Web Application Firewall (WAF)
The OWASP Web Application Firewall (WAF) is a powerful security layer that protects your web applications from various types of attacks. It can be enabled at the ingress level using OWASP Core Rule Set (CRS) rules.
What is OWASP WAF?
The OWASP WAF is based on the ModSecurity engine and the OWASP Core Rule Set (CRS), which is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, while minimizing false positives.
We are using version 4.15.0. You can view the rules from the official repository on GitHub.
Key Benefits
- Comprehensive Protection: Covers the OWASP Top 10 vulnerabilities.
- Real-time Monitoring: Detects and blocks malicious requests in real-time.
- Attack Prevention: Blocks common attack vectors like SQL injection, XSS, and file inclusion attacks.
Enabling WAF
To enable the WAF at the ingress level:
- Configure the OWASP rules as shown in the following image on the Settings tab.
- Make a new deployment by clicking on Apply changes.
Enabled Rule Sets
The following table lists the enabled OWASP Core Rule Set (CRS) version 4.15.0 rule sets (grouped by configuration files) with their descriptions:
Rule Set ID | Rule File | Description |
---|---|---|
900 | REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf | Exclusion rules that should be processed before the main CRS rules |
901 | REQUEST-901-INITIALIZATION.conf | Initialization rules that set up the basic CRS environment |
905 | REQUEST-905-COMMON-EXCEPTIONS.conf | Common exception rules for legitimate traffic patterns |
911 | REQUEST-911-METHOD-ENFORCEMENT.conf | Rules to enforce allowed HTTP methods and block unauthorized ones |
913 | REQUEST-913-SCANNER-DETECTION.conf | Rules to detect and block automated scanning tools and bots |
920 | REQUEST-920-PROTOCOL-ENFORCEMENT.conf | Protocol enforcement rules to ensure requests follow HTTP standards |
921 | REQUEST-921-PROTOCOL-ATTACK.conf | Detection rules for protocol-based attacks |
922 | REQUEST-922-MULTIPART-ATTACK.conf | Rules to detect attacks in multipart form data |
930 | REQUEST-930-APPLICATION-ATTACK-LFI.conf | Local File Inclusion (LFI) attack detection rules |
931 | REQUEST-931-APPLICATION-ATTACK-RFI.conf | Remote File Inclusion (RFI) attack detection rules |
932 | REQUEST-932-APPLICATION-ATTACK-RCE.conf | Remote Code Execution (RCE) attack detection rules |
933 | REQUEST-933-APPLICATION-ATTACK-PHP.conf | PHP-specific attack detection rules |
934 | REQUEST-934-APPLICATION-ATTACK-GENERIC.conf | Generic application attack detection rules |
941 | REQUEST-941-APPLICATION-ATTACK-XSS.conf | Cross-Site Scripting (XSS) attack detection rules |
942 | REQUEST-942-APPLICATION-ATTACK-SQLI.conf | SQL Injection attack detection rules |
943 | REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf | Session fixation attack detection rules |
944 | REQUEST-944-APPLICATION-ATTACK-JAVA.conf | Java-specific attack detection rules |
949 | REQUEST-949-BLOCKING-EVALUATION.conf | Rules for evaluating and determining blocking actions |
950 | RESPONSE-950-DATA-LEAKAGES.conf | Rules to detect data leakage in HTTP responses |
951 | RESPONSE-951-DATA-LEAKAGES-SQL.conf | SQL-specific data leakage detection rules |
952 | RESPONSE-952-DATA-LEAKAGES-JAVA.conf | Java-specific data leakage detection rules |
953 | RESPONSE-953-DATA-LEAKAGES-PHP.conf | PHP-specific data leakage detection rules |
954 | RESPONSE-954-DATA-LEAKAGES-IIS.conf | IIS-specific data leakage detection rules |
955 | RESPONSE-955-WEB-SHELLS.conf | Web shell detection rules |
959 | RESPONSE-959-BLOCKING-EVALUATION.conf | Response-based blocking evaluation rules |
980 | RESPONSE-980-CORRELATION.conf | Rules for correlating request and response data |
999 | RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf | Exclusion rules that should be processed after the main CRS rules |
Viewing WAF Logs
To view the WAF logs:
- Go to the Logs tab.
- In the filter, select Log Type -> WAF and click Apply. Now you will see WAF blocking events.
- You can filter for specific content using the search function.
Downloading WAF Logs
To download the logs:
- Filter the desired content as demonstrated in the Viewing WAF Logs section.
- Select the Download filtered logs option.
A file with the log content will be generated and will appear in the list to be downloaded.
The log file will have the following field structure:
Field | Description |
---|---|
dateTime | The timestamp of the WAF event. |
clientIp | The IP address of the client making the request. |
requestMethod | The HTTP method used (e.g., GET, POST). |
responseHttpCode | The HTTP status code returned (e.g., 403 for blocked). |
requestHost | The host header value. |
requestUri | The requested URL path. |
uniqueId | A unique identifier for the request. |
messages | Details of the triggered rules and reasons for blocking. |
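As an added example (not part of this page or the platform's own tooling), the following Python script reads a downloaded log file with the field structure above and summarizes blocked requests per triggered rule, per client and per path, which is the usual first step when reviewing whether a block is a real attack or a false positive. It assumes the file is one JSON object per line and that the messages field holds ModSecurity-style strings with [id "..."] and [msg "..."] tags; the sample events are constructed.

```python
import json
import re
from collections import Counter

# Constructed sample of a downloaded WAF log using the documented field names. Assumed
# (not stated on the page): JSON lines, and ModSecurity-style [id "..."]/[msg "..."] messages.
SAMPLE_LOG = r"""
{"dateTime": "2024-05-01T10:00:00Z", "clientIp": "203.0.113.10", "requestMethod": "GET", "responseHttpCode": 403, "requestHost": "app.example.com", "requestUri": "/search?q=1%27%20OR%201%3D1", "uniqueId": "req-0001", "messages": ["Warning. detected SQLi using libinjection. [id \"942100\"] [msg \"SQL Injection Attack Detected via libinjection\"]", "Access denied with code 403. [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"]"]}
{"dateTime": "2024-05-01T10:00:05Z", "clientIp": "203.0.113.10", "requestMethod": "GET", "responseHttpCode": 403, "requestHost": "app.example.com", "requestUri": "/login", "uniqueId": "req-0002", "messages": ["Warning. Matched Data found within REQUEST_HEADERS:User-Agent. [id \"913100\"] [msg \"Found User-Agent associated with security scanner\"]", "Access denied with code 403. [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"]"]}
{"dateTime": "2024-05-01T10:01:00Z", "clientIp": "198.51.100.7", "requestMethod": "POST", "responseHttpCode": 403, "requestHost": "app.example.com", "requestUri": "/api/notes", "uniqueId": "req-0003", "messages": ["Warning. detected XSS using libinjection. [id \"941100\"] [msg \"XSS Attack Detected via libinjection\"]", "Access denied with code 403. [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"]"]}
{"dateTime": "2024-05-01T10:02:00Z", "clientIp": "198.51.100.7", "requestMethod": "GET", "responseHttpCode": 200, "requestHost": "203.0.113.50", "requestUri": "/", "uniqueId": "req-0004", "messages": ["Warning. Pattern match. [id \"920350\"] [msg \"Host header is a numeric IP address\"]"]}
"""

ID_RE = re.compile(r'\[id "(\d+)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')

def parse_events(text):
    """Read the downloaded file as JSON lines, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def rule_set_id(rule_id):
    """CRS rule ids start with the 3-digit number of the rule file that defines them
    (942100 -> 942, the SQLI file in the rule set table)."""
    return rule_id // 1000

def triggered_rules(event):
    """Return (rule_id, msg) pairs extracted from the event's messages field."""
    found = []
    for text in event.get("messages", []):
        msg = MSG_RE.search(text)
        for rid in ID_RE.findall(text):
            found.append((int(rid), msg.group(1) if msg else ""))
    return found

def summarize(events):
    """Count blocked requests (403) per detection rule, per client and per rule+path.
    The 949 blocking-evaluation rule fires on every block, so it is excluded from the
    per-rule counts; a rule that keeps hitting one path is the first false-positive candidate."""
    blocked = [e for e in events if int(e.get("responseHttpCode", 0)) == 403]
    by_rule, by_client, by_rule_path = Counter(), Counter(), Counter()
    for e in blocked:
        by_client[e["clientIp"]] += 1
        path = e["requestUri"].split("?", 1)[0]   # drop the query string when grouping
        for rid, _ in triggered_rules(e):
            if rule_set_id(rid) == 949:
                continue
            by_rule[rid] += 1
            by_rule_path[(rid, path)] += 1
    return {"blocked": len(blocked), "by_rule": by_rule, "by_client": by_client, "by_rule_path": by_rule_path}
```

Running summarize(parse_events(open("waf.log").read())) on a real download gives the same counters; events that were only warned on (non-403) are ignored so the totals match the blocking events shown in the Logs tab.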
Retention Period
Logs are retained for a period of 20 days. After this period, older logs are automatically deleted from the system. Make sure to download any important logs that you might need for future reference before they expire.