Use-case specific rule groups provide incremental protection for many diverse AWS WAF use cases. Choose the rule groups that apply to your application.
VendorName: AWS
, Name: AWSManagedRulesSQLiRuleSet
, WCU: 200
The SQL database rule group contains rules to block request patterns associated with exploitation of SQL databases, like SQL injection attacks. This can help prevent remote injection of unauthorized queries. Evaluate this rule group for use if your application interfaces with an SQL database.
Rule name | Description and label |
---|---|
SQLi_QUERYARGUMENTS | Uses the built-in AWS WAF SQL injection attack rule statement, with sensitivity level set to Low, to inspect the values of all query parameters for patterns that match malicious SQL code. Rule action: Block Label: awswaf:managed:aws:sql-database:SQLi_QueryArguments |
SQLiExtendedPatterns_QUERYARGUMENTS | Inspects the values of all query parameters for patterns that match malicious SQL code. The patterns this rule inspects for aren't covered by the rule SQLi_QUERYARGUMENTS . Rule action: Block awswaf:managed:aws:sql-database:SQLiExtendedPatterns_QueryArguments |
SQLi_BODY | Uses the built-in AWS WAF SQL injection attack rule statement, with sensitivity level set to Low, to inspect the request body for patterns that match malicious SQL code. This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies. Rule action: Block Label: awswaf:managed:aws:sql-database:SQLi_Body |
SQLiExtendedPatterns_BODY | Inspects the request body for patterns that match malicious SQL code. The patterns this rule inspects for aren't covered by the rule SQLi_BODY . This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies. Rule action: Block awswaf:managed:aws:sql-database:SQLiExtendedPatterns_Body |
SQLi_COOKIE | Uses the built-in AWS WAF SQL injection attack rule statement, with sensitivity level set to Low, to inspect the request cookie headers for patterns that match malicious SQL code. This rule only inspects the first 8 KB of the request cookies or the first 200 cookies, whichever limit is reached first. For information, see Inspection of the request body, headers, and cookies. Rule action: Block Label: awswaf:managed:aws:sql-database:SQLi_Cookie |
VendorName: AWS
, Name: AWSManagedRulesLinuxRuleSet
, WCU: 200
The Linux operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Linux, including Linux-specific Local File Inclusion (LFI) attacks. This can help prevent attacks that expose file contents or run code for which the attacker should not have had access. You should evaluate this rule group if any part of your application runs on Linux. You should use this rule group in conjunction with the POSIX operating system rule group.
Rule name | Description and label |
---|---|
LFI_URIPATH | Inspects the request path for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like /proc/version , which could provide operating system information to attackers. Rule action: Block Label: awswaf:managed:aws:linux-os:LFI_URIPath |
LFI_QUERYSTRING | Inspects the values of querystring for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like /proc/version , which could provide operating system information to attackers. Rule action: Block Label: awswaf:managed:aws:linux-os:LFI_QueryString |
LFI_COOKIE | Inspects the request cookie headers for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like /proc/version , which could provide operating system information to attackers. This rule only inspects the first 8 KB of the request cookies or the first 200 cookies, whichever limit is reached first. For information, see Inspection of the request body, headers, and cookies. Rule action: Block Label: awswaf:managed:aws:linux-os:LFI_Cookie |
VendorName: AWS
, Name: AWSManagedRulesUnixRuleSet
, WCU: 100
The POSIX operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to POSIX and POSIX-like operating systems, including Local File Inclusion (LFI) attacks. This can help prevent attacks that expose file contents or run code for which the attacker should not have had access. You should evaluate this rule group if any part of your application runs on a POSIX or POSIX-like operating system, including Linux, AIX, HP-UX, macOS, Solaris, FreeBSD, and OpenBSD.
Rule name | Description and label |
---|---|
UNIXShellCommandsVariables_QUERYARGUMENTS | Inspects the values of all query parameters for attempts to exploit command injection, LFI, and path traversal vulnerabilities in web applications that run on Unix systems. Examples include patterns like echo $HOME and echo $PATH . Rule action: Block Label: awswaf:managed:aws:posix-os:UNIXShellCommandsVariables_QueryArguments |
UNIXShellCommandsVariables_BODY | Inspects the request body for attempts to exploit command injection, LFI, and path traversal vulnerabilities in web applications that run on Unix systems. Examples include patterns like echo $HOME and echo $PATH . This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies. Rule action: Block Label: awswaf:managed:aws:posix-os:UNIXShellCommandsVariables_Body |
VendorName: AWS
, Name: AWSManagedRulesWindowsRuleSet
, WCU: 200
The Windows operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Windows, like remote execution of PowerShell commands. This can help prevent exploitation of vulnerabilities that allow an attacker to run unauthorized commands or run malicious code. Evaluate this rule group if any part of your application runs on a Windows operating system.
Rule name | Description and label |
---|---|
WindowsShellCommands_COOKIE | Inspects the request cookie headers for WindowsShell command injection attempts in web applications. The match patterns represent WindowsShell commands. Example patterns include ||nslookup and ;cmd . This rule only inspects the first 8 KB of the request cookies or the first 200 cookies, whichever limit is reached first. For information, see Inspection of the request body, headers, and cookies. Rule action: Block Label: awswaf:managed:aws:windows-os:WindowsShellCommands_Cookie |
WindowsShellCommands_QUERYARGUMENTS | Inspects the values of all query parameters for WindowsShell command injection attempts in web applications. The match patterns represent WindowsShell commands. Example patterns include ||nslookup and ;cmd . Rule action: Block Label: awswaf:managed:aws:windows-os:WindowsShellCommands_QueryArguments |
WindowsShellCommands_BODY | Inspects the request body for WindowsShell command injection attempts in web applications. The match patterns represent WindowsShell commands. Example patterns include ||nslookup and ;cmd . This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies. Rule action: Block Label: awswaf:managed:aws:windows-os:WindowsShellCommands_Body |
PowerShellCommands_COOKIE | Inspects the request cookie headers for PowerShell command injection attempts in web applications. The match patterns represent PowerShell commands. For example, Invoke-Expression . This rule only inspects the first 8 KB of the request cookies or the first 200 cookies, whichever limit is reached first. For information, see Inspection of the request body, headers, and cookies. Rule action: Block Label: awswaf:managed:aws:windows-os:PowerShellCommands_Cookie |
PowerShellCommands_QUERYARGUMENTS | Inspects the values of all query parameters for PowerShell command injection attempts in web applications. The match patterns represent PowerShell commands. For example, Invoke-Expression . Rule action: Block Label: awswaf:managed:aws:windows-os:PowerShellCommands_QueryArguments |
PowerShellCommands_BODY | Inspects the request body for PowerShell command injection attempts in web applications. The match patterns represent PowerShell commands. For example, Invoke-Expression . This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies. Rule action: Block Label: awswaf:managed:aws:windows-os:PowerShellCommands_Body |
VendorName: AWS
, Name: AWSManagedRulesPHPRuleSet
, WCU: 100
The PHP application rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to the use of the PHP programming language, including injection of unsafe PHP functions. This can help prevent exploitation of vulnerabilities that allow an attacker to remotely run code or commands for which they are not authorized. Evaluate this rule group if PHP is installed on any server with which your application interfaces.
Rule name | Description and label |
---|---|
PHPHighRiskMethodsVariables_QUERYARGUMENTS | Inspects the values of all query parameters for PHP script code injection attempts. Example patterns include functions like fsockopen and the $_GET superglobal variable. Rule action: Block Label: awswaf:managed:aws:php-app:PHPHighRiskMethodsVariables_QueryArguments |
PHPHighRiskMethodsVariables_BODY | Inspects the values of the request body for PHP script code injection attempts. Example patterns include functions like fsockopen and the $_GET superglobal variable. This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies. Rule action: Block Label: awswaf:managed:aws:php-app:PHPHighRiskMethodsVariables_Body |
VendorName: AWS
, Name: AWSManagedRulesWordPressRuleSet
, WCU: 100
The WordPress application rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to WordPress sites. You should evaluate this rule group if you are running WordPress. This rule group should be used in conjunction with the SQL database and PHP application rule groups.
Rule name | Description and label |
---|---|
WordPressExploitableCommands_QUERYSTRING | Inspects the request query string for high risk WordPress commands that can be exploited in vulnerable installations or plugins. Examples patterns include commands like do-reset-wordpress . Rule action: Block Label: awswaf:managed:aws:wordpress-app:WordPressExploitableCommands_QueryString |
WordPressExploitablePaths_URIPATH | Inspects the request URI path for WordPress files like xmlrpc.php , which are known to have easily exploitable vulnerabilities. Rule action: Block Label: awswaf:managed:aws:wordpress-app:WordPressExploitablePaths_URIPath |