Web Application Firewall Rulesets
  • 28 Dec 2021

Snapt Aria provides a default ruleset that can be used as-is and does not need any modifications to function correctly.

We advise against changing any settings unless you are an advanced user, as changes can compromise the security of your system and allow exploits. That said, we have tried to make it as simple as possible to get started with the web application firewall module.

You can improve the security of your system and prevent users from exploiting common security vulnerabilities by following the steps set out below.

Here are some terms you need to understand before getting started.

  • Ruleset – Global rules used across all your web accelerator front-ends;
  • Rules – Rules in the ruleset;
  • Triggers – Triggers are counters which accumulate a score when a rule has been triggered by a user – these determine how long before a user gets blocked;
  • Exceptions – Exceptions are used to define specific criteria when a rule should not be triggered (usually when a keyword is being used that should not trigger the rule);
  • Weights – Weights are the scores set to each trigger.

Creating a Ruleset

Rulesets should only be created if there are rules that you wish to modify, add or remove. To make this possible while keeping the current security integrity, you can clone the default ruleset.

01-Clone-Ruleset-Snapt-Aria

Once you have created the ruleset, you can then click "Edit" to make any changes that you might need.

02-Edit-Ruleset

Rulesets are global configurations, so only one can be enabled at a time. Simply click on “Enable” to set the ruleset you want to activate.

Edit will allow you to modify the rules within that ruleset.

Once you have clicked edit you will then be able to edit/delete a core rule. If you delete a default rule, you can add it back from the list right at the bottom.

This was added to help reset default rules to their original state, or to add them back in case they were removed by accident.

03-Snapt-Aria-Default-Rules

When editing a core rule you will be able to define matching criteria, what message should be displayed, in which areas the check should be done and what this rule will contribute to the total block score.

04-Snapt-Aria-Match-Criteria

Creating new Rules

New rules can be created by navigating to WAF -> WAF Management -> Rule Definitions from the main menu.

05-Create-new-WAF-Rule-Snapt-Aria

Using Trigger sets on your Front-end Servers

Triggers define when a user should be blocked by setting the maximum score a user can reach before being blocked. Each rule hit adds to the total score for a specific trigger, and when that trigger has hit its maximum score, it will block the user's request.

06-Ruleset-Triggers-Snapt-Aria

You are able to create different types of triggers to be used for different front-ends. This is especially useful if you have a front-end that is being blocked because a certain behavior is being seen as malicious. Simply disable the trigger and link it to your front-end.

If you have a specific keyword being used that is being blocked by a rule, you can then create an exception to ignore it. This is referred to as whitelisting.

07-WAF-Exceptions-Snapt-Aria
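
The following is an added illustration of how rules, weights, triggers and exceptions interact; it is not Snapt Aria's implementation or configuration format. The class and field names, the sample rules and requests, and the assumption that scores accumulate per client across requests are all constructed for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    pattern: str            # matching criteria (regex), hypothetical format
    areas: tuple            # request areas to check, e.g. ("args", "body")
    trigger: str            # trigger (counter) this rule contributes to
    weight: int             # score added to the trigger per hit
    exceptions: tuple = ()  # whitelisted keywords that suppress the rule

@dataclass
class Waf:
    rules: list
    max_scores: dict        # enabled triggers: name -> maximum score before blocking
    scores: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(int)))

    def inspect(self, client, request):
        """Score one request; return (blocked, [names of rules hit])."""
        hits = []
        for rule in self.rules:
            if rule.trigger not in self.max_scores:  # trigger disabled for this front-end
                continue
            for area in rule.areas:
                value = request.get(area, "")
                if any(exc in value for exc in rule.exceptions):
                    continue                         # exception applies: no hit for this area
                if re.search(rule.pattern, value, re.I):
                    self.scores[client][rule.trigger] += rule.weight
                    hits.append(rule.name)
                    break
        # Block once any enabled trigger has reached its maximum score.
        return any(self.scores[client][t] >= m for t, m in self.max_scores.items()), hits

def demo():
    rules = [  # constructed sample rules
        Rule("sqli-union", r"\bunion\b.+\bselect\b", ("args", "body"), "sqli", 5,
             exceptions=("Union Select Committee",)),
        Rule("xss-script", r"<script\b", ("args", "body"), "xss", 4),
    ]
    waf = Waf(rules, {"sqli": 10, "xss": 8})
    requests = [  # constructed sample requests from one client
        {"args": "q=Student Union Select Committee"},  # whitelisted keyword, no hit
        {"args": "id=1 UNION SELECT 1"},               # sqli score 5
        {"body": "<script>x</script>"},                # xss score 4
        {"args": "id=2 union select 2"},               # sqli score 10, blocked
    ]
    return [waf.inspect("198.51.100.7", r) for r in requests]
```

Leaving a trigger out of `max_scores` models a disabled trigger: its rules no longer contribute to blocking on that front-end.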

Linking trigger to front-end

From your Accelerator front-end settings, you will now see your trigger available for selection.

This will apply all the settings based on the ruleset rules to your front-end, using the trigger to determine when a user should be blocked.

08-Snapt-Aria-link-triggers

Reload your Accelerator for all changes to take effect.