule sets, individual rules, and preset rules. You can also use the allowlist of specified URLs and rule IDs to process false positives.

Directions

Rule management

1. Log in to the Web Application Firewall console, and at the top of the left sidebar, switch the console to the instance location (Chinese mainland/non-Chinese mainland).
2. Select Protection Policies > Basic Security on the left sidebar.
3. On the page that appears, click Web security. On the Rule engine tab, you can enable individual rules based on domain names. All rules are enabled by default.



4. Select the rules you want to change, then click the “Batch enable” or “Batch disable” button at the top left corner of the rule engine page to enable or disable them in one click.

5. You can search in the rule set by specifying the rule level, defense level, rule ID, attack category, or CVE number to view specific rules and perform operations.
Note:
The level "Super Strict" covers all rules, "Strict" covers rules of the level "Normal" and "Loose", and "Normal" covers "Loose".


Rule allowlist and false positive processing

1. Log in to the Web Application Firewall console, and at the top of the left sidebar, switch the console to the instance location (Chinese mainland/non-Chinese mainland).
2. Select Protection Policies > Basic Security on the left sidebar.
3. On the basic security page, click Web security. On the "Rule engine" tab, you can add domain name URLs and rule IDs to the allowlist and process false positives.
4. On the Rule engine tab, select the target rule, click Add to allowlist, and the custom rule adding window will pop up.



5. In the pop-up window, configure relevant parameters and click OK.



Field description
Rule ID: ID of the rule that needs to be allowed. You can add one rule ID for each policy.
Match method: Match method of the URL to be allowed. You can select "Exact match" (default value), "Prefix match", or "Suffix match".
URL: URL path to be allowed. The URL must be unique under one domain name.
Enable allowlist: Controls whether the allowlist is enabled. It is disabled by default.
6. After the allowlist is configured, click View allowlist to view the allowed rules and perform relevant operations.



Field description:
Rule ID: ID of the rule added to the allowlist, which can be obtained through attack logs or rule management.
Match method: Match method of the URL to be allowed. You can select "Exact match" (default value), "Prefix match", or "Suffix match".
URL: URL path to be allowed. The URL must be unique under one domain name.
Enable allowlist: Controls whether the allowlist is enabled.
Last modified: The last time the rule was added or modified.
Operation: It allows you to edit or delete a rule.
Click Edit, modify relevant parameters, and click OK.
Click Delete and confirm the deletion.
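
A small model for previewing what an allowlist entry would exempt before you enable it, replayed over rule hits read from attack logs. This is an added example, not Tencent Cloud code: the class and function names are hypothetical, the rule IDs and paths are constructed, and case-sensitive matching on the URL path (query string excluded) is an assumption.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class AllowlistEntry:
    rule_id: int
    match_method: str      # "exact" (default), "prefix" or "suffix"
    url: str
    enabled: bool = False  # the page states the allowlist is disabled by default

def path_matches(entry, path):
    # Assumption: case-sensitive comparison on the URL path only.
    if entry.match_method == "exact":
        return path == entry.url
    if entry.match_method == "prefix":
        return path.startswith(entry.url)
    if entry.match_method == "suffix":
        return path.endswith(entry.url)
    raise ValueError(f"unknown match method: {entry.match_method!r}")

def suppressed_hits(entries, hits):
    """Return the rule hits that an enabled entry for the same rule ID would exempt."""
    return [h for h in hits
            if any(e.enabled and e.rule_id == h["rule_id"]
                   and path_matches(e, h["path"]) for e in entries)]

def duplicate_urls(entries):
    """URLs used by more than one entry; the page requires uniqueness per domain."""
    counts = Counter(e.url for e in entries)
    return sorted(u for u, n in counts.items() if n > 1)

# Constructed sample: rule hits for one domain (rule IDs are placeholders).
HITS = [
    {"rule_id": 1001, "path": "/api/report/export"},  # the reported false positive
    {"rule_id": 1001, "path": "/api/login"},
    {"rule_id": 1002, "path": "/api/report/export"},
    {"rule_id": 1001, "path": "/static/app.js"},
]
EXACT = AllowlistEntry(1001, "exact", "/api/report/export", enabled=True)
PREFIX = AllowlistEntry(1001, "prefix", "/api/", enabled=True)

if __name__ == "__main__":
    for name, entry in (("exact", EXACT), ("prefix", PREFIX)):
        paths = [h["path"] for h in suppressed_hits([entry], HITS)]
        print(f"{name:6} {entry.url!r} exempts rule {entry.rule_id} on: {paths}")
```

The prefix entry exempts the same rule on /api/login as well, which is why "Exact match" is the narrower choice when a false positive affects a single URL.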

Viewing the rule category

1. Log in to the Web Application Firewall console, and at the top of the left sidebar, switch the console to the instance location (Chinese mainland/non-Chinese mainland).
2. Select Service Management > System Settings > Web Rule Library on the left sidebar.
3. On the Protection rules tab, you can view the descriptions and rule updates of the attack categories that WAF currently can defend against.

WAF can currently defend against the following attack categories:

| Attack Category | Attack Description |
| --- | --- |
| SQL injection attack | Website input parameters are not strictly filtered, which allows unauthorized retrieval of SQL database content. |
| XSS attack | XSS vulnerabilities occur when a new webpage generated by the application contains untrusted data that is not properly validated or escaped, or when an existing webpage is updated using a browser API that can create HTML or JavaScript. XSS enables attackers to execute scripts in victims' browsers, hijack user sessions, destroy websites, or redirect users to malicious sites. |
| Malicious scanning | WAF can detect whether the website has been maliciously scanned. |
| Unauthorized access to core files | The scope of protection includes, but is not limited to, detecting behaviors that may lead to the leakage of sensitive information, such as access to SVN or Git sensitive files, database files, or other access paths. |
| Open-source component vulnerability exploiting | Attacks caused by vulnerabilities in common open-source web components. |
| Command injection attack | A type of injection attack, such as shell command injection, PHP code injection, and Java code injection, which causes the website to execute the injected code if successfully exploited. |
| Web application vulnerability exploiting | Web application security (security of Java, ActiveX, PHP, and ASP code running on the web server). |
| XXE attack | If the XML processor resolves external entity references in XML files, attackers can use external entities to steal internal files and file shares through the file URI handler, scan internal ports, execute remote code, and carry out denial-of-service attacks. |
| Trojan horse attack | WAF can detect communication with the control terminal during or after a trojan upload. |
| File upload attack | After a malicious script disguised as a file with a normal extension is uploaded, attackers can execute it through a local file inclusion vulnerability. |
| Other vulnerability exploiting | Attacks caused by the security configuration or vulnerabilities of the web server itself and other software. |
| Non-compliant protocol | Anomalies in the HTTP protocol and header parameters. |