Overview
WafCharm has two rule policies: Advanced and Legacy.
Advanced: This is a new rule structure released with the WafCharm Console. It allows the configuration of rules such as rate-based rules, geo-match rules, and bot rules. This feature is only available for the new plan.
Legacy: A rule structure that has been available from the old WafCharm Dashboard. It allows the configuration of IP address-related rules and is available for both old and new plans.
If you choose to use the Advanced rule policy, the rule configurations below will be available.
- IP addresses
- Geo-match
- Rate-based
- Bot
- Regular expressions (regex)
- Exceptions
If you choose to use the Legacy rule policy, the rule configurations below will be available.
The denylist (one of the IP address rules) and the regular expression rules (previously called default rules) are applied regardless of the rule configurations. Whether other rules are applied depends on your configurations.
The regular expression rules (previously called default rules) applied for the Advanced rule policy and Legacy rule policy differ in structure and other details, but their basic content is equivalent.
About WCUs
As explained above, the number of rules applied to your web ACL will vary based on your configurations, so the number of WCUs will also change.
In the Legacy rule policy, the application will use 1,100 WCUs. For the Advanced rule policy, the WCUs will vary based on the configurations, but the minimum number used on the application is 600-700 WCUs.
Please keep in mind that AWS WAF may reduce the WCUs after the application is complete if you have multiple web ACLs on the same AWS account and the same region and share the rule groups among multiple web ACLs. The details on WCU calculation are not available to the public and could change depending on an individual situation. The WCUs listed above will be required when applying rules, but the total WCUs used may be different after the rule application is complete.
Rule priorities
Advanced
In the Advanced rule policy, rules are categorized in sections.
- Bypass Bot rule section
- Rule group
- Priority: 101
- This is a section for bot labeling rules.
- Bypass rule section
- Rule group
- Priority: 111
- This is a section for rules to allow requests, such as Allowlist (an allow rule based on IP addresses), and rules to exclude specific conditions from subsequent rules.
- Rate-based rule section
- Rule
- Priority: 201 ~ 210
- This is a section for rate-based rules. If you are not using the rate-based rules, this section may not be present on your web ACL.
- Scoping rule section
- Rule group
- Priority: 301
- This is a section for rules such as denylist (a block rule based on IP addresses). If you add a geo-match rule, it will be included in this section.
- Use case rule section
- Custom rules
- Rule group
- Priority: 401
- This section is only available if you have requested customizations from the WafCharm support team.
- Bot rules
- Rule
- Priority: 411 ~ 413
- This section is only available if you enabled bot rules and used them with rule actions other than Count. If you are not using the bot rules, this section may not be present.
- Regular expression rules
- Rule group
- Priority: 421
- These are the original WafCharm rules that are applied by default.
Notes
- Priorities cannot be changed. Even if you change them from the AWS management console, they will return to the values above.
- If you apply rules from the AWS management console, the priorities for all rules may change to numbers like 0 and 1 on the web ACL. Even in that case, priorities reserved by WafCharm will not change, and the priorities will return to the values listed above. When doing so, WafCharm will not change the priorities of any rules you add.
- You can use the priorities that are not listed above. For example, 101 is used by the Bypass Bot rule section and 111 is used by the Bypass rule section, but priorities below 100 and priorities between 102 and 110 are available for you to use. Because these priorities are not reserved, WafCharm will not automatically adjust them either.
- Using the priorities reserved by WafCharm will cause an error in WafCharm's system. If you use the AWS management console or other methods to apply rules outside of WafCharm with the reserved priorities, WafCharm will not be able to update your web ACLs. Please avoid using the reserved priorities.
- The same applies to rules that are not in use at the time, such as rate-based rules. Even if you have not configured rate-based rules from the WafCharm Console, please refrain from using priorities 201 to 210.
- Please refrain from using the word "WafCharm" in your own rules to avoid malfunctions.
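A small check that applies the two notes above to a web ACL's rule list, added here as an example and not part of WafCharm's own tooling. It reads only the Name and Priority fields of the Rules entries returned by the AWS WAFv2 GetWebACL API, and it assumes a case-insensitive match is the safe reading of "the word WafCharm"; the sample rules are constructed.

```python
"""Flag customer rules that collide with WafCharm's reserved Advanced-policy priorities or naming."""

# Priorities reserved by the Advanced rule policy, taken from the section list on this page.
RESERVED_PRIORITIES = {
    101: "Bypass Bot rule section",
    111: "Bypass rule section",
    **{p: "Rate-based rule section" for p in range(201, 211)},
    301: "Scoping rule section",
    401: "Use case rule section (custom rules)",
    **{p: "Use case rule section (bot rules)" for p in range(411, 414)},
    421: "Use case rule section (regular expression rules)",
}


def check_rules(rules):
    """Return (rule_name, problem) pairs for rules that WafCharm would not be able to coexist with.

    `rules` is a list of dicts shaped like the WebACL.Rules entries from wafv2 GetWebACL;
    only "Name" and "Priority" are read.
    """
    problems = []
    for rule in rules:
        name, priority = rule["Name"], rule["Priority"]
        # Assumption: matching case-insensitively is the conservative reading of the naming note.
        if "wafcharm" in name.lower():
            problems.append((name, 'rule name contains "WafCharm"'))
        if priority in RESERVED_PRIORITIES:
            problems.append((name, f"priority {priority} is reserved for the {RESERVED_PRIORITIES[priority]}"))
    return problems


def free_priorities(rules, lo=0, hi=500):
    """Return priorities in [lo, hi) that are neither reserved by WafCharm nor already used by `rules`."""
    used = {r["Priority"] for r in rules}
    return [p for p in range(lo, hi) if p not in RESERVED_PRIORITIES and p not in used]


# Constructed sample: rules as a customer might have added them from the AWS management console.
SAMPLE_RULES = [
    {"Name": "block-legacy-api", "Priority": 50},
    {"Name": "WafCharm-like-test", "Priority": 105},
    {"Name": "my-rate-limit", "Priority": 205},
    {"Name": "country-allow", "Priority": 402},
]

if __name__ == "__main__":
    for rule_name, problem in check_rules(SAMPLE_RULES):
        print(f"{rule_name}: {problem}")
    print("next free priorities:", free_priorities(SAMPLE_RULES)[:5])
```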
Legacy
The rule order of the Legacy rule policy is as follows.
- Allowlist rule (if you registered IP addresses from the WafCharm Console)
- User registered rules
- WafCharm_Common_Basic_Group
- WafCharm_Common_Advanced_Group
- Denylist rule
Notes
- The rule order will automatically return to the order listed above even if you change the priorities from the AWS management console.
- The rule order within the [User registered rules] section will not change.
- Please refrain from using the word "WafCharm" in your own rules to avoid malfunctions.
- Legacy rule policy has no specific priority value for each rule/rule group. The overall rule order is as above, and specific values do not affect it.
- Except for a few rules, all rules are applied using rule groups in the Legacy rule policy.
- The order of the rules applied by customization will differ based on the conditions. As a rule, custom rules are placed after the Allowlist rule or after WafCharm_Common_Advanced_Group.
Web attacks WafCharm rules can handle
WafCharm provides rules to protect against cyber attacks exploiting the application's vulnerabilities.
The basic idea is that there must be conditions that can be determined to be abnormal when the request passes through WAF. Requests that could be considered normal from the application's point of view or requests that use compromised passwords cannot be detected.
List of example attacks WafCharm can handle
- SQL injection
- OS command injection
- Code injection
- Header injection
- Path traversal/directory traversal
- Cross-site scripting
- XML external entity (XXE) attack
- Malicious User-Agents
- Attacks that target vulnerabilities related to middleware and operating systems
etc.
*Some vulnerabilities may be detected and categorized under the general attack type if the rules intended for general web attacks can detect them.
For example, if a web system receives an SQL injection attack that exploits a vulnerability in specific middleware, the request will be detected as SQL injection.
List of example attacks WafCharm cannot handle
etc.
Notes
- The list of WafCharm rules and the details of WafCharm rules are not disclosed, for security reasons.
- Please note that we cannot guarantee the operation if you change any settings (e.g., conditions) other than the rule action of the rules provided by WafCharm.