Tuning Google Cloud Armor WAF rules

Preconfigured rules

Google Cloud Armor preconfigured rules are complex web application firewall (WAF) rules with dozens of signatures that are compiled from open source industry standards. Google offers these rules as-is. The rules allow Google Cloud Armor to evaluate dozens of distinct traffic signatures by referring to conveniently named rules, rather than requiring you to define each signature manually.

The following table contains a comprehensive list of preconfigured WAF rules that are available for use in a Google Cloud Armor security policy. The rule source is ModSecurity Core Rule Set 3.0.2 (CRS).

Google Cloud Armor rule name ModSecurity rule name Current status
sqli-stable SQL injection In sync with sqli-canary
sqli-canary SQL injection Latest
xss-stable Cross-site scripting In sync with xss-canary
xss-canary Cross-site scripting Latest
lfi-stable Local file inclusion In sync with lfi-canary
lfi-canary Local file inclusion Latest
rfi-stable Remote file inclusion In sync with rfi-canary
rfi-canary Remote file inclusion Latest
rce-stable Remote code execution In sync with rce-canary
rce-canary Remote code execution Latest

Each preconfigured rule consists of multiple signatures. Incoming requests are evaluated against the preconfigured rules. A request matches a preconfigured rule if the request matches any of the signatures that are associated with the preconfigured rule. A match is made when the evaluatePreconfiguredExpr() command returns the value true.

If you decide that a preconfigured rule matches more traffic than is necessary, or if the rule is blocking traffic that needs to be allowed, the rule can be tuned to disable noisy or otherwise unnecessary signatures. To disable signatures in a particular preconfigured rule, you provide a list of IDs of the unwanted signatures to the evaluatePreconfiguredExpr() command.

The following example excludes two CRS rule IDs from the preconfigured xss-stable WAF rule:

evaluatePreconfiguredExpr('xss-stable', ['owasp-crs-v020901-id981136-xss', 'owasp-crs-v020901-id981138-xss'])

The preceding example is an expression in the custom rules language. The general syntax is:

evaluatePreconfiguredExpr(RULE, ['SIGNATURE1', 'SIGNATURE2', 'SIGNATURE3'])

Preconfigured ModSecurity rules

SQL injection (SQLi)

Signature ID (CRS Rule ID) Sensitivity level Description
owasp-crs-v030001-id942140-sqli 1 SQL injection attack: Common DB Names Detected
owasp-crs-v030001-id942160-sqli 1 Detects blind SQLi tests using sleep() or benchmark()
owasp-crs-v030001-id942170-sqli 1 Detects SQL benchmark and sleep injection attempts including conditional queries
owasp-crs-v030001-id942190-sqli 1 Detects MSSQL code execution and information gathering attempts
owasp-crs-v030001-id942220-sqli 1 Looks for integer overflow attacks
owasp-crs-v030001-id942230-sqli 1 Detects conditional SQL injection attempts
owasp-crs-v030001-id942240-sqli 1 Detects MySQL charset switch and MSSQL DoS attempts
owasp-crs-v030001-id942250-sqli 1 Detects MATCH AGAINST
owasp-crs-v030001-id942270-sqli 1 Looks for basic SQL injection; common attack string for MySql
owasp-crs-v030001-id942280-sqli 1 Detects Postgres pg_sleep injection
owasp-crs-v030001-id942290-sqli 1 Finds basic MongoDB SQL injection attempts
owasp-crs-v030001-id942320-sqli 1 Detects MySQL and PostgreSQL stored procedure/function injections
owasp-crs-v030001-id942350-sqli 1 Detects MySQL UDF injection and other data/structure manipulation attempts
owasp-crs-v030001-id942360-sqli 1 Detects concatenated basic SQL injection and SQLLFI attempts
owasp-crs-v030001-id942110-sqli 2 SQL injection attack: Common Injection Testing Detected
owasp-crs-v030001-id942120-sqli 2 SQL injection attack: SQL Operator Detected
owasp-crs-v030001-id942150-sqli 2 SQL injection attack
owasp-crs-v030001-id942180-sqli 2 Detects basic SQL authentication bypass attempts 1/3
owasp-crs-v030001-id942200-sqli 2 Detects MySQL comment-/space-obfuscated injections and backtick termination
owasp-crs-v030001-id942210-sqli 2 Detects chained SQL injection attempts 1/2
owasp-crs-v030001-id942260-sqli 2 Detects basic SQL authentication bypass attempts 2/3
owasp-crs-v030001-id942300-sqli 2 Detects MySQL comments
owasp-crs-v030001-id942310-sqli 2 Detects chained SQL injection attempts 2/2
owasp-crs-v030001-id942330-sqli 2 Detects classic SQL injection probings 1/2
owasp-crs-v030001-id942340-sqli 2 Detects basic SQL authentication bypass attempts 3/3
owasp-crs-v030001-id942380-sqli 2 SQL injection attack
owasp-crs-v030001-id942390-sqli 2 SQL injection attack
owasp-crs-v030001-id942400-sqli 2 SQL injection attack
owasp-crs-v030001-id942410-sqli 2 SQL injection attack
owasp-crs-v030001-id942430-sqli 2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
owasp-crs-v030001-id942440-sqli 2 SQL Comment Sequence Detected
owasp-crs-v030001-id942450-sqli 2 SQL Hex Encoding Identified
owasp-crs-v030001-id942251-sqli 3 Detects HAVING injections
owasp-crs-v030001-id942420-sqli 3 Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)
owasp-crs-v030001-id942431-sqli 3 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
owasp-crs-v030001-id942460-sqli 3 Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
owasp-crs-v030001-id942421-sqli 4 Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)
owasp-crs-v030001-id942432-sqli 4 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)


To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity levels.

SQLi sensitivity level 1

evaluatePreconfiguredExpr('sqli-stable', ['owasp-crs-v030001-id942110-sqli',
  'owasp-crs-v030001-id942120-sqli',
  'owasp-crs-v030001-id942150-sqli',
  'owasp-crs-v030001-id942180-sqli',
  'owasp-crs-v030001-id942200-sqli',
  'owasp-crs-v030001-id942210-sqli',
  'owasp-crs-v030001-id942260-sqli',
  'owasp-crs-v030001-id942300-sqli',
  'owasp-crs-v030001-id942310-sqli',
  'owasp-crs-v030001-id942330-sqli',
  'owasp-crs-v030001-id942340-sqli',
  'owasp-crs-v030001-id942380-sqli',
  'owasp-crs-v030001-id942390-sqli',
  'owasp-crs-v030001-id942400-sqli',
  'owasp-crs-v030001-id942410-sqli',
  'owasp-crs-v030001-id942430-sqli',
  'owasp-crs-v030001-id942440-sqli',
  'owasp-crs-v030001-id942450-sqli',
  'owasp-crs-v030001-id942251-sqli',
  'owasp-crs-v030001-id942420-sqli',
  'owasp-crs-v030001-id942431-sqli',
  'owasp-crs-v030001-id942460-sqli',
  'owasp-crs-v030001-id942421-sqli',
  'owasp-crs-v030001-id942432-sqli'])

SQLi sensitivity level 2

evaluatePreconfiguredExpr('sqli-stable', ['owasp-crs-v030001-id942251-sqli',
  'owasp-crs-v030001-id942420-sqli',
  'owasp-crs-v030001-id942431-sqli',
  'owasp-crs-v030001-id942460-sqli',
  'owasp-crs-v030001-id942421-sqli',
  'owasp-crs-v030001-id942432-sqli'])

SQLi sensitivity level 3

evaluatePreconfiguredExpr('sqli-stable', ['owasp-crs-v030001-id942421-sqli',
  'owasp-crs-v030001-id942432-sqli'])

SQLi sensitivity level 4

evaluatePreconfiguredExpr('sqli-stable')
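The script below is an added example, not code from the Cloud Armor documentation. It parses a constructed copy of the SQLi table above (one "signature ID, level, description" row per line), derives the exclusion list for a requested sensitivity level by the rule stated above (disable every signature whose level is greater than the target), and renders the evaluatePreconfiguredExpr(RULE, [SIGNATURES]) syntax introduced at the top of the page. The same functions work unchanged on the XSS, LFI, RCE and RFI tables that follow. The gcloud invocation it prints is an assumed deployment step; POLICY_NAME and the priority 1000 are placeholders.

```python
"""Build tuned evaluatePreconfiguredExpr() expressions from a signature table.
Added example, not code from the Cloud Armor documentation."""
import shlex
from typing import Dict, List

# Constructed copy of the page's SQLi signature table (same IDs and levels).
SQLI_SIGNATURES = """\
owasp-crs-v030001-id942140-sqli 1 SQL injection attack: Common DB Names Detected
owasp-crs-v030001-id942160-sqli 1 Detects blind SQLi tests using sleep() or benchmark()
owasp-crs-v030001-id942170-sqli 1 Detects SQL benchmark and sleep injection attempts including conditional queries
owasp-crs-v030001-id942190-sqli 1 Detects MSSQL code execution and information gathering attempts
owasp-crs-v030001-id942220-sqli 1 Looks for integer overflow attacks
owasp-crs-v030001-id942230-sqli 1 Detects conditional SQL injection attempts
owasp-crs-v030001-id942240-sqli 1 Detects MySQL charset switch and MSSQL DoS attempts
owasp-crs-v030001-id942250-sqli 1 Detects MATCH AGAINST
owasp-crs-v030001-id942270-sqli 1 Looks for basic SQL injection; common attack string for MySql
owasp-crs-v030001-id942280-sqli 1 Detects Postgres pg_sleep injection
owasp-crs-v030001-id942290-sqli 1 Finds basic MongoDB SQL injection attempts
owasp-crs-v030001-id942320-sqli 1 Detects MySQL and PostgreSQL stored procedure/function injections
owasp-crs-v030001-id942350-sqli 1 Detects MySQL UDF injection and other data/structure manipulation attempts
owasp-crs-v030001-id942360-sqli 1 Detects concatenated basic SQL injection and SQLLFI attempts
owasp-crs-v030001-id942110-sqli 2 SQL injection attack: Common Injection Testing Detected
owasp-crs-v030001-id942120-sqli 2 SQL injection attack: SQL Operator Detected
owasp-crs-v030001-id942150-sqli 2 SQL injection attack
owasp-crs-v030001-id942180-sqli 2 Detects basic SQL authentication bypass attempts 1/3
owasp-crs-v030001-id942200-sqli 2 Detects MySQL comment-/space-obfuscated injections and backtick termination
owasp-crs-v030001-id942210-sqli 2 Detects chained SQL injection attempts 1/2
owasp-crs-v030001-id942260-sqli 2 Detects basic SQL authentication bypass attempts 2/3
owasp-crs-v030001-id942300-sqli 2 Detects MySQL comments
owasp-crs-v030001-id942310-sqli 2 Detects chained SQL injection attempts 2/2
owasp-crs-v030001-id942330-sqli 2 Detects classic SQL injection probings 1/2
owasp-crs-v030001-id942340-sqli 2 Detects basic SQL authentication bypass attempts 3/3
owasp-crs-v030001-id942380-sqli 2 SQL injection attack
owasp-crs-v030001-id942390-sqli 2 SQL injection attack
owasp-crs-v030001-id942400-sqli 2 SQL injection attack
owasp-crs-v030001-id942410-sqli 2 SQL injection attack
owasp-crs-v030001-id942430-sqli 2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
owasp-crs-v030001-id942440-sqli 2 SQL Comment Sequence Detected
owasp-crs-v030001-id942450-sqli 2 SQL Hex Encoding Identified
owasp-crs-v030001-id942251-sqli 3 Detects HAVING injections
owasp-crs-v030001-id942420-sqli 3 Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)
owasp-crs-v030001-id942431-sqli 3 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
owasp-crs-v030001-id942460-sqli 3 Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
owasp-crs-v030001-id942421-sqli 4 Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)
owasp-crs-v030001-id942432-sqli 4 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)
"""

def parse_signature_table(text: str) -> Dict[str, int]:
    """Map signature ID -> sensitivity level, preserving the table's row order."""
    levels: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sig_id, level, _description = line.split(maxsplit=2)
        levels[sig_id] = int(level)
    return levels

def exclusions_for_level(levels: Dict[str, int], sensitivity: int) -> List[str]:
    """IDs that must be disabled to run the rule at `sensitivity` (those above it)."""
    if not 1 <= sensitivity <= 4:
        raise ValueError("sensitivity level must be between 1 and 4")
    return [sig for sig, lvl in levels.items() if lvl > sensitivity]

def build_expression(rule: str, excluded: List[str]) -> str:
    """Render evaluatePreconfiguredExpr(RULE) or evaluatePreconfiguredExpr(RULE, [...])."""
    if not excluded:
        return f"evaluatePreconfiguredExpr('{rule}')"
    ids = ", ".join(f"'{sig}'" for sig in excluded)
    return f"evaluatePreconfiguredExpr('{rule}', [{ids}])"

def tuned_expression(rule: str, table_text: str, sensitivity: int) -> str:
    """Table text plus target level -> ready-to-use expression string."""
    levels = parse_signature_table(table_text)
    return build_expression(rule, exclusions_for_level(levels, sensitivity))

def gcloud_preview_rule(policy: str, priority: int, expression: str) -> List[str]:
    """argv that adds the expression as a preview rule (matches are logged, not
    enforced) so a tuned exclusion list can be checked before it takes effect.
    Assumed gcloud flags; policy name and priority are caller-supplied."""
    return [
        "gcloud", "compute", "security-policies", "rules", "create", str(priority),
        f"--security-policy={policy}", f"--expression={expression}",
        "--action=deny-403", "--preview",
    ]

if __name__ == "__main__":
    for level in (1, 2, 3, 4):
        print(f"# sqli-stable at sensitivity level {level}")
        print(tuned_expression("sqli-stable", SQLI_SIGNATURES, level))
    expr = tuned_expression("sqli-stable", SQLI_SIGNATURES, 2)
    print(shlex.join(gcloud_preview_rule("POLICY_NAME", 1000, expr)))  # placeholders
```

Running the script reproduces the four sqli-stable expressions listed above (level 4 yields the bare evaluatePreconfiguredExpr('sqli-stable') because nothing sits above level 4) and prints a preview-mode gcloud command; keeping the rule in preview until the logged matches look right is the low-risk way to roll out a changed exclusion list, after which the rule is switched to enforcing.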

Cross-site scripting (XSS)

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id941110-xss 1 XSS Filter - Category 1: Script Tag Vector
owasp-crs-v030001-id941120-xss 1 XSS Filter - Category 2: Event Handler Vector
owasp-crs-v030001-id941130-xss 1 XSS Filter - Category 3: Attribute Vector
owasp-crs-v030001-id941140-xss 1 XSS Filter - Category 4: JavaScript URI Vector
owasp-crs-v030001-id941160-xss 1 NoScript XSS InjectionChecker: HTML Injection
owasp-crs-v030001-id941170-xss 1 NoScript XSS InjectionChecker: Attribute Injection
owasp-crs-v030001-id941180-xss 1 Node-Validator Blacklist Keywords
owasp-crs-v030001-id941190-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941200-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941210-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941220-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941230-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941240-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941250-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941260-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941270-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941280-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941290-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941300-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941310-xss 1 US-ASCII Malformed Encoding XSS Filter - Attack Detected
owasp-crs-v030001-id941350-xss 1 UTF-7 Encoding IE XSS - Attack Detected
owasp-crs-v030001-id941150-xss 2 XSS Filter - Category 5: Disallowed HTML Attributes
owasp-crs-v030001-id941320-xss 2 Possible XSS Attack Detected - HTML Tag Handler
owasp-crs-v030001-id941330-xss 2 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941340-xss 2 IE XSS Filters - Attack Detected


To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity levels.

XSS sensitivity level 1

evaluatePreconfiguredExpr('xss-stable', ['owasp-crs-v030001-id941150-xss',
  'owasp-crs-v030001-id941320-xss',
  'owasp-crs-v030001-id941330-xss',
  'owasp-crs-v030001-id941340-xss'])

All signatures for XSS are at sensitivity level 2 or lower. The following configuration works for the remaining sensitivity levels:

XSS sensitivity levels 2/3/4

evaluatePreconfiguredExpr('xss-stable')

Local file inclusion (LFI)

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id930100-lfi 1 Path Traversal Attack (/../)
owasp-crs-v030001-id930110-lfi 1 Path Traversal Attack (/../)
owasp-crs-v030001-id930120-lfi 1 OS File Access Attempt
owasp-crs-v030001-id930130-lfi 1 Restricted File Access Attempt


All signatures for LFI are at sensitivity level 1. The following configuration works for all sensitivity levels:

LFI sensitivity levels 1/2/3/4

evaluatePreconfiguredExpr('lfi-canary')

Remote code execution (RCE)

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id932100-rce 1 UNIX Command Injection
owasp-crs-v030001-id932105-rce 1 UNIX Command Injection
owasp-crs-v030001-id932110-rce 1 Windows Command Injection
owasp-crs-v030001-id932115-rce 1 Windows Command Injection
owasp-crs-v030001-id932120-rce 1 Windows PowerShell Command Found
owasp-crs-v030001-id932130-rce 1 Unix Shell Expression Found
owasp-crs-v030001-id932140-rce 1 Windows FOR/IF Command Found
owasp-crs-v030001-id932150-rce 1 Direct UNIX Command Execution
owasp-crs-v030001-id932160-rce 1 UNIX Shell Code Found
owasp-crs-v030001-id932170-rce 1 Shellshock (CVE-2014-6271)
owasp-crs-v030001-id932171-rce 1 Shellshock (CVE-2014-6271)


All signatures for RCE are at sensitivity level 1. The following configuration works for all sensitivity levels:

RCE sensitivity levels 1/2/3/4

evaluatePreconfiguredExpr('rce-canary')

Remote file inclusion (RFI)

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id931100-rfi 1 URL Parameter using IP Address
owasp-crs-v030001-id931110-rfi 1 Common RFI Vulnerable Parameter Name used w/URL Payload
owasp-crs-v030001-id931120-rfi 1 URL Payload Used w/Trailing Question Mark Character (?)
owasp-crs-v030001-id931130-rfi 2 Off-Domain Reference/Link


To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity levels.

RFI sensitivity level 1

evaluatePreconfiguredExpr('rfi-canary', ['owasp-crs-v030001-id931130-rfi'])

All signatures for RFI are at sensitivity level 2 or lower. The following configuration works for the remaining sensitivity levels:

RFI sensitivity levels 2/3/4

evaluatePreconfiguredExpr('rfi-canary')

What's next