Overview: WAF Rating-Based Protection
The Rating-Based template provides security features that constitute a high-level security policy, offering standard protection from untargeted attacks that you can deploy with minimal administrative effort, time, and risk of disruption to your application. This template enforces violations according to the violation rating scale, a system-based assessment of the request's risk.
Violation Rating Scale
0: No violation
1-2: Likely false positive
3: Needs examination
4-5: Likely threat
This policy template enables most of the violations and signature sets with Alarm turned ON but Block turned OFF. When these violations and signatures are detected in a request, they affect the violation rating. By default, if the violation rating is calculated to be malicious (4-5), the request is blocked, even when none of the violations and signatures detected in that request have the Block flag turned ON. Other requests with a lower violation rating are not blocked by default, except for the specific violations described below; this minimizes false positives. You can change this default behavior.
The following violations and signature sets have a low chance of being false positives and are, therefore, configured by default to block the request regardless of its violation rating:
High accuracy attack signatures
Threat campaigns
Malformed request: unparsable header, malformed cookie and malformed body (JSON or XML).
Threats that need examination
Requests with a violation rating of 3 need further examination to determine whether the traffic is malicious or should be allowed.
You can review requests by violation rating using the event log.
Violations that are immediately blocked
To get the best estimate of the traffic's violation rating, the policy checks traffic for immediate flags that indicate a threat. The following table lists those checks, together with the violation or sub-violation that immediately triggers a violation rating of 5:
Category | Details | Violations that trigger a rating of 5 |
---|---|---|
Attack Signatures | All matched signatures unless overridden. | None |
HTTP compliance | Checks for all sub-violations. | The following sub-violations: |
Evasion techniques | Checks for all sub-violations. | None |
File Types | Checks the disallowed file types list. | Illegal File Type (triggered only for disallowed file types) |
HTTP methods | Checks methods according to use case. | Illegal Method |
Threat Campaigns | Checks all detected threat campaigns. | Detected threat campaign |
URLs | Checks all signatures and metacharacters. | None |
Disallowed Geolocations | Checks whether the request location | Access from disallowed geolocation |
IP Address Exceptions | Checks the IP address exception list. | Access from disallowed IP address |
Response Codes | Checks the allowed response code list. | None |
Header Length | Checks global limits on the length of the header section and cookies, and on the total request length. | |
Cookies | Checks signatures on the wildcard (*) cookie, modified WAF cookie, and cookie RFC compliance. | Modified WAF cookie |
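The enforcement rules described so far (block on a rating of 4-5, block the low-false-positive categories regardless of rating, and force a rating of 5 for the violations listed in the table above) can be expressed as a small decision function. The following is an added example that models the documented behavior; it is not the WAF's own code, and the `Violation`, `Assessment` and `Decision` types, the `category` labels, and the `block_threshold` knob are assumptions made here for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"   # nothing detected
    ALARM = "alarm"   # logged for review, request passes
    BLOCK = "block"


def rating_bucket(rating: int) -> str:
    """Violation rating scale from the overview."""
    if rating == 0:
        return "No violation"
    if rating <= 2:
        return "Likely false positive"
    if rating == 3:
        return "Needs examination"
    return "Likely threat"


# Violations the table above lists as immediately forcing a rating of 5.
IMMEDIATE_RATING_5 = {
    "Illegal Method",
    "Illegal File Type",
    "Detected threat campaign",
    "Access from disallowed geolocation",
    "Access from disallowed IP address",
    "Modified WAF cookie",
}

# Categories the overview says are blocked regardless of rating because they
# rarely produce false positives (labels are constructed for this model).
ALWAYS_BLOCK = {"high_accuracy_signature", "threat_campaign", "malformed_request"}


@dataclass
class Violation:
    name: str
    category: str = "generic"   # "generic" or one of ALWAYS_BLOCK
    block_flag: bool = False    # template default: Alarm ON, Block OFF


@dataclass
class Assessment:
    rating: int                               # 0..5 risk score computed by the system
    violations: list = field(default_factory=list)


@dataclass
class Decision:
    action: Action
    rating: int
    reasons: list


def effective_rating(a: Assessment) -> int:
    """Any immediate-flag violation overrides the computed score with 5."""
    if any(v.name in IMMEDIATE_RATING_5 for v in a.violations):
        return 5
    return max(0, min(5, a.rating))


def decide(a: Assessment, block_threshold: int = 4) -> Decision:
    """Apply the template's default enforcement. `block_threshold` is this model's
    stand-in for 'you can change the default behavior': lowering it to 3 would also
    block requests that merely need examination."""
    rating = effective_rating(a)
    reasons = []
    if not a.violations:
        return Decision(Action.ALLOW, rating, reasons)
    if rating >= block_threshold:
        reasons.append(f"violation rating {rating} ({rating_bucket(rating)})")
    for v in a.violations:
        if v.category in ALWAYS_BLOCK:
            reasons.append(f"{v.name}: blocked regardless of rating ({v.category})")
        elif v.block_flag:
            reasons.append(f"{v.name}: Block flag ON")
    return Decision(Action.BLOCK if reasons else Action.ALARM, rating, reasons)


if __name__ == "__main__":
    # Constructed sample assessments.
    samples = [
        Assessment(2, [Violation("Attack signature detected")]),
        Assessment(3, [Violation("Attack signature detected")]),
        Assessment(2, [Violation("High accuracy signature", "high_accuracy_signature")]),
        Assessment(1, [Violation("Illegal Method")]),
    ]
    for s in samples:
        d = decide(s)
        print(d.action.value, d.rating, rating_bucket(d.rating), d.reasons)
```

Note that a rating-2 request carrying a generic signature only raises an alarm, while the same rating with a high-accuracy signature is blocked, and a rating-1 request with an Illegal Method is re-rated to 5 before the threshold is applied.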
Evasion Techniques Sub-Violations
The following table specifies the Evasion Techniques sub-violation settings.
Sub-Violation | Default Template | Description |
---|---|---|
%u decoding | Enabled | Performs Microsoft %u Unicode decoding (%UXXXX, where X is a hexadecimal digit). For example, the system turns a%u002fb into a/b. The system performs this action on URI and parameter input to evaluate whether the request contains an attack. |
Apache whitespace | Enabled | The system detects the following characters in the URI: 9 (0x09), 11 (0x0B), 12 (0x0C), and 13 (0x0D). |
Bad unescape | Enabled | The system detects illegal HEX encoding. Reports unescaping errors (such as %RR). |
Bare byte decoding | Enabled | The system detects higher ASCII bytes (greater than 127). |
Directory traversals | Enabled | Ensures that directory traversal commands like ../ are not part of the URL. While requests generated by a browser should not contain directory traversal instructions, sometimes requests generated by JavaScript have them. |
IIS backslashes | Enabled | Normalizes backslashes (\) to slashes (/) for further processing. |
IIS Unicode codepoints | Enabled | Handles the mapping of IIS specific non-ASCII codepoints. Indicates that, when a character is greater than '0x00FF', the system decodes %u according to an ANSI Latin 1 (Windows 1252) code page mapping. For example, the system turns a%u2044b to a/b. The system performs this action on URI and parameter input. |
Multiple decoding | Enabled: 3 | The system decodes URI and parameter values multiple times according to the number specified before the request is considered an evasion. |
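The table reads as a normalization pipeline: decode %u and %XX sequences a bounded number of times, map IIS codepoints above 0x00FF through a best-fit table, turn backslashes into slashes, and only then look for traversal segments and control characters. The following is an added example of that pipeline, written here for illustration rather than taken from the WAF; the best-fit table contains the page's own %u2044 example plus an assumed fullwidth-solidus entry, and the `Finding`/`Result` types and the `analyze_uri` name are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed best-fit table for "IIS Unicode codepoints". The page's example is
# %u2044 -> '/'; the fullwidth solidus (U+FF0F) entry is an added assumption.
IIS_BEST_FIT = {0x2044: "/", 0xFF0F: "/"}

# "Apache whitespace" characters named in the table: 0x09, 0x0B, 0x0C, 0x0D.
APACHE_WHITESPACE = {"\x09", "\x0b", "\x0c", "\x0d"}

# One %uXXXX or %XX escape; substitution output is not rescanned within a pass.
PCT = re.compile(r"%(?:[uU]([0-9a-fA-F]{4})|([0-9a-fA-F]{2}))")
# A '%' that starts neither a valid %XX nor a valid %uXXXX sequence (e.g. "%RR").
BAD_ESCAPE = re.compile(r"%(?![0-9a-fA-F]{2})(?![uU][0-9a-fA-F]{4})")
# A "../" segment (or trailing "..") in an already-normalized path.
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")


def _decode_match(m: re.Match) -> str:
    if m.group(1) is not None:                 # %uXXXX
        cp = int(m.group(1), 16)
        if cp > 0xFF:                          # IIS codepoint: best-fit to Windows-1252
            return IIS_BEST_FIT.get(cp, chr(cp))
        return chr(cp)
    return chr(int(m.group(2), 16))            # %XX


def decode_once(value: str) -> str:
    """One decoding pass over every escape in the string."""
    return PCT.sub(_decode_match, value)


@dataclass
class Finding:
    sub_violation: str
    detail: str


@dataclass
class Result:
    raw: str
    normalized: str
    findings: list = field(default_factory=list)

    def names(self) -> set:
        return {f.sub_violation for f in self.findings}


def analyze_uri(raw: str, max_decodes: int = 3) -> Result:
    """Normalize a URI as the Evasion Techniques rows describe and report which
    sub-violations fired. `raw` holds the wire bytes as Latin-1 text, so bytes
    above 127 appear as code points above 127."""
    result = Result(raw=raw, normalized=raw)

    def add(name: str, detail: str) -> None:
        if name not in result.names():
            result.findings.append(Finding(name, detail))

    def check_bad_escape(value: str) -> None:
        bad = BAD_ESCAPE.search(value)
        if bad:
            add("Bad unescape", f"illegal escape {value[bad.start():bad.start() + 3]!r}")

    # Bare byte decoding: bytes > 127 on the wire, before any %-decoding.
    high = sum(1 for c in raw if ord(c) > 127)
    if high:
        add("Bare byte decoding", f"{high} byte(s) above 127 in raw URI")

    value = raw
    for _ in range(max_decodes):
        check_bad_escape(value)
        decoded = decode_once(value)
        if decoded == value:
            break
        value = decoded
    else:
        # All allowed passes used; if another pass would still change the value,
        # the request is encoded deeper than the configured limit.
        if decode_once(value) != value:
            add("Multiple decoding", f"still %-encoded after {max_decodes} passes")
    check_bad_escape(value)

    # IIS backslashes: normalize \ to / before the path checks.
    if "\\" in value:
        add("IIS backslashes", "backslash normalized to slash")
        value = value.replace("\\", "/")

    ws = sorted({f"0x{ord(c):02X}" for c in value if c in APACHE_WHITESPACE})
    if ws:
        add("Apache whitespace", "control character(s) in URI: " + ", ".join(ws))

    # Directory traversals: evaluated on the path of the normalized value.
    if TRAVERSAL.search(value.split("?", 1)[0]):
        add("Directory traversals", "'../' segment in normalized path")

    result.normalized = value
    return result


if __name__ == "__main__":
    # Constructed sample URIs, one per row of the table.
    for uri in ["a%u002fb", "a%u2044b", "/static/..%5c..%5cindex.html",
                "%252525252f", "/search?q=100%RR", "/index.html%09", "/caf\xe9"]:
        r = analyze_uri(uri)
        print(repr(uri), "->", repr(r.normalized), sorted(r.names()))
```

Running the samples shows why the order matters: the backslash-encoded path only becomes a traversal after the %5c pass and the backslash normalization, and `%252525252f` is still encoded after the third pass, which is what the Multiple decoding limit of 3 is there to catch.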