Rule Set

Rules:

How are the rules categorised?

The rules are grouped based on the type of vulnerability or attack they target. These categories correspond to the "OWASP Top 10" web application security risks, a well-known industry standard.

What do the rule names (A01:2021-Broken Access Control, etc.) mean?

These names follow a common format used for referencing security vulnerabilities. They likely refer to the "Common Vulnerabilities and Exposures" (CVE) classification system.

  • The first part (A01, A02, etc.) indicates a specific vulnerability category.

  • The year (2021) represents the year the vulnerability was first identified.

  • The description provides details about the type of vulnerability the rule targets

What kind of attacks do these rules protect against?

Here's a breakdown of some rule categories and examples of attacks they might target:

  • A01:2021-Broken Access Control: Attacks that exploit weaknesses in how applications control access to resources (e.g., unauthorized access attempts).

  • A02:2021-Cryptographic Failures: Attacks that exploit weaknesses in encryption algorithms or implementations.

  • A03:2021-Injection: Attacks that inject malicious code into website inputs (e.g., SQL injection, XSS).

  • A04:2021-Insecure Design: Rules that target vulnerabilities arising from flawed application design practices.

  • A05:2021-Security Misconfiguration: Attacks that exploit improper security settings or configurations on the web server.

  • A06:2021-Vulnerable and Outdated Components: Rules that detect suspicious requests associated with known vulnerabilities in outdated software components.

  • A07:2021-Identification and Authentication Failures: Attacks that exploit weaknesses in user authentication mechanisms (e.g., brute-force attacks, session hijacking).

  • A08:2021-Software and Data Integrity Failures: Rules that target vulnerabilities allowing attackers to modify or manipulate software or data.

  • A09:2021-Security Logging and Monitoring Failures: Attacks that attempt to disable or bypass security logging mechanisms.

  • A10:2021-Server-Side Request Forgery: Attacks that exploit vulnerabilities allowing attackers to manipulate the server into performing unauthorized actions.

Are there additional rule categories not shown here?

Yes, there are more WAF rule categories beyond what's displayed based on AI/ML application profiling.

How do rules handle complex attacks that combine multiple techniques?

WAF rules can be layered to address different aspects of an attack. For instance, a rule might block specific SQL injection characters, while another rule might look for suspicious patterns in the request body.

Can custom WAF rules be created to address specific vulnerabilities?

Yes, Prophaze WAF allows creating custom rules based on regular expressions or other patterns. This can be helpful for targeting vulnerabilities unique to your website application.

Exceptions:

What does the "Exceptions" section show?

This section lists specific paths or resources within the website that are excluded from certain WAF rule checks. This allows legitimate functionality while maintaining security.

How can I determine which WAF rules to enable or disable?

Enabling all rules offers maximum protection but might lead to false positives (blocking legitimate traffic). Disabling rules increases risk but allows specific functionality.

Adding a New Rule:

What options are available to define the rule condition?

You can select various attributes to define the matching criteria for your rule. These include:

  • IP Address: Block requests originating from specific IP addresses.

  • Country: Block requests originating from specific countries.

  • ASN (Autonomous System Number): Block requests from a specific network provider.

  • User Agent: Block requests from specific browser types or suspicious user agents.

  • Cookie: Block requests containing specific cookies (might be useful for advanced scenarios).

  • Header: Block requests containing specific HTTP headers or header values.

  • Request URI: Block requests targeting specific URLs or URL patterns.

  • HTTP Method: Block requests using specific HTTP methods (e.g., POST, GET).

  • Referrer: Block requests coming from specific referring websites.

  • Content Type: Block requests with specific content types (e.g., script files).

  • Content Length: Block requests with content length exceeding a certain limit.

  • URL Length: Block requests with URLs exceeding a certain length (might be useful for blocking certain attack patterns).

Can I combine multiple conditions in a single rule?

The interface offers an "AND" option, which suggests you can combine multiple conditions using logical AND. This allows the creation of more granular rules that only trigger when all specified conditions are met.

What actions can be taken when a rule matches?

You can define various actions to be taken when a request matches your rule:

  • DENY: Completely block the request.

  • TEMPORARY REDIRECT TO: Redirect the request to a different temporary URL (useful for mitigating certain attacks).

  • PERMANENT REDIRECT TO: Redirect the request to a different permanent URL.

  • RATE LIMIT: Limit the number of requests allowed from a specific source within a defined timeframe.

What is the purpose of the "Status" option?

The "Status" option allows you to enable or disable the newly created rule. Disabled rules won't actively block traffic.

Custom Error Text:

What is the purpose of Custom Error Text?

This section allows you to define custom error messages displayed to users when specific security events occur. This can provide more informative messages compared to generic error codes.

What information can be included in the custom error text?

You might be able to include details like the error code, any relevant information about the blocked request, or instructions for the user.

IP Reputation:

What is IP reputation?

IP reputation refers to the scoring or classification of IP addresses based on their known malicious activity. Security solutions leverage IP reputation databases to identify and potentially block traffic originating from suspicious sources.

What does the "IP Reputation" section allow you to do?

This section lets you manually override the IP reputation for specific IP addresses. You can choose to "Allow" traffic from an IP address even if it has a poor reputation.

When might I use the "IP Allowed" action?

You might use this if a known business partner's IP address is flagged incorrectly or if you trust a specific IP source. However, proceed with caution as allowing IPs with poor reputations can bypass security measures.

Geo Reputation:

What is Geo Reputation?

Geo reputation assigns a risk score or classification based on the geographical location of a request's origin. This can be helpful for identifying suspicious traffic patterns originating from specific countries known for cybercrime activity.

How can I create a Geo reputation exception?

You might be able to specify a country and choose the "Allowed" action. This allows traffic from users in that country even if it has a negative reputation. (Use with caution, as it could bypass security measures).

Allowed URLs:

What does the "Allowed URL" section allow you to do?

This section allows you to whitelist specific URLs within your website. Requests targeting these URLs won't be filtered by certain security rules, ensuring functionality.

When might I use the "Allowed URL" action?

You might whitelist specific URLs that are flagged by security rules but are essential for website functionality (e.g., URLs for plugins or scripts).

PreviousAttack SectionNextTraffic 360: General Traffic Logs

Last updated