The WAF protects against the following web vulnerabilities:

- Other common attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion
- HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers
- Common application misconfigurations (for example, Apache and IIS)

CRS is enabled by default in Detection mode in your WAF policies. You can disable or enable individual rules within the Core Rule Set to meet your application requirements. You can also set specific actions per rule. The CRS supports the block, log, and anomaly score actions; the Bot Manager ruleset supports the allow, block, and log actions.

Sometimes you might need to omit certain request attributes from a WAF evaluation. A common example is Active Directory-inserted tokens that are used for authentication. You can configure exclusions to apply when specific WAF rules are evaluated, or to apply globally to the evaluation of all WAF rules. Exclusion rules apply to your whole web application. For more information, see Web Application Firewall (WAF) with Application Gateway exclusion lists.

By default, CRS version 3.2 and above uses anomaly scoring when a request matches a rule; CRS 3.1 and below blocks matching requests by default. Additionally, custom rules can be configured in the same WAF policy if you wish to bypass any of the pre-configured rules in the Core Rule Set. Custom rules are always applied before rules in the Core Rule Set are evaluated. If a request matches a custom rule, the corresponding rule action is applied: the request is either blocked or passed through to the back-end, and no other custom rules or rules in the Core Rule Set are processed.

When you use CRS, your WAF is configured to use anomaly scoring by default. Traffic that matches any rule isn't immediately blocked, even when your WAF is in Prevention mode. Instead, the OWASP rule sets define a severity for each rule: Critical, Error, Warning, or Notice. The severity affects a numeric value for the request, which is called the anomaly score:

(Table: rule severity and the value it adds to the anomaly score.)

If the anomaly score is 5 or greater and the WAF is in Prevention mode, the request is blocked. If the anomaly score is 5 or greater and the WAF is in Detection mode, the request is logged but not blocked. For example, a single Critical rule match is enough for the WAF to block a request in Prevention mode, because the overall anomaly score is 5. However, one Warning rule match only increases the anomaly score by 3, which isn't enough by itself to block the traffic. When an anomaly rule is triggered, it shows a "Matched" action in the logs. If the anomaly score is 5 or greater, a separate rule is triggered with either a "Blocked" or "Detected" action, depending on whether the WAF policy is in Prevention or Detection mode. For more information, see Anomaly Scoring mode.

OWASP CRS 3.2

CRS 3.2 includes 14 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled. CRS 3.2 is only available on the WAF_v2 SKU. The ruleset is based on OWASP CRS 3.2.0. Because CRS 3.2 runs on the new Azure WAF engine, you can't downgrade to CRS 3.1 or earlier. If you need to downgrade, contact Azure Support.

(Table of rule groups; the surviving descriptions are "Protect against protocol and encoding issues" and "Protect against port and environment scanners".)
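The following is an added model of the evaluation order and anomaly-scoring decision described above (custom rules first, then per-match "Matched" entries, then a separate "Blocked"/"Detected" entry once the score reaches 5); it is illustrative code, not Azure's engine or any Microsoft sample. The page gives only Critical = 5 and Warning = 3; Error = 4 and Notice = 2 are the standard OWASP CRS defaults and are assumed here, and all rule names and matches are constructed.

```python
from dataclasses import dataclass

# Critical = 5 and Warning = 3 come from the text above; Error = 4 and
# Notice = 2 are the standard OWASP CRS defaults (assumed, not on the page).
SEVERITY_SCORE = {"Critical": 5, "Error": 4, "Warning": 3, "Notice": 2}
ANOMALY_THRESHOLD = 5  # score at which the request is blocked or detected


@dataclass
class RuleMatch:
    rule_id: str    # constructed identifier for a CRS rule that matched
    severity: str   # one of the SEVERITY_SCORE keys


@dataclass
class CustomRule:
    name: str
    matches: bool   # result of the custom rule's match conditions
    action: str     # "Block" or "Allow" (pass through to the back-end)


def evaluate(mode, custom_rules, crs_matches):
    """Return (final_action, log_entries) for one request.

    mode is "Prevention" or "Detection". Custom rules are applied first;
    the first one that matches decides the request and nothing else is
    processed. Otherwise every CRS match is logged as "Matched" and adds
    its severity score; at 5 or more a separate entry records "Blocked"
    (Prevention) or "Detected" (Detection). Below 5 the request passes.
    """
    log = []
    for rule in custom_rules:
        if rule.matches:
            log.append((rule.name, rule.action))
            return rule.action, log
    score = 0
    for match in crs_matches:
        score += SEVERITY_SCORE[match.severity]
        log.append((match.rule_id, "Matched"))
    if score >= ANOMALY_THRESHOLD:
        action = "Blocked" if mode == "Prevention" else "Detected"
        log.append(("anomaly-score", action))
        return action, log
    return "Passed", log


if __name__ == "__main__":
    # One Warning match alone (3) passes; Warning + Notice (5) is blocked.
    print(evaluate("Prevention", [], [RuleMatch("w1", "Warning")]))
    print(evaluate("Prevention", [], [RuleMatch("w1", "Warning"), RuleMatch("n1", "Notice")]))
```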