Tuning Google Cloud Armor WAF rules

Preconfigured rules

Google Cloud Armor preconfigured rules are complex web application firewall (WAF) rules with dozens of signatures that are compiled from open source industry standards. Google offers these rules as-is. The rules enable Google Cloud Armor to evaluate dozens of distinct traffic signatures by referring to conveniently-named rules, rather than requiring you to define each signature manually.

The following table contains a comprehensive list of preconfigured WAF rules that are available for use in a Google Cloud Armor security policy. The rule source is ModSecurity Core Rule Set 3.0.2.

Google Cloud Armor rule name ModSecurity rule name Current Status
sqli-stable SQL injection In sync with sqli-canary
sqli-canary SQL injection Latest
xss-stable Cross-site scripting In sync with xss-canary
xss-canary Cross-site scripting Latest
lfi-stable (Beta) Local file inclusion In sync with lfi-canary
lfi-canary (Beta) Local file inclusion Latest
rfi-stable (Beta) Remote file inclusion In sync with rfi-canary
rfi-canary (Beta) Remote file inclusion Latest
rce-stable (Beta) Remote code execution In sync with rce-canary
rce-canary (Beta) Remote code execution Latest

About rule tuning

Each preconfigured rule consists of multiple signatures. Incoming requests are evaluated against the preconfigured rules. A request matches a preconfigured rule if the request matches any of the signatures that are associated with the preconfigured rule. A match is made when the evaluatePreconfiguredExpr() command returns the value true.

If you decide that a preconfigured rule matches more traffic than is necessary or if the rule is blocking traffic that needs to be allowed, the rule can be tuned to disable noisy or otherwise unnecessary signatures. To disable signatures in a particular preconfigured rule, you provide a list of IDs of the unwanted signatures to the evaluatePreconfiguredExpr() command. For example, here is an example match condition in the rules language with a tuned rule:

evaluatePreconfiguredExpr('xss-stable', ['owasp-crs-v020901-id981136-xss', 'owasp-crs-v020901-id981138-xss'])

Preconfigured ModSecurity rules

SQL injection

Signature ID (CRS Rule ID) Sensitivity Level Description
owasp-crs-v030001-id942140-sqli 1 SQL Injection Attack: Common DB Names Detected
owasp-crs-v030001-id942160-sqli 1 Detects blind sqli tests using sleep() or benchmark().
owasp-crs-v030001-id942170-sqli 1 Detects SQL benchmark and sleep injection attempts including conditional queries
owasp-crs-v030001-id942190-sqli 1 Detects MSSQL code execution and information gathering attempts
owasp-crs-v030001-id942220-sqli 1 Looking for integer overflow attacks
owasp-crs-v030001-id942230-sqli 1 Detects conditional SQL injection attempts
owasp-crs-v030001-id942240-sqli 1 Detects MySQL charset switch and MSSQL DoS attempts
owasp-crs-v030001-id942250-sqli 1 Detects MATCH AGAINST
owasp-crs-v030001-id942270-sqli 1 Looking for basic sql injection. Common attack string for mysql
owasp-crs-v030001-id942280-sqli 1 Detects Postgres pg_sleep injection
owasp-crs-v030001-id942290-sqli 1 Finds basic MongoDB SQL injection attempts
owasp-crs-v030001-id942320-sqli 1 Detects MySQL and PostgreSQL stored procedure/function injections
owasp-crs-v030001-id942350-sqli 1 Detects MySQL UDF injection and other data/structure manipulation attempts
owasp-crs-v030001-id942360-sqli 1 Detects concatenated basic SQL injection and SQLLFI attempts
owasp-crs-v030001-id942110-sqli 2 SQL Injection Attack: Common Injection Testing Detected
owasp-crs-v030001-id942120-sqli 2 SQL Injection Attack: SQL Operator Detected
owasp-crs-v030001-id942150-sqli 2 SQL Injection Attack
owasp-crs-v030001-id942180-sqli 2 Detects basic SQL authentication bypass attempts 1/3
owasp-crs-v030001-id942200-sqli 2 Detects MySQL comment-/space-obfuscated injections and backtick termination
owasp-crs-v030001-id942210-sqli 2 Detects chained SQL injection attempts 1/2
owasp-crs-v030001-id942260-sqli 2 Detects basic SQL authentication bypass attempts 2/3
owasp-crs-v030001-id942300-sqli 2 Detects MySQL comments
owasp-crs-v030001-id942310-sqli 2 Detects chained SQL injection attempts 2/2
owasp-crs-v030001-id942330-sqli 2 Detects classic SQL injection probings 1/2
owasp-crs-v030001-id942340-sqli 2 Detects basic SQL authentication bypass attempts 3/3
owasp-crs-v030001-id942380-sqli 2 SQL Injection Attack
owasp-crs-v030001-id942390-sqli 2 SQL Injection Attack
owasp-crs-v030001-id942400-sqli 2 SQL Injection Attack
owasp-crs-v030001-id942410-sqli 2 SQL Injection Attack
owasp-crs-v030001-id942430-sqli 2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
owasp-crs-v030001-id942440-sqli 2 SQL Comment Sequence Detected.
owasp-crs-v030001-id942450-sqli 2 SQL Hex Encoding Identified
owasp-crs-v030001-id942251-sqli 3 Detects HAVING injections
owasp-crs-v030001-id942420-sqli 3 Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)
owasp-crs-v030001-id942431-sqli 3 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
owasp-crs-v030001-id942460-sqli 3 Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
owasp-crs-v030001-id942421-sqli 4 Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)
owasp-crs-v030001-id942432-sqli 4 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)

To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity levels:

SQLi Sensitivity Level 1 

evaluatePreconfiguredExpr('sqli-stable', ['owasp-crs-v030001-id942110-sqli',
 'owasp-crs-v030001-id942120-sqli',
 'owasp-crs-v030001-id942150-sqli',
 'owasp-crs-v030001-id942180-sqli',
 'owasp-crs-v030001-id942200-sqli',
 'owasp-crs-v030001-id942210-sqli',
 'owasp-crs-v030001-id942260-sqli',
 'owasp-crs-v030001-id942300-sqli',
 'owasp-crs-v030001-id942310-sqli',
 'owasp-crs-v030001-id942330-sqli',
 'owasp-crs-v030001-id942340-sqli',
 'owasp-crs-v030001-id942380-sqli',
 'owasp-crs-v030001-id942390-sqli',
 'owasp-crs-v030001-id942400-sqli',
 'owasp-crs-v030001-id942410-sqli',
 'owasp-crs-v030001-id942430-sqli',
 'owasp-crs-v030001-id942440-sqli',
 'owasp-crs-v030001-id942450-sqli',
 'owasp-crs-v030001-id942251-sqli',
 'owasp-crs-v030001-id942420-sqli',
 'owasp-crs-v030001-id942431-sqli',
 'owasp-crs-v030001-id942460-sqli',
 'owasp-crs-v030001-id942421-sqli',
 'owasp-crs-v030001-id942432-sqli']
)
SQLi Sensitivity Level 2 
evaluatePreconfiguredExpr('sqli-stable', ['owasp-crs-v030001-id942251-sqli',
 'owasp-crs-v030001-id942420-sqli',
 'owasp-crs-v030001-id942431-sqli',
 'owasp-crs-v030001-id942460-sqli',
 'owasp-crs-v030001-id942421-sqli',
 'owasp-crs-v030001-id942432-sqli']
)
SQLi Sensitivity Level 3 

evaluatePreconfiguredExpr('sqli-stable', ['owasp-crs-v030001-id942421-sqli',
 'owasp-crs-v030001-id942432-sqli']
)
SQLi Sensitivity Level 4 

evaluatePreconfiguredExpr('sqli-stable')

Cross-Site Scripting (XSS)

Signature ID (Rule ID) Sensitivity Level Description
owasp-crs-v030001-id941110-xss 1 XSS Filter - Category 1: Script Tag Vector
owasp-crs-v030001-id941120-xss 1 XSS Filter - Category 2: Event Handler Vector
owasp-crs-v030001-id941130-xss 1 XSS Filter - Category 3: Attribute Vector
owasp-crs-v030001-id941140-xss 1 XSS Filter - Category 4: JavaScript URI Vector
owasp-crs-v030001-id941160-xss 1 NoScript XSS InjectionChecker: HTML Injection
owasp-crs-v030001-id941170-xss 1 NoScript XSS InjectionChecker: Attribute Injection
owasp-crs-v030001-id941180-xss 1 Node-Validator Blacklist Keywords
owasp-crs-v030001-id941190-xss 1 IE XSS Filters - Attack Detected.
owasp-crs-v030001-id941200-xss 1 IE XSS Filters - Attack Detected.
owasp-crs-v030001-id941210-xss 1 IE XSS Filters - Attack Detected.
owasp-crs-v030001-id941220-xss 1 IE XSS Filters - Attack Detected.
owasp-crs-v030001-id941230-xss 1 IE XSS Filters - Attack Detected.
owasp-crs-v030001-id941240-xss 1 IE XSS Filters - Attack Detected.
owasp-crs-v030001-id941250-xss 1 IE XSS Filters - Attack Detected.
owasp-crs-v030001-id941260-xss 1 IE XSS Filters - Attack Detected.
owasp-crs-v030001-id941270-xss 1 IE XSS Filters - Attack Detected.
owasp-crs-v030001-id941280-xss 1 IE XSS Filters - Attack Detected.
owasp-crs-v030001-id941290-xss 1 IE XSS Filters - Attack Detected.
owasp-crs-v030001-id941300-xss 1 IE XSS Filters - Attack Detected.
owasp-crs-v030001-id941310-xss 1 US-ASCII Malformed Encoding XSS Filter - Attack Detected.
owasp-crs-v030001-id941350-xss 1 UTF-7 Encoding IE XSS - Attack Detected.
owasp-crs-v030001-id941150-xss 2 XSS Filter - Category 5: Disallowed HTML Attributes
owasp-crs-v030001-id941320-xss 2 Possible XSS Attack Detected - HTML Tag Handler
owasp-crs-v030001-id941330-xss 2 IE XSS Filters - Attack Detected.
owasp-crs-v030001-id941340-xss 2 IE XSS Filters - Attack Detected.

To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity levels:

XSS Sensitivity Level 1 

evaluatePreconfiguredExpr('xss-stable', ['owasp-crs-v030001-id941150-xss',
 'owasp-crs-v030001-id941320-xss',
 'owasp-crs-v030001-id941330-xss',
 'owasp-crs-v030001-id941340-xss'])

All signatures for XSS are below sensitivity level 2. The following configuration works for other sensitivity levels:

XSS Sensitivity Level 2/3/4 

evaluatePreconfiguredExpr('xss-stable')

Local file inclusion (LFI) (beta)

Signature ID (Rule ID) Sensitivity Level Description
owasp-crs-v030001-id930100-lfi 1 Path Traversal Attack (/../)
owasp-crs-v030001-id930110-lfi 1 Path Traversal Attack (/../)
owasp-crs-v030001-id930120-lfi 1 OS File Access Attempt
owasp-crs-v030001-id930130-lfi 1 Restricted File Access Attempt

All signatures for LFI are at sensitivity level 1. The following configuration works for all sensitivity levels:

LFI Sensitivity Levels 1/2/3/4 

evaluatePreconfiguredExpr('lfi-canary')

Remote Code Execution (RCE)

Signature ID (Rule ID) Sensitivity Level Description
owasp-crs-v030001-id932100-rce 1 UNIX Command Injection
owasp-crs-v030001-id932105-rce 1 UNIX Command Injection
owasp-crs-v030001-id932110-rce 1 Windows Command Injection
owasp-crs-v030001-id932115-rce 1 Windows Command Injection
owasp-crs-v030001-id932120-rce 1 Windows PowerShell Command Found
owasp-crs-v030001-id932130-rce 1 Unix Shell Expression Found
owasp-crs-v030001-id932140-rce 1 Windows FOR/IF Command Found
owasp-crs-v030001-id932150-rce 1 Direct UNIX Command Execution
owasp-crs-v030001-id932160-rce 1 UNIX Shell Code Found
owasp-crs-v030001-id932170-rce 1 Shellshock (CVE-2014-6271)
owasp-crs-v030001-id932171-rce 1 Shellshock (CVE-2014-6271)

All signatures for RCE are at sensitivity level 1. The following configuration works for all sensitivity levels:

RCE Sensitivity Levels 1/2/3/4 

evaluatePreconfiguredExpr('rce-canary')

Remote File Inclusion (RFI)

Signature ID (Rule ID) Sensitivity Level Description
owasp-crs-v030001-id931100-rfi 1 URL Parameter using IP Address
owasp-crs-v030001-id931110-rfi 1 Common RFI Vulnerable Parameter Name used w/URL Payload
owasp-crs-v030001-id931120-rfi 1 URL Payload Used w/Trailing Question Mark Character (?)
owasp-crs-v030001-id931130-rfi 2 Off-Domain Reference/Link

To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity levels:

RFI Sensitivity Level 1 

evaluatePreconfiguredExpr('rfi-canary', ['owasp-crs-v030001-id931130-rfi'])
RFI Sensitivity Level 2/3/4 

evaluatePreconfiguredExpr('rfi-canary')

What's next