Overview: WAF Rating-Based Protection

The Rating-Based template provides security features that constitute a high-level security policy, providing standard protection from untargeted attacks, which you can deploy with minimal administrative effort, time, and risk of disruption to your application. This template enforces violations according to the violation rating scale, which is a system-based assessment of the request's risk.

Violation Rating Scale
0: No violation
1-2: Likely false positive
3: Needs examination
4-5: Likely threat

This policy template enables most of the violations and signature sets with Alarm turned ON, but not Block. These violations and signatures, when detected in a request, affect the violation rating. By default, if the violation rating is calculated to be malicious (4-5) the request will be blocked. This is true even if the other violations and signatures detected in that request had the Block flag turned OFF. By default, other requests which have a lower violation rating are not blocked, except for some specific violations described below. This is to minimize false positives. However, you can change the default behavior.

The following violations and signature sets have a low chance of being false positives and are, therefore, configured by default to block the request regardless of its violation rating:

  • High accuracy attack signatures

  • Threat campaigns

  • Malformed request: unparsable header, malformed cookie and malformed body (JSON or XML).

Threats that need examination

Requests with a violation rating of 3 need further examination to determine whether the traffic is malicious or allowed.

You can review requests by violation rating using the event log.

Violations that are immediately blocked

In order to get the best estimation of the traffic's violation rating, the policy checks traffic for immediate flags that indicate a threat. The following is a list of those checks and violations, and of which violation or sub-violation immediately triggers a violation rating of 5:

Each entry lists the category, what the policy checks, and the violations that trigger a rating of 5.

Attack Signatures
  Details: All matched signatures unless overridden.
  Violations that trigger 5 rating: None

HTTP compliance
  Details: Checks for all sub-violations.
  Violations that trigger 5 rating: The following sub-violations:
  • Bad HTTP version
  • Null in request
  • Unparseable request content
  • Multiple host headers
  • No Host header in HTTP/1.1 request

Evasion techniques
  Details: Checks for all sub-violations.
  Violations that trigger 5 rating: None

File Types
  Details: Checks the disallowed file types list.
  Violations that trigger 5 rating: Illegal File Type (which is triggered only in case of disallowed file types)

HTTP methods
  Details: Checks methods according to use case.
  Violations that trigger 5 rating: Illegal Method

Threat Campaigns
  Details: Checks all detected threat campaigns.
  Violations that trigger 5 rating: Detected threat campaign

URLs
  Details: Checks all signatures and metacharacters.
  Violations that trigger 5 rating: None

Disallowed Geolocations
  Details: Checks whether the request location
  Violations that trigger 5 rating: Access from disallowed geolocation

IP Address Exceptions
  Details: Checks the IP address exception list.
  Violations that trigger 5 rating: Access from disallowed IP address

Response Codes
  Details: Checks allowed response code list.
  Violations that trigger 5 rating: None

Header Length
  Details: Checks global limits to the length of the header section and cookies, and total request length.
  Violations that trigger 5 rating:
  • Illegal cookie length
  • Maximum HTTP Header Length
  • Maximum Cookie Header Length

Cookies
  Details: Checks signatures on wildcard (*) cookie, modified WAF cookie, and cookie RFC compliance.
  Violations that trigger 5 rating: Modified WAF cookie
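The following is an added illustration, not F5 code or the product's actual scoring, of how the rating-based decision described above fits together: alarm-only findings contribute to a rating, some violations force a rating of 5, ratings of 4-5 block by default, and a small set of violations block regardless of rating. The `weight` values and the additive scoring are hypothetical; only the violation names, the always-block set, the immediate-5 list and the 4-5 block threshold come from the page.

```python
from __future__ import annotations
from dataclasses import dataclass

# Violations the Rating-Based template blocks regardless of rating (from the page).
ALWAYS_BLOCK = {"high_accuracy_signature", "threat_campaign", "malformed_request"}

# Violations and sub-violations the page's table says force a rating of 5.
IMMEDIATE_5 = {
    "bad_http_version", "null_in_request", "unparseable_request_content",
    "multiple_host_headers", "no_host_header_http11",
    "illegal_file_type", "illegal_method", "threat_campaign",
    "disallowed_geolocation", "disallowed_ip_address",
    "illegal_cookie_length", "max_http_header_length", "max_cookie_header_length",
    "modified_waf_cookie",
}

BLOCK_THRESHOLD = 4  # ratings 4-5 are "likely threat" and are blocked by default

SCALE = {0: "No violation", 1: "Likely false positive", 2: "Likely false positive",
         3: "Needs examination", 4: "Likely threat", 5: "Likely threat"}


@dataclass(frozen=True)
class Finding:
    """One alarm-enabled violation or signature matched in a request."""
    name: str
    weight: int  # hypothetical contribution to the rating; the real scoring is not public


@dataclass
class Decision:
    rating: int
    label: str
    blocked: bool
    reasons: list[str]


def violation_rating(findings: list[Finding]) -> int:
    """Hypothetical rating: an immediate-5 trigger wins, otherwise weights sum, capped at 5."""
    if not findings:
        return 0
    if any(f.name in IMMEDIATE_5 for f in findings):
        return 5
    return min(5, sum(f.weight for f in findings))


def evaluate(findings: list[Finding]) -> Decision:
    """Apply the template's default enforcement to the findings of one request."""
    rating = violation_rating(findings)
    reasons = []
    if rating >= BLOCK_THRESHOLD:
        reasons.append(f"violation rating {rating} is in the likely-threat range")
    for f in findings:
        # These block even when the rating alone would not.
        if f.name in ALWAYS_BLOCK:
            reasons.append(f"{f.name} blocks regardless of rating")
    return Decision(rating, SCALE[rating], bool(reasons), reasons)


if __name__ == "__main__":
    # Constructed sample requests, each reduced to the findings the policy raised.
    samples = {
        "clean": [],
        "one medium-accuracy signature": [Finding("medium_accuracy_signature", 2)],
        "high-accuracy signature only": [Finding("high_accuracy_signature", 2)],
        "illegal method": [Finding("illegal_method", 1)],
        "several weak findings": [Finding("param_metachar", 2),
                                  Finding("medium_accuracy_signature", 2)],
    }
    for name, findings in samples.items():
        d = evaluate(findings)
        print(f"{name:32s} rating={d.rating} ({d.label}) blocked={d.blocked} {d.reasons}")
```

The "high-accuracy signature only" sample is the case the text stresses: its rating stays at 2, yet the request is blocked because that signature set is configured to block regardless of rating. When tuning the template, the event log view by rating is where the rating-3 requests from such a simulation would surface for review.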

Evasion Techniques Sub-Violations

The following table specifies the Evasion Techniques sub-violation settings.

Each entry lists the sub-violation, its default setting in the template, and a description.

%u decoding
  Default: Enabled
  Description: Performs Microsoft %u unicode decoding (%UXXXX where X is a hexadecimal digit). For example, the system turns a%u002fb to a/b. The system performs this action on URI and parameter input to evaluate if the request contains an attack.

Apache whitespace
  Default: Enabled
  Description: The system detects the following characters in the URI: 9 (0x09), 11 (0x0B), 12 (0x0C), and 13 (0x0D).

Bad unescape
  Default: Enabled
  Description: The system detects illegal HEX encoding. Reports unescaping errors (such as %RR).

Bare byte decoding
  Default: Enabled
  Description: The system detects higher ASCII bytes (greater than 127).

Directory traversals
  Default: Enabled
  Description: Ensures that directory traversal commands like ../ are not part of the URL. While requests generated by a browser should not contain directory traversal instructions, sometimes requests generated by JavaScript have them.

IIS backslashes
  Default: Enabled
  Description: Normalizes backslashes (\) to slashes (/) for further processing.

IIS Unicode codepoints
  Default: Enabled
  Description: Handles the mapping of IIS specific non-ASCII codepoints. Indicates that, when a character is greater than '0x00FF', the system decodes %u according to an ANSI Latin 1 (Windows 1252) code page mapping. For example, the system turns a%u2044b to a/b. The system performs this action on URI and parameter input.

Multiple decoding
  Default: Enabled: 3
  Description: The system decodes URI and parameter values multiple times according to the number specified before the request is considered an evasion.
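As an added example (not F5 code), the normalizer below applies the evasion-technique checks in the table to a URI or parameter value the way a detection engineer might prototype them: it flags Apache whitespace, bad unescape sequences and bare bytes in the raw input, decodes %uXXXX and %XX up to the template's three passes and flags anything still encoded afterwards, normalizes IIS backslashes, and only then looks for ../ path components. The function names and return shape are assumptions; the IIS codepoint table is reduced to the single U+2044 mapping the page gives as an example.

```python
from __future__ import annotations
import re

MAX_DECODE_PASSES = 3  # "Multiple decoding: Enabled: 3" in the template's defaults

# Apache whitespace characters the page lists: 9 (0x09), 11 (0x0B), 12 (0x0C), 13 (0x0D)
APACHE_WHITESPACE = {"\x09", "\x0b", "\x0c", "\x0d"}

PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")   # Microsoft %uXXXX
PCT_XX = re.compile(r"%([0-9a-fA-F]{2})")   # standard %XX
# A '%' not followed by a valid %XX or %uXXXX sequence, e.g. %RR (bad unescape)
BAD_ESCAPE = re.compile(r"%(?![0-9a-fA-F]{2})(?!u[0-9a-fA-F]{4})")
# ../ as a whole path component, checked after backslash normalization
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Assumption: only the one IIS codepoint mapping the page gives (U+2044 -> '/').
# The full Windows-1252 best-fit table is not reproduced here.
IIS_CODEPOINT_MAP = {0x2044: "/"}


def decode_once(value: str) -> str:
    """One decoding pass: %uXXXX (with the IIS codepoint mapping above), then %XX."""
    def u_repl(m: re.Match) -> str:
        cp = int(m.group(1), 16)
        # Codepoints above 0x00FF go through the IIS mapping, as the table describes.
        return IIS_CODEPOINT_MAP.get(cp, chr(cp)) if cp > 0xFF else chr(cp)
    value = PCT_U.sub(u_repl, value)
    return PCT_XX.sub(lambda m: chr(int(m.group(1), 16)), value)


def normalize(raw: str) -> tuple[str, list[str]]:
    """Return (normalized value, evasion sub-violations found) for a URI or parameter."""
    found: list[str] = []

    # Checks that apply to the raw, still-encoded input.
    if any(ch in APACHE_WHITESPACE for ch in raw):
        found.append("apache_whitespace")
    if BAD_ESCAPE.search(raw):
        found.append("bad_unescape")
    if any(ord(ch) > 127 for ch in raw):
        found.append("bare_byte")

    # Decode at most MAX_DECODE_PASSES times; stop early once a pass changes nothing.
    value = raw
    for _ in range(MAX_DECODE_PASSES):
        decoded = decode_once(value)
        if decoded == value:
            break
        value = decoded
    if decode_once(value) != value:  # still encoded after the allowed passes
        found.append("multiple_decoding")

    # IIS backslashes: normalize before the path check so \..\ is not missed.
    value = value.replace("\\", "/")
    if TRAVERSAL.search(value):
        found.append("directory_traversal")
    return value, found


if __name__ == "__main__":
    # Constructed sample values, one per sub-violation in the table.
    for sample in ["a%u002fb", "a%u2044b", "/docs%5c..%5cadmin", "%2525252f",
                   "%252f", "a%RRb", "a\tb", "caf\u00e9"]:
        value, found = normalize(sample)
        print(f"{sample!r:22s} -> {value!r:18s} {found}")
```

The ordering matters: a traversal check run on the raw value would miss `%5c..%5c`, and a decode loop without a pass limit would let an attacker-chosen nesting depth dictate how much work the WAF does, which is why the template fixes the number of passes and treats anything still encoded afterwards as the evasion itself.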