Web Application Firewall (WAF)¶

Web Protection Profiles are a collection of Web Application Firewall (WAF) Rules that can be used to evaluate web-based transactions to ensure the traffic is not malicious.

Valtix supports the following WAF Rule Sets:

Rule Sets	Description
Core Rules	The Core Rules are a standard set of Rules from ModSecurity CRS (Core Rule Set) that provide a base level of protection for any web application
Trustwave Rules	The Trustwave Rules are a premium set of Rules from ModSecurity based on intelligence gathered from real-world investigations, penetration tests and research that provide an advanced level of protection for specific web applications and frameworks
Custom Rules	The Custom Rules are a particular set of Rules written by customers that provide a specialized level of protection for custom web applications

Custom Rules¶

A Custom Rules Ruleset containing one or more Rules can be uploaded and used by the Valtix WAF security engine. The Rules contained within the Ruleset provide specialized web application evaluations required by a customer for their specific web applications and frameworks. The Custom Rules included in the WAF Profile will be evaluated first before evaluating any other Rulesets configured in the WAF Profile.

When uploading a Custom Rules Ruleset, the file should be a Gzip compressed TAR file with extension tar.gz. The compressed TAR file will consist of the following files:

Readme File - File that gives a description of the Ruleset
Changelog File - File that represents the change history
Rules Folder - Folder that consists of one or more ModSecurity formatted Rules files. Each file must have an extension .conf. The folder must contain at least one Rule file (cannot be empty). Each file must follow the ModSecurity Rules format guidelines.

Upload Custom WAF Rules¶

Navigate to Manage -> Threat Research -> Web Protection
Click the Custom tab
Click the Import button and upload the custom Ruleset file

Create WAF Profile¶

Navigate to Manage -> Profiles -> Web Protection
Click Create Protection Profile -> Application Threat

General Settings¶

Specify a Profile Name and Description
Specify the Action
Rule Default - Allow or Deny the requests based on the action specified in each triggered Rule and log an Event
Allow Log - Allow the requests and log an Event
Deny Log - Deny the requests and log an Event
Specify whether to generate a Threat HAR file if the WAF Profile detects malicious activity
Specify whether to generate a HTTP Request HAR file if the WAF Profile detects malicious activity

Rule Sets¶

Tech Notes

At least one Ruleset from a Rules library (Core, Trustwave, Custom) is required to be specified in the WAF Profile.

If Core Rules Rulesets are specified, the Core Rules cannot be disabled. In order to disable the Core Rules, remove all Core Rules Rulesets from the WAF Profile so they will not be evaluated.

If Trustwave Rules and Custom Rules Rulesets are used, at least one of the two must be enabled. If the desire is to disable both, remove all Trustwave Rules and Custom Rules Rulesets from the WAF Profile so they will not be evaluated.

If the desire is to disable the entire WAF Profile, remove the WAF Profile from any Policy Ruleset Rules so the WAF Profile will not be evaluated.

Core Rules¶

Specify Manual or Automatic
Manual - Specify the Core Rules Version to use
Automatic - Specify the numbers of days from publish date to delay automatic update to the latest Core Rules version
Add specific Core Rules Rulesets to the WAF Profile

Trustwave Rules¶

Specify Disabled, Manual or Automatic*
Disabled - Specify whether to disable the use of Trustwave Rules (see Tech Notes above)
Manual - Specify the Trustwave Rules Version to use
Automatic - Specify the number of days from publish date to delay automatic update to the latest Trustwave Rules version
Add specific Trustwave Rules Rulesets to the WAF Profile

Custom Rules¶

Specify Disabled, Manual or Automatic*
Disabled - Specify whether to disable the use of Custom Rules (see Tech Notes above)
Manual - Specify the Custom Rules Version to use
Automatic - Specify the number of days from publish date to delay automatic update to the latest Custom Rules version
Add specific Custom Rules Rulesets to the WAF Profile

Advanced Settings¶

Rule Suppression¶

Rules can be suppressed for a specific IP or a list of CIDRs

Click Advanced Settings tab
Under Rule Suppression click Add
For Source IP/CIDR List, provide a comma-separated list of IPs or CIDRs
For Rule ID List, provide a comma-separated list of Rule IDs

Event Filtering¶

To reduce the number of security Events that are generated when the WAF Profile is triggered, the Event Filtering can be configured to rate limit or sample the Events. The configuration does not alter the detection or protection behavior.

When specifying Type as Rate, the generated Events are rate limited based on the specified Number of Events triggered over a Time evaluation interval (in seconds). For example, if Number of Events is specified as 50 and Time is specified as 5 seconds, only 10 Events per second will be generated.

When specifying Type as Sample, the generated Events are sampled based on the specified Number of Events. For example, if Number of Events is specified as 10, only 1 Event will be generated for every 10 Events triggered.

Profile Event Filtering¶

Profile Event Filtering applies to all Rules that are configured in the WAF Profile

Specify the Type as Rate or Sample
Rate - Specify the Number of Events and the Time evaluation interval (in seconds)
Sample - Specify the Number of Events

Rule Event Filtering¶

Rule Event Filtering applies to specific Rules that are configured in the WAF Profile

Click Add under Rule Event Filtering
For Rule ID List, specify a comma-separated list of Rule IDs
Specify Type as Rate or Sample
Rate - Specify the Number of Events and the Time evaluation interval (in seconds)
Sample - Specify the Number of Events

Associate Profile with a Policy Rule¶

Check this document to create/edit Policy Rules