Google Cloud Armor preconfigured WAF rules overview

Google Cloud Armor preconfigured WAF rules are complex web application firewall (WAF) rules with dozens of signatures that are compiled from open source industry standards. Each signature corresponds to an attack detection rule in the ruleset. Google offers these rules as-is. The rules allow Google Cloud Armor to evaluate dozens of distinct traffic signatures by referring to conveniently named rules rather than requiring you to define each signature manually.

Google Cloud Armor preconfigured WAF rules can be tuned to best suit your needs. For more information about how to tune the rules, see Tune Google Cloud Armor preconfigured WAF rules.

The following table contains a comprehensive list of preconfigured WAF rules that are available for use in a Google Cloud Armor security policy. The rule sources are ModSecurity Core Rule Set (CRS) 3.0 and CRS 3.3.2. We recommend that you use version 3.3 for increased sensitivity and for an increased breadth of protected attack types. Support for CRS 3.0 is ongoing.

CRS 3.3

Google Cloud Armor rule name ModSecurity rule name Current status
SQL injection sqli-v33-stable In sync with sqli-v33-canary
sqli-v33-canary Latest
Cross-site scripting xss-v33-stable In sync with xss-v33-canary
xss-v33-canary Latest
Local file inclusion lfi-v33-stable In sync with lfi-v33-canary
lfi-v33-canary Latest
Remote file inclusion rfi-v33-stable In sync with rfi-v33-canary
rfi-v33-canary Latest
Remote code execution rce-v33-stable In sync with rce-v33-canary
rce-v33-canary Latest
Method enforcement methodenforcement-v33-stable In sync with methodenforcement-v33-canary
methodenforcement-v33-canary Latest
Scanner detection scannerdetection-v33-stable In sync with scannerdetection-v33-canary
scannerdetection-v33-canary Latest
Protocol attack protocolattack-v33-stable In sync with protocolattack-v33-canary
protocolattack-v33-canary Latest
PHP injection attack php-v33-stable In sync with php-v33-canary
php-v33-canary Latest
Session fixation attack sessionfixation-v33-stable In sync with sessionfixation-v33-canary
sessionfixation-v33-canary Latest
Java attack java-v33-stable In sync with java-v33-canary
java-v33-canary Latest
NodeJS attack nodejs-v33-stable In sync with nodejs-v33-canary
nodejs-v33-canary Latest

CRS 3.0

Google Cloud Armor rule name ModSecurity rule name Current status
SQL injection sqli-stable In sync with sqli-canary
sqli-canary Latest
Cross-site scripting xss-stable In sync with xss-canary
xss-canary Latest
Local file inclusion lfi-stable In sync with lfi-canary
lfi-canary Latest
Remote file inclusion rfi-stable In sync with rfi-canary
rfi-canary Latest
Remote code execution rce-stable In sync with rce-canary
rce-canary Latest
Method enforcement methodenforcement-stable In sync with methodenforcement-canary
methodenforcement-canary Latest
Scanner detection scannerdetection-stable In sync with scannerdetection-canary
scannerdetection-canary Latest
Protocol attack protocolattack-stable In sync with protocolattack-canary
protocolattack-canary Latest
PHP injection attack php-stable In sync with php-canary
php-canary Latest
Session fixation attack sessionfixation-stable In sync with sessionfixation-canary
sessionfixation-canary Latest
Java attack Not included
NodeJS attack Not included

In addition, the following cve-canary rules are available to all Google Cloud Armor customers to help detect and optionally block the following vulnerabilities:

  • CVE-2021-44228 and CVE-2021-45046 Log4j RCE vulnerabilities
  • 942550-sqli JSON-formatted content vulnerability
Google Cloud Armor rule name Covered vulnerability types
cve-canary Log4j vulnerability
json-sqli-canary JSON-based SQL injection bypass vulnerability

Preconfigured ModSecurity rules

Each preconfigured WAF rule has a sensitivity level that corresponds to a ModSecurity paranoia level. A lower sensitivity level indicates a higher confidence signature, which is less likely to generate a false positive. A higher sensitivity level increases security, but also increases the risk of generating a false positive.

SQL injection (SQLi)

The following table provides the signature ID, sensitivity level, and description of each supported signature in the SQLi preconfigured WAF rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id942100-sqli 1 SQL Injection Attack Detected via libinjection
owasp-crs-v030301-id942140-sqli 1 SQL injection attack: Common DB Names Detected
owasp-crs-v030301-id942160-sqli 1 Detects blind SQLi tests using sleep() or benchmark()
owasp-crs-v030301-id942170-sqli 1 Detects SQL benchmark and sleep injection attempts including conditional queries
owasp-crs-v030301-id942190-sqli 1 Detects MSSQL code execution and information gathering attempts
owasp-crs-v030301-id942220-sqli 1 Looks for integer overflow attacks
owasp-crs-v030301-id942230-sqli 1 Detects conditional SQL injection attempts
owasp-crs-v030301-id942240-sqli 1 Detects MySQL charset switch and MSSQL DoS attempts
owasp-crs-v030301-id942250-sqli 1 Detects MATCH AGAINST
owasp-crs-v030301-id942270-sqli 1 Looks for basic SQL injection; common attack string for MySql
owasp-crs-v030301-id942280-sqli 1 Detects Postgres pg_sleep injection
owasp-crs-v030301-id942290-sqli 1 Finds basic MongoDB SQL injection attempts
owasp-crs-v030301-id942320-sqli 1 Detects MySQL and PostgreSQL stored procedure/function injections
owasp-crs-v030301-id942350-sqli 1 Detects MySQL UDF injection and other data/structure manipulation attempts
owasp-crs-v030301-id942360-sqli 1 Detects concatenated basic SQL injection and SQLLFI attempts
owasp-crs-v030301-id942500-sqli 1 MySQL in-line comment detected
owasp-crs-v030301-id942110-sqli 2 SQL injection attack: Common Injection Testing Detected
owasp-crs-v030301-id942120-sqli 2 SQL injection attack: SQL Operator Detected
owasp-crs-v030301-id942130-sqli 2 SQL Injection Attack: SQL Tautology Detected
owasp-crs-v030301-id942150-sqli 2 SQL injection attack
owasp-crs-v030301-id942180-sqli 2 Detects basic SQL authentication bypass attempts 1/3
owasp-crs-v030301-id942200-sqli 2 Detects MySQL comment-/space-obfuscated injections and backtick termination
owasp-crs-v030301-id942210-sqli 2 Detects chained SQL injection attempts 1/2
owasp-crs-v030301-id942260-sqli 2 Detects basic SQL authentication bypass attempts 2/3
owasp-crs-v030301-id942300-sqli 2 Detects MySQL comments
owasp-crs-v030301-id942310-sqli 2 Detects chained SQL injection attempts 2/2
owasp-crs-v030301-id942330-sqli 2 Detects classic SQL injection probings 1/2
owasp-crs-v030301-id942340-sqli 2 Detects basic SQL authentication bypass attempts 3/3
owasp-crs-v030301-id942361-sqli 2 Detects basic SQL injection based on keyword alter or union
owasp-crs-v030301-id942370-sqli 2 Detects classic SQL injection probings 2/3
owasp-crs-v030301-id942380-sqli 2 SQL injection attack
owasp-crs-v030301-id942390-sqli 2 SQL injection attack
owasp-crs-v030301-id942400-sqli 2 SQL injection attack
owasp-crs-v030301-id942410-sqli 2 SQL injection attack
owasp-crs-v030301-id942470-sqli 2 SQL injection attack
owasp-crs-v030301-id942480-sqli 2 SQL injection attack
owasp-crs-v030301-id942430-sqli 2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
owasp-crs-v030301-id942440-sqli 2 SQL Comment Sequence Detected
owasp-crs-v030301-id942450-sqli 2 SQL Hex Encoding Identified
owasp-crs-v030301-id942510-sqli 2 SQLi bypass attempt by ticks or backticks detected
owasp-crs-v030301-id942251-sqli 3 Detects HAVING injections
owasp-crs-v030301-id942490-sqli 3 Detects classic SQL injection probings 3/3
owasp-crs-v030301-id942420-sqli 3 Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)
owasp-crs-v030301-id942431-sqli 3 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
owasp-crs-v030301-id942460-sqli 3 Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
owasp-crs-v030301-id942101-sqli 3 SQL Injection Attack Detected via libinjection
owasp-crs-v030301-id942511-sqli 3 SQLi bypass attempt by ticks detected
owasp-crs-v030301-id942421-sqli 4 Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)
owasp-crs-v030301-id942432-sqli 4 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
Not included 1 SQL Injection Attack Detected via libinjection
owasp-crs-v030001-id942140-sqli 1 SQL injection attack: Common DB Names Detected
owasp-crs-v030001-id942160-sqli 1 Detects blind SQLi tests using sleep() or benchmark()
owasp-crs-v030001-id942170-sqli 1 Detects SQL benchmark and sleep injection attempts including conditional queries
owasp-crs-v030001-id942190-sqli 1 Detects MSSQL code execution and information gathering attempts
owasp-crs-v030001-id942220-sqli 1 Looks for integer overflow attacks
owasp-crs-v030001-id942230-sqli 1 Detects conditional SQL injection attempts
owasp-crs-v030001-id942240-sqli 1 Detects MySQL charset switch and MSSQL DoS attempts
owasp-crs-v030001-id942250-sqli 1 Detects MATCH AGAINST
owasp-crs-v030001-id942270-sqli 1 Looks for basic SQL injection; common attack string for MySql
owasp-crs-v030001-id942280-sqli 1 Detects Postgres pg_sleep injection
owasp-crs-v030001-id942290-sqli 1 Finds basic MongoDB SQL injection attempts
owasp-crs-v030001-id942320-sqli 1 Detects MySQL and PostgreSQL stored procedure/function injections
owasp-crs-v030001-id942350-sqli 1 Detects MySQL UDF injection and other data/structure manipulation attempts
owasp-crs-v030001-id942360-sqli 1 Detects concatenated basic SQL injection and SQLLFI attempts
Not included 1 MySQL in-line comment detected
owasp-crs-v030001-id942110-sqli 2 SQL injection attack: Common Injection Testing Detected
owasp-crs-v030001-id942120-sqli 2 SQL injection attack: SQL Operator Detected
Not included 2 SQL Injection Attack: SQL Tautology Detected
owasp-crs-v030001-id942150-sqli 2 SQL injection attack
owasp-crs-v030001-id942180-sqli 2 Detects basic SQL authentication bypass attempts 1/3
owasp-crs-v030001-id942200-sqli 2 Detects MySQL comment-/space-obfuscated injections and backtick termination
owasp-crs-v030001-id942210-sqli 2 Detects chained SQL injection attempts 1/2
owasp-crs-v030001-id942260-sqli 2 Detects basic SQL authentication bypass attempts 2/3
owasp-crs-v030001-id942300-sqli 2 Detects MySQL comments
owasp-crs-v030001-id942310-sqli 2 Detects chained SQL injection attempts 2/2
owasp-crs-v030001-id942330-sqli 2 Detects classic SQL injection probings 1/2
owasp-crs-v030001-id942340-sqli 2 Detects basic SQL authentication bypass attempts 3/3
Not included 2 Detects basic SQL injection based on keyword alter or union
Not included 2 Detects classic SQL injection probings 2/3
owasp-crs-v030001-id942380-sqli 2 SQL injection attack
owasp-crs-v030001-id942390-sqli 2 SQL injection attack
owasp-crs-v030001-id942400-sqli 2 SQL injection attack
owasp-crs-v030001-id942410-sqli 2 SQL injection attack
Not included 2 SQL injection attack
Not included 2 SQL injection attack
owasp-crs-v030001-id942430-sqli 2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
owasp-crs-v030001-id942440-sqli 2 SQL Comment Sequence Detected
owasp-crs-v030001-id942450-sqli 2 SQL Hex Encoding Identified
Not included 2 SQLi bypass attempt by ticks or backticks detected
owasp-crs-v030001-id942251-sqli 3 Detects HAVING injections
Not included 2 Detects classic SQL injection probings 3/3
owasp-crs-v030001-id942420-sqli 3 Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)
owasp-crs-v030001-id942431-sqli 3 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
owasp-crs-v030001-id942460-sqli 3 Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
Not included 3 SQL Injection Attack Detected via libinjection
Not included 3 SQLi bypass attempt by ticks detected
owasp-crs-v030001-id942421-sqli 4 Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)
owasp-crs-v030001-id942432-sqli 4 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity levels.

SQLi sensitivity level 1

evaluatePreconfiguredExpr('sqli-v33-stable',
['owasp-crs-v030301-id942110-sqli',
  'owasp-crs-v030301-id942120-sqli',
  'owasp-crs-v030301-id942130-sqli',
  'owasp-crs-v030301-id942150-sqli',
  'owasp-crs-v030301-id942180-sqli',
  'owasp-crs-v030301-id942200-sqli',
  'owasp-crs-v030301-id942210-sqli',
  'owasp-crs-v030301-id942260-sqli',
  'owasp-crs-v030301-id942300-sqli',
  'owasp-crs-v030301-id942310-sqli',
  'owasp-crs-v030301-id942330-sqli',
  'owasp-crs-v030301-id942340-sqli',
  'owasp-crs-v030301-id942361-sqli',
  'owasp-crs-v030301-id942370-sqli',
  'owasp-crs-v030301-id942380-sqli',
  'owasp-crs-v030301-id942390-sqli',
  'owasp-crs-v030301-id942400-sqli',
  'owasp-crs-v030301-id942410-sqli',
  'owasp-crs-v030301-id942470-sqli',
  'owasp-crs-v030301-id942480-sqli',
  'owasp-crs-v030301-id942430-sqli',
  'owasp-crs-v030301-id942440-sqli',
  'owasp-crs-v030301-id942450-sqli',
  'owasp-crs-v030301-id942510-sqli',
  'owasp-crs-v030301-id942251-sqli',
  'owasp-crs-v030301-id942490-sqli',
  'owasp-crs-v030301-id942420-sqli',
  'owasp-crs-v030301-id942431-sqli',
  'owasp-crs-v030301-id942460-sqli',
  'owasp-crs-v030301-id942101-sqli',
  'owasp-crs-v030301-id942511-sqli',
  'owasp-crs-v030301-id942421-sqli',
  'owasp-crs-v030301-id942432-sqli']
)
          
SQLi sensitivity level 2

evaluatePreconfiguredExpr('sqli-v33-stable',
 ['owasp-crs-v030301-id942251-sqli',
  'owasp-crs-v030301-id942490-sqli',
  'owasp-crs-v030301-id942420-sqli',
  'owasp-crs-v030301-id942431-sqli',
  'owasp-crs-v030301-id942460-sqli',
  'owasp-crs-v030301-id942101-sqli',
  'owasp-crs-v030301-id942511-sqli',
  'owasp-crs-v030301-id942421-sqli',
  'owasp-crs-v030301-id942432-sqli']
)
SQLi sensitivity level 3

evaluatePreconfiguredExpr('sqli-v33-stable',
        ['owasp-crs-v030301-id942421-sqli',
         'owasp-crs-v030301-id942432-sqli']
         )
SQLi sensitivity level 4

evaluatePreconfiguredExpr('sqli-v33-stable')

Alternatively, you can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Google Cloud Armor evaluates all signatures.

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 3})
4 evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 4})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 3})
4 evaluatePreconfiguredWaf('sqli-stable', {'sensitivity': 4})

Cross-site scripting (XSS)

The following table provides the signature ID, sensitivity level, and description of each supported signature in the XSS preconfigured WAF rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id941100-xss 1 XSS Attack Detected via libinjection
owasp-crs-v030301-id941110-xss 1 XSS Filter - Category 1: Script Tag Vector
owasp-crs-v030301-id941120-xss 1 XSS Filter - Category 2: Event Handler Vector
owasp-crs-v030301-id941130-xss 1 XSS Filter - Category 3: Attribute Vector
owasp-crs-v030301-id941140-xss 1 XSS Filter - Category 4: JavaScript URI Vector
owasp-crs-v030301-id941160-xss 1 NoScript XSS InjectionChecker: HTML Injection
owasp-crs-v030301-id941170-xss 1 NoScript XSS InjectionChecker: Attribute Injection
owasp-crs-v030301-id941180-xss 1 Node-Validator Blacklist Keywords
owasp-crs-v030301-id941190-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941200-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941210-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941220-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941230-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941240-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941250-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941260-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941270-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941280-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941290-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941300-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941310-xss 1 US-ASCII Malformed Encoding XSS Filter - Attack Detected
owasp-crs-v030301-id941350-xss 1 UTF-7 Encoding IE XSS - Attack Detected
owasp-crs-v030301-id941360-xss 1 Hieroglyphy obfuscation detected
owasp-crs-v030301-id941370-xss 1 JavaScript global variable found
owasp-crs-v030301-id941101-xss 2 XSS Attack Detected via libinjection
owasp-crs-v030301-id941150-xss 2 XSS Filter - Category 5: Disallowed HTML Attributes
owasp-crs-v030301-id941320-xss 2 Possible XSS Attack Detected - HTML Tag Handler
owasp-crs-v030301-id941330-xss 2 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941340-xss 2 IE XSS Filters - Attack Detected
owasp-crs-v030301-id941380-xss 2 AngularJS client side template injection detected

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
Not included 1 XSS Attack Detected via libinjection
owasp-crs-v030001-id941110-xss 1 XSS Filter - Category 1: Script Tag Vector
owasp-crs-v030001-id941120-xss 1 XSS Filter - Category 2: Event Handler Vector
owasp-crs-v030001-id941130-xss 1 XSS Filter - Category 3: Attribute Vector
owasp-crs-v030001-id941140-xss 1 XSS Filter - Category 4: JavaScript URI Vector
owasp-crs-v030001-id941160-xss 1 NoScript XSS InjectionChecker: HTML Injection
owasp-crs-v030001-id941170-xss 1 NoScript XSS InjectionChecker: Attribute Injection
owasp-crs-v030001-id941180-xss 1 Node-Validator Blacklist Keywords
owasp-crs-v030001-id941190-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941200-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941210-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941220-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941230-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941240-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941250-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941260-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941270-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941280-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941290-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941300-xss 1 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941310-xss 1 US-ASCII Malformed Encoding XSS Filter - Attack Detected
owasp-crs-v030001-id941350-xss 1 UTF-7 Encoding IE XSS - Attack Detected
Not included 1 JSFuck / Hieroglyphy obfuscation detected
Not included 1 JavaScript global variable found
Not included 2 XSS Attack Detected via libinjection
owasp-crs-v030001-id941150-xss 2 XSS Filter - Category 5: Disallowed HTML Attributes
owasp-crs-v030001-id941320-xss 2 Possible XSS Attack Detected - HTML Tag Handler
owasp-crs-v030001-id941330-xss 2 IE XSS Filters - Attack Detected
owasp-crs-v030001-id941340-xss 2 IE XSS Filters - Attack Detected
Not included 2 AngularJS client side template injection detected

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity levels.

XSS sensitivity level 1

evaluatePreconfiguredExpr('xss-v33-stable',
['owasp-crs-v030301-id941101-xss',
  'owasp-crs-v030301-id941150-xss',
  'owasp-crs-v030301-id941320-xss',
  'owasp-crs-v030301-id941330-xss',
  'owasp-crs-v030301-id941340-xss',
  'owasp-crs-v030301-id941380-xss'
])
          


All signatures for XSS are below sensitivity level 2. The following configuration works for other sensitivity levels:

XSS sensitivity level 2

evaluatePreconfiguredExpr('xss-v33-stable')

Alternatively, you can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Google Cloud Armor evaluates all signatures.

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 2})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('xss-stable', {'sensitivity': 1})

Local file inclusion (LFI)

The following table provides the signature ID, sensitivity level, and description of each supported signature in the LFI preconfigured WAF rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id930100-lfi 1 Path Traversal Attack (/../)
owasp-crs-v030301-id930110-lfi 1 Path Traversal Attack (/../)
owasp-crs-v030301-id930120-lfi 1 OS File Access Attempt
owasp-crs-v030301-id930130-lfi 1 Restricted File Access Attempt

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id930100-lfi 1 Path Traversal Attack (/../)
owasp-crs-v030001-id930110-lfi 1 Path Traversal Attack (/../)
owasp-crs-v030001-id930120-lfi 1 OS File Access Attempt
owasp-crs-v030001-id930130-lfi 1 Restricted File Access Attempt

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity levels. All signatures for LFI are at sensitivity level 1. The following configuration works for all sensitivity levels:

LFI sensitivity level 1

evaluatePreconfiguredExpr('lfi-v33-stable')

Alternatively, you can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All signatures for LFI are at sensitivity level 1. The following configuration works for all sensitivity levels:

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('lfi-v33-stable', {'sensitivity': 1})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('lfi-stable', {'sensitivity': 1})

Remote code execution (RCE)

The following table provides the signature ID, sensitivity level, and description of each supported signature in the RCE preconfigured WAF rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id932100-rce 1 UNIX Command Injection
owasp-crs-v030301-id932105-rce 1 UNIX Command Injection
owasp-crs-v030301-id932110-rce 1 Windows Command Injection
owasp-crs-v030301-id932115-rce 1 Windows Command Injection
owasp-crs-v030301-id932120-rce 1 Windows PowerShell Command Found
owasp-crs-v030301-id932130-rce 1 Unix Shell Expression Found
owasp-crs-v030301-id932140-rce 1 Windows FOR/IF Command Found
owasp-crs-v030301-id932150-rce 1 Direct UNIX Command Execution
owasp-crs-v030301-id932160-rce 1 UNIX Shell Code Found
owasp-crs-v030301-id932170-rce 1 Shellshock (CVE-2014-6271)
owasp-crs-v030301-id932171-rce 1 Shellshock (CVE-2014-6271)
owasp-crs-v030301-id932180-rce 1 Restricted File Upload Attempt
owasp-crs-v030301-id932200-rce 2 RCE Bypass Technique
owasp-crs-v030301-id932106-rce 3 Remote Command Execution: Unix Command Injection
owasp-crs-v030301-id932190-rce 3 Remote Command Execution: Wildcard bypass technique attempt

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id932100-rce 1 UNIX Command Injection
owasp-crs-v030001-id932105-rce 1 UNIX Command Injection
owasp-crs-v030001-id932110-rce 1 Windows Command Injection
owasp-crs-v030001-id932115-rce 1 Windows Command Injection
owasp-crs-v030001-id932120-rce 1 Windows PowerShell Command Found
owasp-crs-v030001-id932130-rce 1 Unix Shell Expression Found
owasp-crs-v030001-id932140-rce 1 Windows FOR/IF Command Found
owasp-crs-v030001-id932150-rce 1 Direct UNIX Command Execution
owasp-crs-v030001-id932160-rce 1 UNIX Shell Code Found
owasp-crs-v030001-id932170-rce 1 Shellshock (CVE-2014-6271)
owasp-crs-v030001-id932171-rce 1 Shellshock (CVE-2014-6271)
Not included 1 Restricted File Upload Attempt
Not included 2 RCE Bypass Technique
Not included 3 Remote Command Execution: Unix Command Injection
Not included 3 Remote Command Execution: Wildcard bypass technique attempt

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity levels. The following configuration works for all sensitivity levels:

RCE sensitivity level 1

evaluatePreconfiguredExpr('rce-v33-stable',
          ['owasp-crs-v030301-id932200-rce',
           'owasp-crs-v030301-id932106-rce',
           'owasp-crs-v030301-id932190-rce'])
          
RCE sensitivity level 2

evaluatePreconfiguredExpr('rce-v33-stable',
           [ 'owasp-crs-v030301-id932106-rce',
           'owasp-crs-v030301-id932190-rce'])
          
RCE sensitivity level 3

evaluatePreconfiguredExpr('rce-v33-stable')

Alternatively, you can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All signatures for RCE are at sensitivity level 1. The following configuration works for all sensitivity levels:

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('rce-v33-stable', {'sensitivity': 3})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('rce-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('rce-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('rce-stable', {'sensitivity': 3})

Remote file inclusion (RFI)

The following table provides the signature ID, sensitivity level, and description of each supported signature in the RFI preconfigured WAF rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id931100-rfi 1 URL Parameter using IP Address
owasp-crs-v030301-id931110-rfi 1 Common RFI Vulnerable Parameter Name used w/URL Payload
owasp-crs-v030301-id931120-rfi 1 URL Payload Used w/Trailing Question Mark Character (?)
owasp-crs-v030301-id931130-rfi 2 Off-Domain Reference/Link

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id931100-rfi 1 URL Parameter using IP Address
owasp-crs-v030001-id931110-rfi 1 Common RFI Vulnerable Parameter Name used w/URL Payload
owasp-crs-v030001-id931120-rfi 1 URL Payload Used w/Trailing Question Mark Character (?)
owasp-crs-v030001-id931130-rfi 2 Off-Domain Reference/Link

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity levels.

RFI sensitivity level 1

evaluatePreconfiguredExpr('rfi-v33-stable', ['owasp-crs-v030301-id931130-rfi'])

All signatures for RFI are below sensitivity level 2. The following configuration works for other sensitivity levels:

RFI sensitivity level 2

evaluatePreconfiguredExpr('rfi-v33-stable')

Alternatively, you can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Google Cloud Armor evaluates all signatures.

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('rfi-v33-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('rfi-v33-stable', {'sensitivity': 2})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('rfi-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('rfi-stable', {'sensitivity': 2})

Method enforcement

The following table provides the signature ID, sensitivity level, and description of each supported signature in the method enforcement preconfigured rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id911100-methodenforcement 1 Method is not allowed by policy

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id911100-methodenforcement 1 Method is not allowed by policy

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity levels. All signatures for Method Enforcement are at sensitivity level 1. The following configuration works for other sensitivity levels:

Method Enforcement sensitivity level 1

evaluatePreconfiguredExpr('methodenforcement-v33-stable')

Alternatively, you can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Google Cloud Armor evaluates all signatures.

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('methodenforcement-v33-stable', {'sensitivity': 1})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('methodenforcement-stable', {'sensitivity': 1})

Scanner detection

The following table provides the signature ID, sensitivity level, and description of each supported signature in the scanner detection preconfigured rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id913100-scannerdetection 1 Found User-Agent associated with security scanner
owasp-crs-v030301-id913110-scannerdetection 1 Found request header associated with security scanner
owasp-crs-v030301-id913120-scannerdetection 1 Found request filename/argument associated with security scanner
owasp-crs-v030301-id913101-scannerdetection 2 Found User-Agent associated with scripting/generic HTTP client
owasp-crs-v030301-id913102-scannerdetection 2 Found User-Agent associated with web crawler/bot

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id913100-scannerdetection 1 Found User-Agent associated with security scanner
owasp-crs-v030001-id913110-scannerdetection 1 Found request header associated with security scanner
owasp-crs-v030001-id913120-scannerdetection 1 Found request filename/argument associated with security scanner
owasp-crs-v030001-id913101-scannerdetection 2 Found User-Agent associated with scripting/generic HTTP client
owasp-crs-v030001-id913102-scannerdetection 2 Found User-Agent associated with web crawler/bot

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity levels.

Scanner Detection sensitivity level 1

evaluatePreconfiguredExpr('scannerdetection-v33-stable',
  ['owasp-crs-v030301-id913101-scannerdetection',
  'owasp-crs-v030301-id913102-scannerdetection']
)
          
Scanner Detection sensitivity level 2

evaluatePreconfiguredExpr('scannerdetection-v33-stable')
          

Alternatively, you can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Google Cloud Armor evaluates all signatures.

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('scannerdetection-v33-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('scannerdetection-v33-stable', {'sensitivity': 2})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('scannerdetection-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('scannerdetection-stable', {'sensitivity': 2})

Protocol attack

The following table provides the signature ID, sensitivity level, and description of each supported signature in the protocol attack preconfigured rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
Not included 1 HTTP Request Smuggling Attack
owasp-crs-v030301-id921110-protocolattack 1 HTTP Request Smuggling Attack
owasp-crs-v030301-id921120-protocolattack 1 HTTP Response Splitting Attack
owasp-crs-v030301-id921130-protocolattack 1 HTTP Response Splitting Attack
owasp-crs-v030301-id921140-protocolattack 1 HTTP Header Injection Attack via headers
owasp-crs-v030301-id921150-protocolattack 1 HTTP Header Injection Attack via payload (CR/LF detected)
owasp-crs-v030301-id921160-protocolattack 1 HTTP Header Injection Attack via payload (CR/LF and header-name detected)
owasp-crs-v030301-id921190-protocolattack 1 HTTP Splitting (CR/LF in request filename detected)
owasp-crs-v030301-id921200-protocolattack 1 LDAP Injection Attack
owasp-crs-v030301-id921151-protocolattack 2 HTTP Header Injection Attack via payload (CR/LF detected)
owasp-crs-v030301-id921170-protocolattack 3 HTTP Parameter Pollution

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id921100-protocolattack 1 HTTP Request Smuggling Attack
owasp-crs-v030001-id921110-protocolattack 1 HTTP Request Smuggling Attack
owasp-crs-v030001-id921120-protocolattack 1 HTTP Response Splitting Attack
owasp-crs-v030001-id921130-protocolattack 1 HTTP Response Splitting Attack
owasp-crs-v030001-id921140-protocolattack 1 HTTP Header Injection Attack via headers
owasp-crs-v030001-id921150-protocolattack 1 HTTP Header Injection Attack via payload (CR/LF detected)
owasp-crs-v030001-id921160-protocolattack 1 HTTP Header Injection Attack via payload (CR/LF and header-name detected)
Not included 1 HTTP Splitting (CR/LF in request filename detected)
Not included 1 LDAP Injection Attack
owasp-crs-v030001-id921151-protocolattack 2 HTTP Header Injection Attack via payload (CR/LF detected)
owasp-crs-v030001-id921170-protocolattack 3 HTTP Parameter Pollution

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity levels.

Protocol Attack sensitivity level 1

evaluatePreconfiguredExpr('protocolattack-v33-stable',
  ['owasp-crs-v030301-id921151-protocolattack',
  'owasp-crs-v030301-id921170-protocolattack']
)
          
Protocol Attack sensitivity level 2

evaluatePreconfiguredExpr('protocolattack-v33-stable',
  ['owasp-crs-v030301-id921170-protocolattack']
)
          
Protocol Attack sensitivity level 3

evaluatePreconfiguredExpr('protocolattack-v33-stable')
          

Alternatively, you can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Google Cloud Armor evaluates all signatures.

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('protocolattack-v33-stable', {'sensitivity': 3})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('protocolattack-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('protocolattack-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('protocolattack-stable', {'sensitivity': 3})

PHP

The following table provides the signature ID, sensitivity level, and description of each supported signature in the PHP preconfigured WAF rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id933100-php 1 PHP Injection Attack: PHP Open Tag Found
owasp-crs-v030301-id933110-php 1 PHP Injection Attack: PHP Script File Upload Found
owasp-crs-v030301-id933120-php 1 PHP Injection Attack: Configuration Directive Found
owasp-crs-v030301-id933130-php 1 PHP Injection Attack: Variables Found
owasp-crs-v030301-id933140-php 1 PHP Injection Attack: I/O Stream Found
owasp-crs-v030301-id933200-php 1 PHP Injection Attack: Wrapper scheme detected
owasp-crs-v030301-id933150-php 1 PHP Injection Attack: High-Risk PHP Function Name Found
owasp-crs-v030301-id933160-php 1 PHP Injection Attack: High-Risk PHP Function Call Found
owasp-crs-v030301-id933170-php 1 PHP Injection Attack: Serialized Object Injection
owasp-crs-v030301-id933180-php 1 PHP Injection Attack: Variable Function Call Found
owasp-crs-v030301-id933210-php 1 PHP Injection Attack: Variable Function Call Found
owasp-crs-v030301-id933151-php 2 PHP Injection Attack: Medium-Risk PHP Function Name Found
owasp-crs-v030301-id933131-php 3 PHP Injection Attack: Variables Found
owasp-crs-v030301-id933161-php 3 PHP Injection Attack: Low-Value PHP Function Call Found
owasp-crs-v030301-id933111-php 3 PHP Injection Attack: PHP Script File Upload Found
owasp-crs-v030301-id933190-php 3 PHP Injection Attack: PHP Closing Tag Found

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id933100-php 1 PHP Injection Attack: PHP Open Tag Found
owasp-crs-v030001-id933110-php 1 PHP Injection Attack: PHP Script File Upload Found
owasp-crs-v030001-id933120-php 1 PHP Injection Attack: Configuration Directive Found
owasp-crs-v030001-id933130-php 1 PHP Injection Attack: Variables Found
owasp-crs-v030001-id933140-php 1 PHP Injection Attack: I/O Stream Found
Not included 1 PHP Injection Attack: Wrapper scheme detected
owasp-crs-v030001-id933150-php 1 PHP Injection Attack: High-Risk PHP Function Name Found
owasp-crs-v030001-id933160-php 1 PHP Injection Attack: High-Risk PHP Function Call Found
owasp-crs-v030001-id933170-php 1 PHP Injection Attack: Serialized Object Injection
owasp-crs-v030001-id933180-php 1 PHP Injection Attack: Variable Function Call Found
Not included 1 PHP Injection Attack: Variable Function Call Found
owasp-crs-v030001-id933151-php 2 PHP Injection Attack: Medium-Risk PHP Function Name Found
owasp-crs-v030001-id933131-php 3 PHP Injection Attack: Variables Found
owasp-crs-v030001-id933161-php 3 PHP Injection Attack: Low-Value PHP Function Call Found
owasp-crs-v030001-id933111-php 3 PHP Injection Attack: PHP Script File Upload Found
Not included 3 PHP Injection Attack: PHP Closing Tag Found

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity levels.

PHP Injection Attack sensitivity level 1

evaluatePreconfiguredExpr('php-v33-stable',
['owasp-crs-v030301-id933151-php',
  'owasp-crs-v030301-id933131-php',
  'owasp-crs-v030301-id933161-php',
  'owasp-crs-v030301-id933111-php',
  'owasp-crs-v030301-id933190-php']
)
          
PHP Injection Attack sensitivity level 2

evaluatePreconfiguredExpr('php-v33-stable',
  ['owasp-crs-v0303001-id933131-php',
  'owasp-crs-v0303001-id933161-php',
  'owasp-crs-v0303001-id933111-php',
  'owasp-crs-v030301-id933190-php'])
          
PHP Injection Attack sensitivity level 3

evaluatePreconfiguredExpr('php-v33-stable')
          

Alternatively, you can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Google Cloud Armor evaluates all signatures.

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('php-v33-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('php-v33-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('php-v33-stable', {'sensitivity': 3})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('php-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('php-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('php-stable', {'sensitivity': 3})

Session fixation

The following table provides the signature ID, sensitivity level, and description of each supported signature in the session fixation preconfigured rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id943100-sessionfixation 1 Possible Session Fixation Attack: Setting Cookie Values in HTML
owasp-crs-v030301-id943110-sessionfixation 1 Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
owasp-crs-v030301-id943120-sessionfixation 1 Possible Session Fixation Attack: SessionID Parameter Name with No Referer

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id943100-sessionfixation 1 Possible Session Fixation Attack: Setting Cookie Values in HTML
owasp-crs-v030001-id943110-sessionfixation 1 Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
owasp-crs-v030001-id943120-sessionfixation 1 Possible Session Fixation Attack: SessionID Parameter Name with No Referer

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity levels. All signatures for session fixation are at sensitivity level 1. The following configuration works for all sensitivity levels:

Session Fixation sensitivity level 1

evaluatePreconfiguredExpr('sessionfixation-v33-stable')

Alternatively, you can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All signatures for session fixation are at sensitivity level 1. The following configuration works for all sensitivity levels:

CRS 3.3

Sensitivity level Expression
1 evaluatePreconfiguredWaf('sessionfixation-v33-stable', {'sensitivity': 1})

CRS 3.0

Sensitivity level Expression
1 evaluatePreconfiguredWaf('sessionfixation-stable', {'sensitivity': 1})

Java attack

The following table provides the signature ID, sensitivity level, and description of each supported signature in the Java attack preconfigured rule.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id944100-java 1 Remote Command Execution: Suspicious Java class detected
owasp-crs-v030301-id944110-java 1 Remote Command Execution: Java process spawn (CVE-2017-9805)
owasp-crs-v030301-id944120-java 1 Remote Command Execution: Java serialization (CVE-2015-4852)
owasp-crs-v030301-id944130-java 1 Suspicious Java class detected
owasp-crs-v030301-id944200-java 2 Magic bytes detected, probable Java serialization in use
owasp-crs-v030301-id944210-java 2 Magic bytes detected Base64 encoded, probable Java serialization in use
owasp-crs-v030301-id944240-java 2 Remote Command Execution: Java serialization (CVE-2015-4852)
owasp-crs-v030301-id944250-java 2 Remote Command Execution: Suspicious Java method detected
owasp-crs-v030301-id944300-java 3 Base64 encoded string matched suspicious keyword

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
Not included 1 Remote Command Execution: Suspicious Java class detected
Not included 1 Remote Command Execution: Java process spawn (CVE-2017-9805)
Not included 1 Remote Command Execution: Java serialization (CVE-2015-4852)
Not included 1 Suspicious Java class detected
Not included 2 Magic bytes detected, probable Java serialization in use
Not included 2 Magic bytes detected Base64 encoded, probable Java serialization in use
Not included 2 Remote Command Execution: Java serialization (CVE-2015-4852)
Not included 2 Remote Command Execution: Suspicious Java method detected
Not included 3 Base64 encoded string matched suspicious keyword

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity levels.

Java attack sensitivity level 1

evaluatePreconfiguredExpr('java-v33-stable',
['owasp-crs-v030301-id944200-java',
 'owasp-crs-v030301-id944210-java',
 'owasp-crs-v030301-id944240-java',
 'owasp-crs-v030301-id944250-java',
 'owasp-crs-v030301-id944300-java'])
          
Java attack sensitivity level 2

evaluatePreconfiguredExpr('java-v33-stable',
['owasp-crs-v030301-id944300-java'])
          
Java attack sensitivity level 3

evaluatePreconfiguredExpr('java-v33-stable')
          

Alternatively, you can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Google Cloud Armor evaluates all signatures.

Sensitivity level Expression
1 evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('java-v33-stable', {'sensitivity': 3})

NodeJS attack

The following table provides the signature ID, sensitivity level, and description of each supported signature in the NodeJS attack preconfigured rule.

The following preconfigured WAF rule signatures are only included in CRS 3.3.

CRS 3.3

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030301-id934100-nodejs 1 Node.js Injection Attack

CRS 3.0

Signature ID (Rule ID) Sensitivity level Description
Not included 1 Node.js Injection Attack

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity levels. All signatures for NodeJS attack are at sensitivity level 1. The following configuration works for other sensitivity levels:

NodeJS sensitivity level 1

evaluatePreconfiguredExpr('nodejs-v33-stable')

Alternatively, you can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. All signatures for NodeJS attack are at sensitivity level 1. The following configuration works for other sensitivity levels:

Sensitivity level Expression
1 evaluatePreconfiguredWaf('nodejs-v33-stable', {'sensitivity': 1})

CVEs and other vulnerabilities

The following table provides the signature ID, sensitivity level, and description of each supported signature in the CVE Log4j RCE vulnerability preconfigured rule.

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-v030001-id044228-cve 1 Base rule to help detect exploit attempts of CVE-2021-44228 & CVE-2021-45046
owasp-crs-v030001-id144228-cve 1 Google-provided enhancements to cover more bypass and obfuscation attempts
owasp-crs-v030001-id244228-cve 3 Increased sensitivity of detection to target even more bypass and obfuscation attempts, with nominal increase in risk of false positive detection
owasp-crs-v030001-id344228-cve 3 Increased sensitivity of detection to target even more bypass and obfuscation attempts using base64 encoding, with nominal increase in risk of false positive detection

You can configure a rule at a particular sensitivity level by using evaluatePreconfiguredExpr() to disable signatures at greater sensitivity levels.

CVE sensitivity level 1

evaluatePreconfiguredExpr('cve-canary', ['owasp-crs-v030001-id244228-cve',
  'owasp-crs-v030001-id344228-cve'])
          
CVE sensitivity level 3

evaluatePreconfiguredExpr('cve-canary')

Alternatively, you can configure a rule at a particular sensitivity level by using evaluatePreconfiguredWaf() with a preset sensitivity parameter. By default, without configuring rule set sensitivity, Google Cloud Armor evaluates all signatures.

Sensitivity level Expression
1 evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 1})
2 evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 2})
3 evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 3})

JSON-formatted content SQLi vulnerability

The following table provides the signature ID, sensitivity level, and description of the supported signature 942550-sqli, which covers the vulnerability in which malicious attackers can bypass WAF by appending JSON syntax to SQL injection payloads.

Signature ID (Rule ID) Sensitivity level Description
owasp-crs-id942550-sqli 2 Detects all JSON-based SQLi vectors, including SQLi signatures found in the URL

Use the following expression to deploy the signature:

  evaluatePreconfiguredWaf('json-sqli-canary', {'sensitivity':0, 'opt_in_rule_ids': ['owasp-crs-id942550-sqli']})
  

We recommend that you also enable sqli-v33-stable at sensitivity level 2 to fully address JSON-based SQL injection bypasses.

Limitations

Google Cloud Armor preconfigured WAF rules have the following limitations:

  • WAF rule changes typically take several minutes to propagate.
  • Among the HTTP request types with a request body, Google Cloud Armor processes only POST requests. Google Cloud Armor evaluates preconfigured rules against the first 8 KB of POST body content. For more information, see POST body inspection limitation.
  • Google Cloud Armor can parse and apply preconfigured WAF rules when JSON parsing is enabled with a matching Content-Type header value. For more information, see JSON parsing.
  • When you have a request field exclusion attached to a preconfigured WAF rule, you can't use the allow action. Requests matching the exception are automatically allowed.

What's next