Google Cloud Armor preconfigured WAF rules overview
Stay organized with collections
Save and categorize content based on your preferences.
Google Cloud Armor preconfigured WAF rules are complex web application firewall (WAF)
rules with dozens of signatures that are compiled from open source industry
standards. Each signature corresponds to an attack detection
rule in the ruleset. Google offers these rules as-is. The rules allow
Google Cloud Armor to evaluate dozens of distinct traffic signatures by
referring to conveniently named rules rather than requiring you to define
each signature manually.
The following table contains a comprehensive list of preconfigured WAF rules
that are available for use in a Google Cloud Armor security policy. The
rule sources are ModSecurity Core Rule Set (CRS) 3.0 and
CRS 3.3.
We recommend that you use version 3.3 for increased sensitivity and for an
increased breadth of protected attack types. Support for CRS 3.0 is ongoing.
CRS 3.3
Google Cloud Armor rule name
ModSecurity rule name
Current status
SQL injection
sqli-v33-stable
In sync with sqli-v33-canary
sqli-v33-canary
Latest
Cross-site scripting
xss-v33-stable
In sync with xss-v33-canary
xss-v33-canary
Latest
Local file inclusion
lfi-v33-stable
In sync with lfi-v33-canary
lfi-v33-canary
Latest
Remote file inclusion
rfi-v33-stable
In sync with rfi-v33-canary
rfi-v33-canary
Latest
Remote code execution
rce-v33-stable
In sync with rce-v33-canary
rce-v33-canary
Latest
Method enforcement
methodenforcement-v33-stable
In sync with methodenforcement-v33-canary
methodenforcement-v33-canary
Latest
Scanner detection
scannerdetection-v33-stable
In sync with scannerdetection-v33-canary
scannerdetection-v33-canary
Latest
Protocol attack
protocolattack-v33-stable
In sync with protocolattack-v33-canary
protocolattack-v33-canary
Latest
PHP injection attack
php-v33-stable
In sync with php-v33-canary
php-v33-canary
Latest
Session fixation attack
sessionfixation-v33-stable
In sync with sessionfixation-v33-canary
sessionfixation-v33-canary
Latest
Java attack
java-v33-stable
In sync with java-v33-canary
java-v33-canary
Latest
NodeJS attack
nodejs-v33-stable
In sync with nodejs-v33-canary
nodejs-v33-canary
Latest
CRS 3.0
Google Cloud Armor rule name
ModSecurity rule name
Current status
SQL injection
sqli-stable
In sync with sqli-canary
sqli-canary
Latest
Cross-site scripting
xss-stable
In sync with xss-canary
xss-canary
Latest
Local file inclusion
lfi-stable
In sync with lfi-canary
lfi-canary
Latest
Remote file inclusion
rfi-stable
In sync with rfi-canary
rfi-canary
Latest
Remote code execution
rce-stable
In sync with rce-canary
rce-canary
Latest
Method enforcement
methodenforcement-stable
In sync with methodenforcement-canary
methodenforcement-canary
Latest
Scanner detection
scannerdetection-stable
In sync with scannerdetection-canary
scannerdetection-canary
Latest
Protocol attack
protocolattack-stable
In sync with protocolattack-canary
protocolattack-canary
Latest
PHP injection attack
php-stable
In sync with php-canary
php-canary
Latest
Session fixation attack
sessionfixation-stable
In sync with sessionfixation-canary
sessionfixation-canary
Latest
Java attack
Not included
NodeJS attack
Not included
In addition, the following cve-canary rules are available to all
Google Cloud Armor customers to help detect and optionally block the
following vulnerabilities:
CVE-2021-44228 and CVE-2021-45046 Log4j RCE vulnerabilities
942550-sqli JSON-formatted content vulnerability
Google Cloud Armor rule name
Covered vulnerability types
cve-canary
Log4j vulnerability
json-sqli-canary
JSON-based SQL injection bypass vulnerability
Preconfigured ModSecurity rules
Each preconfigured WAF rule has a sensitivity level that corresponds to a
ModSecurity
paranoia level.
A lower sensitivity level indicates a higher confidence signature, which is less
likely to generate a false positive. A higher sensitivity level increases
security, but also increases the risk of generating a false positive.
SQL injection (SQLi)
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the SQLi preconfigured WAF rule.
CRS 3.3
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030301-id942100-sqli
1
SQL Injection Attack Detected via libinjection
owasp-crs-v030301-id942140-sqli
1
SQL injection attack: Common DB Names Detected
owasp-crs-v030301-id942160-sqli
1
Detects blind SQLi tests using sleep() or benchmark()
owasp-crs-v030301-id942170-sqli
1
Detects SQL benchmark and sleep injection attempts including
conditional queries
owasp-crs-v030301-id942190-sqli
1
Detects MSSQL code execution and information gathering attempts
owasp-crs-v030301-id942220-sqli
1
Looks for integer overflow attacks
owasp-crs-v030301-id942230-sqli
1
Detects conditional SQL injection attempts
owasp-crs-v030301-id942240-sqli
1
Detects MySQL charset switch and MSSQL DoS attempts
owasp-crs-v030301-id942250-sqli
1
Detects MATCH AGAINST
owasp-crs-v030301-id942270-sqli
1
Looks for basic SQL injection; common attack string for MySql
owasp-crs-v030301-id942280-sqli
1
Detects Postgres pg_sleep injection
owasp-crs-v030301-id942290-sqli
1
Finds basic MongoDB SQL injection attempts
owasp-crs-v030301-id942320-sqli
1
Detects MySQL and PostgreSQL stored procedure/function injections
owasp-crs-v030301-id942350-sqli
1
Detects MySQL UDF injection and other data/structure manipulation
attempts
owasp-crs-v030301-id942360-sqli
1
Detects concatenated basic SQL injection and SQLLFI attempts
owasp-crs-v030301-id942500-sqli
1
MySQL in-line comment detected
owasp-crs-v030301-id942110-sqli
2
SQL injection attack: Common Injection Testing Detected
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
All signatures for XSS are below sensitivity level 2. The following
configuration works for other sensitivity levels:
XSS sensitivity level 2
evaluatePreconfiguredExpr('xss-v33-stable')
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the LFI preconfigured WAF rule.
CRS 3.3
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030301-id930100-lfi
1
Path Traversal Attack (/../)
owasp-crs-v030301-id930110-lfi
1
Path Traversal Attack (/../)
owasp-crs-v030301-id930120-lfi
1
OS File Access Attempt
owasp-crs-v030301-id930130-lfi
1
Restricted File Access Attempt
CRS 3.0
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030001-id930100-lfi
1
Path Traversal Attack (/../)
owasp-crs-v030001-id930110-lfi
1
Path Traversal Attack (/../)
owasp-crs-v030001-id930120-lfi
1
OS File Access Attempt
owasp-crs-v030001-id930130-lfi
1
Restricted File Access Attempt
You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity
levels. All signatures for LFI are at sensitivity level 1. The following
configuration works for all sensitivity levels:
LFI sensitivity level 1
evaluatePreconfiguredExpr('lfi-v33-stable')
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All
signatures for LFI are at sensitivity level 1. The following configuration
works for all sensitivity levels:
You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity
levels. The following configuration works for all sensitivity levels:
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All
signatures for RCE are at sensitivity level 1. The following configuration works
for all sensitivity levels:
All signatures for RFI are below sensitivity level 2. The following
configuration works for other sensitivity levels:
RFI sensitivity level 2
evaluatePreconfiguredExpr('rfi-v33-stable')
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the method enforcement preconfigured
rule.
CRS 3.3
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030301-id911100-methodenforcement
1
Method is not allowed by policy
CRS 3.0
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030001-id911100-methodenforcement
1
Method is not allowed by policy
You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity
levels. All signatures for Method Enforcement are at sensitivity level 1. The
following configuration works for other sensitivity levels:
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the scanner detection preconfigured
rule.
CRS 3.3
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030301-id913100-scannerdetection
1
Found User-Agent associated with security scanner
owasp-crs-v030301-id913110-scannerdetection
1
Found request header associated with security scanner
owasp-crs-v030301-id913120-scannerdetection
1
Found request filename/argument associated with security scanner
owasp-crs-v030301-id913101-scannerdetection
2
Found User-Agent associated with scripting/generic HTTP client
owasp-crs-v030301-id913102-scannerdetection
2
Found User-Agent associated with web crawler/bot
CRS 3.0
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030001-id913100-scannerdetection
1
Found User-Agent associated with security scanner
owasp-crs-v030001-id913110-scannerdetection
1
Found request header associated with security scanner
owasp-crs-v030001-id913120-scannerdetection
1
Found request filename/argument associated with security scanner
owasp-crs-v030001-id913101-scannerdetection
2
Found User-Agent associated with scripting/generic HTTP client
owasp-crs-v030001-id913102-scannerdetection
2
Found User-Agent associated with web crawler/bot
You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity
levels.
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the protocol attack preconfigured
rule.
CRS 3.3
Signature ID (Rule ID)
Sensitivity level
Description
Not included
1
HTTP Request Smuggling Attack
owasp-crs-v030301-id921110-protocolattack
1
HTTP Request Smuggling Attack
owasp-crs-v030301-id921120-protocolattack
1
HTTP Response Splitting Attack
owasp-crs-v030301-id921130-protocolattack
1
HTTP Response Splitting Attack
owasp-crs-v030301-id921140-protocolattack
1
HTTP Header Injection Attack via headers
owasp-crs-v030301-id921150-protocolattack
1
HTTP Header Injection Attack via payload (CR/LF detected)
owasp-crs-v030301-id921160-protocolattack
1
HTTP Header Injection Attack via payload (CR/LF and header-name detected)
owasp-crs-v030301-id921190-protocolattack
1
HTTP Splitting (CR/LF in request filename detected)
owasp-crs-v030301-id921200-protocolattack
1
LDAP Injection Attack
owasp-crs-v030301-id921151-protocolattack
2
HTTP Header Injection Attack via payload (CR/LF detected)
owasp-crs-v030301-id921170-protocolattack
3
HTTP Parameter Pollution
CRS 3.0
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030001-id921100-protocolattack
1
HTTP Request Smuggling Attack
owasp-crs-v030001-id921110-protocolattack
1
HTTP Request Smuggling Attack
owasp-crs-v030001-id921120-protocolattack
1
HTTP Response Splitting Attack
owasp-crs-v030001-id921130-protocolattack
1
HTTP Response Splitting Attack
owasp-crs-v030001-id921140-protocolattack
1
HTTP Header Injection Attack via headers
owasp-crs-v030001-id921150-protocolattack
1
HTTP Header Injection Attack via payload (CR/LF detected)
owasp-crs-v030001-id921160-protocolattack
1
HTTP Header Injection Attack via payload (CR/LF and header-name detected)
Not included
1
HTTP Splitting (CR/LF in request filename detected)
Not included
1
LDAP Injection Attack
owasp-crs-v030001-id921151-protocolattack
2
HTTP Header Injection Attack via payload (CR/LF detected)
owasp-crs-v030001-id921170-protocolattack
3
HTTP Parameter Pollution
You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity
levels.
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the session fixation preconfigured
rule.
CRS 3.3
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030301-id943100-sessionfixation
1
Possible Session Fixation Attack: Setting Cookie Values in HTML
owasp-crs-v030301-id943110-sessionfixation
1
Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
owasp-crs-v030301-id943120-sessionfixation
1
Possible Session Fixation Attack: SessionID Parameter Name with No Referer
CRS 3.0
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030001-id943100-sessionfixation
1
Possible Session Fixation Attack: Setting Cookie Values in HTML
owasp-crs-v030001-id943110-sessionfixation
1
Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
owasp-crs-v030001-id943120-sessionfixation
1
Possible Session Fixation Attack: SessionID Parameter Name with No Referer
You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity
levels. All signatures for session fixation are at sensitivity level 1. The following
configuration works for all sensitivity levels:
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All
signatures for session fixation are at sensitivity level 1. The following
configuration works for all sensitivity levels:
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the NodeJS attack preconfigured
rule.
The following preconfigured WAF rule signatures are only included in CRS
3.3.
CRS 3.3
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030301-id934100-nodejs
1
Node.js Injection Attack
CRS 3.0
Signature ID (Rule ID)
Sensitivity level
Description
Not included
1
Node.js Injection Attack
You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity
levels. All signatures for NodeJS attack are at sensitivity level 1. The
following configuration works for other sensitivity levels:
NodeJS sensitivity level 1
evaluatePreconfiguredExpr('nodejs-v33-stable')
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All
signatures for NodeJS attack are at sensitivity level 1. The following
configuration works for other sensitivity levels:
The following table provides the signature ID, sensitivity level, and
description of each supported signature in the CVE Log4j RCE vulnerability
preconfigured rule.
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-v030001-id044228-cve
1
Base rule to help detect exploit attempts of CVE-2021-44228
& CVE-2021-45046
owasp-crs-v030001-id144228-cve
1
Google-provided enhancements to cover more bypass and obfuscation attempts
owasp-crs-v030001-id244228-cve
3
Increased sensitivity of detection to target even more bypass and
obfuscation attempts, with nominal increase in risk of false positive detection
owasp-crs-v030001-id344228-cve
3
Increased sensitivity of detection to target even more bypass and
obfuscation attempts using base64 encoding, with nominal increase in risk of false positive detection
You can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity
levels.
Alternatively, you can configure a rule at a particular sensitivity level by
using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By
default, without configuring rule set sensitivity, Google Cloud Armor
evaluates all signatures.
The following table provides the signature ID, sensitivity level, and
description of the supported signature
942550-sqli,
which covers the vulnerability in which malicious attackers can
bypass WAF by appending JSON syntax to SQL injection payloads.
Signature ID (Rule ID)
Sensitivity level
Description
owasp-crs-id942550-sqli
2
Detects all JSON-based SQLi vectors, including SQLi signatures
found in the URL
Use the following expression to deploy the signature:
We recommend that you also enable sqli-v33-stable
at sensitivity level 2 to fully address JSON-based
SQL injection bypasses.
Limitations
Google Cloud Armor preconfigured WAF rules have the following limitations:
Among the HTTP request types with a request body, Google Cloud Armor
processes only POST requests. Google Cloud Armor evaluates preconfigured
rules against the first 8 KB of POST body content. For more information, see
POST body inspection limitation.
Google Cloud Armor can parse and apply preconfigured WAF rules when JSON
parsing is enabled with a matching Content-Type header value. For more
information, see
JSON parsing.
