Overview
WafCharm can customize rules based on your request.
If you would like to request a customization, please contact the WafCharm support team.
For Advanced rule policy
If you are using AWS WAF v2 with a new plan or the AWS Marketplace version, you can choose to use the Advanced rule policy.
With the Advanced rule policy, some rules, such as geo-match rules and rate-based rules, can be added from the WafCharm Console.
If you request the WafCharm support team to add such rules, we may suggest you add them yourself via the WafCharm Console instead.
If the rules contain conditions that cannot be achieved via the WafCharm Console, we will apply the rules via customization.
Available customizations
- Excluding from a specific WafCharm rule.
- Adding a new block rule.
- Adding a new allow rule.
- Adding or deleting an IP address from an existing rule.
- Adding a geo-match rule.
- Adding a rate-based rule.
- Adding a rule to mitigate a specific CVE ID.
- Deleting an existing custom rule or custom condition.
- Adding other custom rules.
Excluding from a specific WafCharm rule
In case of false positives with WafCharm rules, we can exclude those requests using conditions like URIs and headers.
Conditions that can be specified to exclude depend on the AWS WAF specifications. For more information about what can be specified, please refer to the AWS document.
Please contact the WafCharm support team with the information below to request this type of customization.
- Name of the target WAF Config.
- Name of the rule to exclude from.
- Excluding conditions (values of URIs, headers, etc.).
- The WAF log of the request in question, if possible. (*)
- The body data of the request, if possible. (*)
*This information is not required. However, if you are uncertain about which conditions to exclude, or want to know what caused the detection, we will ask you to send it.
To avoid false positives before the customization is applied, please consider changing the rule action to Count. In AWS WAF, Count is a non-terminating action: the rule no longer blocks, but its matches are still recorded in the WAF log, so you can review what it would have blocked while the exclusion is being prepared.
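The WAF log of the blocked request is the quickest way to identify the rule and the conditions to exclude. The following added example (not WafCharm's code) parses AWS WAF log records and pulls out the fields listed above: the terminating rule, any rules that matched in Count mode, the URI, query string and the headers most often used as exclusion conditions. The two log records are constructed for illustration; the field names follow the AWS WAF log format, but the rule names, host names and IP addresses are made up.

```python
"""Extract the fields an exclusion request needs from AWS WAF log records.

Added example, not WafCharm's code. Field names follow the AWS WAF log
format; rule names, hosts and addresses below are constructed.
"""
import json

# Headers that are usually the basis of an exclusion condition.
INTERESTING_HEADERS = ("host", "user-agent", "content-type", "referer")

# Constructed sample records (newline-delimited JSON as delivered by WAF logging).
SAMPLE_LOGS = [
    json.dumps({
        "timestamp": 1700000000000, "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:ap-northeast-1:123456789012:regional/webacl/example-acl/0000",
        "terminatingRuleId": "WafCharmCustomRule-A",   # hypothetical rule name
        "terminatingRuleType": "REGULAR", "action": "BLOCK",
        "nonTerminatingMatchingRules": [],
        "httpRequest": {
            "clientIp": "203.0.113.10", "country": "JP", "httpMethod": "POST",
            "uri": "/api/search", "args": "q=select+name+from+catalog",
            "headers": [{"name": "Host", "value": "shop.example.com"},
                        {"name": "User-Agent", "value": "ExampleApp/2.1"},
                        {"name": "Content-Type", "value": "application/json"}],
        },
    }),
    json.dumps({
        "timestamp": 1700000001000, "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:ap-northeast-1:123456789012:regional/webacl/example-acl/0000",
        "terminatingRuleId": "Default_Action",
        "terminatingRuleType": "REGULAR", "action": "ALLOW",
        # A rule switched to Count still reports its matches here.
        "nonTerminatingMatchingRules": [{"ruleId": "WafCharmCustomRule-B", "action": "COUNT"}],
        "httpRequest": {
            "clientIp": "192.0.2.5", "country": "JP", "httpMethod": "GET",
            "uri": "/healthz", "args": "",
            "headers": [{"name": "Host", "value": "shop.example.com"},
                        {"name": "User-Agent", "value": "ELB-HealthChecker/2.0"}],
        },
    }),
]


def matched_rules(record):
    """Return [(rule_id, action)] for every rule that matched the request.

    The terminating rule decided the request; rules in Count mode never
    terminate and are listed under nonTerminatingMatchingRules instead.
    """
    rules = []
    if record.get("action") in ("BLOCK", "CAPTCHA", "CHALLENGE"):
        rules.append((record["terminatingRuleId"], record["action"]))
    for rule in record.get("nonTerminatingMatchingRules") or []:
        rules.append((rule["ruleId"], rule.get("action", "COUNT")))
    return rules


def summarize(record):
    """Build the exclusion-request summary for one record; None if nothing matched."""
    rules = matched_rules(record)
    if not rules:
        return None
    req = record["httpRequest"]
    headers = {h["name"].lower(): h["value"] for h in req.get("headers", [])}
    return {
        "rules": rules,
        "method": req.get("httpMethod"),
        "uri": req.get("uri"),
        "args": req.get("args", ""),
        "client_ip": req.get("clientIp"),
        "headers": {k: headers[k] for k in INTERESTING_HEADERS if k in headers},
    }


def exclusion_candidates(log_lines):
    """Parse newline-delimited WAF log JSON and summarize every matched request."""
    summaries = []
    for line in log_lines:
        if not line.strip():
            continue
        summary = summarize(json.loads(line))
        if summary is not None:
            summaries.append(summary)
    return summaries


if __name__ == "__main__":
    for s in exclusion_candidates(SAMPLE_LOGS):
        print(json.dumps(s, indent=2))
```

Run it against your own log export (one JSON record per line) and send the rule name together with the URI and header values that distinguish the legitimate request; the second sample record shows why a rule left in Count mode is still visible in the log, under nonTerminatingMatchingRules rather than terminatingRuleId.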
Adding a new block rule
This is a customization to block specific requests if they match the specified conditions.
Please contact the WafCharm support team with the information below to request this type of customization.
- Name of the target WAF Config.
- Values to match the request you want to block, for example:
  - IP addresses.
  - A string.
  - The name of the header that contains the string (e.g. User-Agent).
- String match condition (how the string must match, such as exactly, contains, starts with or ends with), if the rule matches on a string.
Adding a new allow rule
This is a customization to allow specific requests if they match the specified conditions.
If you want to exclude a specific request from all WafCharm rules, an allow rule will be applied. Allow is a terminating action in AWS WAF: a request that matches the allow rule skips every rule evaluated after it, including all WafCharm rules, so keep the match conditions as narrow as possible.
Please contact the WafCharm support team with the information below to request this type of customization.
- Name of the target WAF Config.
- Values to match the request you want to allow, for example:
  - IP addresses.
  - A string.
  - The name of the header that contains the string (e.g. User-Agent).
- String match condition (how the string must match, such as exactly, contains, starts with or ends with), if the rule matches on a string.
Adding or deleting an IP address from an existing rule
This is a customization to add or delete IP addresses in existing custom rules that have IP address conditions, such as a rule that blocks requests from unregistered IP addresses.
*The allowlist and denylist rules that you can edit yourself from the WafCharm Console are out of scope.
Please contact the WafCharm support team with the information below to request this type of customization.
- Name of the target WAF Config.
- IP address to add or delete.
- Information that we can use to determine the custom rule you want to adjust.
Notes
- IP address to add or delete.
  - If you have multiple IP addresses to add and delete, please organize the information so we can easily see which IP addresses need to be added and which need to be deleted. We adjust custom rules exactly as requested, so please double-check your request for mistakes beforehand.
  - You are not required to list every IP address if you want all of them removed from the rule. In that case, please tell us that you want to delete all IP addresses from the custom rule.
- Information that we can use to determine the custom rule you want to adjust.
  - If you have similar custom rules in your web ACL, please specify the rule name. For example, if you have several custom rules that block requests which do not contain the specified IP addresses and a specific Host header, we may be unable to determine which one to adjust. In such a case the Host header condition differs between the rules, so you can also use the Host header value to specify which custom rule to adjust.
Adding a geo-match rule
If you do not expect requests from specific countries, we can create rules that block requests from unexpected countries.
To request this type of customization, please contact the WafCharm support team with information about what you want to achieve and the information below.
- Name of the target WAF Config.
- Country or region name.
- If you want to block requests from the above or block requests that are not from the above.
- Rule action.
Adding a rate-based rule
We can create a rate-based rule to detect an unusually large number of requests from the same source.
To request this type of customization, please contact the WafCharm support team with information about what you want to achieve and the information below.
- Name of the target WAF Config.
- Rate limit (the maximum number of requests allowed per aggregation key within the evaluation window).
- Evaluation window (the period, in minutes, over which requests are counted; the AWS WAF default is 5 minutes).
- Request aggregation (what counts as one source: the source IP address, a forwarded IP address from a header such as X-Forwarded-For, or a combination of keys).
- Scope of inspection and rate limiting (whether all requests are counted or only those matching a condition, such as a specific URI path).
- Conditions you want to include.
- Rule action.
Please refer to the page below for more information about what kind of conditions can be specified in the rate-based rules.
Adding a rule to mitigate a specific CVE ID
When vulnerabilities are discovered, we recommend, as a rule, applying the update or the provisional measures provided by the vendor. However, if you want to reduce the impact of or protect against a new vulnerability in the meantime, we can check whether a custom rule is possible if you provide the information below.
- Name of the target WAF Config.
- The CVE ID of the said vulnerability.
Please keep in mind that WafCharm is a service to add rules to your WAF and the WAF mechanism is provided by AWS WAF. If vulnerabilities cannot be handled by WAF, WafCharm cannot mitigate or protect against the vulnerabilities as well.
*Explanations about the CVEs are not provided.
Deleting an existing custom rule or custom condition
If you no longer need the existing custom rules, we will delete them for you.
Please contact the WafCharm support team with the information below to request this type of customization.
To delete a custom rule:
- Name of the target WAF Config.
- Name of the rule to delete, or details of the conditions of the said rule that can help determine the custom rule to delete.
To delete a condition within a custom rule:
- Name of the target WAF Config.
- Name of the rule to delete, or details of the conditions of the said rule that can help determine the custom rule to delete.
- Details of the condition to delete.
Adding other custom rules
If you have other forms of custom rules you want to apply, please contact the WafCharm support team with the information below. We will determine if we can apply the custom rule based on your request.
- Name of the target WAF Config.
- Conditions you want to apply.
If you have questions about the conditions, please send us the details of what you are trying to achieve and any background information in order for us to help you decide on the conditions.
Notes
- The custom rules available from WafCharm depend on the AWS WAF v2 specifications.
- Depending on the requested conditions, we may ask you to reconsider or check the conditions before proceeding.
- AWS WAF v2 limits how many rules a web ACL can hold, measured in web ACL capacity units (WCUs) that each rule consumes. If the requested custom rule cannot be applied because of this limit, we may need to discuss how we can accommodate your request.
- Custom rules are applied based on your request. Please note that we are unable to suggest custom rules that should be applied based on the characteristics of the website or application.
- The lead time for the whole customization process is on a best-effort basis. No specific schedule or completion time for the customization will be provided.
- We will send an email to notify you once the customization process is complete and the custom rule has been applied.
- Customization service is available for Business plan or above and AWS Marketplace version without added cost.
- We may be unable to accept the request if a custom rule cannot be created or is unnecessary, for example:
  - If the attack does not travel over the network through the WAF, or the WAF cannot be placed in the traffic path and so cannot see the request.
  - If the request cannot be detected by the WAF because it abuses compromised information, such as IDs and passwords, and is indistinguishable from a normal request.
  - If the request differs very little from normal requests, so that a rule would cause many false positives.
  - If a rule that detects the common attack technique used to abuse the vulnerability already exists.