IPDS | WAF

POSTED BY Zevenet | 25 October, 2021

ZEVENET Web Application Firewall

The Web Application Firewall (WAF) is the tool used to detect and block malicious HTTP traffic going through the HTTP(S) farms. WAF works by searching for and analyzing patterns in order to apply advanced security policies. Those rules are grouped into rulesets, which have to be applied to HTTP farms. The WAF rules are checked after the SSL traffic has been decrypted, so the patterns can also be applied to the HTTP body of SSL traffic.

ZEVENET IPDS packages use the OWASP ModSecurity rules, but you can create your own ruleset to protect your system against any kind of attack. If you want to read more about the OWASP rules, please refer to the OWASP ModSecurity Project.

These rulesets are order-dependent. If you decide to use them, apply them in the following order:

REQUEST-90-CONFIGURATION
REQUEST-901-INITIALIZATION
Apply any other OWASP ruleset based on what you want to protect
REQUEST-949-BLOCKING-EVALUATION
RESPONSE-959-BLOCKING-EVALUATION
RESPONSE-980-CORRELATION (for logging purposes; enable it only for troubleshooting)

By default, this OWASP ruleset uses a scoring system based on paranoia levels, and the default level is 1. If you want to read more about those levels, please refer to the OWASP ModSecurity ruleset FAQ.

In case you want to increase the paranoia level, please do the following:

Open the REQUEST-901-INITIALIZATION ruleset, go to the Rules tab, edit rule number 901120 in raw mode, and change:

setvar:'tx.paranoia_level=1'

to the desired paranoia level.
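As an added illustration (not taken from the Zevenet documentation or from the OWASP CRS files themselves), this is what rule 901120 looks like in ModSecurity syntax once the default paranoia level has been raised from 1 to 2. Only the rule id and the setvar action come from this page; the surrounding directive lines are assumed to follow the standard CRS 3.x layout of that rule.

```apacheconf
# Rule 901120 from REQUEST-901-INITIALIZATION (CRS 3.x layout assumed).
# The condition "&TX:paranoia_level @eq 0" means the rule only fires when
# no paranoia level has been set earlier in the chain, so the value below
# becomes the default for every farm that uses this ruleset.
#
# Original value on this page:  setvar:'tx.paranoia_level=1'
# Edited value (example):       setvar:tx.paranoia_level=2
SecRule &TX:paranoia_level "@eq 0" \
    "id:901120,\
    phase:1,\
    pass,\
    nolog,\
    setvar:tx.paranoia_level=2"
```

Each step up in paranoia level switches on stricter rules that match more legitimate-looking input, so after raising it, replay representative production traffic through the farm and review the WAF logs for false positives before leaving the new level enabled.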

The WAF rulesets view shows an overview of the available rulesets:


Name. A descriptive name that identifies the ruleset. Click on it to open the editing form.
Farms. The farms to which the ruleset is applied. You can expand the farm list with the arrow next to the FARMS column header. By default the list is truncated to 20 characters.
STATUS. The ruleset status, represented by the following color codes:

  • Green. Means ENABLED. The ruleset is being checked for the farms that use it.
  • Red. Means DISABLED. The ruleset is not enabled and therefore has no effect on the farms.

Actions. The actions available for a WAF ruleset:

  • Edit. Modify the ruleset settings or assign it to a farm service if needed.
  • Restart. Reinitialize the WAF ruleset.
  • Start. Apply the WAF ruleset.
  • Delete. Remove a ruleset.
Documentation under the terms of the GNU Free Documentation License.
