Google Cloud Armor preconfigured WAF rules are complex web application firewall (WAF)
rules with dozens of signatures that are compiled from open source industry
standards. Each signature corresponds to an attack detection
rule in the ruleset. Google offers these rules as-is. The rules allow
Google Cloud Armor to evaluate dozens of distinct traffic signatures by
referring to conveniently named rules rather than requiring you to define
each signature manually.
Google Cloud Armor preconfigured WAF rules can be tuned to best suit your needs. For more
information about how to tune the rules, see
Tune Google Cloud Armor preconfigured WAF rules.
The following table contains a comprehensive list of preconfigured WAF rules
that are available for use in a Google Cloud Armor security policy. The
rule sources are OWASP Core Rule Set (CRS) 3.0 and CRS 3.3.2.
We recommend that you use version 3.3 for increased sensitivity and for an
increased breadth of protected attack types. Support for CRS 3.0 is ongoing.

CRS 3.3

| Google Cloud Armor rule name | OWASP rule name | Current status |
|---|---|---|
| SQL injection | sqli-v33-stable | In sync with sqli-v33-canary |
| | sqli-v33-canary | Latest |
| Cross-site scripting | xss-v33-stable | In sync with xss-v33-canary |
| | xss-v33-canary | Latest |
| Local file inclusion | lfi-v33-stable | In sync with lfi-v33-canary |
| | lfi-v33-canary | Latest |
| Remote file inclusion | rfi-v33-stable | In sync with rfi-v33-canary |
| | rfi-v33-canary | Latest |
| Remote code execution | rce-v33-stable | In sync with rce-v33-canary |
| | rce-v33-canary | Latest |
| Method enforcement | methodenforcement-v33-stable | In sync with methodenforcement-v33-canary |
| | methodenforcement-v33-canary | Latest |
| Scanner detection | scannerdetection-v33-stable | In sync with scannerdetection-v33-canary |
| | scannerdetection-v33-canary | Latest |
| Protocol attack | protocolattack-v33-stable | In sync with protocolattack-v33-canary |
| | protocolattack-v33-canary | Latest |
| PHP injection attack | php-v33-stable | In sync with php-v33-canary |
| | php-v33-canary | Latest |
| Session fixation attack | sessionfixation-v33-stable | In sync with sessionfixation-v33-canary |
| | sessionfixation-v33-canary | Latest |
| Java attack | java-v33-stable | In sync with java-v33-canary |
| | java-v33-canary | Latest |
| NodeJS attack | nodejs-v33-stable | In sync with nodejs-v33-canary |
| | nodejs-v33-canary | Latest |

CRS 3.0

| Google Cloud Armor rule name | OWASP rule name | Current status |
|---|---|---|
| SQL injection | sqli-stable | In sync with sqli-canary |
| | sqli-canary | Latest |
| Cross-site scripting | xss-stable | In sync with xss-canary |
| | xss-canary | Latest |
| Local file inclusion | lfi-stable | In sync with lfi-canary |
| | lfi-canary | Latest |
| Remote file inclusion | rfi-stable | In sync with rfi-canary |
| | rfi-canary | Latest |
| Remote code execution | rce-stable | In sync with rce-canary |
| | rce-canary | Latest |
| Method enforcement | methodenforcement-stable | In sync with methodenforcement-canary |
| | methodenforcement-canary | Latest |
| Scanner detection | scannerdetection-stable | In sync with scannerdetection-canary |
| | scannerdetection-canary | Latest |
| Protocol attack | protocolattack-stable | In sync with protocolattack-canary |
| | protocolattack-canary | Latest |
| PHP injection attack | php-stable | In sync with php-canary |
| | php-canary | Latest |
| Session fixation attack | sessionfixation-stable | In sync with sessionfixation-canary |
| | sessionfixation-canary | Latest |
| Java attack | Not included | |
| NodeJS attack | Not included | |

In addition, the following cve-canary rules are available to all
Google Cloud Armor customers to help detect and optionally block the
following vulnerabilities:
- CVE-2021-44228 and CVE-2021-45046 Log4j RCE vulnerabilities
- 942550-sqli JSON-formatted content vulnerability

| Google Cloud Armor rule name | Covered vulnerability types |
|---|---|
| cve-canary | Log4j vulnerability |
| json-sqli-canary | JSON-based SQL injection bypass vulnerability |

Each preconfigured WAF rule has a sensitivity level that corresponds to an
OWASP CRS paranoia level.
A lower sensitivity level indicates a higher confidence signature, which is less
likely to generate a false positive. A higher sensitivity level increases
security, but also increases the risk of generating a false positive.
SQL injection (SQLi)
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the SQLi preconfigured WAF rule.

CRS 3.3

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030301-id942100-sqli | 1 | SQL Injection Attack Detected via libinjection |
| owasp-crs-v030301-id942140-sqli | 1 | SQL injection attack: Common DB Names Detected |
| owasp-crs-v030301-id942160-sqli | 1 | Detects blind SQLi tests using sleep() or benchmark() |
| owasp-crs-v030301-id942170-sqli | 1 | Detects SQL benchmark and sleep injection attempts including conditional queries |
| owasp-crs-v030301-id942190-sqli | 1 | Detects MSSQL code execution and information gathering attempts |
| owasp-crs-v030301-id942220-sqli | 1 | Looks for integer overflow attacks |
| owasp-crs-v030301-id942230-sqli | 1 | Detects conditional SQL injection attempts |
| owasp-crs-v030301-id942240-sqli | 1 | Detects MySQL charset switch and MSSQL DoS attempts |
| owasp-crs-v030301-id942250-sqli | 1 | Detects MATCH AGAINST |
| owasp-crs-v030301-id942270-sqli | 1 | Looks for basic SQL injection; common attack string for MySql |
| owasp-crs-v030301-id942280-sqli | 1 | Detects Postgres pg_sleep injection |
| owasp-crs-v030301-id942290-sqli | 1 | Finds basic MongoDB SQL injection attempts |
| owasp-crs-v030301-id942320-sqli | 1 | Detects MySQL and PostgreSQL stored procedure/function injections |
| owasp-crs-v030301-id942350-sqli | 1 | Detects MySQL UDF injection and other data/structure manipulation attempts |
| owasp-crs-v030301-id942360-sqli | 1 | Detects concatenated basic SQL injection and SQLLFI attempts |
| owasp-crs-v030301-id942500-sqli | 1 | MySQL in-line comment detected |
| owasp-crs-v030301-id942110-sqli | 2 | SQL injection attack: Common Injection Testing Detected |
| owasp-crs-v030301-id942120-sqli | 2 | SQL injection attack: SQL Operator Detected |
| owasp-crs-v030301-id942130-sqli | 2 | SQL Injection Attack: SQL Tautology Detected |
| owasp-crs-v030301-id942150-sqli | 2 | SQL injection attack |
| owasp-crs-v030301-id942180-sqli | 2 | Detects basic SQL authentication bypass attempts 1/3 |
| owasp-crs-v030301-id942200-sqli | 2 | Detects MySQL comment-/space-obfuscated injections and backtick termination |
| owasp-crs-v030301-id942210-sqli | 2 | Detects chained SQL injection attempts 1/2 |
| owasp-crs-v030301-id942260-sqli | 2 | Detects basic SQL authentication bypass attempts 2/3 |
| owasp-crs-v030301-id942300-sqli | 2 | Detects MySQL comments |
| owasp-crs-v030301-id942310-sqli | 2 | Detects chained SQL injection attempts 2/2 |
| owasp-crs-v030301-id942330-sqli | 2 | Detects classic SQL injection probings 1/2 |
| owasp-crs-v030301-id942340-sqli | 2 | Detects basic SQL authentication bypass attempts 3/3 |
| owasp-crs-v030301-id942361-sqli | 2 | Detects basic SQL injection based on keyword alter or union |
| owasp-crs-v030301-id942370-sqli | 2 | Detects classic SQL injection probings 2/3 |
| owasp-crs-v030301-id942380-sqli | 2 | SQL injection attack |
| owasp-crs-v030301-id942390-sqli | 2 | SQL injection attack |
| owasp-crs-v030301-id942400-sqli | 2 | SQL injection attack |
| owasp-crs-v030301-id942410-sqli | 2 | SQL injection attack |
| owasp-crs-v030301-id942470-sqli | 2 | SQL injection attack |
| owasp-crs-v030301-id942480-sqli | 2 | SQL injection attack |
| owasp-crs-v030301-id942430-sqli | 2 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
| owasp-crs-v030301-id942440-sqli | 2 | SQL Comment Sequence Detected |
| owasp-crs-v030301-id942450-sqli | 2 | SQL Hex Encoding Identified |
| owasp-crs-v030301-id942510-sqli | 2 | SQLi bypass attempt by ticks or backticks detected |
| owasp-crs-v030301-id942251-sqli | 3 | Detects HAVING injections |
| owasp-crs-v030301-id942490-sqli | 3 | Detects classic SQL injection probings 3/3 |
| owasp-crs-v030301-id942420-sqli | 3 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) |
| owasp-crs-v030301-id942431-sqli | 3 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) |
| owasp-crs-v030301-id942460-sqli | 3 | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters |
| owasp-crs-v030301-id942101-sqli | 3 | SQL Injection Attack Detected via libinjection |
| owasp-crs-v030301-id942511-sqli | 3 | SQLi bypass attempt by ticks detected |
| owasp-crs-v030301-id942421-sqli | 4 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) |
| owasp-crs-v030301-id942432-sqli | 4 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2) |

CRS 3.0

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| Not included | 1 | SQL Injection Attack Detected via libinjection |
| owasp-crs-v030001-id942140-sqli | 1 | SQL injection attack: Common DB Names Detected |
| owasp-crs-v030001-id942160-sqli | 1 | Detects blind SQLi tests using sleep() or benchmark() |
| owasp-crs-v030001-id942170-sqli | 1 | Detects SQL benchmark and sleep injection attempts including conditional queries |
| owasp-crs-v030001-id942190-sqli | 1 | Detects MSSQL code execution and information gathering attempts |
| owasp-crs-v030001-id942220-sqli | 1 | Looks for integer overflow attacks |
| owasp-crs-v030001-id942230-sqli | 1 | Detects conditional SQL injection attempts |
| owasp-crs-v030001-id942240-sqli | 1 | Detects MySQL charset switch and MSSQL DoS attempts |
| owasp-crs-v030001-id942250-sqli | 1 | Detects MATCH AGAINST |
| owasp-crs-v030001-id942270-sqli | 1 | Looks for basic SQL injection; common attack string for MySql |
| owasp-crs-v030001-id942280-sqli | 1 | Detects Postgres pg_sleep injection |
| owasp-crs-v030001-id942290-sqli | 1 | Finds basic MongoDB SQL injection attempts |
| owasp-crs-v030001-id942320-sqli | 1 | Detects MySQL and PostgreSQL stored procedure/function injections |
| owasp-crs-v030001-id942350-sqli | 1 | Detects MySQL UDF injection and other data/structure manipulation attempts |
| owasp-crs-v030001-id942360-sqli | 1 | Detects concatenated basic SQL injection and SQLLFI attempts |
| Not included | 1 | MySQL in-line comment detected |
| owasp-crs-v030001-id942110-sqli | 2 | SQL injection attack: Common Injection Testing Detected |
| owasp-crs-v030001-id942120-sqli | 2 | SQL injection attack: SQL Operator Detected |
| Not included | 2 | SQL Injection Attack: SQL Tautology Detected |
| owasp-crs-v030001-id942150-sqli | 2 | SQL injection attack |
| owasp-crs-v030001-id942180-sqli | 2 | Detects basic SQL authentication bypass attempts 1/3 |
| owasp-crs-v030001-id942200-sqli | 2 | Detects MySQL comment-/space-obfuscated injections and backtick termination |
| owasp-crs-v030001-id942210-sqli | 2 | Detects chained SQL injection attempts 1/2 |
| owasp-crs-v030001-id942260-sqli | 2 | Detects basic SQL authentication bypass attempts 2/3 |
| owasp-crs-v030001-id942300-sqli | 2 | Detects MySQL comments |
| owasp-crs-v030001-id942310-sqli | 2 | Detects chained SQL injection attempts 2/2 |
| owasp-crs-v030001-id942330-sqli | 2 | Detects classic SQL injection probings 1/2 |
| owasp-crs-v030001-id942340-sqli | 2 | Detects basic SQL authentication bypass attempts 3/3 |
| Not included | 2 | Detects basic SQL injection based on keyword alter or union |
| Not included | 2 | Detects classic SQL injection probings 2/3 |
| owasp-crs-v030001-id942380-sqli | 2 | SQL injection attack |
| owasp-crs-v030001-id942390-sqli | 2 | SQL injection attack |
| owasp-crs-v030001-id942400-sqli | 2 | SQL injection attack |
| owasp-crs-v030001-id942410-sqli | 2 | SQL injection attack |
| Not included | 2 | SQL injection attack |
| Not included | 2 | SQL injection attack |
| owasp-crs-v030001-id942430-sqli | 2 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
| owasp-crs-v030001-id942440-sqli | 2 | SQL Comment Sequence Detected |
| owasp-crs-v030001-id942450-sqli | 2 | SQL Hex Encoding Identified |
| Not included | 2 | SQLi bypass attempt by ticks or backticks detected |
| owasp-crs-v030001-id942251-sqli | 3 | Detects HAVING injections |
| Not included | 2 | Detects classic SQL injection probings 3/3 |
| owasp-crs-v030001-id942420-sqli | 3 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) |
| owasp-crs-v030001-id942431-sqli | 3 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) |
| owasp-crs-v030001-id942460-sqli | 3 | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters |
| Not included | 3 | SQL Injection Attack Detected via libinjection |
| Not included | 3 | SQLi bypass attempt by ticks detected |
| owasp-crs-v030001-id942421-sqli | 4 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) |
| owasp-crs-v030001-id942432-sqli | 4 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2) |

You can configure a rule at a particular sensitivity level by using
evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.

CRS 3.3

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 2}) |
| 3 | evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 3}) |
| 4 | evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 4}) |

CRS 3.0

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 2}) |
| 3 | evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 3}) |
| 4 | evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 4}) |

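
The SQLi signature table and sensitivity expressions above, worked through as an added example (not code from Google or from this page): it parses the signature-ID format, lists which signatures a sensitivity setting evaluates, and picks the highest setting that avoids signatures seen matching legitimate traffic. It assumes, as with CRS paranoia levels, that a sensitivity of N evaluates every signature at level N or lower; the function names and the false-positive list are hypothetical, and the signature map is a subset copied from the CRS 3.3 SQLi table.

```python
import re

# Subset of this page's CRS 3.3 SQLi table: signature ID -> sensitivity level.
SQLI_V33_SIGNATURES = {
    "owasp-crs-v030301-id942100-sqli": 1,
    "owasp-crs-v030301-id942160-sqli": 1,
    "owasp-crs-v030301-id942130-sqli": 2,
    "owasp-crs-v030301-id942430-sqli": 2,
    "owasp-crs-v030301-id942251-sqli": 3,
    "owasp-crs-v030301-id942420-sqli": 3,
    "owasp-crs-v030301-id942431-sqli": 3,
    "owasp-crs-v030301-id942421-sqli": 4,
    "owasp-crs-v030301-id942432-sqli": 4,
}

MAX_SENSITIVITY = 4  # highest level listed for SQLi on this page

# Signature ID layout used on this page: owasp-crs-v<version>-id<rule id>-<category>
SIGNATURE_RE = re.compile(r"^owasp-crs-v(\d{6})-id(\d{6})-([a-z]+)$")
# Rule set names on this page are lowercase words joined by hyphens (e.g. sqli-v33-stable).
RULE_SET_RE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")


def parse_signature_id(signature_id):
    """Split a signature ID into (CRS version token, numeric rule ID, category)."""
    match = SIGNATURE_RE.match(signature_id)
    if match is None:
        raise ValueError("not a preconfigured WAF signature ID: %r" % (signature_id,))
    return match.group(1), int(match.group(2)), match.group(3)


def _check_sensitivity(sensitivity):
    if not isinstance(sensitivity, int) or not 1 <= sensitivity <= MAX_SENSITIVITY:
        raise ValueError("sensitivity must be an integer from 1 to %d" % MAX_SENSITIVITY)


def evaluated_at(sensitivity, signatures=SQLI_V33_SIGNATURES):
    """Signature IDs evaluated at a setting (assumption: every level <= the setting)."""
    _check_sensitivity(sensitivity)
    return sorted(sig for sig, level in signatures.items() if level <= sensitivity)


def newly_enabled(current, target, signatures=SQLI_V33_SIGNATURES):
    """Signatures that start being evaluated when sensitivity goes from current to target."""
    before = set(evaluated_at(current, signatures))
    return [sig for sig in evaluated_at(target, signatures) if sig not in before]


def highest_sensitivity_without(false_positive_ids, signatures=SQLI_V33_SIGNATURES):
    """Highest setting that evaluates none of the given signatures (0 means no setting does)."""
    levels = []
    for sig in false_positive_ids:
        parse_signature_id(sig)  # reject malformed IDs before the lookup
        if sig not in signatures:
            raise ValueError("signature not in table: %s" % sig)
        levels.append(signatures[sig])
    return min(levels) - 1 if levels else MAX_SENSITIVITY


def build_expression(rule_set, sensitivity):
    """Render the expression in the form shown in the tables on this page."""
    if RULE_SET_RE.match(rule_set) is None:
        raise ValueError("unexpected rule set name: %r" % (rule_set,))
    _check_sensitivity(sensitivity)
    return "evaluatePreconfiguredWaf('%s', {'sensitivity': %d})" % (rule_set, sensitivity)


if __name__ == "__main__":
    # Constructed scenario: these two special-character signatures matched
    # legitimate traffic while the rule was being trialled.
    noisy = [
        "owasp-crs-v030301-id942431-sqli",
        "owasp-crs-v030301-id942432-sqli",
    ]
    level = highest_sensitivity_without(noisy)
    print("highest sensitivity without the noisy signatures:", level)
    if level >= 1:
        print(build_expression("sqli-v33-stable", level))
    print("raising 2 -> 3 would add:")
    for sig in newly_enabled(2, 3):
        print("  ", sig, parse_signature_id(sig))
```
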
Cross-site scripting (XSS)
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the XSS preconfigured WAF rule.

CRS 3.3

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030301-id941100-xss | 1 | XSS Attack Detected via libinjection |
| owasp-crs-v030301-id941110-xss | 1 | XSS Filter - Category 1: Script Tag Vector |
| owasp-crs-v030301-id941120-xss | 1 | XSS Filter - Category 2: Event Handler Vector |
| owasp-crs-v030301-id941130-xss | 1 | XSS Filter - Category 3: Attribute Vector |
| owasp-crs-v030301-id941140-xss | 1 | XSS Filter - Category 4: JavaScript URI Vector |
| owasp-crs-v030301-id941160-xss | 1 | NoScript XSS InjectionChecker: HTML Injection |
| owasp-crs-v030301-id941170-xss | 1 | NoScript XSS InjectionChecker: Attribute Injection |
| owasp-crs-v030301-id941180-xss | 1 | Node-Validator Blacklist Keywords |
| owasp-crs-v030301-id941190-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941200-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941210-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941220-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941230-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941240-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941250-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941260-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941270-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941280-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941290-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941300-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941310-xss | 1 | US-ASCII Malformed Encoding XSS Filter - Attack Detected |
| owasp-crs-v030301-id941350-xss | 1 | UTF-7 Encoding IE XSS - Attack Detected |
| owasp-crs-v030301-id941360-xss | 1 | Hieroglyphy obfuscation detected |
| owasp-crs-v030301-id941370-xss | 1 | JavaScript global variable found |
| owasp-crs-v030301-id941101-xss | 2 | XSS Attack Detected via libinjection |
| owasp-crs-v030301-id941150-xss | 2 | XSS Filter - Category 5: Disallowed HTML Attributes |
| owasp-crs-v030301-id941320-xss | 2 | Possible XSS Attack Detected - HTML Tag Handler |
| owasp-crs-v030301-id941330-xss | 2 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941340-xss | 2 | IE XSS Filters - Attack Detected |
| owasp-crs-v030301-id941380-xss | 2 | AngularJS client side template injection detected |

CRS 3.0

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| Not included | 1 | XSS Attack Detected via libinjection |
| owasp-crs-v030001-id941110-xss | 1 | XSS Filter - Category 1: Script Tag Vector |
| owasp-crs-v030001-id941120-xss | 1 | XSS Filter - Category 2: Event Handler Vector |
| owasp-crs-v030001-id941130-xss | 1 | XSS Filter - Category 3: Attribute Vector |
| owasp-crs-v030001-id941140-xss | 1 | XSS Filter - Category 4: JavaScript URI Vector |
| owasp-crs-v030001-id941160-xss | 1 | NoScript XSS InjectionChecker: HTML Injection |
| owasp-crs-v030001-id941170-xss | 1 | NoScript XSS InjectionChecker: Attribute Injection |
| owasp-crs-v030001-id941180-xss | 1 | Node-Validator Blacklist Keywords |
| owasp-crs-v030001-id941190-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941200-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941210-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941220-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941230-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941240-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941250-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941260-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941270-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941280-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941290-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941300-xss | 1 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941310-xss | 1 | US-ASCII Malformed Encoding XSS Filter - Attack Detected |
| owasp-crs-v030001-id941350-xss | 1 | UTF-7 Encoding IE XSS - Attack Detected |
| Not included | 1 | JSFuck / Hieroglyphy obfuscation detected |
| Not included | 1 | JavaScript global variable found |
| Not included | 2 | XSS Attack Detected via libinjection |
| owasp-crs-v030001-id941150-xss | 2 | XSS Filter - Category 5: Disallowed HTML Attributes |
| owasp-crs-v030001-id941320-xss | 2 | Possible XSS Attack Detected - HTML Tag Handler |
| owasp-crs-v030001-id941330-xss | 2 | IE XSS Filters - Attack Detected |
| owasp-crs-v030001-id941340-xss | 2 | IE XSS Filters - Attack Detected |
| Not included | 2 | AngularJS client side template injection detected |

You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.

CRS 3.3

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 2}) |

CRS 3.0

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('xss-stable', {'sensitivity': 1}) |

Local file inclusion (LFI)
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the LFI preconfigured WAF rule.

CRS 3.3

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030301-id930100-lfi | 1 | Path Traversal Attack (/../) |
| owasp-crs-v030301-id930110-lfi | 1 | Path Traversal Attack (/../) |
| owasp-crs-v030301-id930120-lfi | 1 | OS File Access Attempt |
| owasp-crs-v030301-id930130-lfi | 1 | Restricted File Access Attempt |

CRS 3.0

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030001-id930100-lfi | 1 | Path Traversal Attack (/../) |
| owasp-crs-v030001-id930110-lfi | 1 | Path Traversal Attack (/../) |
| owasp-crs-v030001-id930120-lfi | 1 | OS File Access Attempt |
| owasp-crs-v030001-id930130-lfi | 1 | Restricted File Access Attempt |

You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All
signatures for LFI are at sensitivity level 1. The following configuration
works for all sensitivity levels:

CRS 3.3

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('lfi-v33-stable', {'sensitivity': 1}) |

CRS 3.0

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('lfi-stable', {'sensitivity': 1}) |

Remote code execution (RCE)
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the RCE preconfigured WAF rule.

CRS 3.3

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030301-id932100-rce | 1 | UNIX Command Injection |
| owasp-crs-v030301-id932105-rce | 1 | UNIX Command Injection |
| owasp-crs-v030301-id932110-rce | 1 | Windows Command Injection |
| owasp-crs-v030301-id932115-rce | 1 | Windows Command Injection |
| owasp-crs-v030301-id932120-rce | 1 | Windows PowerShell Command Found |
| owasp-crs-v030301-id932130-rce | 1 | Unix Shell Expression Found |
| owasp-crs-v030301-id932140-rce | 1 | Windows FOR/IF Command Found |
| owasp-crs-v030301-id932150-rce | 1 | Direct UNIX Command Execution |
| owasp-crs-v030301-id932160-rce | 1 | UNIX Shell Code Found |
| owasp-crs-v030301-id932170-rce | 1 | Shellshock (CVE-2014-6271) |
| owasp-crs-v030301-id932171-rce | 1 | Shellshock (CVE-2014-6271) |
| owasp-crs-v030301-id932180-rce | 1 | Restricted File Upload Attempt |
| owasp-crs-v030301-id932200-rce | 2 | RCE Bypass Technique |
| owasp-crs-v030301-id932106-rce | 3 | Remote Command Execution: Unix Command Injection |
| owasp-crs-v030301-id932190-rce | 3 | Remote Command Execution: Wildcard bypass technique attempt |

CRS 3.0

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030001-id932100-rce | 1 | UNIX Command Injection |
| owasp-crs-v030001-id932105-rce | 1 | UNIX Command Injection |
| owasp-crs-v030001-id932110-rce | 1 | Windows Command Injection |
| owasp-crs-v030001-id932115-rce | 1 | Windows Command Injection |
| owasp-crs-v030001-id932120-rce | 1 | Windows PowerShell Command Found |
| owasp-crs-v030001-id932130-rce | 1 | Unix Shell Expression Found |
| owasp-crs-v030001-id932140-rce | 1 | Windows FOR/IF Command Found |
| owasp-crs-v030001-id932150-rce | 1 | Direct UNIX Command Execution |
| owasp-crs-v030001-id932160-rce | 1 | UNIX Shell Code Found |
| owasp-crs-v030001-id932170-rce | 1 | Shellshock (CVE-2014-6271) |
| owasp-crs-v030001-id932171-rce | 1 | Shellshock (CVE-2014-6271) |
| Not included | 1 | Restricted File Upload Attempt |
| Not included | 2 | RCE Bypass Technique |
| Not included | 3 | Remote Command Execution: Unix Command Injection |
| Not included | 3 | Remote Command Execution: Wildcard bypass technique attempt |

You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All
signatures for RCE are at sensitivity level 1. The following configuration works
for all sensitivity levels:

CRS 3.3

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 2}) |
| 3 | evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 3}) |

CRS 3.0

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('rce-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('rce-stable', {'sensitivity': 2}) |
| 3 | evaluatePreconfiguredWaf('rce-stable', {'sensitivity': 3}) |

Remote file inclusion (RFI)
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the RFI preconfigured WAF rule.

CRS 3.3

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030301-id931100-rfi | 1 | URL Parameter using IP Address |
| owasp-crs-v030301-id931110-rfi | 1 | Common RFI Vulnerable Parameter Name used w/URL Payload |
| owasp-crs-v030301-id931120-rfi | 1 | URL Payload Used w/Trailing Question Mark Character (?) |
| owasp-crs-v030301-id931130-rfi | 2 | Off-Domain Reference/Link |

CRS 3.0

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030001-id931100-rfi | 1 | URL Parameter using IP Address |
| owasp-crs-v030001-id931110-rfi | 1 | Common RFI Vulnerable Parameter Name used w/URL Payload |
| owasp-crs-v030001-id931120-rfi | 1 | URL Payload Used w/Trailing Question Mark Character (?) |
| owasp-crs-v030001-id931130-rfi | 2 | Off-Domain Reference/Link |

You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.

CRS 3.3

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('rfi-v33-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('rfi-v33-stable', {'sensitivity': 2}) |

CRS 3.0

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('rfi-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('rfi-stable', {'sensitivity': 2}) |

Method enforcement
Note: CRS 3.3 allows only the GET, HEAD, POST, and OPTIONS HTTP methods.
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the method enforcement preconfigured
rule.

CRS 3.3

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030301-id911100-methodenforcement | 1 | Method is not allowed by policy |

CRS 3.0

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030001-id911100-methodenforcement | 1 | Method is not allowed by policy |

You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.

CRS 3.3

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1}) |

CRS 3.0

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('methodenforcement-stable', {'sensitivity': 1}) |

Scanner detection
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the scanner detection preconfigured
rule.

CRS 3.3

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030301-id913100-scannerdetection | 1 | Found User-Agent associated with security scanner |
| owasp-crs-v030301-id913110-scannerdetection | 1 | Found request header associated with security scanner |
| owasp-crs-v030301-id913120-scannerdetection | 1 | Found request filename/argument associated with security scanner |
| owasp-crs-v030301-id913101-scannerdetection | 2 | Found User-Agent associated with scripting/generic HTTP client |
| owasp-crs-v030301-id913102-scannerdetection | 2 | Found User-Agent associated with web crawler/bot |

CRS 3.0

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030001-id913100-scannerdetection | 1 | Found User-Agent associated with security scanner |
| owasp-crs-v030001-id913110-scannerdetection | 1 | Found request header associated with security scanner |
| owasp-crs-v030001-id913120-scannerdetection | 1 | Found request filename/argument associated with security scanner |
| owasp-crs-v030001-id913101-scannerdetection | 2 | Found User-Agent associated with scripting/generic HTTP client |
| owasp-crs-v030001-id913102-scannerdetection | 2 | Found User-Agent associated with web crawler/bot |

You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.

CRS 3.3

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('scannerdetection-v33-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('scannerdetection-v33-stable', {'sensitivity': 2}) |

CRS 3.0

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('scannerdetection-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('scannerdetection-stable', {'sensitivity': 2}) |

Protocol attack
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the protocol attack preconfigured
rule.

CRS 3.3

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| Not included | 1 | HTTP Request Smuggling Attack |
| owasp-crs-v030301-id921110-protocolattack | 1 | HTTP Request Smuggling Attack |
| owasp-crs-v030301-id921120-protocolattack | 1 | HTTP Response Splitting Attack |
| owasp-crs-v030301-id921130-protocolattack | 1 | HTTP Response Splitting Attack |
| owasp-crs-v030301-id921140-protocolattack | 1 | HTTP Header Injection Attack via headers |
| owasp-crs-v030301-id921150-protocolattack | 1 | HTTP Header Injection Attack via payload (CR/LF detected) |
| owasp-crs-v030301-id921160-protocolattack | 1 | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
| owasp-crs-v030301-id921190-protocolattack | 1 | HTTP Splitting (CR/LF in request filename detected) |
| owasp-crs-v030301-id921200-protocolattack | 1 | LDAP Injection Attack |
| owasp-crs-v030301-id921151-protocolattack | 2 | HTTP Header Injection Attack via payload (CR/LF detected) |
| owasp-crs-v030301-id921170-protocolattack | 3 | HTTP Parameter Pollution |

CRS 3.0

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030001-id921100-protocolattack | 1 | HTTP Request Smuggling Attack |
| owasp-crs-v030001-id921110-protocolattack | 1 | HTTP Request Smuggling Attack |
| owasp-crs-v030001-id921120-protocolattack | 1 | HTTP Response Splitting Attack |
| owasp-crs-v030001-id921130-protocolattack | 1 | HTTP Response Splitting Attack |
| owasp-crs-v030001-id921140-protocolattack | 1 | HTTP Header Injection Attack via headers |
| owasp-crs-v030001-id921150-protocolattack | 1 | HTTP Header Injection Attack via payload (CR/LF detected) |
| owasp-crs-v030001-id921160-protocolattack | 1 | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
| Not included | 1 | HTTP Splitting (CR/LF in request filename detected) |
| Not included | 1 | LDAP Injection Attack |
| owasp-crs-v030001-id921151-protocolattack | 2 | HTTP Header Injection Attack via payload (CR/LF detected) |
| owasp-crs-v030001-id921170-protocolattack | 3 | HTTP Parameter Pollution |

You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.

CRS 3.3

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 2}) |
| 3 | evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 3}) |

CRS 3.0

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('protocolattack-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('protocolattack-stable', {'sensitivity': 2}) |
| 3 | evaluatePreconfiguredWaf('protocolattack-stable', {'sensitivity': 3}) |

PHP
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the PHP preconfigured WAF rule.

CRS 3.3

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030301-id933100-php | 1 | PHP Injection Attack: PHP Open Tag Found |
| owasp-crs-v030301-id933110-php | 1 | PHP Injection Attack: PHP Script File Upload Found |
| owasp-crs-v030301-id933120-php | 1 | PHP Injection Attack: Configuration Directive Found |
| owasp-crs-v030301-id933130-php | 1 | PHP Injection Attack: Variables Found |
| owasp-crs-v030301-id933140-php | 1 | PHP Injection Attack: I/O Stream Found |
| owasp-crs-v030301-id933200-php | 1 | PHP Injection Attack: Wrapper scheme detected |
| owasp-crs-v030301-id933150-php | 1 | PHP Injection Attack: High-Risk PHP Function Name Found |
| owasp-crs-v030301-id933160-php | 1 | PHP Injection Attack: High-Risk PHP Function Call Found |
| owasp-crs-v030301-id933170-php | 1 | PHP Injection Attack: Serialized Object Injection |
| owasp-crs-v030301-id933180-php | 1 | PHP Injection Attack: Variable Function Call Found |
| owasp-crs-v030301-id933210-php | 1 | PHP Injection Attack: Variable Function Call Found |
| owasp-crs-v030301-id933151-php | 2 | PHP Injection Attack: Medium-Risk PHP Function Name Found |
| owasp-crs-v030301-id933131-php | 3 | PHP Injection Attack: Variables Found |
| owasp-crs-v030301-id933161-php | 3 | PHP Injection Attack: Low-Value PHP Function Call Found |
| owasp-crs-v030301-id933111-php | 3 | PHP Injection Attack: PHP Script File Upload Found |
| owasp-crs-v030301-id933190-php | 3 | PHP Injection Attack: PHP Closing Tag Found |

CRS 3.0

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030001-id933100-php | 1 | PHP Injection Attack: PHP Open Tag Found |
| owasp-crs-v030001-id933110-php | 1 | PHP Injection Attack: PHP Script File Upload Found |
| owasp-crs-v030001-id933120-php | 1 | PHP Injection Attack: Configuration Directive Found |
| owasp-crs-v030001-id933130-php | 1 | PHP Injection Attack: Variables Found |
| owasp-crs-v030001-id933140-php | 1 | PHP Injection Attack: I/O Stream Found |
| Not included | 1 | PHP Injection Attack: Wrapper scheme detected |
| owasp-crs-v030001-id933150-php | 1 | PHP Injection Attack: High-Risk PHP Function Name Found |
| owasp-crs-v030001-id933160-php | 1 | PHP Injection Attack: High-Risk PHP Function Call Found |
| owasp-crs-v030001-id933170-php | 1 | PHP Injection Attack: Serialized Object Injection |
| owasp-crs-v030001-id933180-php | 1 | PHP Injection Attack: Variable Function Call Found |
| Not included | 1 | PHP Injection Attack: Variable Function Call Found |
| owasp-crs-v030001-id933151-php | 2 | PHP Injection Attack: Medium-Risk PHP Function Name Found |
| owasp-crs-v030001-id933131-php | 3 | PHP Injection Attack: Variables Found |
| owasp-crs-v030001-id933161-php | 3 | PHP Injection Attack: Low-Value PHP Function Call Found |
| owasp-crs-v030001-id933111-php | 3 | PHP Injection Attack: PHP Script File Upload Found |
| Not included | 3 | PHP Injection Attack: PHP Closing Tag Found |

You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.

CRS 3.3

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('php-v33-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('php-v33-stable', {'sensitivity': 2}) |
| 3 | evaluatePreconfiguredWaf('php-v33-stable', {'sensitivity': 3}) |

CRS 3.0

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('php-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('php-stable', {'sensitivity': 2}) |
| 3 | evaluatePreconfiguredWaf('php-stable', {'sensitivity': 3}) |

Session fixation
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the session fixation preconfigured
rule.
CRS 3.3

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030301-id943100-sessionfixation | 1 | Possible Session Fixation Attack: Setting Cookie Values in HTML |
| owasp-crs-v030301-id943110-sessionfixation | 1 | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
| owasp-crs-v030301-id943120-sessionfixation | 1 | Possible Session Fixation Attack: SessionID Parameter Name with No Referer |

CRS 3.0

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030001-id943100-sessionfixation | 1 | Possible Session Fixation Attack: Setting Cookie Values in HTML |
| owasp-crs-v030001-id943110-sessionfixation | 1 | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
| owasp-crs-v030001-id943120-sessionfixation | 1 | Possible Session Fixation Attack: SessionID Parameter Name with No Referer |
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All signatures for session fixation are at sensitivity level 1. The following configuration works for all sensitivity levels:

CRS 3.3

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('sessionfixation-v33-stable', {'sensitivity': 1}) |

CRS 3.0

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('sessionfixation-stable', {'sensitivity': 1}) |
Java attack
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the Java attack preconfigured
rule.
CRS 3.3

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030301-id944100-java | 1 | Remote Command Execution: Suspicious Java class detected |
| owasp-crs-v030301-id944110-java | 1 | Remote Command Execution: Java process spawn (CVE-2017-9805) |
| owasp-crs-v030301-id944120-java | 1 | Remote Command Execution: Java serialization (CVE-2015-4852) |
| owasp-crs-v030301-id944130-java | 1 | Suspicious Java class detected |
| owasp-crs-v030301-id944200-java | 2 | Magic bytes detected, probable Java serialization in use |
| owasp-crs-v030301-id944210-java | 2 | Magic bytes detected Base64 encoded, probable Java serialization in use |
| owasp-crs-v030301-id944240-java | 2 | Remote Command Execution: Java serialization (CVE-2015-4852) |
| owasp-crs-v030301-id944250-java | 2 | Remote Command Execution: Suspicious Java method detected |
| owasp-crs-v030301-id944300-java | 3 | Base64 encoded string matched suspicious keyword |

CRS 3.0

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| Not included | 1 | Remote Command Execution: Suspicious Java class detected |
| Not included | 1 | Remote Command Execution: Java process spawn (CVE-2017-9805) |
| Not included | 1 | Remote Command Execution: Java serialization (CVE-2015-4852) |
| Not included | 1 | Suspicious Java class detected |
| Not included | 2 | Magic bytes detected, probable Java serialization in use |
| Not included | 2 | Magic bytes detected Base64 encoded, probable Java serialization in use |
| Not included | 2 | Remote Command Execution: Java serialization (CVE-2015-4852) |
| Not included | 2 | Remote Command Execution: Suspicious Java method detected |
| Not included | 3 | Base64 encoded string matched suspicious keyword |
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Google Cloud Armor evaluates all signatures.

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 2}) |
| 3 | evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 3}) |
NodeJS attack
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the NodeJS attack preconfigured
rule.
The following preconfigured WAF rule signatures are only included in CRS
3.3.
CRS 3.3

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030301-id934100-nodejs | 1 | Node.js Injection Attack |

CRS 3.0

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| Not included | 1 | Node.js Injection Attack |
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All signatures for NodeJS attack are at sensitivity level 1. The following configuration works for other sensitivity levels:

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('nodejs-v33-stable', {'sensitivity': 1}) |
CVEs and other vulnerabilities
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the CVE Log4j RCE vulnerability
preconfigured rule.
| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-v030001-id044228-cve | 1 | Base rule to help detect exploit attempts of CVE-2021-44228 & CVE-2021-45046 |
| owasp-crs-v030001-id144228-cve | 1 | Google-provided enhancements to cover more bypass and obfuscation attempts |
| owasp-crs-v030001-id244228-cve | 3 | Increased sensitivity of detection to target even more bypass and obfuscation attempts, with nominal increase in risk of false positive detection |
| owasp-crs-v030001-id344228-cve | 3 | Increased sensitivity of detection to target even more bypass and obfuscation attempts using base64 encoding, with nominal increase in risk of false positive detection |
You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Google Cloud Armor evaluates all signatures.

| Sensitivity level | Expression |
|---|---|
| 1 | evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 1}) |
| 2 | evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 2}) |
| 3 | evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 3}) |
JSON-formatted content SQLi vulnerability
The following table provides the signature ID, sensitivity level, and description of the supported signature 942550-sqli, which covers the vulnerability in which malicious attackers can bypass the WAF by appending JSON syntax to SQL injection payloads.

| Signature ID (Rule ID) | Sensitivity level | Description |
|---|---|---|
| owasp-crs-id942550-sqli | 2 | Detects all JSON-based SQLi vectors, including SQLi signatures found in the URL |

Use the following expression to deploy the signature:

evaluatePreconfiguredWaf('json-sqli-canary', {'sensitivity':0, 'opt_in_rule_ids': ['owasp-crs-id942550-sqli']})

We recommend that you also enable sqli-v33-stable at sensitivity level 2 to fully address JSON-based SQL injection bypasses.
Limitations
Google Cloud Armor preconfigured WAF rules have the following limitations:

- WAF rule changes typically take several minutes to propagate.
- Among the HTTP request types with a request body, Google Cloud Armor processes only POST requests. Google Cloud Armor evaluates preconfigured rules against the first 8 KB of POST body content. For more information, see POST body inspection limitation.
- Google Cloud Armor can parse and apply preconfigured WAF rules when JSON parsing is enabled with a matching Content-Type header value. For more information, see JSON parsing.
- When you have a request field exclusion attached to a preconfigured WAF rule, you can't use the allow action. Requests matching the exception are automatically allowed.
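The body-inspection limitations above can be turned into a coverage audit over your own request records, so you know which routes must rely on backend validation. The following Python is an added example, not Google's code; the record fields (method, path, content_type, body_bytes), the reading of "8 KB" as 8 * 1024 bytes, and application/json as the matching Content-Type value are assumptions.

```python
# Added example. Records below are constructed and are not a Cloud Logging schema.
INSPECTED_BODY_BYTES = 8 * 1024          # "first 8 KB" from the limitation (1 KB = 1024 bytes assumed)
JSON_CONTENT_TYPE = "application/json"   # assumed matching Content-Type value


def coverage_gaps(req, json_parsing_enabled):
    """Return the reasons preconfigured WAF rules do not fully cover this request body."""
    gaps = []
    body = req.get("body_bytes", 0)
    if body == 0:
        return gaps  # no body, so the body limitations do not apply
    method = req["method"].upper()
    if method != "POST":
        gaps.append(f"{method} body is not processed (only POST bodies are)")
        return gaps
    if body > INSPECTED_BODY_BYTES:
        gaps.append(f"{body - INSPECTED_BODY_BYTES} bytes lie past the inspected first 8 KB")
    # Strip parameters such as "; charset=utf-8" before comparing the media type.
    ctype = req.get("content_type", "").split(";")[0].strip().lower()
    if ctype == JSON_CONTENT_TYPE and not json_parsing_enabled:
        gaps.append("JSON body, but JSON parsing is not enabled on the policy")
    return gaps


def audit(requests, json_parsing_enabled=False):
    """Group gaps by (method, path) so route owners can add size limits or validation."""
    report = {}
    for req in requests:
        gaps = coverage_gaps(req, json_parsing_enabled)
        if gaps:
            report.setdefault((req["method"].upper(), req["path"]), set()).update(gaps)
    return report


SAMPLE = [  # constructed request records
    {"method": "POST", "path": "/login", "content_type": "application/x-www-form-urlencoded", "body_bytes": 120},
    {"method": "POST", "path": "/upload", "content_type": "multipart/form-data; boundary=x", "body_bytes": 20000},
    {"method": "PUT", "path": "/api/items/7", "content_type": "application/json", "body_bytes": 300},
    {"method": "POST", "path": "/api/search", "content_type": "application/json; charset=utf-8", "body_bytes": 512},
    {"method": "GET", "path": "/", "content_type": "", "body_bytes": 0},
]

if __name__ == "__main__":
    for (method, path), gaps in sorted(audit(SAMPLE).items()):
        for gap in sorted(gaps):
            print(f"{method} {path}: {gap}")
```

Routes that appear in the report are candidates for request-size limits, stricter method handling, or server-side input validation, because the preconfigured rules see only part of those bodies or none of them.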
What's next