Web Application Firewall (WAF)¶
Web Protection Profiles are a collection of Web Application Firewall (WAF) Rules that can be used to evaluate web-based transactions to ensure the traffic is not malicious.
Valtix supports the following WAF Rule Sets:
Rule Sets | Description |
---|---|
Core Rules | The Core Rules are a standard set of Rules from ModSecurity CRS (Core Rule Set) that provide a base level of protection for any web application |
Trustwave Rules | The Trustwave Rules are a premium set of Rules from ModSecurity based on intelligence gathered from real-world investigations, penetration tests and research that provide an advanced level of protection for specific web applications and frameworks |
Custom Rules | The Custom Rules are a particular set of Rules written by customers that provide a specialized level of protection for custom web applications |
Custom Rules¶
A Custom Rules Ruleset containing one or more Rules can be uploaded and used by the Valtix WAF security engine. The Rules contained within the Ruleset provide specialized web application evaluations required by a customer for their specific web applications and frameworks. The Custom Rules included in the WAF Profile are evaluated before any other Rulesets configured in the WAF Profile.
When uploading a Custom Rules Ruleset, the file should be a Gzip compressed TAR file with extension tar.gz. The compressed TAR file will consist of the following files:
- Readme File - File that gives a description of the Ruleset
- Changelog File - File that represents the change history
- Rules Folder - Folder that consists of one or more ModSecurity formatted Rules files. Each file must have an extension .conf. The folder must contain at least one Rule file (cannot be empty). Each file must follow the ModSecurity Rules format guidelines.
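A pre-upload check of the archive layout described above, as an added example that is not Valtix code. The file and folder names (`README`, `CHANGELOG`, `rules/`) and the sample rule are assumptions, since the page does not state the exact names; the duplicate-id check reflects ModSecurity's requirement that rule ids be unique.

```python
import io
import re
import tarfile

# Assumed names: the page requires a Readme file, a Changelog file and a Rules
# folder but does not state what they must be called.
README, CHANGELOG, RULES_DIR = "README", "CHANGELOG", "rules/"

# Constructed sample rule in ModSecurity SecRule syntax; the id is arbitrary.
SAMPLE_RULE = ('SecRule REQUEST_URI "@beginsWith /internal/" '
               '"id:1000001,phase:1,deny,status:403,log"\n')


def build_ruleset(files):
    """Pack {path: text} into the bytes of a gzip-compressed TAR file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check_ruleset(archive):
    """Return a list of layout problems; an empty list means none were found."""
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            files = {m.name.removeprefix("./"): tar.extractfile(m).read()
                     for m in tar.getmembers() if m.isfile()}
    except (tarfile.TarError, OSError, EOFError):
        return ["not a gzip-compressed TAR file"]
    problems = [f"missing {n}" for n in (README, CHANGELOG) if n not in files]
    rules = {n: b for n, b in files.items() if n.startswith(RULES_DIR)}
    if not rules:
        problems.append("rules folder is empty or missing")
    seen = {}  # rule id -> first file that used it (ModSecurity ids must be unique)
    for name, body in sorted(rules.items()):
        if not name.endswith(".conf"):
            problems.append(f"{name}: extension is not .conf")
        for rule_id in re.findall(r"\bid:'?(\d+)", body.decode(errors="replace")):
            if rule_id in seen:
                problems.append(f"{name}: rule id {rule_id} already used in {seen[rule_id]}")
            seen.setdefault(rule_id, name)
    return problems
```

To check a file on disk, pass `open(path, "rb").read()` to `check_ruleset` before importing it on the Custom tab.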
Upload Custom WAF Rules¶
- Navigate to Manage -> Threat Research -> Web Protection
- Click the Custom tab
- Click the Import button and upload the custom Ruleset file
Create WAF Profile¶
- Navigate to Manage -> Profiles -> Web Protection
- Click Create Protection Profile -> Application Threat
General Settings¶
- Specify a Profile Name and Description
- Specify the Action
  - Rule Default - Allow or Deny the requests based on the action specified in each triggered Rule and log an Event
  - Allow Log - Allow the requests and log an Event
  - Deny Log - Deny the requests and log an Event
- Specify whether to generate a Threat HAR file if the WAF Profile detects malicious activity
- Specify whether to generate an HTTP Request HAR file if the WAF Profile detects malicious activity
Rule Sets¶
Tech Notes
At least one Ruleset from a Rules library (Core, Trustwave, Custom) is required to be specified in the WAF Profile.
If Core Rules Rulesets are specified, the Core Rules cannot be disabled. In order to disable the Core Rules, remove all Core Rules Rulesets from the WAF Profile so they will not be evaluated.
If Trustwave Rules and Custom Rules Rulesets are used, at least one of the two must be enabled. If the desire is to disable both, remove all Trustwave Rules and Custom Rules Rulesets from the WAF Profile so they will not be evaluated.
If the desire is to disable the entire WAF Profile, remove the WAF Profile from any Policy Ruleset Rules so the WAF Profile will not be evaluated.
Core Rules¶
- Specify Manual or Automatic
  - Manual - Specify the Core Rules Version to use
  - Automatic - Specify the number of days from publish date to delay automatic update to the latest Core Rules version
- Add specific Core Rules Rulesets to the WAF Profile
Trustwave Rules¶
- Specify Disabled, Manual or Automatic*
  - Disabled - Specify whether to disable the use of Trustwave Rules (see Tech Notes above)
  - Manual - Specify the Trustwave Rules Version to use
  - Automatic - Specify the number of days from publish date to delay automatic update to the latest Trustwave Rules version
- Add specific Trustwave Rules Rulesets to the WAF Profile
Custom Rules¶
- Specify Disabled, Manual or Automatic*
  - Disabled - Specify whether to disable the use of Custom Rules (see Tech Notes above)
  - Manual - Specify the Custom Rules Version to use
  - Automatic - Specify the number of days from publish date to delay automatic update to the latest Custom Rules version
- Add specific Custom Rules Rulesets to the WAF Profile
Advanced Settings¶
Rule Suppression¶
Rules can be suppressed for a specific IP or a list of CIDRs
- Click Advanced Settings tab
- Under Rule Suppression click Add
- For Source IP/CIDR List, provide a comma-separated list of IPs or CIDRs
- For Rule ID List, provide a comma-separated list of Rule IDs
Event Filtering¶
To reduce the number of security Events that are generated when the WAF Profile is triggered, Event Filtering can be configured to rate limit or sample the Events. The configuration does not alter the detection or protection behavior.
When specifying Type as Rate, the generated Events are rate limited based on the specified Number of Events triggered over a Time evaluation interval (in seconds). For example, if Number of Events is specified as 50 and Time is specified as 5 seconds, only 10 Events per second will be generated.
When specifying Type as Sample, the generated Events are sampled based on the specified Number of Events. For example, if Number of Events is specified as 10, only 1 Event will be generated for every 10 Events triggered.
Profile Event Filtering¶
Profile Event Filtering applies to all Rules that are configured in the WAF Profile
- Specify the Type as Rate or Sample
  - Rate - Specify the Number of Events and the Time evaluation interval (in seconds)
  - Sample - Specify the Number of Events
Rule Event Filtering¶
Rule Event Filtering applies to specific Rules that are configured in the WAF Profile
- Click Add under Rule Event Filtering
- For Rule ID List, specify a comma-separated list of Rule IDs
- Specify Type as Rate or Sample
  - Rate - Specify the Number of Events and the Time evaluation interval (in seconds)
  - Sample - Specify the Number of Events
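A model of the Rate and Sample types at profile and rule scope, as an added example that is not Valtix code, showing which triggers still produce an Event when a noisy rule and a quiet rule fire together. Fixed time windows, keeping the first trigger of each sample group, a single counter shared by all filtered rules, and the rule ids and trigger stream are assumptions; the page does not specify them.

```python
from collections import Counter

# Constructed trigger stream of (time in seconds, rule id): rule 1000001 fires
# 40 times a second for 5 s, rule 1000002 fires three times in the same period.
TRIGGERS = sorted([(i / 40, 1000001) for i in range(200)]
                  + [(0.5, 1000002), (2.5, 1000002), (4.5, 1000002)])


def event_filter(triggers, kind, number, time=None, rule_ids=None):
    """Return the triggers that still produce an Event.

    kind="rate":   keep the first `number` triggers in each `time`-second window
                   (fixed windows are an assumption).
    kind="sample": keep 1 trigger in every `number` (the first of each group,
                   an assumption).
    rule_ids=None models Profile Event Filtering; a set of ids models Rule Event
    Filtering, where other rules are left unfiltered. One counter shared by all
    filtered rules is also an assumption.
    """
    kept, seen, per_window = [], 0, Counter()
    for ts, rule in triggers:
        if rule_ids is not None and rule not in rule_ids:
            kept.append((ts, rule))          # rule is outside the filter's scope
        elif kind == "rate":
            window = int(ts // time)
            per_window[window] += 1
            if per_window[window] <= number:
                kept.append((ts, rule))
        else:
            if seen % number == 0:
                kept.append((ts, rule))
            seen += 1
    return kept


def per_rule(events):
    """Count Events per rule id."""
    return dict(Counter(rule for _, rule in events))
```

In this model a profile-wide Sample of 10 leaves no Event for the quiet rule, while the same Sample scoped to rule 1000001 keeps all three of its Events.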
Associate Profile with a Policy Rule¶
Check this document to create/edit Policy Rules