Google Cloud Armor preconfigured rules are complex web application firewall (WAF)
rules with dozens of signatures that are compiled from open source industry
standards. Google offers these rules as-is. The rules allow
Google Cloud Armor to evaluate dozens of distinct traffic signatures by
referring to conveniently-named rules, rather than requiring you to define
each signature manually.
The following table contains a comprehensive list of preconfigured WAF rules
that are available for use in a Google Cloud Armor security policy. The
rule source is
ModSecurity Core Rule Set 3.0.2 (CRS).
| Google Cloud Armor rule name |
ModSecurity rule name |
Current status |
sqli-stable |
SQL injection |
In sync with sqli-canary |
sqli-canary |
SQL injection |
Latest |
xss-stable |
Cross-site scripting |
In sync with xss-canary |
xss-canary |
Cross-site scripting |
Latest |
lfi-stable |
Local file inclusion |
In sync with lfi-canary |
lfi-canary |
Local file inclusion |
Latest |
rfi-stable |
Remote file inclusion |
In sync with rfi-canary |
rfi-canary |
Remote file inclusion |
Latest |
rce-stable |
Remote code execution |
In sync with rce-canary |
rce-canary |
Remote code execution |
Latest |
methodenforcement-stable |
Method enforcement (public preview) |
In sync with methodenforcement-canary |
methodenforcement-canary |
Method enforcement (public preview) |
Latest |
scannerdetection-stable |
Scanner detection |
In sync with scannerdetection-canary |
scannerdetection-canary |
Scanner detection |
Latest |
protocolattack-stable |
Protocol attack |
In sync with protocolattack-canary |
protocolattack-canary |
Protocol attack |
Latest |
php-stable |
PHP injection attack |
In sync with php-canary |
php-canary |
PHP injection attack |
Latest |
sessionfixation-stable |
Session fixation attack |
In sync with sessionfixation-canary |
sessionfixation-canary |
Session fixation attack |
Latest |
In addition, the following cve-canary rule is available to all
Google Cloud Armor customers to help detect and optionally block exploit
attempts of the CVE-2021-44228 and CVE-2021-45046 vulnerabilities.
| Google Cloud Armor rule name |
Rule content |
Covered vulnerability types |
cve-canary |
Newly discovered vulnerabilities |
Log4j vulnerability |
Each preconfigured rule consists of multiple signatures. Incoming requests are
evaluated against the preconfigured rules. A request matches a preconfigured
rule if the request matches any of the signatures that are associated with the
preconfigured rule. A match is made when the evaluatePreconfiguredExpr()
command returns the value true.
If you decide that a preconfigured rule matches more traffic than is necessary,
or if the rule is blocking traffic that needs to be allowed, the rule can be
tuned to disable noisy or otherwise unnecessary signatures. To disable signatures
in a particular preconfigured rule, you provide a list of IDs of the unwanted
signatures to the evaluatePreconfiguredExpr() command.
The following example excludes two CRS rule IDs from the preconfigured
xss-stable WAF rule:
evaluatePreconfiguredExpr('xss-stable', ['owasp-crs-v020901-id981136-xss', 'owasp-crs-v020901-id981138-xss'])
The preceding example is an expression in the custom rules language.
The general syntax is:
evaluatePreconfiguredExpr(RULE, ['SIGNATURE1', 'SIGNATURE2', 'SIGNATURE3'])
Each preconfigured rule has a sensitivity level that corresponds to a
ModSecurity
paranoia level.
A lower sensitivity level indicates a higher confidence signature, which is less
likely to generate a false positive. A higher sensitivity level increases
security, but also increases the risk of generating a false positive.
SQL injection (SQLi)
| Signature ID (CRS Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030001-id942140-sqli |
1 |
SQL injection attack: Common DB Names Detected |
owasp-crs-v030001-id942160-sqli |
1 |
Detects blind SQLi tests using sleep() or benchmark() |
owasp-crs-v030001-id942170-sqli |
1 |
Detects SQL benchmark and sleep injection attempts including
conditional queries |
owasp-crs-v030001-id942190-sqli |
1 |
Detects MSSQL code execution and information gathering attempts |
owasp-crs-v030001-id942220-sqli |
1 |
Looks for integer overflow attacks |
owasp-crs-v030001-id942230-sqli |
1 |
Detects conditional SQL injection attempts |
owasp-crs-v030001-id942240-sqli |
1 |
Detects MySQL charset switch and MSSQL DoS attempts |
owasp-crs-v030001-id942250-sqli |
1 |
Detects MATCH AGAINST |
owasp-crs-v030001-id942270-sqli |
1 |
Looks for basic SQL injection; common attack string for MySql |
owasp-crs-v030001-id942280-sqli |
1 |
Detects Postgres pg_sleep injection |
owasp-crs-v030001-id942290-sqli |
1 |
Finds basic MongoDB SQL injection attempts |
owasp-crs-v030001-id942320-sqli |
1 |
Detects MySQL and PostgreSQL stored procedure/function injections |
owasp-crs-v030001-id942350-sqli |
1 |
Detects MySQL UDF injection and other data/structure manipulation
attempts |
owasp-crs-v030001-id942360-sqli |
1 |
Detects concatenated basic SQL injection and SQLLFI attempts |
owasp-crs-v030001-id942110-sqli |
2 |
SQL injection attack: Common Injection Testing Detected |
owasp-crs-v030001-id942120-sqli |
2 |
SQL injection attack: SQL Operator Detected |
owasp-crs-v030001-id942150-sqli |
2 |
SQL injection attack |
owasp-crs-v030001-id942180-sqli |
2 |
Detects basic SQL authentication bypass attempts 1/3 |
owasp-crs-v030001-id942200-sqli |
2 |
Detects MySQL comment-/space-obfuscated injections and backtick
termination |
owasp-crs-v030001-id942210-sqli |
2 |
Detects chained SQL injection attempts 1/2 |
owasp-crs-v030001-id942260-sqli |
2 |
Detects basic SQL authentication bypass attempts 2/3 |
owasp-crs-v030001-id942300-sqli |
2 |
Detects MySQL comments |
owasp-crs-v030001-id942310-sqli |
2 |
Detects chained SQL injection attempts 2/2 |
owasp-crs-v030001-id942330-sqli |
2 |
Detects classic SQL injection probings 1/2 |
owasp-crs-v030001-id942340-sqli |
2 |
Detects basic SQL authentication bypass attempts 3/3 |
owasp-crs-v030001-id942380-sqli |
2 |
SQL injection attack |
owasp-crs-v030001-id942390-sqli |
2 |
SQL injection attack |
owasp-crs-v030001-id942400-sqli |
2 |
SQL injection attack |
owasp-crs-v030001-id942410-sqli |
2 |
SQL injection attack |
owasp-crs-v030001-id942430-sqli |
2 |
Restricted SQL Character Anomaly Detection (args): # of special
characters exceeded (12) |
owasp-crs-v030001-id942440-sqli |
2 |
SQL Comment Sequence Detected |
owasp-crs-v030001-id942450-sqli |
2 |
SQL Hex Encoding Identified |
owasp-crs-v030001-id942251-sqli |
3 |
Detects HAVING injections |
owasp-crs-v030001-id942420-sqli |
3 |
Restricted SQL Character Anomaly Detection (cookies): # of special
characters exceeded (8) |
owasp-crs-v030001-id942431-sqli |
3 |
Restricted SQL Character Anomaly Detection (args): # of special
characters exceeded (6) |
owasp-crs-v030001-id942460-sqli |
3 |
Meta-Character Anomaly Detection Alert - Repetitive Non-Word
Characters |
owasp-crs-v030001-id942421-sqli |
4 |
Restricted SQL Character Anomaly Detection (cookies): # of special
characters exceeded (3) |
owasp-crs-v030001-id942432-sqli |
4 |
Restricted SQL Character Anomaly Detection (args): # of special
characters exceeded (2) |
To configure a rule at a particular sensitivity level, disable the signatures
at greater sensitivity levels.
| SQLi sensitivity level 1 |
evaluatePreconfiguredExpr('sqli-stable', ['owasp-crs-v030001-id942110-sqli',
'owasp-crs-v030001-id942120-sqli',
'owasp-crs-v030001-id942150-sqli',
'owasp-crs-v030001-id942180-sqli',
'owasp-crs-v030001-id942200-sqli',
'owasp-crs-v030001-id942210-sqli',
'owasp-crs-v030001-id942260-sqli',
'owasp-crs-v030001-id942300-sqli',
'owasp-crs-v030001-id942310-sqli',
'owasp-crs-v030001-id942330-sqli',
'owasp-crs-v030001-id942340-sqli',
'owasp-crs-v030001-id942380-sqli',
'owasp-crs-v030001-id942390-sqli',
'owasp-crs-v030001-id942400-sqli',
'owasp-crs-v030001-id942410-sqli',
'owasp-crs-v030001-id942430-sqli',
'owasp-crs-v030001-id942440-sqli',
'owasp-crs-v030001-id942450-sqli',
'owasp-crs-v030001-id942251-sqli',
'owasp-crs-v030001-id942420-sqli',
'owasp-crs-v030001-id942431-sqli',
'owasp-crs-v030001-id942460-sqli',
'owasp-crs-v030001-id942421-sqli',
'owasp-crs-v030001-id942432-sqli']
)
|
| SQLi sensitivity level 2 |
evaluatePreconfiguredExpr('sqli-stable', ['owasp-crs-v030001-id942251-sqli',
'owasp-crs-v030001-id942420-sqli',
'owasp-crs-v030001-id942431-sqli',
'owasp-crs-v030001-id942460-sqli',
'owasp-crs-v030001-id942421-sqli',
'owasp-crs-v030001-id942432-sqli']
)
|
| SQLi sensitivity level 3 |
evaluatePreconfiguredExpr('sqli-stable', ['owasp-crs-v030001-id942421-sqli',
'owasp-crs-v030001-id942432-sqli']
)
|
| SQLi sensitivity level 4 |
evaluatePreconfiguredExpr('sqli-stable')
|
Cross-site scripting (XSS)
| Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030001-id941110-xss |
1 |
XSS Filter - Category 1: Script Tag Vector |
owasp-crs-v030001-id941120-xss |
1 |
XSS Filter - Category 2: Event Handler Vector |
owasp-crs-v030001-id941130-xss |
1 |
XSS Filter - Category 3: Attribute Vector |
owasp-crs-v030001-id941140-xss |
1 |
XSS Filter - Category 4: JavaScript URI Vector |
owasp-crs-v030001-id941160-xss |
1 |
NoScript XSS InjectionChecker: HTML Injection |
owasp-crs-v030001-id941170-xss |
1 |
NoScript XSS InjectionChecker: Attribute Injection |
owasp-crs-v030001-id941180-xss |
1 |
Node-Validator Blacklist Keywords |
owasp-crs-v030001-id941190-xss |
1 |
IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941200-xss |
1 |
IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941210-xss |
1 |
IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941220-xss |
1 |
IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941230-xss |
1 |
IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941240-xss |
1 |
IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941250-xss |
1 |
IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941260-xss |
1 |
IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941270-xss |
1 |
IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941280-xss |
1 |
IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941290-xss |
1 |
IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941300-xss |
1 |
IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941310-xss |
1 |
US-ASCII Malformed Encoding XSS Filter - Attack Detected |
owasp-crs-v030001-id941350-xss |
1 |
UTF-7 Encoding IE XSS - Attack Detected |
owasp-crs-v030001-id941150-xss |
2 |
XSS Filter - Category 5: Disallowed HTML Attributes |
owasp-crs-v030001-id941320-xss |
2 |
Possible XSS Attack Detected - HTML Tag Handler |
owasp-crs-v030001-id941330-xss |
2 |
IE XSS Filters - Attack Detected |
owasp-crs-v030001-id941340-xss |
2 |
IE XSS Filters - Attack Detected |
To configure a rule at a particular sensitivity level, disable the signatures
at greater sensitivity levels.
| XSS sensitivity level 1 |
evaluatePreconfiguredExpr('xss-stable', ['owasp-crs-v030001-id941150-xss',
'owasp-crs-v030001-id941320-xss',
'owasp-crs-v030001-id941330-xss',
'owasp-crs-v030001-id941340-xss'])
|
All signatures for XSS are below sensitivity level 2. The following
configuration works for other sensitivity levels:
| XSS sensitivity levels 2/3/4 |
evaluatePreconfiguredExpr('xss-stable')
|
Local file inclusion (LFI)
| Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030001-id930100-lfi |
1 |
Path Traversal Attack (/../) |
owasp-crs-v030001-id930110-lfi |
1 |
Path Traversal Attack (/../) |
owasp-crs-v030001-id930120-lfi |
1 |
OS File Access Attempt |
owasp-crs-v030001-id930130-lfi |
1 |
Restricted File Access Attempt |
All signatures for LFI are at sensitivity level 1. The following configuration
works for all sensitivity levels:
| LFI sensitivity levels 1/2/3/4 |
evaluatePreconfiguredExpr('lfi-canary')
|
Remote code execution (RCE)
| Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030001-id932100-rce |
1 |
UNIX Command Injection |
owasp-crs-v030001-id932105-rce |
1 |
UNIX Command Injection |
owasp-crs-v030001-id932110-rce |
1 |
Windows Command Injection |
owasp-crs-v030001-id932115-rce |
1 |
Windows Command Injection |
owasp-crs-v030001-id932120-rce |
1 |
Windows PowerShell Command Found |
owasp-crs-v030001-id932130-rce |
1 |
Unix Shell Expression Found |
owasp-crs-v030001-id932140-rce |
1 |
Windows FOR/IF Command Found |
owasp-crs-v030001-id932150-rce |
1 |
Direct UNIX Command Execution |
owasp-crs-v030001-id932160-rce |
1 |
UNIX Shell Code Found |
owasp-crs-v030001-id932170-rce |
1 |
Shellshock (CVE-2014-6271) |
owasp-crs-v030001-id932171-rce |
1 |
Shellshock (CVE-2014-6271) |
All signatures for RCE are at sensitivity level 1. The following configuration
works for all sensitivity levels:
| RCE sensitivity levels 1/2/3/4 |
evaluatePreconfiguredExpr('rce-canary')
|
Remote file inclusion (RFI)
| Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030001-id931100-rfi |
1 |
URL Parameter using IP Address |
owasp-crs-v030001-id931110-rfi |
1 |
Common RFI Vulnerable Parameter Name used w/URL Payload |
owasp-crs-v030001-id931120-rfi |
1 |
URL Payload Used w/Trailing Question Mark Character (?) |
owasp-crs-v030001-id931130-rfi |
2 |
Off-Domain Reference/Link |
To configure a rule at a particular sensitivity level, disable the signatures
at greater sensitivity levels.
| RFI sensitivity level 1 |
evaluatePreconfiguredExpr('rfi-canary', ['owasp-crs-v030001-id931130-rfi'])
|
All signatures for RFI are below sensitivity level 2. The following
configuration works for other sensitivity levels:
| RFI sensitivity levels 2/3/4 |
evaluatePreconfiguredExpr('rfi-canary')
|
Method enforcement
This rule is in public preview.
| Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030001-id911100-methodenforcement |
1 |
Method is not allowed by policy |
All signatures for Method Enforcement are below sensitivity level 2. The following
configuration works for other sensitivity levels:
| Method Enforcement sensitivity levels 2/3/4 |
evaluatePreconfiguredExpr('methodenforcement-canary')
|
Scanner Detection
| Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030001-id913100-scannerdetection |
1 |
Found User-Agent associated with security scanner |
owasp-crs-v030001-id913110-scannerdetection |
1 |
Found request header associated with security scanner |
owasp-crs-v030001-id913120-scannerdetection |
1 |
Found request filename/argument associated with security scanner |
owasp-crs-v030001-id913101-scannerdetection |
2 |
Found User-Agent associated with scripting/generic HTTP client |
owasp-crs-v030001-id913102-scannerdetection |
2 |
Found User-Agent associated with web crawler/bot |
To configure a rule at a particular sensitivity level, disable the signatures
at greater sensitivity levels.
| Scanner Detection sensitivity level 1 |
evaluatePreconfiguredExpr('scannerdetection-stable',
['owasp-crs-v030001-id913101-scannerdetection',
'owasp-crs-v030001-id913102-scannerdetection']
)
|
| Scanner Detection sensitivity level 2 |
evaluatePreconfiguredExpr('scannerdetection-stable')
|
Protocol Attack
| Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030001-id921100-protocolattack |
1 |
HTTP Request Smuggling Attack |
owasp-crs-v030001-id921110-protocolattack |
1 |
HTTP Request Smuggling Attack |
owasp-crs-v030001-id921120-protocolattack |
1 |
HTTP Response Splitting Attack |
owasp-crs-v030001-id921130-protocolattack |
1 |
HTTP Response Splitting Attack |
owasp-crs-v030001-id921140-protocolattack |
1 |
HTTP Header Injection Attack via headers |
owasp-crs-v030001-id921150-protocolattack |
1 |
HTTP Header Injection Attack via payload (CR/LF detected) |
owasp-crs-v030001-id921160-protocolattack |
1 |
HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
owasp-crs-v030001-id921151-protocolattack |
2 |
HTTP Header Injection Attack via payload (CR/LF detected) |
owasp-crs-v030001-id921170-protocolattack |
3 |
HTTP Parameter Pollution |
To configure a rule at a particular sensitivity level, disable the signatures
at greater sensitivity levels.
| Protocol Attack sensitivity level 1 |
evaluatePreconfiguredExpr('protocolattack-stable',
['owasp-crs-v030001-id921151-protocolattack',
'owasp-crs-v030001-id921170-protocolattack']
)
|
| Protocol Attack sensitivity level 2 |
evaluatePreconfiguredExpr('protocolattack-stable',
['owasp-crs-v030001-id921170-protocolattack']
)
|
| Protocol Attack sensitivity level 3 |
evaluatePreconfiguredExpr('protocolattack-stable')
|
PHP
| Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030001-id933100-php |
1 |
PHP Injection Attack: PHP Open Tag Found |
owasp-crs-v030001-id933110-php |
1 |
PHP Injection Attack: PHP Script File Upload Found |
owasp-crs-v030001-id933120-php |
1 |
PHP Injection Attack: Configuration Directive Found |
owasp-crs-v030001-id933130-php |
1 |
PHP Injection Attack: Variables Found |
owasp-crs-v030001-id933140-php |
1 |
PHP Injection Attack: I/O Stream Found |
owasp-crs-v030001-id933150-php |
1 |
PHP Injection Attack: High-Risk PHP Function Name Found |
owasp-crs-v030001-id933160-php |
1 |
PHP Injection Attack: High-Risk PHP Function Call Found |
owasp-crs-v030001-id933170-php |
1 |
PHP Injection Attack: Serialized Object Injection |
owasp-crs-v030001-id933180-php |
1 |
PHP Injection Attack: Variable Function Call Found |
owasp-crs-v030001-id933151-php |
2 |
PHP Injection Attack: Medium-Risk PHP Function Name Found |
owasp-crs-v030001-id933131-php |
3 |
PHP Injection Attack: Variables Found |
owasp-crs-v030001-id933161-php |
3 |
PHP Injection Attack: Low-Value PHP Function Call Found |
owasp-crs-v030001-id933111-php |
3 |
PHP Injection Attack: PHP Script File Upload Found |
To configure a rule at a particular sensitivity level, disable the signatures
at greater sensitivity levels.
| PHP Injection Attack sensitivity level 1 |
evaluatePreconfiguredExpr('php-stable', ['owasp-crs-v030001-id933151-php',
'owasp-crs-v030001-id933131-php',
'owasp-crs-v030001-id933161-php',
'owasp-crs-v030001-id933111-php']
)
|
| PHP Injection Attack sensitivity level 2 |
evaluatePreconfiguredExpr('php-stable', ['owasp-crs-v030001-id933131-php',
'owasp-crs-v030001-id933161-php',
'owasp-crs-v030001-id933111-php']
)
|
| PHP Injection Attack sensitivity level 3 |
evaluatePreconfiguredExpr('php-stable')
|
Session Fixation
| Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030001-id943100-sessionfixation |
1 |
Possible Session Fixation Attack: Setting Cookie Values in HTML |
owasp-crs-v030001-id943110-sessionfixation |
1 |
Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
owasp-crs-v030001-id943120-sessionfixation |
1 |
Possible Session Fixation Attack: SessionID Parameter Name with No Referer |
All signatures for Session Fixation are below sensitivity level 2. The following
configuration works for other sensitivity levels:
| Session Fixation sensitivity levels 2/3/4 |
evaluatePreconfiguredExpr('sessionfixation-canary')
|
CVEs and other vulnerabilities
The following signatures cover the CVE-2021-44228 and CVE-2021-45046 Log4j
RCE Vulnerabilities.
| Signature ID (Rule ID) |
Sensitivity level |
Description |
owasp-crs-v030001-id044228-cve |
1 |
Base rule to help detect exploit attempts of CVE-2021-44228
& CVE-2021-45046 |
owasp-crs-v030001-id144228-cve |
1 |
Google-provided enhancements to cover more bypass and obfuscation attempts |
owasp-crs-v030001-id244228-cve |
3 |
Increased sensitivity of detection to target even more bypass and
obfuscation attempts, with nominal increase in risk of false positive detection |
owasp-crs-v030001-id344228-cve |
3 |
Increased sensitivity of detection to target even more bypass and
obfuscation attempts using base64 encoding, with nominal increase in risk of false positive detection |
To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity levels.
| CVE sensitivity levels 1/2 |
evaluatePreconfiguredExpr('cve-canary', ['owasp-crs-v030001-id244228-cve',
'owasp-crs-v030001-id344228-cve'])
|
| CVE sensitivity levels 3/4 |
evaluatePreconfiguredExpr('cve-canary')
|
What's next
