IPDS | WAF

POSTED ON 13 March, 2020

The Web Application Firewall (WAF) is the tool that detects and blocks malicious HTTP traffic crossing the HTTP(S) farms. WAF works by searching for and analyzing patterns in order to apply advanced security policies. Those rules are grouped in rulesets, which have to be applied to HTTP farms. The WAF rules are checked after the SSL packets have been decrypted, so patterns can also be applied to the HTTP body of SSL traffic.

The Zevenet IPDS package includes the OWASP ModSecurity rules, but you can create your own ruleset to protect your system against any kind of attack. If you want to read more about the OWASP rules, please refer to the OWASP ModSecurity Project.

Those rulesets are ordered by precedence; if you decide to use them, please apply them in the following order:

REQUEST-90-CONFIGURATION
REQUEST-901-INITIALIZATION
Apply any other OWASP ruleset based on what you want to protect
REQUEST-949-BLOCKING-EVALUATION
RESPONSE-959-BLOCKING-EVALUATION
RESPONSE-980-CORRELATION (for logging purposes; enable this only for troubleshooting)

This OWASP ruleset uses a scoring system called paranoia levels, set to level 1 by default. If you want to read more about those levels, please refer to the following FAQ:

OWASP Modsecurity ruleset FAQ

In case you want to increase this paranoia level, please do the following:

Go to the ruleset REQUEST-901-INITIALIZATION, Tab Rules, edit rule number 901120 in raw mode and change:

setvar:'tx.paranoia_level=1'

to the desired paranoia level.
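The two procedures above, the recommended order of the OWASP rulesets on a farm and the paranoia level held in rule 901120, are both easy to get wrong by hand. The following helper is an added example written for this page; it is not part of Zevenet or of the OWASP Core Rule Set. The ruleset names and the order come from the list above; the function names, the constructed sample of rule 901120 (modeled on the setvar fragment shown above) and the SQLi ruleset name used in the usage call are this example's own assumptions. The helper also goes slightly beyond the page by rejecting paranoia levels outside the 1 to 4 range that the CRS defines.

```python
"""Sanity checks for a WAF farm configuration (example code, not Zevenet's or CRS's).

check_ruleset_order() verifies that the rulesets applied to a farm follow the order
recommended above; get_paranoia_level() / set_paranoia_level() read and rewrite the
tx.paranoia_level assignment in the raw text of rule 901120.
"""
import re

# Fixed positions from the page: these two first, in this order ...
FIRST = ["REQUEST-90-CONFIGURATION", "REQUEST-901-INITIALIZATION"]
# ... any other OWASP ruleset in between, then these two, in this order ...
LAST = ["REQUEST-949-BLOCKING-EVALUATION", "RESPONSE-959-BLOCKING-EVALUATION"]
# ... and the correlation ruleset last, only while troubleshooting.
LOGGING_ONLY = "RESPONSE-980-CORRELATION"


def check_ruleset_order(applied):
    """Return a list of problems with the ordered ruleset names applied to a farm.

    An empty list means the order matches the recommendation on this page.
    """
    problems = [f"missing ruleset {n}" for n in FIRST + LAST if n not in applied]
    if problems:
        return problems  # positions are meaningless while a mandatory set is absent
    idx = {name: i for i, name in enumerate(applied)}
    fixed = set(FIRST + LAST + [LOGGING_ONLY])
    if idx[FIRST[0]] > idx[FIRST[1]]:
        problems.append(f"{FIRST[0]} must be applied before {FIRST[1]}")
    if idx[LAST[0]] > idx[LAST[1]]:
        problems.append(f"{LAST[0]} must be applied before {LAST[1]}")
    for name in applied:
        if name in fixed:
            continue
        # Every other OWASP ruleset must sit after initialization and before blocking.
        if idx[name] < idx[FIRST[1]]:
            problems.append(f"{name} is applied before {FIRST[1]}")
        if idx[name] > idx[LAST[0]]:
            problems.append(f"{name} is applied after {LAST[0]}")
    if LOGGING_ONLY in idx:
        if idx[LOGGING_ONLY] != len(applied) - 1:
            problems.append(f"{LOGGING_ONLY} must be the last ruleset")
        problems.append(f"{LOGGING_ONLY} is enabled: intended for troubleshooting only")
    return problems


# Matches the assignment shown on this page inside rule 901120.
PARANOIA_RE = re.compile(r"setvar:'tx\.paranoia_level=(\d)'")


def get_paranoia_level(rule_text):
    """Return the paranoia level assigned in the raw rule text, or None if absent."""
    match = PARANOIA_RE.search(rule_text)
    return int(match.group(1)) if match else None


def set_paranoia_level(rule_text, level):
    """Return the raw rule text with the paranoia level replaced (CRS defines 1 to 4)."""
    if level not in range(1, 5):
        raise ValueError("paranoia level must be between 1 and 4")
    new_text, count = PARANOIA_RE.subn(f"setvar:'tx.paranoia_level={level}'", rule_text)
    if count != 1:
        raise ValueError("expected exactly one tx.paranoia_level assignment in the rule")
    return new_text


# Constructed sample in the shape of rule 901120; not copied from the CRS.
SAMPLE_RULE_901120 = """SecRule &TX:paranoia_level "@eq 0" \\
    "id:901120,\\
    phase:1,\\
    pass,\\
    nolog,\\
    setvar:'tx.paranoia_level=1'"
"""

if __name__ == "__main__":
    farm_rulesets = [
        "REQUEST-90-CONFIGURATION",
        "REQUEST-901-INITIALIZATION",
        "REQUEST-942-APPLICATION-ATTACK-SQLI",  # one of the "any other" OWASP rulesets
        "REQUEST-949-BLOCKING-EVALUATION",
        "RESPONSE-959-BLOCKING-EVALUATION",
    ]
    print("order problems:", check_ruleset_order(farm_rulesets) or "none")
    print("current paranoia level:", get_paranoia_level(SAMPLE_RULE_901120))
    print(set_paranoia_level(SAMPLE_RULE_901120, 2))
```

Run the check against the ruleset order shown in the farm's edit form before enabling it; an empty problem list confirms the order above, and any entry names the ruleset that is out of place. The paranoia helpers refuse to rewrite a rule that does not contain exactly one tx.paranoia_level assignment, so a mistaken edit of a different rule fails loudly instead of silently doing nothing.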

The WAF rulesets view shows an overview of the available rulesets:

(Screenshot: IPDS WAF rulesets view)

NAME. Ruleset name identification: a descriptive name for the kind of rules that the set contains. Click on it to open the editing form.
FARMS. The farms to which the ruleset is applied. This field may be expanded using the small icon (little arrows) at the right side of the FARMS column header. By default it is limited to 20 characters, so if the list of farms is longer some of them may be hidden; use that small icon to expand the view.
STATUS. The ruleset status is represented by the following status color codes:

  • Green: Means ENABLED. The ruleset is active and is being checked for the farms that use it.
  • Red: Means DISABLED. The ruleset is not enabled, so it has no effect on the farm.

ACTIONS. Allowed actions on a WAF ruleset:

  • Edit. Modify the ruleset settings or assign a farm service if needed.
  • Delete. Remove a ruleset.
  • Enable. To enable the WAF set for all farms where it is applied.
  • Disable. To deactivate the WAF set for all farms where it is applied.
Documentation under the terms of the GNU Free Documentation License.
