Google Cloud Armor preconfigured rules are complex web application firewall (WAF) rules made up of dozens of signatures compiled from open source industry standards. Google offers these rules as-is. They let Google Cloud Armor evaluate dozens of distinct traffic signatures by referring to conveniently named rules, rather than requiring you to define each signature manually.
The following tables list the preconfigured WAF rules that are available for use in a Google Cloud Armor security policy. The rule sources are the ModSecurity Core Rule Set (CRS) 3.0 and CRS 3.3. We recommend version 3.3 for increased sensitivity and for a broader range of protected attack types.
CRS 3.3

| ModSecurity rule name | Google Cloud Armor rule name | Current status |
|---|---|---|
| SQL injection (public preview) | sqli-v33-stable | In sync with sqli-v33-canary |
| | sqli-v33-canary | Latest |
| Cross-site scripting (public preview) | xss-v33-stable | In sync with xss-v33-canary |
| | xss-v33-canary | Latest |
| Local file inclusion (public preview) | lfi-v33-stable | In sync with lfi-v33-canary |
| | lfi-v33-canary | Latest |
| Remote file inclusion (public preview) | rfi-v33-stable | In sync with rfi-v33-canary |
| | rfi-v33-canary | Latest |
| Remote code execution (public preview) | rce-v33-stable | In sync with rce-v33-canary |
| | rce-v33-canary | Latest |
| Method enforcement (public preview) | methodenforcement-v33-stable | In sync with methodenforcement-v33-canary |
| | methodenforcement-v33-canary | Latest |
| Scanner detection (public preview) | scannerdetection-v33-stable | In sync with scannerdetection-v33-canary |
| | scannerdetection-v33-canary | Latest |
| Protocol attack (public preview) | protocolattack-v33-stable | In sync with protocolattack-v33-canary |
| | protocolattack-v33-canary | Latest |
| PHP injection attack (public preview) | php-v33-stable | In sync with php-v33-canary |
| | php-v33-canary | Latest |
| Session fixation attack (public preview) | sessionfixation-v33-stable | In sync with sessionfixation-v33-canary |
| | sessionfixation-v33-canary | Latest |
CRS 3.0

| ModSecurity rule name | Google Cloud Armor rule name | Current status |
|---|---|---|
| SQL injection | sqli-stable | In sync with sqli-canary |
| | sqli-canary | Latest |
| Cross-site scripting | xss-stable | In sync with xss-canary |
| | xss-canary | Latest |
| Local file inclusion | lfi-stable | In sync with lfi-canary |
| | lfi-canary | Latest |
| Remote file inclusion | rfi-stable | In sync with rfi-canary |
| | rfi-canary | Latest |
| Remote code execution | rce-stable | In sync with rce-canary |
| | rce-canary | Latest |
| Method enforcement (public preview) | methodenforcement-stable | In sync with methodenforcement-canary |
| | methodenforcement-canary | Latest |
| Scanner detection | scannerdetection-stable | In sync with scannerdetection-canary |
| | scannerdetection-canary | Latest |
| Protocol attack | protocolattack-stable | In sync with protocolattack-canary |
| | protocolattack-canary | Latest |
| PHP injection attack | php-stable | In sync with php-canary |
| | php-canary | Latest |
| Session fixation attack | sessionfixation-stable | In sync with sessionfixation-canary |
| | sessionfixation-canary | Latest |
In addition, the following cve-canary rule is available to all Google Cloud Armor customers to help detect and optionally block exploit attempts of the CVE-2021-44228 and CVE-2021-45046 vulnerabilities.

| Google Cloud Armor rule name | Rule content | Covered vulnerability types |
|---|---|---|
| cve-canary | Newly discovered vulnerabilities | Log4j vulnerability |
Each preconfigured rule consists of multiple signatures. Incoming requests are evaluated against the preconfigured rules. A request matches a preconfigured rule if it matches any of the signatures associated with that rule, that is, when the evaluatePreconfiguredExpr() expression returns true.

If a preconfigured rule matches more traffic than necessary, or blocks traffic that must be allowed, you can tune the rule by disabling noisy or otherwise unnecessary signatures. To disable signatures in a particular preconfigured rule, pass a list of the unwanted signature IDs to the evaluatePreconfiguredExpr() expression.

The following example excludes two CRS rule IDs from the preconfigured xss-v33-stable (CRS 3.3) WAF rule:

When you exclude signature IDs from preconfigured CRS rule sets, the signature ID version must match the rule set version (CRS 3.0 or 3.3); otherwise the configuration is rejected with an error.

The preceding example is an expression in the custom rules language. The general syntax is:
Each preconfigured rule has a sensitivity level that corresponds to a ModSecurity paranoia level. A lower sensitivity level indicates a higher-confidence signature that is less likely to generate a false positive. A higher sensitivity level increases security, but also increases the risk of false positives.
SQL injection (SQLi)
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the SQLi preconfigured rule.
CRS 3.3

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030301-id942140-sqli | 1 | SQL injection attack: Common DB Names Detected |
| owasp-crs-v030301-id942160-sqli | 1 | Detects blind SQLi tests using sleep() or benchmark() |
| owasp-crs-v030301-id942170-sqli | 1 | Detects SQL benchmark and sleep injection attempts including conditional queries |
| owasp-crs-v030301-id942190-sqli | 1 | Detects MSSQL code execution and information gathering attempts |
| owasp-crs-v030301-id942220-sqli | 1 | Looks for integer overflow attacks |
| owasp-crs-v030301-id942230-sqli | 1 | Detects conditional SQL injection attempts |
| owasp-crs-v030301-id942240-sqli | 1 | Detects MySQL charset switch and MSSQL DoS attempts |
| owasp-crs-v030301-id942250-sqli | 1 | Detects MATCH AGAINST |
| owasp-crs-v030301-id942270-sqli | 1 | Looks for basic SQL injection; common attack string for MySQL |
| owasp-crs-v030301-id942280-sqli | 1 | Detects Postgres pg_sleep injection |
| owasp-crs-v030301-id942290-sqli | 1 | Finds basic MongoDB SQL injection attempts |
| owasp-crs-v030301-id942320-sqli | 1 | Detects MySQL and PostgreSQL stored procedure/function injections |
| owasp-crs-v030301-id942350-sqli | 1 | Detects MySQL UDF injection and other data/structure manipulation attempts |
| owasp-crs-v030301-id942360-sqli | 1 | Detects concatenated basic SQL injection and SQLLFI attempts |
| owasp-crs-v030301-id942500-sqli | 1 | MySQL in-line comment detected |
| owasp-crs-v030301-id942110-sqli | 2 | SQL injection attack: Common Injection Testing Detected |
All signatures for RFI are below sensitivity level 2. The following configuration works for other sensitivity levels:

| Sensitivity level | Configuration |
|---|---|
| RFI sensitivity level 2 | evaluatePreconfiguredExpr('rfi-v33-stable') |
Method enforcement
The following tables provide the signature ID, sensitivity level, and description of each supported signature in the method enforcement preconfigured rule.

CRS 3.3

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030301-id911100-methodenforcement | 1 | Method is not allowed by policy |

CRS 3.0

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030001-id911100-methodenforcement | 1 | Method is not allowed by policy |
All signatures for Method Enforcement are below sensitivity level 2. The following
configuration works for other sensitivity levels:
The following tables provide the signature ID, sensitivity level, and description of each supported signature in the scanner detection preconfigured rule.

CRS 3.3

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030301-id913100-scannerdetection | 1 | Found User-Agent associated with security scanner |
| owasp-crs-v030301-id913110-scannerdetection | 1 | Found request header associated with security scanner |
| owasp-crs-v030301-id913120-scannerdetection | 1 | Found request filename/argument associated with security scanner |
| owasp-crs-v030301-id913101-scannerdetection | 2 | Found User-Agent associated with scripting/generic HTTP client |
| owasp-crs-v030301-id913102-scannerdetection | 2 | Found User-Agent associated with web crawler/bot |

CRS 3.0

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030001-id913100-scannerdetection | 1 | Found User-Agent associated with security scanner |
| owasp-crs-v030001-id913110-scannerdetection | 1 | Found request header associated with security scanner |
| owasp-crs-v030001-id913120-scannerdetection | 1 | Found request filename/argument associated with security scanner |
| owasp-crs-v030001-id913101-scannerdetection | 2 | Found User-Agent associated with scripting/generic HTTP client |
| owasp-crs-v030001-id913102-scannerdetection | 2 | Found User-Agent associated with web crawler/bot |
To configure a rule at a particular sensitivity level, disable the signatures
at greater sensitivity levels.
The following tables provide the signature ID, sensitivity level, and description of each supported signature in the protocol attack preconfigured rule.

CRS 3.3

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| Not included | 1 | HTTP Request Smuggling Attack |
| owasp-crs-v030301-id921110-protocolattack | 1 | HTTP Request Smuggling Attack |
| owasp-crs-v030301-id921120-protocolattack | 1 | HTTP Response Splitting Attack |
| owasp-crs-v030301-id921130-protocolattack | 1 | HTTP Response Splitting Attack |
| owasp-crs-v030301-id921140-protocolattack | 1 | HTTP Header Injection Attack via headers |
| owasp-crs-v030301-id921150-protocolattack | 1 | HTTP Header Injection Attack via payload (CR/LF detected) |
| owasp-crs-v030301-id921160-protocolattack | 1 | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
| owasp-crs-v030301-id921190-protocolattack | 1 | HTTP Splitting (CR/LF in request filename detected) |
| owasp-crs-v030301-id921200-protocolattack | 1 | LDAP Injection Attack |
| owasp-crs-v030301-id921151-protocolattack | 2 | HTTP Header Injection Attack via payload (CR/LF detected) |
| owasp-crs-v030301-id921170-protocolattack | 3 | HTTP Parameter Pollution |

CRS 3.0

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030001-id921100-protocolattack | 1 | HTTP Request Smuggling Attack |
| owasp-crs-v030001-id921110-protocolattack | 1 | HTTP Request Smuggling Attack |
| owasp-crs-v030001-id921120-protocolattack | 1 | HTTP Response Splitting Attack |
| owasp-crs-v030001-id921130-protocolattack | 1 | HTTP Response Splitting Attack |
| owasp-crs-v030001-id921140-protocolattack | 1 | HTTP Header Injection Attack via headers |
| owasp-crs-v030001-id921150-protocolattack | 1 | HTTP Header Injection Attack via payload (CR/LF detected) |
| owasp-crs-v030001-id921160-protocolattack | 1 | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
| Not included | 1 | HTTP Splitting (CR/LF in request filename detected) |
| Not included | 1 | LDAP Injection Attack |
| owasp-crs-v030001-id921151-protocolattack | 2 | HTTP Header Injection Attack via payload (CR/LF detected) |
| owasp-crs-v030001-id921170-protocolattack | 3 | HTTP Parameter Pollution |
To configure a rule at a particular sensitivity level, disable the signatures
at greater sensitivity levels.
The following tables provide the signature ID, sensitivity level, and description of each supported signature in the session fixation preconfigured rule.

CRS 3.3

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030301-id943100-sessionfixation | 1 | Possible Session Fixation Attack: Setting Cookie Values in HTML |
| owasp-crs-v030301-id943110-sessionfixation | 1 | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
| owasp-crs-v030301-id943120-sessionfixation | 1 | Possible Session Fixation Attack: SessionID Parameter Name with No Referer |

CRS 3.0

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030001-id943100-sessionfixation | 1 | Possible Session Fixation Attack: Setting Cookie Values in HTML |
| owasp-crs-v030001-id943110-sessionfixation | 1 | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
| owasp-crs-v030001-id943120-sessionfixation | 1 | Possible Session Fixation Attack: SessionID Parameter Name with No Referer |
All signatures for Session Fixation are below sensitivity level 2. The following
configuration works for other sensitivity levels:
The following signatures cover the CVE-2021-44228 and CVE-2021-45046 Log4j RCE vulnerabilities.

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030001-id044228-cve | 1 | Base rule to help detect exploit attempts of CVE-2021-44228 and CVE-2021-45046 |
| owasp-crs-v030001-id144228-cve | 1 | Google-provided enhancements to cover more bypass and obfuscation attempts |
| owasp-crs-v030001-id244228-cve | 3 | Increased sensitivity of detection to target even more bypass and obfuscation attempts, with nominal increase in risk of false positive detection |
| owasp-crs-v030001-id344228-cve | 3 | Increased sensitivity of detection to target even more bypass and obfuscation attempts using base64 encoding, with nominal increase in risk of false positive detection |
To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity levels.
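The tuning procedure described above (pick a sensitivity level, disable every signature above it, and keep signature ID versions matched to the rule set version) as an added example; this is not code from the Cloud Armor documentation. It assumes the exclusion-list syntax evaluatePreconfiguredExpr('<rule name>', ['<signature ID>', ...]) and a signature table constructed from this page's CRS 3.3 SQLi and scanner detection rows.

```python
import re

# Constructed from this page's CRS 3.3 tables: signature ID -> sensitivity level.
# The SQLi entry is a subset of the page's rows; the scanner detection entry is complete.
SIGNATURES = {
    "sqli-v33-stable": {
        "owasp-crs-v030301-id942140-sqli": 1,
        "owasp-crs-v030301-id942160-sqli": 1,
        "owasp-crs-v030301-id942110-sqli": 2,
    },
    "scannerdetection-v33-stable": {
        "owasp-crs-v030301-id913100-scannerdetection": 1,
        "owasp-crs-v030301-id913110-scannerdetection": 1,
        "owasp-crs-v030301-id913120-scannerdetection": 1,
        "owasp-crs-v030301-id913101-scannerdetection": 2,
        "owasp-crs-v030301-id913102-scannerdetection": 2,
    },
}

# Signature IDs embed the CRS version: v030301 for CRS 3.3, v030001 for CRS 3.0.
SIG_ID_RE = re.compile(r"^owasp-crs-(v\d{6})-id\d+-[a-z]+$")


def crs_version_of_rule(rule_name: str) -> str:
    """CRS 3.3 rule names carry a -v33- tag; the other rule names on the page are CRS 3.0."""
    return "v030301" if "-v33-" in rule_name else "v030001"


def check_id_version(rule_name: str, sig_id: str) -> None:
    """Reject a signature ID whose embedded CRS version does not match the rule set."""
    m = SIG_ID_RE.match(sig_id)
    if not m:
        raise ValueError(f"malformed signature ID: {sig_id}")
    if m.group(1) != crs_version_of_rule(rule_name):
        raise ValueError(f"{sig_id} does not belong to {rule_name} (CRS version mismatch)")


def signatures_above(rule_name: str, max_level: int) -> list:
    """IDs to disable so the rule runs at max_level: every signature at a higher level."""
    return sorted(sid for sid, lvl in SIGNATURES[rule_name].items() if lvl > max_level)


def build_expression(rule_name: str, max_level: int) -> str:
    """Render the tuned rule as an evaluatePreconfiguredExpr() call (syntax assumed above)."""
    excluded = signatures_above(rule_name, max_level)
    for sid in excluded:
        check_id_version(rule_name, sid)  # catches a 3.0 ID pasted into a 3.3 rule
    if not excluded:
        return f"evaluatePreconfiguredExpr('{rule_name}')"
    ids = ", ".join(f"'{sid}'" for sid in excluded)
    return f"evaluatePreconfiguredExpr('{rule_name}', [{ids}])"
```

Run build_expression("sqli-v33-stable", 1) to get the level-1 SQLi rule with the single level-2 signature excluded; at level 2 no exclusion list is emitted.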
Google Cloud Armor preconfigured rules have the following limitations:

- Among the HTTP request types with a request body, Google Cloud Armor processes only POST requests. Google Cloud Armor evaluates preconfigured rules against the first 8 KB of POST body content. For more information, see POST body inspection limitation.
- Google Cloud Armor can parse and apply preconfigured WAF rules for default URL-encoded and JSON-formatted POST bodies (Content-Type='application/json'). However, Google Cloud Armor does not parse or decode other HTTP Content-Type and Content-Encoding formats.
- Google Cloud Armor security policies are available only for backend services behind a load balancer. Therefore, load balancing quotas and limits apply to your deployment. See the load balancing quotas page for more information.
The following ModSecurity CRS rule IDs are not supported by
Google Cloud Armor.