Tuning Google Cloud Armor WAF rules

Preconfigured rules

Google Cloud Armor preconfigured rules are complex web application firewall (WAF) rules, each made up of dozens of signatures compiled from open source industry standards. Google offers these rules as-is. They let Google Cloud Armor evaluate dozens of distinct traffic signatures by referring to a conveniently named rule, rather than requiring you to define each signature manually.

The following tables contain a comprehensive list of preconfigured WAF rules that are available for use in a Google Cloud Armor security policy. The rule sources are ModSecurity Core Rule Set (CRS) 3.0 and CRS 3.3. We recommend that you use version 3.3 for increased sensitivity and for a broader set of protected attack types.

CRS 3.3

Google Cloud Armor rule name | ModSecurity rule name | Current status
--- | --- | ---
SQL injection (public preview) | sqli-v33-stable | Out of sync with sqli-v33-canary
SQL injection (public preview) | sqli-v33-canary | Latest, including two additional signatures
Cross-site scripting (public preview) | xss-v33-stable | Out of sync with xss-v33-canary
Cross-site scripting (public preview) | xss-v33-canary | Latest, including two additional signatures
Local file inclusion (public preview) | lfi-v33-stable | In sync with lfi-v33-canary
Local file inclusion (public preview) | lfi-v33-canary | Latest
Remote file inclusion (public preview) | rfi-v33-stable | In sync with rfi-v33-canary
Remote file inclusion (public preview) | rfi-v33-canary | Latest
Remote code execution (public preview) | rce-v33-stable | In sync with rce-v33-canary
Remote code execution (public preview) | rce-v33-canary | Latest
Method enforcement (public preview) | methodenforcement-v33-stable | In sync with methodenforcement-v33-canary
Method enforcement (public preview) | methodenforcement-v33-canary | Latest
Scanner detection (public preview) | scannerdetection-v33-stable | In sync with scannerdetection-v33-canary
Scanner detection (public preview) | scannerdetection-v33-canary | Latest
Protocol attack (public preview) | protocolattack-v33-stable | In sync with protocolattack-v33-canary
Protocol attack (public preview) | protocolattack-v33-canary | Latest
PHP injection attack (public preview) | php-v33-stable | In sync with php-v33-canary
PHP injection attack (public preview) | php-v33-canary | Latest
Session fixation attack (public preview) | sessionfixation-v33-stable | In sync with sessionfixation-v33-canary
Session fixation attack (public preview) | sessionfixation-v33-canary | Latest
Java attack (public preview) | java-v33-stable | In sync with java-v33-canary
Java attack (public preview) | java-v33-canary | Latest
NodeJS attack (public preview) | nodejs-v33-stable | In sync with nodejs-v33-canary
NodeJS attack (public preview) | nodejs-v33-canary | Latest

CRS 3.0

Google Cloud Armor rule name | ModSecurity rule name | Current status
--- | --- | ---
SQL injection | sqli-stable | In sync with sqli-canary
SQL injection | sqli-canary | Latest
Cross-site scripting | xss-stable | In sync with xss-canary
Cross-site scripting | xss-canary | Latest
Local file inclusion | lfi-stable | In sync with lfi-canary
Local file inclusion | lfi-canary | Latest
Remote file inclusion | rfi-stable | In sync with rfi-canary
Remote file inclusion | rfi-canary | Latest
Remote code execution | rce-stable | In sync with rce-canary
Remote code execution | rce-canary | Latest
Method enforcement (public preview) | methodenforcement-stable | In sync with methodenforcement-canary
Method enforcement (public preview) | methodenforcement-canary | Latest
Scanner detection | scannerdetection-stable | In sync with scannerdetection-canary
Scanner detection | scannerdetection-canary | Latest
Protocol attack | protocolattack-stable | In sync with protocolattack-canary
Protocol attack | protocolattack-canary | Latest
PHP injection attack | php-stable | In sync with php-canary
PHP injection attack | php-canary | Latest
Session fixation attack | sessionfixation-stable | In sync with sessionfixation-canary
Session fixation attack | sessionfixation-canary | Latest
Java attack | Not included | 
NodeJS attack | Not included | 

In addition, the following cve-canary rule is available to all Google Cloud Armor customers to help detect, and optionally block, attempts to exploit the CVE-2021-44228 and CVE-2021-45046 (Log4j) vulnerabilities.

Google Cloud Armor rule name | Rule content | Covered vulnerability types
--- | --- | ---
cve-canary | Newly discovered vulnerabilities | Log4j vulnerability

Each preconfigured rule consists of multiple signatures. Incoming requests are evaluated against the preconfigured rules. A request matches a preconfigured rule if the request matches any of the signatures that are associated with the preconfigured rule. A match is made when the evaluatePreconfiguredExpr() command returns the value true.

If you decide that a preconfigured rule matches more traffic than is necessary, or if the rule is blocking traffic that needs to be allowed, you can tune the rule to disable noisy or otherwise unnecessary signatures. To disable signatures in a particular preconfigured rule, you pass a list of the IDs of the unwanted signatures to the evaluatePreconfiguredExpr() command.

The following example excludes two CRS rule IDs from the preconfigured xss-v33-stable (CRS 3.3) WAF rule:

evaluatePreconfiguredExpr('xss-v33-stable', ['owasp-crs-v030301-id941330-xss', 'owasp-crs-v030301-id941340-xss'])

When you exclude signature IDs from preconfigured CRS rule sets, you must match the signature ID version with the rule set version (CRS 3.0 or 3.3) to avoid configuration errors.

The preceding example is an expression in the custom rules language. The general syntax is:

evaluatePreconfiguredExpr(RULE, ['SIGNATURE1', 'SIGNATURE2', 'SIGNATURE3'])

Preconfigured ModSecurity rules

Each preconfigured rule has a sensitivity level that corresponds to a ModSecurity paranoia level. A lower sensitivity level indicates a higher confidence signature, which is less likely to generate a false positive. A higher sensitivity level increases security, but also increases the risk of generating a false positive.

SQL injection (SQLi)

The following tables provide the signature ID, sensitivity level, and description of each supported signature in the SQLi preconfigured rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id942100-sqli 1 SQL Injection Attack Detected via libinjection (only available in sqli-v33-canary)
owasp-crs-v030301-id942140-sqli 1 SQL injection attack: Common DB Names Detected
owasp-crs-v030301-id942160-sqli 1 Detects blind SQLi tests using sleep() or benchmark()
owasp-crs-v030301-id942170-sqli 1 Detects SQL benchmark and sleep injection attempts including conditional queries
owasp-crs-v030301-id942190-sqli 1 Detects MSSQL code execution and information gathering attempts
owasp-crs-v030301-id942220-sqli 1 Looks for integer overflow attacks
owasp-crs-v030301-id942230-sqli 1 Detects conditional SQL injection attempts
owasp-crs-v030301-id942240-sqli 1 Detects MySQL charset switch and MSSQL DoS attempts
owasp-crs-v030301-id942250-sqli 1 Detects MATCH AGAINST
owasp-crs-v030301-id942270-sqli 1 Looks for basic SQL injection; common attack string for MySql
owasp-crs-v030301-id942280-sqli 1 Detects Postgres pg_sleep injection
owasp-crs-v030301-id942290-sqli 1 Finds basic MongoDB SQL injection attempts
owasp-crs-v030301-id942320-sqli 1 Detects MySQL and PostgreSQL stored procedure/function injections
owasp-crs-v030301-id942350-sqli 1 Detects MySQL UDF injection and other data/structure manipulation attempts
owasp-crs-v030301-id942360-sqli 1 Detects concatenated basic SQL injection and SQLLFI attempts
owasp-crs-v030301-id942500-sqli 1 MySQL in-line comment detected
owasp-crs-v030301-id942110-sqli 2 SQL injection attack: Common Injection Testing Detected
owasp-crs-v030301-id942120-sqli 2 SQL injection attack: SQL Operator Detected
owasp-crs-v030301-id942130-sqli 2 SQL Injection Attack: SQL Tautology Detected
owasp-crs-v030301-id942150-sqli 2 SQL injection attack
owasp-crs-v030301-id942180-sqli 2 Detects basic SQL authentication bypass attempts 1/3
owasp-crs-v030301-id942200-sqli 2 Detects MySQL comment-/space-obfuscated injections and backtick termination
owasp-crs-v030301-id942210-sqli 2 Detects chained SQL injection attempts 1/2
owasp-crs-v030301-id942260-sqli 2 Detects basic SQL authentication bypass attempts 2/3
owasp-crs-v030301-id942300-sqli 2 Detects MySQL comments
owasp-crs-v030301-id942310-sqli 2 Detects chained SQL injection attempts 2/2
owasp-crs-v030301-id942330-sqli 2 Detects classic SQL injection probings 1/2
owasp-crs-v030301-id942340-sqli 2 Detects basic SQL authentication bypass attempts 3/3
owasp-crs-v030301-id942361-sqli 2 Detects basic SQL injection based on keyword alter or union
owasp-crs-v030301-id942370-sqli 2 Detects classic SQL injection probings 2/3
owasp-crs-v030301-id942380-sqli 2 SQL injection attack
owasp-crs-v030301-id942390-sqli 2 SQL injection attack
owasp-crs-v030301-id942400-sqli 2 SQL injection attack
owasp-crs-v030301-id942410-sqli 2 SQL injection attack
owasp-crs-v030301-id942470-sqli 2 SQL injection attack
owasp-crs-v030301-id942480-sqli 2 SQL injection attack
owasp-crs-v030301-id942430-sqli 2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
owasp-crs-v030301-id942440-sqli 2 SQL Comment Sequence Detected
owasp-crs-v030301-id942450-sqli 2 SQL Hex Encoding Identified
owasp-crs-v030301-id942510-sqli 2 SQLi bypass attempt by ticks or backticks detected
owasp-crs-v030301-id942251-sqli 3 Detects HAVING injections
owasp-crs-v030301-id942490-sqli 3 Detects classic SQL injection probings 3/3
owasp-crs-v030301-id942420-sqli 3 Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)
owasp-crs-v030301-id942431-sqli 3 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
owasp-crs-v030301-id942460-sqli 3 Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
owasp-crs-v030301-id942101-sqli 3 SQL Injection Attack Detected via libinjection (only available in sqli-v33-canary)
owasp-crs-v030301-id942511-sqli 3 SQLi bypass attempt by ticks detected
owasp-crs-v030301-id942421-sqli 4 Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)
owasp-crs-v030301-id942432-sqli 4 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
Not included 1 SQL Injection Attack Detected via libinjection (only available in sqli-v33-canary)
owasp-crs-v030001-id942140-sqli 1 SQL injection attack: Common DB Names Detected
owasp-crs-v030001-id942160-sqli 1 Detects blind SQLi tests using sleep() or benchmark()
owasp-crs-v030001-id942170-sqli 1 Detects SQL benchmark and sleep injection attempts including conditional queries
owasp-crs-v030001-id942190-sqli 1 Detects MSSQL code execution and information gathering attempts
owasp-crs-v030001-id942220-sqli 1 Looks for integer overflow attacks
owasp-crs-v030001-id942230-sqli 1 Detects conditional SQL injection attempts
owasp-crs-v030001-id942240-sqli 1 Detects MySQL charset switch and MSSQL DoS attempts
owasp-crs-v030001-id942250-sqli 1 Detects MATCH AGAINST
owasp-crs-v030001-id942270-sqli 1 Looks for basic SQL injection; common attack string for MySql
owasp-crs-v030001-id942280-sqli 1 Detects Postgres pg_sleep injection
owasp-crs-v030001-id942290-sqli 1 Finds basic MongoDB SQL injection attempts
owasp-crs-v030001-id942320-sqli 1 Detects MySQL and PostgreSQL stored procedure/function injections
owasp-crs-v030001-id942350-sqli 1 Detects MySQL UDF injection and other data/structure manipulation attempts
owasp-crs-v030001-id942360-sqli 1 Detects concatenated basic SQL injection and SQLLFI attempts
Not included 1 MySQL in-line comment detected
owasp-crs-v030001-id942110-sqli 2 SQL injection attack: Common Injection Testing Detected
owasp-crs-v030001-id942120-sqli 2 SQL injection attack: SQL Operator Detected
Not included 2 SQL Injection Attack: SQL Tautology Detected
owasp-crs-v030001-id942150-sqli 2 SQL injection attack
owasp-crs-v030001-id942180-sqli 2 Detects basic SQL authentication bypass attempts 1/3
owasp-crs-v030001-id942200-sqli 2 Detects MySQL comment-/space-obfuscated injections and backtick termination
owasp-crs-v030001-id942210-sqli 2 Detects chained SQL injection attempts 1/2
owasp-crs-v030001-id942260-sqli 2 Detects basic SQL authentication bypass attempts 2/3
owasp-crs-v030001-id942300-sqli 2 Detects MySQL comments
owasp-crs-v030001-id942310-sqli 2 Detects chained SQL injection attempts 2/2
owasp-crs-v030001-id942330-sqli 2 Detects classic SQL injection probings 1/2
owasp-crs-v030001-id942340-sqli 2 Detects basic SQL authentication bypass attempts 3/3
Not included 2 Detects basic SQL injection based on keyword alter or union
Not included 2 Detects classic SQL injection probings 2/3
owasp-crs-v030001-id942380-sqli 2 SQL injection attack
owasp-crs-v030001-id942390-sqli 2 SQL injection attack
owasp-crs-v030001-id942400-sqli 2 SQL injection attack
owasp-crs-v030001-id942410-sqli 2 SQL injection attack
Not included 2 SQL injection attack
Not included 2 SQL injection attack
owasp-crs-v030001-id942430-sqli 2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
owasp-crs-v030001-id942440-sqli 2 SQL Comment Sequence Detected
owasp-crs-v030001-id942450-sqli 2 SQL Hex Encoding Identified
Not included 2 SQLi bypass attempt by ticks or backticks detected
owasp-crs-v030001-id942251-sqli 3 Detects HAVING injections
Not included 2 Detects classic SQL injection probings 3/3
owasp-crs-v030001-id942420-sqli 3 Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)
owasp-crs-v030001-id942431-sqli 3 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
owasp-crs-v030001-id942460-sqli 3 Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
Not included 3 SQL Injection Attack Detected via libinjection (only available in sqli-v33-canary)
Not included 3 SQLi bypass attempt by ticks detected
owasp-crs-v030001-id942421-sqli 4 Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)
owasp-crs-v030001-id942432-sqli 4 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)

To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity levels.

SQLi sensitivity level 1

evaluatePreconfiguredExpr('sqli-v33-stable',
  ['owasp-crs-v030301-id942100-sqli',
   'owasp-crs-v030301-id942110-sqli',
   'owasp-crs-v030301-id942120-sqli',
   'owasp-crs-v030301-id942130-sqli',
   'owasp-crs-v030301-id942150-sqli',
   'owasp-crs-v030301-id942180-sqli',
   'owasp-crs-v030301-id942200-sqli',
   'owasp-crs-v030301-id942210-sqli',
   'owasp-crs-v030301-id942260-sqli',
   'owasp-crs-v030301-id942300-sqli',
   'owasp-crs-v030301-id942310-sqli',
   'owasp-crs-v030301-id942330-sqli',
   'owasp-crs-v030301-id942340-sqli',
   'owasp-crs-v030301-id942361-sqli',
   'owasp-crs-v030301-id942370-sqli',
   'owasp-crs-v030301-id942380-sqli',
   'owasp-crs-v030301-id942390-sqli',
   'owasp-crs-v030301-id942400-sqli',
   'owasp-crs-v030301-id942410-sqli',
   'owasp-crs-v030301-id942470-sqli',
   'owasp-crs-v030301-id942480-sqli',
   'owasp-crs-v030301-id942430-sqli',
   'owasp-crs-v030301-id942440-sqli',
   'owasp-crs-v030301-id942450-sqli',
   'owasp-crs-v030301-id942510-sqli',
   'owasp-crs-v030301-id942251-sqli',
   'owasp-crs-v030301-id942490-sqli',
   'owasp-crs-v030301-id942420-sqli',
   'owasp-crs-v030301-id942431-sqli',
   'owasp-crs-v030301-id942460-sqli',
   'owasp-crs-v030301-id942101-sqli',
   'owasp-crs-v030301-id942511-sqli',
   'owasp-crs-v030301-id942421-sqli',
   'owasp-crs-v030301-id942432-sqli']
)

SQLi sensitivity level 2

evaluatePreconfiguredExpr('sqli-v33-stable',
  ['owasp-crs-v030301-id942251-sqli',
   'owasp-crs-v030301-id942490-sqli',
   'owasp-crs-v030301-id942420-sqli',
   'owasp-crs-v030301-id942431-sqli',
   'owasp-crs-v030301-id942460-sqli',
   'owasp-crs-v030301-id942101-sqli',
   'owasp-crs-v030301-id942511-sqli',
   'owasp-crs-v030301-id942421-sqli',
   'owasp-crs-v030301-id942432-sqli']
)

SQLi sensitivity level 3

evaluatePreconfiguredExpr('sqli-v33-stable',
  ['owasp-crs-v030301-id942421-sqli',
   'owasp-crs-v030301-id942432-sqli']
)

SQLi sensitivity level 4

evaluatePreconfiguredExpr('sqli-v33-stable')
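
The sensitivity-level procedure above (disable every signature at a greater level) and the version-matching caveat for signature IDs are mechanical enough to script. The following Python helper is an added example, not Google's code or tooling: it derives the exclusion list for a target level from the CRS 3.3 SQLi table on this page, refuses signature IDs whose owasp-crs-v030301-/owasp-crs-v030001- prefix does not match the rule's CRS version, and parses a deployed expression back so the coverage a tuned rule still has can be audited. The assumption that '-v33-' in a rule name marks a CRS 3.3 rule is taken from the rule names on this page.

```python
"""Helpers for tuning evaluatePreconfiguredExpr() expressions (added example, not Google code)."""
import re

# Signature ID prefix that belongs to each CRS rule-set version, taken from the
# IDs listed on this page. Mixing them is the configuration error the page warns about.
VERSION_PREFIX = {"3.3": "owasp-crs-v030301-", "3.0": "owasp-crs-v030001-"}

# CRS 3.3 SQLi signatures grouped by sensitivity level, transcribed from the table above.
SQLI_V33_BY_LEVEL = {
    1: [942100, 942140, 942160, 942170, 942190, 942220, 942230, 942240, 942250,
        942270, 942280, 942290, 942320, 942350, 942360, 942500],
    2: [942110, 942120, 942130, 942150, 942180, 942200, 942210, 942260, 942300,
        942310, 942330, 942340, 942361, 942370, 942380, 942390, 942400, 942410,
        942470, 942480, 942430, 942440, 942450, 942510],
    3: [942251, 942490, 942420, 942431, 942460, 942101, 942511],
    4: [942421, 942432],
}


def signature_levels(by_level, version, suffix):
    """Expand {level: [CRS rule numbers]} into {full signature ID: level}."""
    prefix = VERSION_PREFIX[version]
    return {f"{prefix}id{num}-{suffix}": lvl
            for lvl, nums in by_level.items() for num in nums}


SQLI_V33_LEVELS = signature_levels(SQLI_V33_BY_LEVEL, "3.3", "sqli")


def rule_set_version(rule_name):
    """Assumption from the rule names on this page: '-v33-' marks a CRS 3.3 rule;
    anything else (sqli-stable, xss-canary, ...) is CRS 3.0."""
    return "3.3" if "-v33-" in rule_name else "3.0"


def mismatched_signatures(rule_name, signature_ids):
    """Signature IDs whose version prefix does not match the rule's CRS version."""
    prefix = VERSION_PREFIX[rule_set_version(rule_name)]
    return [sig for sig in signature_ids if not sig.startswith(prefix)]


def exclusions_for_level(levels, target_level):
    """IDs to disable so the rule runs at target_level: every signature above it."""
    return sorted(sig for sig, lvl in levels.items() if lvl > target_level)


def build_expr(rule_name, excluded=()):
    """Render the custom-rules-language expression; reject mixed-version IDs up front
    rather than discovering the error when the policy is pushed."""
    bad = mismatched_signatures(rule_name, excluded)
    if bad:
        raise ValueError(f"signature IDs do not match the rule set of {rule_name}: {bad}")
    if not excluded:
        return f"evaluatePreconfiguredExpr('{rule_name}')"
    ids = ",\n   ".join(f"'{sig}'" for sig in excluded)
    return f"evaluatePreconfiguredExpr('{rule_name}',\n  [{ids}]\n)"


_EXPR_RE = re.compile(
    r"evaluatePreconfiguredExpr\(\s*'([^']+)'\s*(?:,\s*\[([^\]]*)\]\s*)?\)")


def parse_expr(expr):
    """Inverse of build_expr: (rule_name, [excluded IDs]) from a deployed expression,
    so an existing policy rule can be audited."""
    match = _EXPR_RE.fullmatch(expr.strip())
    if not match:
        raise ValueError("not an evaluatePreconfiguredExpr() expression")
    return match.group(1), re.findall(r"'([^']+)'", match.group(2) or "")


def effective_level(levels, excluded):
    """Highest sensitivity level whose signatures are all still enabled (0 if even
    a level 1 signature has been disabled), i.e. the coverage the tuned rule retains."""
    excluded = set(excluded)
    effective = 0
    for lvl in sorted(set(levels.values())):
        if any(sig in excluded for sig, sig_lvl in levels.items() if sig_lvl == lvl):
            break
        effective = lvl
    return effective


if __name__ == "__main__":
    expr = build_expr("sqli-v33-stable", exclusions_for_level(SQLI_V33_LEVELS, 2))
    print(expr)
    rule, dropped = parse_expr(expr)
    print(rule, "runs at SQLi sensitivity level", effective_level(SQLI_V33_LEVELS, dropped))
```

Run against the page's own level 1 expression, effective_level reports 0 rather than 1, because that list also disables owasp-crs-v030301-id942100-sqli, a level 1 signature that exists only in sqli-v33-canary.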

Cross-site scripting (XSS)

The following tables provide the signature ID, sensitivity level, and description of each supported signature in the XSS preconfigured rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id941100-xss 1 XSS Attack Detected via libinjection (only available in xss-v33-canary)
owasp-crs-v030301-id941110-xss 1 XSS Filter - Category 1: Script Tag Vector
owasp-crs-v030301-id941120-xss 1 XSS Filter - Category 2: Event Handler Vector
owasp-crs-v030301-id941130-xss 1 XSS Filter - Category 3: Attribute Vector
owasp-crs-v030301-id941140-xss 1 XSS Filter - Category 4: JavaScript URI Vector
owasp-crs-v030301-id941160-xss 1 NoScript XSS InjectionChecker: HTML Injection
owasp-crs-v030301-id941170-xss 1 NoScript XSS InjectionChecker: Attribute Injection
owasp-crs-v030301-id941180-xss 1 Node-Validator Blacklist Keywords
owasp-crs-v030301-id941190-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941200-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941210-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941220-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941230-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941240-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941250-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941260-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941270-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941280-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941290-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941300-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941310-xss 1 US-ASCII Malformed Encoding XSS Filter - Attack Detected
owasp-crs-v030301-id941350-xss 1 UTF-7 Encoding IE XSS - Attack Detected
owasp-crs-v030301-id941360-xss 1 Hieroglyphy obfuscation detected
owasp-crs-v030301-id941370-xss 1 JavaScript global variable found
owasp-crs-v030301-id941101-xss 2 XSS Attack Detected via libinjection (only available in xss-v33-canary)
owasp-crs-v030301-id941150-xss 2 XSS Filter - Category 5: Disallowed HTML Attributes
owasp-crs-v030301-id941320-xss 2 Possible XSS Attack Detected - HTML Tag Handler
owasp-crs-v030301-id941330-xss 2 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941340-xss 2 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941380-xss 2 AngularJS client side template injection detected

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
Not included 1 XSS Attack Detected via libinjection (only available in xss-v33-canary)
owasp-crs-v030001-id941110-xss 1 XSS Filter - Category 1: Script Tag Vector
owasp-crs-v030001-id941120-xss 1 XSS Filter - Category 2: Event Handler Vector
owasp-crs-v030001-id941130-xss 1 XSS Filter - Category 3: Attribute Vector
owasp-crs-v030001-id941140-xss 1 XSS Filter - Category 4: JavaScript URI Vector
owasp-crs-v030001-id941160-xss 1 NoScript XSS InjectionChecker: HTML Injection
owasp-crs-v030001-id941170-xss 1 NoScript XSS InjectionChecker: Attribute Injection
owasp-crs-v030001-id941180-xss 1 Node-Validator Blacklist Keywords
owasp-crs-v030001-id941190-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941200-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941210-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941220-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941230-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941240-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941250-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941260-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941270-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941280-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941290-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941300-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941310-xss 1 US-ASCII Malformed Encoding XSS Filter - Attack Detected
owasp-crs-v030001-id941350-xss 1 UTF-7 Encoding IE XSS - Attack Detected
Not included 1 JSFuck / Hieroglyphy obfuscation detected
Not included 1 JavaScript global variable found
Not included 2 XSS Attack Detected via libinjection (only available in xss-v33-canary)
owasp-crs-v030001-id941150-xss 2 XSS Filter - Category 5: Disallowed HTML Attributes
owasp-crs-v030001-id941320-xss 2 Possible XSS Attack Detected - HTML Tag Handler
owasp-crs-v030001-id941330-xss 2 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941340-xss 2 IE XSS Filters - Attack Detected
Not included 2 AngularJS client side template injection detected

To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity levels.

XSS sensitivity level 1

evaluatePreconfiguredExpr('xss-v33-stable',
  ['owasp-crs-v030301-id941101-xss',
   'owasp-crs-v030301-id941150-xss',
   'owasp-crs-v030301-id941320-xss',
   'owasp-crs-v030301-id941330-xss',
   'owasp-crs-v030301-id941340-xss',
   'owasp-crs-v030301-id941380-xss']
)

All signatures for XSS are at sensitivity level 2 or lower, so no exclusions are needed at sensitivity level 2 or above. The following configuration works for those levels:

XSS sensitivity level 2

evaluatePreconfiguredExpr('xss-v33-stable')

Local file inclusion (LFI)

The following tables provide the signature ID, sensitivity level, and description of each supported signature in the LFI preconfigured rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id930100-lfi 1 Path Traversal Attack (/../)
owasp-crs-v030301-id930110-lfi 1 Path Traversal Attack (/../)
owasp-crs-v030301-id930120-lfi 1 OS File Access Attempt
owasp-crs-v030301-id930130-lfi 1 Restricted File Access Attempt

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id930100-lfi 1 Path Traversal Attack (/../)
owasp-crs-v030001-id930110-lfi 1 Path Traversal Attack (/../)
owasp-crs-v030001-id930120-lfi 1 OS File Access Attempt
owasp-crs-v030001-id930130-lfi 1 Restricted File Access Attempt

All signatures for LFI are at sensitivity level 1. The following configuration works for all sensitivity levels:

LFI sensitivity level 1

evaluatePreconfiguredExpr('lfi-v33-canary')

Remote code execution (RCE)

The following tables provide the signature ID, sensitivity level, and description of each supported signature in the RCE preconfigured rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id932100-rce 1 UNIX Command Injection
owasp-crs-v030301-id932105-rce 1 UNIX Command Injection
owasp-crs-v030301-id932110-rce 1 Windows Command Injection
owasp-crs-v030301-id932115-rce 1 Windows Command Injection
owasp-crs-v030301-id932120-rce 1 Windows PowerShell Command Found
owasp-crs-v030301-id932130-rce 1 Unix Shell Expression Found
owasp-crs-v030301-id932140-rce 1 Windows FOR/IF Command Found
owasp-crs-v030301-id932150-rce 1 Direct UNIX Command Execution
owasp-crs-v030301-id932160-rce 1 UNIX Shell Code Found
owasp-crs-v030301-id932170-rce 1 Shellshock (CVE-2014-6271)
owasp-crs-v030301-id932171-rce 1 Shellshock (CVE-2014-6271)
owasp-crs-v030301-id932180-rce 1 Restricted File Upload Attempt
owasp-crs-v030301-id932200-rce 2 RCE Bypass Technique
owasp-crs-v030301-id932106-rce 3 Remote Command Execution: Unix Command Injection
owasp-crs-v030301-id932190-rce 3 Remote Command Execution: Wildcard bypass technique attempt

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id932100-rce 1 UNIX Command Injection
owasp-crs-v030001-id932105-rce 1 UNIX Command Injection
owasp-crs-v030001-id932110-rce 1 Windows Command Injection
owasp-crs-v030001-id932115-rce 1 Windows Command Injection
owasp-crs-v030001-id932120-rce 1 Windows PowerShell Command Found
owasp-crs-v030001-id932130-rce 1 Unix Shell Expression Found
owasp-crs-v030001-id932140-rce 1 Windows FOR/IF Command Found
owasp-crs-v030001-id932150-rce 1 Direct UNIX Command Execution
owasp-crs-v030001-id932160-rce 1 UNIX Shell Code Found
owasp-crs-v030001-id932170-rce 1 Shellshock (CVE-2014-6271)
owasp-crs-v030001-id932171-rce 1 Shellshock (CVE-2014-6271)
Not included 1 Restricted File Upload Attempt
Not included 2 RCE Bypass Technique
Not included 3 Remote Command Execution: Unix Command Injection
Not included 3 Remote Command Execution: Wildcard bypass technique attempt

For CRS 3.0, all RCE signatures are at sensitivity level 1, so no exclusions are needed there. CRS 3.3 adds signatures at sensitivity levels 2 and 3; to configure the rule at a particular sensitivity level, disable the signatures at greater sensitivity levels:

RCE sensitivity level 1

evaluatePreconfiguredExpr('rce-v33-stable',
  ['owasp-crs-v030301-id932200-rce',
   'owasp-crs-v030301-id932106-rce',
   'owasp-crs-v030301-id932190-rce']
)

The following configuration works for other sensitivity levels:

RCE sensitivity level 2

evaluatePreconfiguredExpr('rce-v33-stable',
  ['owasp-crs-v030301-id932106-rce',
   'owasp-crs-v030301-id932190-rce']
)

RCE sensitivity level 3

evaluatePreconfiguredExpr('rce-v33-stable')

Remote file inclusion (RFI)

The following tables provide the signature ID, sensitivity level, and description of each supported signature in the RFI preconfigured rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id931100-rfi 1 URL Parameter using IP Address
owasp-crs-v030301-id931110-rfi 1 Common RFI Vulnerable Parameter Name used w/URL Payload
owasp-crs-v030301-id931120-rfi 1 URL Payload Used w/Trailing Question Mark Character (?)
owasp-crs-v030301-id931130-rfi 2 Off-Domain Reference/Link

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id931100-rfi 1 URL Parameter using IP Address
owasp-crs-v030001-id931110-rfi 1 Common RFI Vulnerable Parameter Name used w/URL Payload
owasp-crs-v030001-id931120-rfi 1 URL Payload Used w/Trailing Question Mark Character (?)
owasp-crs-v030001-id931130-rfi 2 Off-Domain Reference/Link

To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity levels.

RFI sensitivity level 1

evaluatePreconfiguredExpr('rfi-v33-canary', ['owasp-crs-v030301-id931130-rfi'])

All signatures for RFI are at sensitivity level 2 or lower, so no exclusions are needed at sensitivity level 2 or above. The following configuration works for those levels:

RFI sensitivity level 2

evaluatePreconfiguredExpr('rfi-v33-stable')

Method enforcement

The following tables provide the signature ID, sensitivity level, and description of each supported signature in the method enforcement preconfigured rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id911100-methodenforcement 1 Method is not allowed by policy

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id911100-methodenforcement 1 Method is not allowed by policy

All signatures for Method Enforcement are at sensitivity level 1. The following configuration works for all sensitivity levels:

Method Enforcement sensitivity level 1

evaluatePreconfiguredExpr('methodenforcement-v33-stable')

Scanner detection

The following tables provide the signature ID, sensitivity level, and description of each supported signature in the scanner detection preconfigured rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id913100-scannerdetection 1 Found User-Agent associated with security scanner
owasp-crs-v030301-id913110-scannerdetection 1 Found request header associated with security scanner
owasp-crs-v030301-id913120-scannerdetection 1 Found request filename/argument associated with security scanner
owasp-crs-v030301-id913101-scannerdetection 2 Found User-Agent associated with scripting/generic HTTP client
owasp-crs-v030301-id913102-scannerdetection 2 Found User-Agent associated with web crawler/bot

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id913100-scannerdetection 1 Found User-Agent associated with security scanner
owasp-crs-v030001-id913110-scannerdetection 1 Found request header associated with security scanner
owasp-crs-v030001-id913120-scannerdetection 1 Found request filename/argument associated with security scanner
owasp-crs-v030001-id913101-scannerdetection 2 Found User-Agent associated with scripting/generic HTTP client
owasp-crs-v030001-id913102-scannerdetection 2 Found User-Agent associated with web crawler/bot

To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity levels.

Scanner Detection sensitivity level 1

evaluatePreconfiguredExpr('scannerdetection-v33-stable',
  ['owasp-crs-v030301-id913101-scannerdetection',
   'owasp-crs-v030301-id913102-scannerdetection']
)

Scanner Detection sensitivity level 2

evaluatePreconfiguredExpr('scannerdetection-v33-stable')

Protocol attack

The following tables provide the signature ID, sensitivity level, and description of each supported signature in the protocol attack preconfigured rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
Not included 1 HTTP Request Smuggling Attack
owasp-crs-v030301-id921110-protocolattack 1 HTTP Request Smuggling Attack
owasp-crs-v030301-id921120-protocolattack 1 HTTP Response Splitting Attack
owasp-crs-v030301-id921130-protocolattack 1 HTTP Response Splitting Attack
owasp-crs-v030301-id921140-protocolattack 1 HTTP Header Injection Attack via headers
owasp-crs-v030301-id921150-protocolattack 1 HTTP Header Injection Attack via payload (CR/LF detected)
owasp-crs-v030301-id921160-protocolattack 1 HTTP Header Injection Attack via payload (CR/LF and header-name detected)
owasp-crs-v030301-id921190-protocolattack 1 HTTP Splitting (CR/LF in request filename detected)
owasp-crs-v030301-id921200-protocolattack 1 LDAP Injection Attack
owasp-crs-v030301-id921151-protocolattack 2 HTTP Header Injection Attack via payload (CR/LF detected)
owasp-crs-v030301-id921170-protocolattack 3 HTTP Parameter Pollution

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id921100-protocolattack 1 HTTP Request Smuggling Attack
owasp-crs-v030001-id921110-protocolattack 1 HTTP Request Smuggling Attack
owasp-crs-v030001-id921120-protocolattack 1 HTTP Response Splitting Attack
owasp-crs-v030001-id921130-protocolattack 1 HTTP Response Splitting Attack
owasp-crs-v030001-id921140-protocolattack 1 HTTP Header Injection Attack via headers
owasp-crs-v030001-id921150-protocolattack 1 HTTP Header Injection Attack via payload (CR/LF detected)
owasp-crs-v030001-id921160-protocolattack 1 HTTP Header Injection Attack via payload (CR/LF and header-name detected)
Not included 1 HTTP Splitting (CR/LF in request filename detected)
Not included 1 LDAP Injection Attack
owasp-crs-v030001-id921151-protocolattack 2 HTTP Header Injection Attack via payload (CR/LF detected)
owasp-crs-v030001-id921170-protocolattack 3 HTTP Parameter Pollution

To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity levels.

Protocol Attack sensitivity level 1

evaluatePreconfiguredExpr('protocolattack-v33-stable',
  ['owasp-crs-v030301-id921151-protocolattack',
   'owasp-crs-v030301-id921170-protocolattack']
)

Protocol Attack sensitivity level 2

evaluatePreconfiguredExpr('protocolattack-v33-stable',
  ['owasp-crs-v030301-id921170-protocolattack']
)

Protocol Attack sensitivity level 3

evaluatePreconfiguredExpr('protocolattack-v33-stable')

PHP

The following tables provide the signature ID, sensitivity level, and description of each supported signature in the PHP preconfigured rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id933100-php 1 PHP Injection Attack: PHP Open Tag Found
owasp-crs-v030301-id933110-php 1 PHP Injection Attack: PHP Script File Upload Found
owasp-crs-v030301-id933120-php 1 PHP Injection Attack: Configuration Directive Found
owasp-crs-v030301-id933130-php 1 PHP Injection Attack: Variables Found
owasp-crs-v030301-id933140-php 1 PHP Injection Attack: I/O Stream Found
owasp-crs-v030301-id933200-php 1 PHP Injection Attack: Wrapper scheme detected
owasp-crs-v030301-id933150-php 1 PHP Injection Attack: High-Risk PHP Function Name Found
owasp-crs-v030301-id933160-php 1 PHP Injection Attack: High-Risk PHP Function Call Found
owasp-crs-v030301-id933170-php 1 PHP Injection Attack: Serialized Object Injection
owasp-crs-v030301-id933180-php 1 PHP Injection Attack: Variable Function Call Found
owasp-crs-v030301-id933210-php 1 PHP Injection Attack: Variable Function Call Found
owasp-crs-v030301-id933151-php 2 PHP Injection Attack: Medium-Risk PHP Function Name Found
owasp-crs-v030301-id933131-php 3 PHP Injection Attack: Variables Found
owasp-crs-v030301-id933161-php 3 PHP Injection Attack: Low-Value PHP Function Call Found
owasp-crs-v030301-id933111-php 3 PHP Injection Attack: PHP Script File Upload Found
owasp-crs-v030301-id933190-php 3 PHP Injection Attack: PHP Closing Tag Found

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id933100-php 1 PHP Injection Attack: PHP Open Tag Found
owasp-crs-v030001-id933110-php 1 PHP Injection Attack: PHP Script File Upload Found
owasp-crs-v030001-id933120-php 1 PHP Injection Attack: Configuration Directive Found
owasp-crs-v030001-id933130-php 1 PHP Injection Attack: Variables Found
owasp-crs-v030001-id933140-php 1 PHP Injection Attack: I/O Stream Found
Not included 1 PHP Injection Attack: Wrapper scheme detected
owasp-crs-v030001-id933150-php 1 PHP Injection Attack: High-Risk PHP Function Name Found
owasp-crs-v030001-id933160-php 1 PHP Injection Attack: High-Risk PHP Function Call Found
owasp-crs-v030001-id933170-php 1 PHP Injection Attack: Serialized Object Injection
owasp-crs-v030001-id933180-php 1 PHP Injection Attack: Variable Function Call Found
Not included 1 PHP Injection Attack: Variable Function Call Found
owasp-crs-v030001-id933151-php 2 PHP Injection Attack: Medium-Risk PHP Function Name Found
owasp-crs-v030001-id933131-php 3 PHP Injection Attack: Variables Found
owasp-crs-v030001-id933161-php 3 PHP Injection Attack: Low-Value PHP Function Call Found
owasp-crs-v030001-id933111-php 3 PHP Injection Attack: PHP Script File Upload Found
Not included 3 PHP Injection Attack: PHP Closing Tag Found

To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity levels.

PHP Injection Attack sensitivity level 1

evaluatePreconfiguredExpr('php-v33-stable',
  ['owasp-crs-v030301-id933151-php',
  'owasp-crs-v030301-id933131-php',
  'owasp-crs-v030301-id933161-php',
  'owasp-crs-v030301-id933111-php',
  'owasp-crs-v030301-id933190-php']
)
          
PHP Injection Attack sensitivity level 2

evaluatePreconfiguredExpr('php-v33-stable',
  ['owasp-crs-v030301-id933131-php',
  'owasp-crs-v030301-id933161-php',
  'owasp-crs-v030301-id933111-php',
  'owasp-crs-v030301-id933190-php']
)
          
PHP Injection Attack sensitivity level 3

evaluatePreconfiguredExpr('php-v33-stable')
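
The expressions above all follow one rule: to run a preconfigured rule at level N, list every signature whose sensitivity level is greater than N in the opt-out array. The helper below is an added example, not Google's code or part of the Cloud Armor documentation; it applies that rule to the CRS 3.3 PHP table from this page (copied into `PHP_V33_SIGNATURES`) and works for any of the other tables in the same shape. It also checks an expression's opt-out list against the table, which catches a misspelled ID (for example `v0303001` instead of `v030301`): an ID that matches no signature cannot opt that signature out, so the rule ends up stricter than intended or the policy update fails. The `gcloud_rule_command` helper only assembles arguments for `gcloud compute security-policies rules create`; the policy name and priority it takes are placeholders you supply.

```python
import re

# Rows copied from the CRS 3.3 PHP injection table on this page:
# (signature ID, sensitivity level).
PHP_V33_SIGNATURES = [
    ("owasp-crs-v030301-id933100-php", 1),
    ("owasp-crs-v030301-id933110-php", 1),
    ("owasp-crs-v030301-id933120-php", 1),
    ("owasp-crs-v030301-id933130-php", 1),
    ("owasp-crs-v030301-id933140-php", 1),
    ("owasp-crs-v030301-id933200-php", 1),
    ("owasp-crs-v030301-id933150-php", 1),
    ("owasp-crs-v030301-id933160-php", 1),
    ("owasp-crs-v030301-id933170-php", 1),
    ("owasp-crs-v030301-id933180-php", 1),
    ("owasp-crs-v030301-id933210-php", 1),
    ("owasp-crs-v030301-id933151-php", 2),
    ("owasp-crs-v030301-id933131-php", 3),
    ("owasp-crs-v030301-id933161-php", 3),
    ("owasp-crs-v030301-id933111-php", 3),
    ("owasp-crs-v030301-id933190-php", 3),
]


def excluded_signatures(signatures, level):
    """IDs to opt out of: every signature whose sensitivity is above `level`."""
    if level < 1:
        raise ValueError("sensitivity levels start at 1")
    return [sig for sig, lvl in signatures if lvl > level]


def build_expression(rule_name, signatures, level):
    """Render the evaluatePreconfiguredExpr() call for `rule_name` at `level`."""
    excluded = excluded_signatures(signatures, level)
    if not excluded:
        # Highest level in the table: nothing to exclude, bare rule name suffices.
        return f"evaluatePreconfiguredExpr('{rule_name}')"
    ids = ",\n   ".join(f"'{sig}'" for sig in excluded)
    return f"evaluatePreconfiguredExpr('{rule_name}',\n  [{ids}])"


_QUOTED = re.compile(r"'([^']*)'")


def unknown_exclusions(expression, signatures):
    """Return opt-out IDs in `expression` that do not exist in the signature table.

    The first quoted string is the rule name; every later one is an opt-out ID.
    A typo such as 'v0303001' shows up here instead of silently weakening tuning.
    """
    known = {sig for sig, _ in signatures}
    quoted = _QUOTED.findall(expression)
    return [sig for sig in quoted[1:] if sig not in known]


def gcloud_rule_command(priority, policy, expression, action="deny-403"):
    """Argument list for creating the rule with gcloud.

    `priority` and `policy` are caller-supplied placeholders, not values from
    this page.
    """
    return [
        "gcloud", "compute", "security-policies", "rules", "create", str(priority),
        f"--security-policy={policy}",
        f"--expression={expression}",
        f"--action={action}",
    ]


if __name__ == "__main__":
    for level in (1, 2, 3):
        print(f"# PHP Injection Attack sensitivity level {level}")
        print(build_expression("php-v33-stable", PHP_V33_SIGNATURES, level), "\n")
    # Constructed misconfiguration: one ID carries an extra digit in the version.
    typo = ("evaluatePreconfiguredExpr('php-v33-stable', "
            "['owasp-crs-v0303001-id933131-php', 'owasp-crs-v030301-id933190-php'])")
    print("unknown opt-out IDs:", unknown_exclusions(typo, PHP_V33_SIGNATURES))
```

Run it against the table for the rule you are tuning before pasting the expression into a policy; the level-2 output reproduces the PHP level 2 expression above, and the validation step is the part worth keeping in a CI check for your security policy definitions.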
          

Session fixation

The following tables provide the signature ID, sensitivity level, and description of each supported signature in the session fixation preconfigured rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id943100-sessionfixation 1 Possible Session Fixation Attack: Setting Cookie Values in HTML
owasp-crs-v030301-id943110-sessionfixation 1 Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
owasp-crs-v030301-id943120-sessionfixation 1 Possible Session Fixation Attack: SessionID Parameter Name with No Referer

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id943100-sessionfixation 1 Possible Session Fixation Attack: Setting Cookie Values in HTML
owasp-crs-v030001-id943110-sessionfixation 1 Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
owasp-crs-v030001-id943120-sessionfixation 1 Possible Session Fixation Attack: SessionID Parameter Name with No Referer

All Session Fixation signatures are at sensitivity level 1 (none is at level 2 or higher), so there is nothing to opt out of and the same configuration applies at every sensitivity level:

Session Fixation sensitivity level 1

evaluatePreconfiguredExpr('sessionfixation-v33-canary')

Java attack

The following tables provide the signature ID, sensitivity level, and description of each supported signature in the Java attack preconfigured rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id944100-java 1 Remote Command Execution: Suspicious Java class detected
owasp-crs-v030301-id944110-java 1 Remote Command Execution: Java process spawn (CVE-2017-9805)
owasp-crs-v030301-id944120-java 1 Remote Command Execution: Java serialization (CVE-2015-4852)
owasp-crs-v030301-id944130-java 1 Suspicious Java class detected
owasp-crs-v030301-id944200-java 2 Magic bytes detected, probable Java serialization in use
owasp-crs-v030301-id944210-java 2 Magic bytes detected Base64 encoded, probable Java serialization in use
owasp-crs-v030301-id944240-java 2 Remote Command Execution: Java serialization (CVE-2015-4852)
owasp-crs-v030301-id944250-java 2 Remote Command Execution: Suspicious Java method detected
owasp-crs-v030301-id944300-java 3 Base64 encoded string matched suspicious keyword

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
Not included 1 Remote Command Execution: Suspicious Java class detected
Not included 1 Remote Command Execution: Java process spawn (CVE-2017-9805)
Not included 1 Remote Command Execution: Java serialization (CVE-2015-4852)
Not included 1 Suspicious Java class detected
Not included 2 Magic bytes detected, probable Java serialization in use
Not included 2 Magic bytes detected Base64 encoded, probable Java serialization in use
Not included 2 Remote Command Execution: Java serialization (CVE-2015-4852)
Not included 2 Remote Command Execution: Suspicious Java method detected
Not included 3 Base64 encoded string matched suspicious keyword

To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity levels.

Java attack sensitivity level 1

evaluatePreconfiguredExpr('java-v33-stable',
  ['owasp-crs-v030301-id944200-java',
  'owasp-crs-v030301-id944210-java',
  'owasp-crs-v030301-id944240-java',
  'owasp-crs-v030301-id944250-java',
  'owasp-crs-v030301-id944300-java']
)
          
Java attack sensitivity level 2

evaluatePreconfiguredExpr('java-v33-stable',
  ['owasp-crs-v030301-id944300-java']
)
          
Java attack sensitivity level 3

evaluatePreconfiguredExpr('java-v33-stable')
          

NodeJS attack

The following tables provide the signature ID, sensitivity level, and description of each supported signature in the NodeJS attack preconfigured rule.

The following preconfigured WAF rule signatures are only included in CRS 3.3.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id934100-nodejs 1 Node.js Injection Attack

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
Not included 1 Node.js Injection Attack

All NodeJS attack signatures are at sensitivity level 1 (none is at level 2 or higher), so there is nothing to opt out of and the same configuration applies at every sensitivity level:

NodeJS sensitivity level 1

evaluatePreconfiguredExpr('nodejs-v33-stable')

CVEs and other vulnerabilities

The following signatures cover the Log4j remote code execution vulnerabilities CVE-2021-44228 and CVE-2021-45046.

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id044228-cve 1 Base rule to help detect exploit attempts of CVE-2021-44228 & CVE-2021-45046
owasp-crs-v030001-id144228-cve 1 Google-provided enhancements to cover more bypass and obfuscation attempts
owasp-crs-v030001-id244228-cve 3 Increased sensitivity of detection to target even more bypass and obfuscation attempts, with nominal increase in risk of false positive detection
owasp-crs-v030001-id344228-cve 3 Increased sensitivity of detection to target even more bypass and obfuscation attempts using base64 encoding, with nominal increase in risk of false positive detection

To configure a rule at a particular sensitivity level, disable the signatures at greater sensitivity levels.

CVE sensitivity level 1

evaluatePreconfiguredExpr('cve-canary',
  ['owasp-crs-v030001-id244228-cve',
  'owasp-crs-v030001-id344228-cve']
)
          
CVE sensitivity level 3

evaluatePreconfiguredExpr('cve-canary')

Limitations

Google Cloud Armor preconfigured rules have the following limitations:

  • Among the HTTP request types with a request body, Google Cloud Armor processes only POST requests. Google Cloud Armor evaluates preconfigured rules against the first 8 KB of POST body content. For more information, see POST body inspection limitation.
  • Google Cloud Armor can parse and apply preconfigured WAF rules for default URL-encoded and JSON-formatted POST bodies (Content-Type='application/json'). However, Google Cloud Armor does not parse or decode other HTTP Content-Type and Content-Encoding formats.
  • Google Cloud Armor security policies are available only for backend services behind a load balancer. Therefore, load balancing quotas and limits apply to your deployment. See the load balancing quotas page for more information.
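
The first two limitations define which request bodies the preconfigured rules can actually see: a body on a non-POST method, a body in a Content-Type other than URL-encoded or JSON, a body with a non-default Content-Encoding, and everything after the first 8 KB of a POST body are outside WAF inspection, so the application behind the load balancer must validate those inputs itself. The script below is an added example, not Google's code or part of the Cloud Armor documentation; it classifies request records by how much of the body the preconfigured rules can inspect and counts the gaps, so you can run it over load balancer log exports and see where backend validation has to carry the load. The request records are constructed, the 8 KB limit is assumed to be exactly 8192 bytes, and the URL-encoded type is assumed to be `application/x-www-form-urlencoded` (the page names only `application/json` explicitly).

```python
from collections import Counter

# Constructed request records (not real traffic) with the fields a load
# balancer log carries: method, Content-Type, Content-Encoding, body size.
SAMPLE_REQUESTS = [
    {"method": "POST", "content_type": "application/x-www-form-urlencoded",
     "content_encoding": None, "body_bytes": 512},
    {"method": "POST", "content_type": "application/json; charset=utf-8",
     "content_encoding": None, "body_bytes": 20000},
    {"method": "PUT", "content_type": "application/json",
     "content_encoding": None, "body_bytes": 300},
    {"method": "POST", "content_type": "multipart/form-data; boundary=abc",
     "content_encoding": None, "body_bytes": 2048},
    {"method": "POST", "content_type": "application/json",
     "content_encoding": "gzip", "body_bytes": 900},
    {"method": "GET", "content_type": None,
     "content_encoding": None, "body_bytes": 0},
]

# "First 8 KB of POST body content"; the exact byte count is an assumption.
INSPECTED_BODY_LIMIT = 8 * 1024
# Content types the page says Cloud Armor parses; the URL-encoded MIME type
# is the standard one and is assumed here, the page only names JSON.
PARSED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "application/json"}


def body_inspection_status(req):
    """Classify how much of a request body the preconfigured rules can see.

    Returns "inspected", "partially-inspected: ...", "not-inspected: ..." or
    "no-body". Only the category before the colon is used for counting.
    """
    if req["body_bytes"] == 0:
        return "no-body"
    if req["method"] != "POST":
        # Among request types with a body, only POST is processed.
        return "not-inspected: non-POST body"
    if req.get("content_encoding"):
        # Other Content-Encoding formats are not decoded.
        return f"not-inspected: content encoding {req['content_encoding']}"
    # Strip parameters such as '; charset=utf-8' before comparing the media type.
    ctype = (req.get("content_type") or "").split(";")[0].strip().lower()
    if ctype not in PARSED_CONTENT_TYPES:
        return f"not-inspected: content type {ctype or '(none)'}"
    if req["body_bytes"] > INSPECTED_BODY_LIMIT:
        return "partially-inspected: first 8 KB only"
    return "inspected"


def coverage_gaps(requests):
    """Count requests per inspection category (the text before the colon)."""
    return Counter(body_inspection_status(r).split(":")[0] for r in requests)


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req['method']:4} {req['body_bytes']:6}B  {body_inspection_status(req)}")
    print(dict(coverage_gaps(SAMPLE_REQUESTS)))
```

A high "not-inspected" share for an endpoint is not a WAF misconfiguration you can tune away with sensitivity levels; it means that endpoint's input handling, content-type allow-listing and body size limits at the backend are the control that matters.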

What's next