IPDS | WAF | Update

POSTED BY Zevenet | 25 October, 2021

This section shows all the settings available for the current WAF rule set organized in three tabs, Global, Rules, and Farms. Keep in mind that changes in this section have to be applied by clicking on the Apply button.

Global Settings WAF Rule Set

This configuration manages the behavior of all rules contained in the set.

idps update

Name. A label that easily identifies a rule. The label you choose to name your ruleset will not be modifiable.
Check Request Body. It is a flag that sets if the body of the HTTP requests is to be analyzed. If this flag is disabled, the body will be skipped and the rule matches against the request body parameters will not be processed.
Request Body Limit. It is the maximum number of bytes of the request body saved to inspect the body request. If this parameter has the value 0, the WAF will save the content-length size completely. It is recommended to set any limit value.
Check Response Body. It is a flag to set if the body of the HTTP response is to be analyzed. If this flag is disabled, the body will be skipped and rule matches against response body parameters will not be processed. A response greater than 524288 (512KB) will be ignored.
Default Action. This select box is used as the default resolution when no resolution is specified in a rule. All matches of the rule are a success. Here is a brief description of each action.

  • Allow. Will enable processing of the current WAF till it finishes to complete the HTTP transaction
  • Pass. WAF will continue evaluating the next rule without cutting the HTTP transaction.
  • Deny. Finish the current HTTP transaction. Evaluation of more rules will not be allowed. If the rule matches in phase 1 or 2 (analyzing the request), the request will not be delivered to the backend. If the rule matches in phase 3 or 4 (analyzing the response), the response will not be delivered to the client.
  • Redirect. The HTTP transaction will be halted and an HTTP redirect will be sent to the client.

Redirect url. It is the URL sent to the client when a rule matches. This URL has a redirect resolution set up.
Default phase. This select-box is used as the default phase when no phase is specified in a rule. A phase is an HTTP step that allows you to hook a WAF rule. These are the defined phases:

  • Request headers are received. The rule will be executed once all request headers from the client are read by the load balancer.
  • Request body is received. The rule will be executed when the complete request body from the client is buffered in the load balancer.
  • Response readers are received. The rule will be executed once all response headers from the server are read by the load balancer.
  • Response body is received. The rule will be executed when the complete response body from the server is read by the load balancer.
  • Before than logging. The rule is executed when the WAF process finishes the logging task.

Default log. It is a log default action. This value is used if no action about logs is specified in the rule settings.
Only logging. If this checkbox is enabled, the resolution parameter of the rules in the set will never be executed. This working mode is only available when the set is running.

Disable Rules

Those tables allow disabling rules of the set without modifying them.

idps disable rulesets

Enabled Rules. It is the list of rules currently enabled in the set. The rules are identified by its rule id and its description parameters.
Disabled Rules. It is the list of rules currently disabled in the set.

List of WAF Rules

The Rules section permits creating and modifying WAF rules that detect and protect against HTTP attacks.

Those rules are directives that are evaluated sequentially, i.e. In the same order that is shown on this screen. If it is necessary to sort the rules, enable the Sort button then and drag and drop in the requested position.

The possible parameters for the rules have been described below.

idps rules

ID. It is an identifier to identify the rule inside the rule set. This identifier corresponds with the rule position in the set.
Rule ID. It is a unique identifier of the rule. It is not possible to link a farm to a waf set that contains two rules with the same rule ID.
Description. It is a descriptive message to identify the rule. This message will be logged in a successful match.
Phase. The phase represents the step of the HTTP request where a rule will be executed. The possible phases are:

  • Request headers are received. The rule will be executed once all request headers from the client are read by the load balancer.
  • Request body is received. The rule will be executed when the complete request body from the client is buffered in the load balancer.
  • Response readers are received. The rule will be executed once all response headers from the server are read by the load balancer.
  • Response body is received. The rule will be executed when the complete response body from the server is read by the load balancer.
  • Before than logging. The rule is executed when the WAF process finishes the logging task.

Resolution. This select box is the action chosen to execute if all the match conditions are achieved.

  • Allow. No more rules will be evaluated (for the current HTTP transaction) if a rule with this action matches.
  • Pass. WAF will continue evaluating the next rule without cutting the HTTP transaction.
  • Deny. Finish the current HTTP transaction. There will be no more evaluation of rules. If the rule matches in phase 1 or 2 (analyzing the request), the request will not be delivered to the backend. If the rule matches in phase 3 or 4 (analyzing the response), the response will not be delivered to the client.
  • Redirect. The HTTP transaction will be halted and an HTTP redirect will be sent to the client.
  • Default action. The resolution will be set if you don’t apply any. Usually, it will be the Allow resolution

Redirect URL. It is the URL where the client will be redirected in the case that rule will execute a redirect. This parameter will appear when a redirect is chosen in the resolution field.
Skip. If all matches are achieved, the rule will skip the number of rules specifies in this field.
Skip After. If all matches are achieved, the rule will jump to another firewall position. The rule can jump to a ‘mark’ or another rule ID. The rule ID executes after a jump and will be in the same phase as the current rule.
Execute. It is the path to an LUA script. The script has to be previously uploaded to the load balancer. It will be executed once the first match is achieved.
Log. If this parameter is enabled, the rule will be logged when the first match is achieved.

Editing a WAF rule in raw

If the form doesn’t adequately describe a given WAF rule, and the administrator is not familiar with the SecLang syntax, it is possible to create rules or a batch of rules through the edit option. This field accepts any instructions. If the instructions and parameters are supported by the SecLang syntax, the parameters that are expressed in the form will not be shown. However, they will be shown in the edit form and processed in the running time.

Here are the examples in both form mode and raw mode.

Form Mode

This is mode is more user-friendly to edit a WAF rule.
zevenet ipds editing rule

Raw Mode

This mode is for more advanced users.
zevenet ipds editing rule

Creating a WAF rule

When a new rule is added, it will be added by appending it to the other rules of the sets. To create a new rule, there are three ways to create a new rule.

zevenet ipds creating rule
Rule type:

  • Action. It will create a basic rule using a form. The parameters of the form are the same explained in the List of WAF Rules section. If the execution of the rule is conditional, click on the Add Condition button to set the execution conditions.

    zevenet ipds creating rule action

  • Mark. It sets a firewall mark. These marks are used once a match condition is achieved. The expected parameter is the name that identifies the mark.

    zevenet ipds creating rule mark

  • Custom. This form accepts rules (and a batch of rules) of SecLang syntax. For more information about the SecLang syntax, visit the libmodsecurity project documentation.

    zevenet ipds creating rule custom

List of Conditions

The table in the image below shows a list of conditions that the HTTP parsed packet must match to the rule that will be applied. All of these matches will be executed in the phase defined in the rule. The matches will be checked sequentially and the rule will be applied if all of them are accomplished.

idps conditions list

To evaluate the match, the WAF will execute an operation (parameters Operator and Operating) against a list of variables. If some variables in the list comply with the operation, they will be considered successful. For example, in the following image, the header IMAGES are looked for in the list of request headers sent by the client. First, it decodes every 64 bases of each header and then converts the headers to low case characters. When the transformation of the variables is completed, a regular expression is applied, looking for the string images in the list of transformed variables. The multi match option will try a match for each transformation operation (after base 64 decoding and after low case conversion).

Creating Conditions

The match builds a condition that has to be achieved to execute the WAF rule. To evaluate the match, the WAF will execute an operation (parameters Operator and operating) against a list of variables. If there is a match between the operations and the variables of the list, the match is taken as successful. For example, to look for the local host (127.0.0.1) in the request headers list and in the virtual host HTTP field, it can be evaluated with the following configuration.

idps creating condition

These are the configuration parameters for setting conditions:

Variable. It suggests which part of the HTTP transaction the rule will try to match. You can select from the variables listed, and the matches will be taken as valid if some of them match. A drop-down menu will appear when you click through the variables field. Information about the variable configuration can be found in the Creating variables section.
Transformations. The transformation is a list of modifications applied to variables. Transformations are applied sequentially, in the same order shown in the field, and it is possible to try a match for each transformation applied using the multi-match option. Transformation does not modify any information of the HTTP transaction, they are saved in temporal contexts and removed once the operation has concluded. Here is a list of the transformations. This parameter is used to remove anti-avoid techniques or to remove codification data.
Operator. This is how the rule tries the match. This parameter is usually combined with the Operating. Here is a list of operators.
Operating. This is what the rules try in the match. The parameter is usually combined with the operator. The type of the expected value has to align with the operator.
Multi-Match. This parameter is used when more than one transformation is configured. The rule will try to match the variables, the Operator, and the Operating for each value of transformations. The possible values are: true, which enables multi-match, or false which disables the multi-match feature.
Not Match. If this check-box is enabled, the result of the match will be negated, converting to true when the result is false or converting to false when the result is true.

Creating variables

The variables are mandatory parameters in a match condition. They select the part of the HTTP request/response to look for the information.

Variables. This parameter specifies the field of the HTTP request/response to look for the information (time, server…)

variables creating condition

Variable’s argument. When a variable is selected, it is sometimes necessary to specify an element from it. For example, the image below shows how the request header host is selected checked.

idps variables count

Count elements of variables. This checkbox counts the number of elements in the variable. This feature is useful when the variable is a list.

idps conditions ignore variable

Ignore this variable for the match. If this checkbox is enabled, the variable will not be checked in the match. This feature is useful when a variable that contains a list of values is going to be checked, but also required to exclude one of them.

 

Table of Variables

VariableDescription
ARGSIt is a collection of the values of arguments in a request.
ARGS_JSONIt is a collection with the values of arguments in a JSON request. This variable will be available in the case that WAF parses the JSON arguments. The rule set REQUEST-901-INITIALIZATION should be enabled.
ARGS_COMBINED_SIZEtotal size of the request parameters. The files are excluded.
ARGS_NAMESIt is a collection of the names of the arguments in a request.
FILESIt contains the file names in the user filesys. Only when the data is multipart/form-data.
FILES_COMBINED_SIZEIt is the total size of the files in a request. Only when the data is multipart/form-data.
FILES_NAMESIt is a list of file names used to upload the files. Only when the data is multipart/form-data.
FILES_SIZESIt contains a list of individual file sizes. Only when the data is multipart/form-data.
REQBODY_ERRORThis variable is 1 if the request body format is not correct for a JSON or XML, else it has the value 0.
REQUEST_BODYIt is the raw body request. If the request does not have the “application/x-www-form-urlencoded” header, it is necessary to use “ctl:forceRequestBodyVariable” in the REQUEST_HEADER phase.
REQUEST_BODY_LENGTHIt is the number of bytes of the request body.
REQUEST_COOKIESIt is a list with all request cookie values.
REQUEST_COOKIES_NAMESIt is a list with all request cookie names.
REQUEST_HEADERSThis variable has all request headers.
REQUEST_HEADERS_NAMESThis variable has a list with the request header names.
REQUEST_METHODIt is the request method.
REQUEST_PROTOCOLThis variable holds the request HTTP version protocol.
REQUEST_URIIt is the URI request path. The virtual host is excluded.
PATH_INFOIt is the information before the URI path.
FULL_REQUESTIt is the full request.
FULL_REQUEST_LENGTHIt is the number of bytes that a full request can have.
RESPONSE_BODYIt is the raw body response.
RESPONSE_CONTENT_LENGTHIt is the number of bytes of the response body.
RESPONSE_HEADERSThis variable has all response headers.
RESPONSE_HEADERS_NAMESThis variable has a list with the response header names.
RESPONSE_PROTOCOLThis variable holds the response HTTP version protocol.
RESPONSE_STATUSIt is the response HTTP code.
REMOTE_ADDRIt is the IP address of the client.
REMOTE_PORTIt is the port where the client initializes the connection.
REMOTE_USERIt is the name of the authenticated user.
TIMEIt is the server time. The format is hours:minutes:seconds.
DURATIONIt is the number of milliseconds starting from the initiation time of the current transaction.
MULTIPART_FILENAMEIt is the field filename in a multipart request.
MULTIPART_NAMEIt is the field name in a multipart request.
MATCHED_VARIt is the matched value in the last match operation. This value does not need the capture option but it is replaced in each match operation.
MATCHED_VARSIt is a list of all matched values.
SERVER_ADDRIt is the IP address of the server.
SERVER_NAMEIt is the virtual host it gets from the request URI.
ENVIt is the environment variables of the WAF.
TXIt is a collection of variables for the current transaction. These variables will be removed when the transaction ends. The variables TX:0-TX:9 save the values captured with the strRegex or phrases operators.

 

Table of Operators

The operators can have different contexts. This context is indicated by a prefix, such as an int for integer, IP for IP operations, str for strings or validate to validate data.

VariableDescription
strBeginsThe rule will match if any of the variables begin with the value of operating.
strContainsThe rule will match if any of the variables contain the value of operating.
strContainsWordThe rule will match if any of the variables contain the word or the value of the operating.
strEndThe rule will match if any of the variables end with the value of operating.
strWithinThe rule will match if any of the variables start with the value of operating.
strMatchThe rule will match if any of the variables match the value of operating. This operating can be a list of strings split by the character |
strEqThe rule will match if any of the variables is identical to the value of the operating.
strRegexThe rule will match if any of the variables match the regular expression used in operating.
strPhrasesThe rule will match if any of the variables match any of the values of the list operating.
strPhrasesFromFileAlmost similar to the operator strPhrases but the operating is where it will be defined as a list of phrases.
intEQThe rule will match if any of the variables is equal to the number used in operating.
intGEThe rule will match if any of the variables is greater or equal to the number used in operating.
intGTThe rule will match if any of the variables is greater than the number used in operating.
intLEThe rule will match if any of the variables is lower or equal to the number used in operating.
intLTThe rule will match if any of the variables is lower than the number used in operating.
detectSQLiDetects an SQL injection on the list of variables. This operator does not expect any operating.
detectXSSApplies the detection of XSS injection to the list of variables. This operator does not expect any operating.
ipMatchAttempts matching the IP or network segments of operating with the list of variables.
ipMatchFromFileIt is the same as the operator ipMatch, but this tries the match of the variables against a file with a list of IPs and network segments.
validateByteRangeIt ensures that the number of bytes of the variables is in one of the operating values. An example of operating is “10, 13, 32-126”.
validateUrlEncodingIt validates encoded data. This operator must be used only for data that does not encode data commonly or for data that are encoded several times.
validateUtf8EncodingIt validates variables that are UTF-8. This operator does not expect any operating.
verifyCreditCardIt verifies if variables are credit card numbers. This parameter accepts a regular expression as operating. If it matches, then it will successfully verify the card.
verifySSNIt verifies if variables are a US Social Security Number. This parameter accepts a regular expression as operating, if it matches then it applies the SSN verify.
matchAllwaysIt always returns true, forcing a match.
matchNeverIt always returns false, forcing a non-match.

 

Table of Transformation

TransformationDescription
base64DecodeDecodes a Base64-encoded string.
base64DecodeExtDecodes a Base64-encoded string ignoring invalid characters.
sqlHexDecodeDecodes SQL hex data.
base64EncodeEncodes using Base64 encoding.
cmdLineAvoids the problems associated with the escaped command line.
compressWhitespaceConverts any of the whitespace characters (0x20, \f, \t, \n, \r, \v, 0xa0) to spaces (ASCII 0x20), compressing multiple consecutive space characters into one.
cssDecodeDecodes characters encoded using the CSS 2.x escape rules. This function uses only up to two bytes in the decoding process, meaning that it is used to uncover ASCII characters encoded using CSS encoding (that wouldn’t normally be encoded), or to counter evasion, which is a combination of a backslash and non-hexadecimal characters (e.g., ja\vascript is equivalent to javascript).
escapeSeqDecodeDecodes ANSI C escape sequences: \a, \b, \f, \n, \r, \t, \v, \\, \?, \’, \”, \xHH (hexadecimal), \0OOO (octal). Invalid encodings are left in the output.
hexDecodeDecodes a string that has been encoded using the same algorithm as the one used in hexEncode (see following entry).
hexEncodeEncodes string (possibly containing binary characters) by replacing each input byte with two hexadecimal characters. For example, xyz is encoded as 78797a.
htmlEntityDecodeDecodes the characters encoded as HTML entities.
jsDecodeDecodes JavaScript escape sequences.
lengthLooks up the length of the input string in bytes, placing it (as string) in the output.
lowercaseConverts all characters to lowercase using the current C locale.
md5Calculates an MD5 hash from the data input. The computed hash is in a raw binary form and may need to be encoded into the text to be printed (or logged). Hash functions are commonly used in combination with hexEncode.
noneNot an actual transformation function, but an instruction to remove previous transformation functions associated with the current rule.
normalizePathRemoves multiple slashes, directory self-references, and directory back-references (except when at the beginning of the input) from the input string.
normalizePathWinSame as normalizePath, but first converts backslash characters to forward slashes.
parityEven7bitCalculates even parity of 7-bit data, replacing the 8th bit of each target byte with the calculated parity bit.
parityOdd7bitCalculates odd parity of 7-bit data, replacing the 8th bit of each target byte with the calculated parity bit.
parityZero7bitCalculates zero parity of 7-bit data, replacing the 8th bit of each target byte with a zero-parity bit, which allows inspection of even/odd parity 7-bit data as ASCII7 data.
removeNullsRemoves all NUL bytes from input.
removeWhitespaceRemoves all whitespace characters from the input.
replaceCommentsReplaces each occurrence of a C-style comment (/* … */) with a single space (multiple consecutive occurrences of which will not be compressed). Unterminated comments will also be replaced with space (ASCII 0x20). However, a standalone termination of a comment (*/) will not be acted upon.
removeCommentsCharRemoves common comments chars (/*, */, –, #).
replaceNullsReplaces NUL bytes in input with space characters (ASCII 0x20).
urlDecodeDecodes a URL-encoded input string. Invalid encodings (i.e., the ones that use non-hexadecimal characters, or the ones that are at the end of the string and have one or two bytes missing) are not converted, but no error is raised.
uppercaseConverts all characters to uppercase using the current C locale.
urlDecodeUniLike urlDecode, but with support for the Microsoft-specific %, u encoding.
urlEncodeEncodes input string using URL encoding.
utf8toUnicodeConverts all UTF-8 characters sequences to Unicode. This helps input normalization, especially for non-English languages minimizing false positives and false negatives.
sha1Calculates a SHA1 hash from the input string. The computed hash is in a raw binary form and may need to be encoded into the text to be printed (or logged). Hash functions are commonly used in combination with hexEncode.
trimLeftRemoves whitespace from the left side of the input string.
trimRightRemoves whitespace from the right side of the input string.
trimRemoves whitespace from both the left and right sides of the input string.

 

Farms WAF Settings

This section allows assigning the current WAF rule set to the HTTP(s) farms.

zevenet ipds rulesets farms

In this section, it will be possible to select one or more than one farm (by maintaining the shift keyboard button pressed) and then assign the WAF rule set or remove them. It is also possible to assign or remove it from all the available farms with the double arrow buttons.

Share on:

Documentation under the terms of the GNU Free Documentation License.

Was this article helpful?

Related Articles