Oracle Cloud Infrastructure Documentation

WAF Protection Rules

Protection rules match web traffic to rule conditions and determine the action to be taken when the conditions are met. Protection Rule Settings allow you to define the parameters for enforcement any time a protection rule is matched. Recommendations aid in the optimization of your WAF security profile. The Security Operations team proactively monitors all events to provide recommendations about the action of a specific ruleset. See Supported Protection Rules for additional information.

Using the Console

To apply an action to a protection rule
To edit rule settings
To accept recommendations
To publish changes
To discard changes

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Listing and Accepting Protection Rule Recommendations

Use the following operation to get the list of recommended rules. Two entries from the response are shown below; each is one protection rule, identified by its key, that can be accepted:

   [
      {
         "name": "SQL authentication bypass attempts",
         "action": "OFF",
         "description": "Detects basic SQL authentication bypass attempts.",
         "exclusions": [],
         "key": "981244",
         "tags": "SQL Injections, Recommended"
      },
      {
         "modSecurityRuleIds": [
            "950001",
            "959070",
            "959071",
            "959072",
            "950908",
            "959073"
         ],
         "name": "Common SQL Injections",
         "action": "OFF",
         "description": "detects common SQL injection attacks",
         "exclusions": [],
         "key": "950001",
         "tags": "SQL Injections, WASCTC, OWASP, A1, PCI, Recommended"
      }
   ]

Using the key values from the output of the GET call above, you can accept one or more of the recommendations with the following operation, passing an array of the keys in the request body:

Body:

   [
      "981244",
      "950001"
   ]
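The following Python script, added here as an example and not part of the Oracle documentation or SDK, shows how to turn the recommendations response above into the accept body: it parses the comma-separated "tags" string, selects the rules that are still OFF and carry the tags you care about, and expands each accepted key into the ModSecurity rule IDs it enables (the 950001 key above bundles six). The response is embedded as a constructed string modelled on the two entries shown, plus one constructed entry (key 999001) so the tag filter has something to reject; the function names load_recommendations, select_keys, modsecurity_ids and accept_body are my own.

```python
import json

# Constructed excerpt of a recommendations response, modelled on the two entries
# shown above; the third entry is invented so that filtering has an effect.
SAMPLE_RECOMMENDATIONS = json.dumps([
    {
        "name": "SQL authentication bypass attempts",
        "action": "OFF",
        "description": "Detects basic SQL authentication bypass attempts.",
        "exclusions": [],
        "key": "981244",
        "tags": "SQL Injections, Recommended",
    },
    {
        "modSecurityRuleIds": ["950001", "959070", "959071", "959072", "950908", "959073"],
        "name": "Common SQL Injections",
        "action": "OFF",
        "description": "detects common SQL injection attacks",
        "exclusions": [],
        "key": "950001",
        "tags": "SQL Injections, WASCTC, OWASP, A1, PCI, Recommended",
    },
    {
        # constructed entry, not from the page
        "modSecurityRuleIds": ["999001"],
        "name": "Constructed example rule",
        "action": "OFF",
        "description": "constructed entry used to show tag filtering",
        "exclusions": [],
        "key": "999001",
        "tags": "Cross-Site Scripting, Recommended",
    },
])


def load_recommendations(text):
    """Parse the JSON array returned by the list-recommendations call."""
    return json.loads(text)


def parse_tags(rule):
    """The API returns tags as one comma-separated string; split it into a set."""
    return {t.strip() for t in rule.get("tags", "").split(",") if t.strip()}


def select_keys(recommendations, required_tags=("Recommended",), only_off=True):
    """Return the protection-rule keys to accept.

    A rule is selected when it carries every tag in required_tags and, if only_off
    is set, is currently OFF (rules already in DETECT or BLOCK need no acceptance).
    """
    wanted = set(required_tags)
    keys = []
    for rule in recommendations:
        if not wanted <= parse_tags(rule):
            continue
        if only_off and rule.get("action") != "OFF":
            continue
        keys.append(rule["key"])
    return keys


def modsecurity_ids(recommendations, keys):
    """Map each accepted key to the ModSecurity rule IDs it enables.

    Entries without modSecurityRuleIds (such as 981244 above) are assumed to map
    to their own key; the page does not state this explicitly.
    """
    by_key = {r["key"]: r for r in recommendations}
    return {k: by_key[k].get("modSecurityRuleIds", [k]) for k in keys if k in by_key}


def accept_body(keys):
    """Serialize the accept-recommendations body: a JSON array of keys."""
    return json.dumps(keys)


if __name__ == "__main__":
    recs = load_recommendations(SAMPLE_RECOMMENDATIONS)
    sqli_keys = select_keys(recs, required_tags=("SQL Injections", "Recommended"))
    print(accept_body(sqli_keys))
    print(modsecurity_ids(recs, sqli_keys))
```

The string returned by accept_body is the body shown above; with the OCI Python SDK the same list is, as far as I recall, what WaasClient.accept_recommendations takes alongside the policy OCID, but check the SDK reference before relying on that signature.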

Protection Rule Specific Settings

Several protection rule settings apply only to one specific protection rule. The table below maps each setting to the rule (or rules) it governs.

Setting                     Rule ID   Rule Name
Allowed HTTP Methods        911100    Restrict HTTP Request Methods
Max Total Argument Length   960341    Total Arguments Limits
Max Number of Arguments     960335    Number of Arguments Limits
Max Length of Argument      960208    Values Limits
isResponseInspected         90007     Credit card leakage in request: MasterCard
                            90009     Credit card leakage in request: American Express
                            90012     Credit card leakage in request: Discover
                            90020     Credit card leakage in response: Discover
                            90021     Credit card leakage in response: JCB
                            90022     Credit card Track 1 data leakage
                            90023     Credit card Track 2 data leakage
                            90024     Credit card PAN leakage

The term "Arguments" refers to either query parameters or body parameters in a PUT/POST request. For instance, if the Max Number of Arguments is 2 and RuleID 960335 is set to BLOCK, any of the following requests would be blocked:

    GET /myapp/path?query=one&query=two&query=three
    POST /myapp/path with Body {"arg1":"one","arg2":"two","arg3":"three"}
    POST /myapp/path?query=one&query=two with Body {"arg1":"one"}

Max Length of Argument limits the length of a single argument's name or value, each checked on its own. Max Total Argument Length limits the sum of the name and value lengths across all arguments in the request.
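To make the three argument limits concrete, here is an added Python model of how they evaluate a request; it is my own illustration, not Oracle's WAF code. It collects query parameters for any method and body parameters for POST/PUT (flat JSON objects and form bodies only), then checks the count, the longest single name or value, and the combined size against the thresholds in LIMITS. The thresholds are constructed (2 for Max Number of Arguments is the figure used above); my reading that 960341 sums over all arguments is an assumption, and the function names extract_arguments, evaluate_limits and decide are mine.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed thresholds, as an administrator would set them in Protection Rule Settings.
LIMITS = {
    "960335": 2,    # Max Number of Arguments (the value used in the text above)
    "960208": 8,    # Max Length of Argument: longest single name or value
    "960341": 30,   # Max Total Argument Length: names + values over all arguments (assumption)
}

# Constructed actions for the three rules, mirroring "960335 set to BLOCK" in the text.
DEFAULT_ACTIONS = {"960335": "BLOCK", "960208": "DETECT", "960341": "OFF"}


def extract_arguments(method, target, body=None, content_type="application/json"):
    """Collect the (name, value) pairs the limit rules count as 'arguments'.

    Query parameters count for every method; body parameters count for PUT/POST.
    Repeated names (query=one&query=two) are separate arguments, as in the text's
    first example. Only flat JSON objects and form-encoded bodies are modelled.
    """
    args = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if body and method.upper() in ("POST", "PUT"):
        if content_type.startswith("application/json"):
            obj = json.loads(body)
            if not isinstance(obj, dict):
                raise ValueError("only flat JSON objects are modelled here")
            args.extend((k, str(v)) for k, v in obj.items())
        elif content_type.startswith("application/x-www-form-urlencoded"):
            args.extend(parse_qsl(body, keep_blank_values=True))
    return args


def evaluate_limits(args, limits=LIMITS):
    """Return the set of rule IDs whose limit the argument list exceeds."""
    triggered = set()
    if len(args) > limits["960335"]:
        triggered.add("960335")
    if any(max(len(n), len(v)) > limits["960208"] for n, v in args):
        triggered.add("960208")
    if sum(len(n) + len(v) for n, v in args) > limits["960341"]:
        triggered.add("960341")
    return triggered


def decide(method, target, body=None, actions=DEFAULT_ACTIONS, limits=LIMITS):
    """Map the triggered rules to an outcome; BLOCK wins over DETECT, OFF rules are ignored."""
    triggered = evaluate_limits(extract_arguments(method, target, body), limits)
    active = {actions.get(r, "OFF") for r in triggered} - {"OFF"}
    if "BLOCK" in active:
        return "BLOCK", triggered
    if "DETECT" in active:
        return "DETECT", triggered
    return "ALLOW", triggered


if __name__ == "__main__":
    # The three requests from the text, plus one that stays within every limit.
    samples = [
        ("GET", "/myapp/path?query=one&query=two&query=three", None),
        ("POST", "/myapp/path", '{"arg1":"one","arg2":"two","arg3":"three"}'),
        ("POST", "/myapp/path?query=one&query=two", '{"arg1":"one"}'),
        ("GET", "/myapp/path?query=one&id=7", None),
    ]
    for method, target, body in samples:
        print(method, target, body, "->", decide(method, target, body))
```

All three requests from the text trip 960335 only (three arguments each, every name and value short), so with that rule on BLOCK they are blocked; the fourth, with two arguments, is allowed. Note that the count is taken over query and body together, which is why the third request is blocked even though neither part alone exceeds two.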

Exclusions

Sometimes a protection rule triggers a false positive. If the requests that cause it carry a particular argument or cookie that identifies them, you can configure an exclusion so that such requests are not subject to the action normally taken by the rule. Exclusions have to be created through the API. Keep in mind that the identifying argument or cookie is supplied by the client: any request that carries it skips the rule, so choose values that only the legitimate requests have and keep the exclusion as narrow as possible. The following exclusion parameters can be used:

Name                    Value
REQUEST_COOKIES         Cookie value
REQUEST_COOKIES_NAMES   Cookie name (value is irrelevant)
ARGS                    Argument value (query parameter or POST/PUT data)
ARGS_NAMES              Query parameter name (value is irrelevant)

Example

In this example, the BLOCK action is applied to WAF rule 911100 (Restrict HTTP Request Methods), with exclusions so that requests carrying one of the listed cookie values, a cookie with one of the listed names, or an argument matching "passthrough" are not blocked.

PUT /waasPolicies/<policy_ocid>/wafConfig/protectionRules

With the body:

   [
      {
         "key": "911100",
         "action": "BLOCK",
         "exclusions": [
            {
               "target": "REQUEST_COOKIES",
               "exclusions": ["yourcompany.com", "Wed, 21 Oct 2015 07:28:00 GMT", "12345", "219ffwef9w0f"]
            },
            {
               "target": "REQUEST_COOKIES_NAMES",
               "exclusions": ["OAMAuthnCookie", "JSESSIONID", "HCM-PSJSESSIONID"]
            },
            {
               "target": "ARGS",
               "exclusions": ["passthrough"]
            }
         ]
      }
   ]

The call returns HTTP 202 Accepted; the policy enters an UPDATING state until the changes are provisioned to the edge nodes.
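As an added example (my own code, not Oracle's), the script below builds the body shown above, validates it against the exclusion targets and actions this page lists before anything is sent, and then asks, for a few constructed requests, whether they would skip the rule under those exclusions. The matching model in request_is_excluded assumes exact, case-sensitive comparison with the listed strings, which the page does not specify; the function names validate_rule, protection_rule, example_body, update_body and request_is_excluded are mine.

```python
import json

# Exclusion targets and actions named on this page; anything else is rejected before the call.
EXCLUSION_TARGETS = ("REQUEST_COOKIES", "REQUEST_COOKIES_NAMES", "ARGS", "ARGS_NAMES")
ACTIONS = ("OFF", "DETECT", "BLOCK")


def validate_rule(rule):
    """Return a list of problems with one element of the protectionRules body (empty when valid)."""
    problems = []
    if not str(rule.get("key", "")).isdigit():
        problems.append(f"key must be a numeric string, got {rule.get('key')!r}")
    if rule.get("action") not in ACTIONS:
        problems.append(f"action must be one of {ACTIONS}, got {rule.get('action')!r}")
    for item in rule.get("exclusions", []):
        if item.get("target") not in EXCLUSION_TARGETS:
            problems.append(f"unknown exclusion target {item.get('target')!r}")
        if not item.get("exclusions"):
            problems.append(f"empty exclusion list for {item.get('target')!r}")
    return problems


def protection_rule(key, action, exclusions=None):
    """Build one body element; exclusions maps a target to the names or values to exclude."""
    rule = {
        "key": key,
        "action": action,
        "exclusions": [{"target": t, "exclusions": list(v)} for t, v in (exclusions or {}).items()],
    }
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    return rule


def example_body():
    """The example from the page: BLOCK on 911100 with cookie- and argument-based exclusions."""
    return [protection_rule("911100", "BLOCK", {
        "REQUEST_COOKIES": ["yourcompany.com", "Wed, 21 Oct 2015 07:28:00 GMT", "12345", "219ffwef9w0f"],
        "REQUEST_COOKIES_NAMES": ["OAMAuthnCookie", "JSESSIONID", "HCM-PSJSESSIONID"],
        "ARGS": ["passthrough"],
    })]


def update_body(rules):
    """Serialize the list for PUT .../wafConfig/protectionRules."""
    return json.dumps(rules, indent=2)


def request_is_excluded(rule, cookies, args):
    """Would a request with these cookies (name -> value) and args ((name, value) pairs) skip the rule?

    Assumes exact, case-sensitive matching against the listed strings; the page does
    not say how the WAF compares them, so treat this as a model, not a guarantee.
    """
    candidates = {
        "REQUEST_COOKIES": set(cookies.values()),
        "REQUEST_COOKIES_NAMES": set(cookies),
        "ARGS": {v for _, v in args},
        "ARGS_NAMES": {n for n, _ in args},
    }
    return any(set(item["exclusions"]) & candidates[item["target"]]
               for item in rule["exclusions"])


if __name__ == "__main__":
    body = example_body()
    print(update_body(body))
    rule = body[0]
    # Constructed requests: a cookie merely named JSESSIONID, which any client can set,
    # is enough to skip the method restriction under this configuration.
    print(request_is_excluded(rule, {"JSESSIONID": "anything"}, []))
    print(request_is_excluded(rule, {}, [("mode", "passthrough")]))
    print(request_is_excluded(rule, {"theme": "dark"}, [("passthrough", "1")]))
```

The last three checks return True, True and False: a cookie named JSESSIONID or an argument with the value "passthrough" bypasses rule 911100, while an argument merely named "passthrough" does not, because the example excludes on ARGS (values), not ARGS_NAMES. That is the practical cost of exclusions keyed on client-supplied data, and the reason to prefer narrow, hard-to-guess identifiers over common cookie names.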