Armor Rule Tuning

The document discusses tuning Google Cloud Armor's preconfigured web application firewall (WAF) rules. It provides a table listing the preconfigured rules available in Cloud Armor which are based on the ModSecurity Core Rule Set. The document explains that each preconfigured rule contains multiple signatures and tuning involves disabling unwanted signatures to reduce false positives. It then provides details on the individual signatures within the SQL injection preconfigured rule including their IDs, sensitivity levels, and descriptions.

8/23/2020 Tuning Google Cloud Armor WAF rules | Google Cloud Armor Documentation
https://cloud.google.com/armor/docs/rule-tuning/

Tuning Google Cloud Armor WAF rules

Preconfigured rules

Google Cloud Armor preconfigured rules are complex web application firewall (WAF) rules with
dozens of signatures that are compiled from open source industry standards. Google offers
these rules as-is. The rules enable Google Cloud Armor to evaluate dozens of distinct traffic
signatures by referring to conveniently-named rules, rather than requiring you to define each
signature manually.

The following table contains a comprehensive list of preconfigured WAF rules that are available
for use in a Google Cloud Armor security policy. The rule source is ModSecurity Core Rule Set
3.0.2 (https://modsecurity.org/crs/).

| Google Cloud Armor rule name | ModSecurity rule name | Current Status |
|---|---|---|
| sqli-stable | SQL injection | In sync with sqli-canary |
| sqli-canary | SQL injection | Latest |
| xss-stable | Cross-site scripting | In sync with xss-canary |
| xss-canary | Cross-site scripting | Latest |
| lfi-stable (Beta) | Local file inclusion | In sync with lfi-canary |
| lfi-canary (Beta) | Local file inclusion | Latest |
| rfi-stable (Beta) | Remote file inclusion | In sync with rfi-canary |
| rfi-canary (Beta) | Remote file inclusion | Latest |
| rce-stable (Beta) | Remote code execution | In sync with rce-canary |
| rce-canary (Beta) | Remote code execution | Latest |

About rule tuning


Each preconfigured rule consists of multiple signatures. Incoming requests are evaluated
against the preconfigured rules. A request matches a preconfigured rule if the request matches
any of the signatures that are associated with the preconfigured rule. A match is made when
the evaluatePreconfiguredExpr() command returns the value true.

If you decide that a preconfigured rule matches more traffic than is necessary, or if the rule is
blocking traffic that needs to be allowed, the rule can be tuned to disable noisy or otherwise
unnecessary signatures. To disable signatures in a particular preconfigured rule, you provide a
list of IDs of the unwanted signatures to the evaluatePreconfiguredExpr() command. For
example, the following match condition in the rules language uses a tuned rule:

evaluatePreconfiguredExpr('xss-stable', ['owasp-crs-v020901-id981136-xss', 'owasp-crs-v02

Preconfigured ModSecurity rules

SQL injection

| Signature ID (CRS Rule ID) | Sensitivity Level | Description |
|---|---|---|
| owasp-crs-v030001-id942140-sqli | 1 | SQL Injection Attack: Common DB Names Detected |
| owasp-crs-v030001-id942160-sqli | 1 | Detects blind sqli tests using sleep() or benchmark(). |
| owasp-crs-v030001-id942170-sqli | 1 | Detects SQL benchmark and sleep injection attempts including conditional queries |
| owasp-crs-v030001-id942190-sqli | 1 | Detects MSSQL code execution and information gathering attempts |
| owasp-crs-v030001-id942220-sqli | 1 | Looking for integer overflow attacks |
| owasp-crs-v030001-id942230-sqli | 1 | Detects conditional SQL injection attempts |
| owasp-crs-v030001-id942240-sqli | 1 | Detects MySQL charset switch and MSSQL DoS attempts |
| owasp-crs-v030001-id942250-sqli | 1 | Detects MATCH AGAINST |
| owasp-crs-v030001-id942270-sqli | 1 | Looking for basic sql injection. Common attack string for mysql |
| owasp-crs-v030001-id942280-sqli | 1 | Detects Postgres pg_sleep injection |
| owasp-crs-v030001-id942290-sqli | 1 | Finds basic MongoDB SQL injection attempts |
| owasp-crs-v030001-id942320-sqli | 1 | Detects MySQL and PostgreSQL stored procedure/function injections |
| owasp-crs-v030001-id942350-sqli | 1 | Detects MySQL UDF injection and other data/structure manipulation attempts |
| owasp-crs-v030001-id942360-sqli | 1 | Detects concatenated basic SQL injection and SQLLFI attempts |
| owasp-crs-v030001-id942110-sqli | 2 | SQL Injection Attack: Common Injection Testing Detected |
| owasp-crs-v030001-id942120-sqli | 2 | SQL Injection Attack: SQL Operator Detected |
| owasp-crs-v030001-id942150-sqli | 2 | SQL Injection Attack |
| owasp-crs-v030001-id942180-sqli | 2 | Detects basic SQL authentication bypass attempts 1/3 |
| owasp-crs-v030001-id942200-sqli | 2 | Detects MySQL comment-/space-obfuscated injections and backtick termination |
| owasp-crs-v030001-id942210-sqli | 2 | Detects chained SQL injection attempts 1/2 |
| owasp-crs-v030001-id942260-sqli | 2 | Detects basic SQL authentication bypass attempts 2/3 |
| owasp-crs-v030001-id942300-sqli | 2 | Detects MySQL comments |
| owasp-crs-v030001-id942310-sqli | 2 | Detects chained SQL injection attempts 2/2 |
| owasp-crs-v030001-id942330-sqli | 2 | Detects classic SQL injection probings 1/2 |
| owasp-crs-v030001-id942340-sqli | 2 | Detects basic SQL authentication bypass attempts 3/3 |
| owasp-crs-v030001-id942380-sqli | 2 | SQL Injection Attack |
| owasp-crs-v030001-id942390-sqli | 2 | SQL Injection Attack |
| owasp-crs-v030001-id942400-sqli | 2 | SQL Injection Attack |
| owasp-crs-v030001-id942410-sqli | 2 | SQL Injection Attack |
| owasp-crs-v030001-id942430-sqli | 2 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
| owasp-crs-v030001-id942440-sqli | 2 | SQL Comment Sequence Detected. |
| owasp-crs-v030001-id942450-sqli | 2 | SQL Hex Encoding Identified |
| owasp-crs-v030001-id942251-sqli | 3 | Detects HAVING injections |
| owasp-crs-v030001-id942420-sqli | 3 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) |
| owasp-crs-v030001-id942431-sqli | 3 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) |
| owasp-crs-v030001-id942460-sqli | 3 | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters |
| owasp-crs-v030001-id942421-sqli | 4 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) |
| owasp-crs-v030001-id942432-sqli | 4 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2) |

To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity
levels:

SQLi Sensitivity Level 1

evaluatePreconfiguredExpr('sqli-stable', ['owasp-crs-v030001-id942110-sqli',
'owasp-crs-v030001-id942120-sqli',
'owasp-crs-v030001-id942150-sqli',
'owasp-crs-v030001-id942180-sqli',
'owasp-crs-v030001-id942200-sqli',
'owasp-crs-v030001-id942210-sqli',
'owasp-crs-v030001-id942260-sqli',
'owasp-crs-v030001-id942300-sqli',
'owasp-crs-v030001-id942310-sqli',
'owasp-crs-v030001-id942330-sqli',
'owasp-crs-v030001-id942340-sqli',
'owasp-crs-v030001-id942380-sqli',
'owasp-crs-v030001-id942390-sqli',
'owasp-crs-v030001-id942400-sqli',
'owasp-crs-v030001-id942410-sqli',
'owasp-crs-v030001-id942430-sqli',
'owasp-crs-v030001-id942440-sqli',
'owasp-crs-v030001-id942450-sqli',
'owasp-crs-v030001-id942251-sqli',
'owasp-crs-v030001-id942420-sqli',
'owasp-crs-v030001-id942431-sqli',
'owasp-crs-v030001-id942460-sqli',
'owasp-crs-v030001-id942421-sqli',
'owasp-crs-v030001-id942432-sqli']
)


SQLi Sensitivity Level 2

evaluatePreconfiguredExpr('sqli-stable', ['owasp-crs-v030001-id942251-sqli',
'owasp-crs-v030001-id942420-sqli',
'owasp-crs-v030001-id942431-sqli',
'owasp-crs-v030001-id942460-sqli',
'owasp-crs-v030001-id942421-sqli',
'owasp-crs-v030001-id942432-sqli']
)

SQLi Sensitivity Level 3

evaluatePreconfiguredExpr('sqli-stable', ['owasp-crs-v030001-id942421-sqli',
'owasp-crs-v030001-id942432-sqli']
)

SQLi Sensitivity Level 4

evaluatePreconfiguredExpr('sqli-stable')

Cross-Site Scripting (XSS)

| Signature ID (Rule ID) | Sensitivity Level | Description |
|---|---|---|
| owasp-crs-v030001-id941110-xss | 1 | XSS Filter - Category 1: Script Tag Vector |
| owasp-crs-v030001-id941120-xss | 1 | XSS Filter - Category 2: Event Handler Vector |
| owasp-crs-v030001-id941130-xss | 1 | XSS Filter - Category 3: Attribute Vector |
| owasp-crs-v030001-id941140-xss | 1 | XSS Filter - Category 4: JavaScript URI Vector |
| owasp-crs-v030001-id941160-xss | 1 | NoScript XSS InjectionChecker: HTML Injection |
| owasp-crs-v030001-id941170-xss | 1 | NoScript XSS InjectionChecker: Attribute Injection |
| owasp-crs-v030001-id941180-xss | 1 | Node-Validator Blacklist Keywords |
| owasp-crs-v030001-id941190-xss | 1 | IE XSS Filters - Attack Detected. |
| owasp-crs-v030001-id941200-xss | 1 | IE XSS Filters - Attack Detected. |
| owasp-crs-v030001-id941210-xss | 1 | IE XSS Filters - Attack Detected. |
| owasp-crs-v030001-id941220-xss | 1 | IE XSS Filters - Attack Detected. |
| owasp-crs-v030001-id941230-xss | 1 | IE XSS Filters - Attack Detected. |
| owasp-crs-v030001-id941240-xss | 1 | IE XSS Filters - Attack Detected. |
| owasp-crs-v030001-id941250-xss | 1 | IE XSS Filters - Attack Detected. |
| owasp-crs-v030001-id941260-xss | 1 | IE XSS Filters - Attack Detected. |
| owasp-crs-v030001-id941270-xss | 1 | IE XSS Filters - Attack Detected. |
| owasp-crs-v030001-id941280-xss | 1 | IE XSS Filters - Attack Detected. |
| owasp-crs-v030001-id941290-xss | 1 | IE XSS Filters - Attack Detected. |
| owasp-crs-v030001-id941300-xss | 1 | IE XSS Filters - Attack Detected. |
| owasp-crs-v030001-id941310-xss | 1 | US-ASCII Malformed Encoding XSS Filter - Attack Detected. |
| owasp-crs-v030001-id941350-xss | 1 | UTF-7 Encoding IE XSS - Attack Detected. |
| owasp-crs-v030001-id941150-xss | 2 | XSS Filter - Category 5: Disallowed HTML Attributes |
| owasp-crs-v030001-id941320-xss | 2 | Possible XSS Attack Detected - HTML Tag Handler |
| owasp-crs-v030001-id941330-xss | 2 | IE XSS Filters - Attack Detected. |
| owasp-crs-v030001-id941340-xss | 2 | IE XSS Filters - Attack Detected. |

To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity
levels:

XSS Sensitivity Level 1

evaluatePreconfiguredExpr('xss-stable', ['owasp-crs-v030001-id941150-xss',
'owasp-crs-v030001-id941320-xss',
'owasp-crs-v030001-id941330-xss',
'owasp-crs-v030001-id941340-xss'])

All signatures for XSS are at sensitivity level 2 or below. The following configuration works for other
sensitivity levels:

XSS Sensitivity Level 2/3/4


evaluatePreconfiguredExpr('xss-stable')

Local file inclusion (LFI) (Beta)

| Signature ID (Rule ID) | Sensitivity Level | Description |
|---|---|---|
| owasp-crs-v030001-id930100-lfi | 1 | Path Traversal Attack (/../) |
| owasp-crs-v030001-id930110-lfi | 1 | Path Traversal Attack (/../) |
| owasp-crs-v030001-id930120-lfi | 1 | OS File Access Attempt |
| owasp-crs-v030001-id930130-lfi | 1 | Restricted File Access Attempt |

All signatures for LFI are at sensitivity level 1. The following configuration works for all
sensitivity levels:

LFI Sensitivity Levels 1/2/3/4

evaluatePreconfiguredExpr('lfi-canary')

Remote Code Execution (RCE) (Beta)

| Signature ID (Rule ID) | Sensitivity Level | Description |
|---|---|---|
| owasp-crs-v030001-id932100-rce | 1 | UNIX Command Injection |
| owasp-crs-v030001-id932105-rce | 1 | UNIX Command Injection |
| owasp-crs-v030001-id932110-rce | 1 | Windows Command Injection |
| owasp-crs-v030001-id932115-rce | 1 | Windows Command Injection |
| owasp-crs-v030001-id932120-rce | 1 | Windows PowerShell Command Found |
| owasp-crs-v030001-id932130-rce | 1 | Unix Shell Expression Found |
| owasp-crs-v030001-id932140-rce | 1 | Windows FOR/IF Command Found |
| owasp-crs-v030001-id932150-rce | 1 | Direct UNIX Command Execution |
| owasp-crs-v030001-id932160-rce | 1 | UNIX Shell Code Found |
| owasp-crs-v030001-id932170-rce | 1 | Shellshock (CVE-2014-6271) |
| owasp-crs-v030001-id932171-rce | 1 | Shellshock (CVE-2014-6271) |

All signatures for RCE are at sensitivity level 1. The following configuration works for all
sensitivity levels:

RCE Sensitivity Levels 1/2/3/4

evaluatePreconfiguredExpr('rce-canary')

Remote File Inclusion (RFI) (Beta)

| Signature ID (Rule ID) | Sensitivity Level | Description |
|---|---|---|
| owasp-crs-v030001-id931100-rfi | 1 | URL Parameter using IP Address |
| owasp-crs-v030001-id931110-rfi | 1 | Common RFI Vulnerable Parameter Name used w/URL Payload |
| owasp-crs-v030001-id931120-rfi | 1 | URL Payload Used w/Trailing Question Mark Character (?) |
| owasp-crs-v030001-id931130-rfi | 2 | Off-Domain Reference/Link |

To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity
levels:

RFI Sensitivity Level 1

evaluatePreconfiguredExpr('rfi-canary', ['owasp-crs-v030001-id931130-rfi'])

RFI Sensitivity Level 2/3/4

evaluatePreconfiguredExpr('rfi-canary')
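
The sensitivity-level procedure above (disable every signature whose level is greater than the target) as an added example; it is not part of Google's documentation. The names `SIGNATURES` and `tuned_expression` are hypothetical, and the signature levels are copied from the SQL injection and RFI tables on this page.

```python
# Added example: build a Cloud Armor match expression for a target sensitivity
# level. Helper names are hypothetical; levels come from this page's tables.
PREFIX = "owasp-crs-v030001-id"

SIGNATURES = {  # rule family -> {sensitivity level: [CRS rule numbers]}
    "sqli": {
        1: [942140, 942160, 942170, 942190, 942220, 942230, 942240, 942250,
            942270, 942280, 942290, 942320, 942350, 942360],
        2: [942110, 942120, 942150, 942180, 942200, 942210, 942260, 942300,
            942310, 942330, 942340, 942380, 942390, 942400, 942410, 942430,
            942440, 942450],
        3: [942251, 942420, 942431, 942460],
        4: [942421, 942432],
    },
    "rfi": {1: [931100, 931110, 931120], 2: [931130]},
}


def tuned_expression(rule_name, level, extra_disabled=()):
    """Return the expression that runs `rule_name` at sensitivity `level`.

    extra_disabled: CRS rule numbers the operator found noisy (assumed input).
    Unknown numbers are rejected so a typo cannot silently leave a noisy
    signature enabled.
    """
    family = rule_name.split("-")[0]  # 'sqli-stable' -> 'sqli'
    levels = SIGNATURES[family]
    if level not in range(1, 5):
        raise ValueError("sensitivity level must be 1-4")
    known = {n for nums in levels.values() for n in nums}
    unknown = set(extra_disabled) - known
    if unknown:
        raise ValueError(f"not a {family} signature: {sorted(unknown)}")
    # Every signature above the target level is disabled, lowest level first.
    disabled = [n for lvl in sorted(levels) if lvl > level for n in levels[lvl]]
    disabled += [n for n in extra_disabled if n not in disabled]
    if not disabled:
        return f"evaluatePreconfiguredExpr('{rule_name}')"
    ids = ", ".join(f"'{PREFIX}{n}-{family}'" for n in disabled)
    return f"evaluatePreconfiguredExpr('{rule_name}', [{ids}])"


if __name__ == "__main__":
    for lvl in (1, 2, 3, 4):
        print(lvl, tuned_expression("sqli-stable", lvl))
```

Passing a signature number in `extra_disabled` keeps the chosen sensitivity level while switching off one noisy signature, which is the tuning case described under "About rule tuning".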

What's next

To configure security policies, rules, and expressions, use the instructions in Configuring
security policies (/armor/docs/configure-security-policies) and Creating Google Cloud Armor
security policies, rules, and expressions
(/armor/docs/configure-security-policies#creating-policy-rules).

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License
(https://creativecommons.org/licenses/by/4.0/), and code samples are licensed under the Apache 2.0 License
(https://www.apache.org/licenses/LICENSE-2.0). For details, see the Google Developers Site Policies
(https://developers.google.com/site-policies). Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2020-08-11 UTC.
