The WAF service allows you to define custom protection rules from open source
firewall modules, such as ModSecurity modules, and apply them to your WAF
configurations. This topic describes how to format, create, and implement
custom protection rules in your WAF policies using the Console and WAAS API.
For a list of protection rules already available in the service, see Supported Protection Rules.
Custom Protection Rule Syntax
Provides information about custom protection rule syntax for the Web Application Firewall service.
All custom protection rules are expressed in ModSecurity Rule Language. For more
information about ModSecurity syntax, see Making Rules: The Basic Syntax.
Additionally, each rule must include two placeholder variables that are updated by
the WAF service upon publication of the rule.
id:{{id_1}} - This field is updated with a unique rule ID, generated by the WAF service, that identifies a SecRule. More than one SecRule can be defined in the template field of a CreateCustomProtectionRule call. The id field of the first SecRule must be id:{{id_1}}, and the id field of each subsequent SecRule should increase by one, as shown in the example.
ctl:ruleEngine={{mode}} - The action to be taken when the criteria of the SecRule are met, either OFF, DETECT or BLOCK. This field is updated with the corresponding value of the action field of the CustomProtectionRuleSetting object when using the UpdateWafConfig operation.
Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
Click Custom protection rules.
Click Create custom protection rule.
In the Create custom protection rule dialog box, enter the following:
Name: A unique name for the protection rule.
Description: Optional. A description of the custom protection rule.
Template: Enter the protection rule criteria in ModSecurity Rule Language. Each rule must include two placeholder variables: id:{{id_1}} and ctl:ruleEngine={{mode}}. For more information about ModSecurity syntax, see Making Rules: The Basic Syntax.
Show advanced options: Click this link to display options for tagging. See Overview of Tagging.
Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
Click the name of the WAF Policy you want to configure rule settings for. The WAF Policy overview appears.
Click Protection Rules.
Click the Custom Rules tab.
Click Add from the Actions drop-down menu.
In the Add Custom Rule dialog box, select a custom protection rule from the drop-down menu. If the custom protection rule exists in another compartment, you can change the compartment where the rule exists.
Select one of the following actions to apply to the rule:
Detect: Matching requests generate an alert and the request is proxied.
Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
Click the name of the WAF Policy where you want to remove a custom protection rule. The WAF Policy overview appears.
Click Protection Rules.
Click the Custom Rules tab.
Select the check box for the custom rule you want to delete.
Select Delete from the Actions drop-down menu.
Using the API
Custom protection rules can be created and added to a compartment using the CreateCustomProtectionRule call in the WAAS API. Using ModSecurity Rule Language formatting, populate the template field with the criteria of the rule.
Example:
{
  "compartmentId": "ocid1.compartment.region1..<unique_ID>",
  "description": "The description text for the rule being created",
  "displayName": "Custom Protection Rule Name",
  "template": "SecRule REQUEST_URI / \"phase:2, t:none, capture, msg:'Custom (XSS) Attack. Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', id:{{id_1}}, ctl:ruleEngine={{mode}}, tag:'Custom', severity:'2'\""
}
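The placeholder requirements above can be checked before a template is submitted. The following is an added example, not code from the WAF service or its SDK: it verifies that each SecRule carries the expected id placeholder and ctl:ruleEngine={{mode}}, then builds the request body with the field names shown above. It assumes later rules use {{id_2}}, {{id_3}} and so on, and it does not model chained rules; the function names and sample templates are constructed for illustration.

```python
import json
import re

# Assumption: rules after the first use {{id_2}}, {{id_3}}, ... (the page shows only {{id_1}}).
ID_RE = re.compile(r"\bid:\s*\{\{id_(\d+)\}\}")
MODE_RE = re.compile(r"ctl:ruleEngine=\{\{mode\}\}")

# Constructed sample templates, not rules from the service.
GOOD = """SecRule REQUEST_URI "@contains /constructed-path" \\
    "phase:2, t:none, msg:'Constructed rule 1', id:{{id_1}}, ctl:ruleEngine={{mode}}"
SecRule REQUEST_HEADERS:User-Agent "@contains constructed-agent" \\
    "phase:2, t:none, msg:'Constructed rule 2', id:{{id_2}}, ctl:ruleEngine={{mode}}"
"""
# Second rule reuses {{id_1}} and drops the mode placeholder.
BAD = GOOD.replace("{{id_2}}, ctl:ruleEngine={{mode}}", "{{id_1}}")


def split_rules(template):
    """Split a template into SecRule directives, joining backslash-continued lines."""
    joined = re.sub(r"\\[ \t]*\n\s*", " ", template)
    parts = re.split(r"(?m)^(?=[ \t]*SecRule\b)", joined)
    return [p.strip() for p in parts if p.strip()]


def validate_template(template):
    """Return a list of placeholder problems; an empty list means none were found."""
    rules = split_rules(template)
    if not rules:
        return ["template contains no SecRule"]
    problems = []
    for n, rule in enumerate(rules, start=1):
        expected = "id:{{id_%d}}" % n
        found = ID_RE.findall(rule)
        if found != [str(n)]:
            problems.append("rule %d: expected %s, found %s" % (n, expected, found))
        if not MODE_RE.search(rule):
            problems.append("rule %d: missing ctl:ruleEngine={{mode}}" % n)
    return problems


def build_create_body(compartment_id, display_name, template, description=""):
    """Build the JSON request body, refusing templates that fail validation."""
    problems = validate_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({"compartmentId": compartment_id, "description": description,
                       "displayName": display_name, "template": template}, indent=2)
```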
Adding Custom Protection Rules to a WAF Configuration
Custom protection rules can be added to a WAF configuration using the UpdateWafConfig call in the WAAS API.
Add the OCID of the custom protection rule and the desired action to the CustomProtectionRuleSetting object of the UpdateWafConfig schema.
To view a list of available custom protection rules in a compartment and their corresponding OCIDs, use the ListCustomProtectionRules call in the WAAS API.