Web Application Firewall DRS and CRS rule groups and rules
The Azure-managed Default Rule Set (DRS) in the Application Gateway web application firewall (WAF) actively protect web applications from common vulnerabilities and exploits. These rule sets, managed by Azure, receive updates as necessary to guard against new attack signatures. The default rule set also incorporates the Microsoft Threat Intelligence Collection rules. The Microsoft Intelligence team collaborates in writing these rules, ensuring enhanced coverage, specific vulnerability patches, and improved false positive reduction.
You also have the option of using rules that are defined based on the OWASP core rule set 3.2 (CRS 3.2).
You can disable rules individually, or set specific actions for each rule. This article lists the current rules and rule sets available. If a published rule set requires an update, we'll document it here.
Note
When you change a ruleset version in a WAF Policy, any existing customizations you made to your ruleset will be reset to the defaults for the new ruleset. See: Upgrading or changing ruleset version.
Default rule set 2.1
Default rule set (DRS) 2.1 is baselined off the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.2 and includes additional proprietary protections rules developed by Microsoft Threat Intelligence team and updates to signatures to reduce false positives. It also supports transformations beyond just URL decoding.
DRS 2.1 offers a new engine and new rule sets defending against Java injections, an initial set of file upload checks, and fewer false positives compared with CRS versions. You can also customize rules to suit your needs. Learn more about the new Azure WAF engine.
DRS 2.1 includes 17 rule groups, as shown in the following table. Each group contains multiple rules, and you can customize behavior for individual rules, rule groups, or entire rule set.
| Threat Type | Rule Group Name |
|---|---|
| General | General |
| Lock-down methods (PUT, PATCH) | METHOD-ENFORCEMENT |
| Protocol and encoding issues | PROTOCOL-ENFORCEMENT |
| Header injection, request smuggling, and response splitting | PROTOCOL-ATTACK |
| File and path attacks | LFI |
| Remote file inclusion (RFI) attacks | RFI |
| Remote code execution attacks | RCE |
| PHP-injection attacks | PHP |
| Node JS attacks | NodeJS |
| Cross-site scripting attacks | XSS |
| SQL-injection attacks | SQLI |
| Session-fixation attacks | SESSION-FIXATION |
| JAVA attacks | SESSION-JAVA |
| Web shell attacks (MS) | MS-ThreatIntel-WebShells |
| AppSec attacks (MS) | MS-ThreatIntel-AppSec |
| SQL-injection attacks (MS) | MS-ThreatIntel-SQLI |
| CVE attacks (MS) | MS-ThreatIntel-CVEs |
Fine-tuning guidance for DRS 2.1
Use the following guidance to tune WAF while you get started with DRS 2.1 on Application Gateway WAF:
| Rule ID | Rule Group | Description | Recommendation |
|---|---|---|---|
| 942110 | SQLI | SQL Injection Attack: Common Injection Testing Detected | Disable rule 942110, replaced by MSTIC rule 99031001 |
| 942150 | SQLI | SQL Injection Attack | Disable rule 942150, replaced by MSTIC rule 99031003 |
| 942260 | SQLI | Detects basic SQL authentication bypass attempts 2/3 | Disable rule 942260, replaced by MSTIC rule 99031004 |
| 942430 | SQLI | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) | Disable rule 942430, it triggers too many false positives |
| 942440 | SQLI | SQL Comment Sequence Detected | Disable rule 942440, replaced by MSTIC rule 99031002 |
| 99005006 | MS-ThreatIntel-WebShells | Spring4Shell Interaction Attempt | Keep the rule enabled to prevent against SpringShell vulnerability |
| 99001014 | MS-ThreatIntel-CVEs | Attempted Spring Cloud routing-expression injection CVE-2022-22963 | Keep the rule enabled to prevent against SpringShell vulnerability |
| 99001015 | MS-ThreatIntel-WebShells | Attempted Spring Framework unsafe class object exploitation CVE-2022-22965 | Keep the rule enabled to prevent against SpringShell vulnerability |
| 99001016 | MS-ThreatIntel-WebShells | Attempted Spring Cloud Gateway Actuator injection CVE-2022-22947 | Keep the rule enabled to prevent against SpringShell vulnerability |
| 99001017 | MS-ThreatIntel-CVEs | Attempted Apache Struts file upload exploitation CVE-2023-50164 | Set action to Block to prevent against Apache Struts vulnerability. Anomaly Score not supported for this rule |
Core rule set 3.2
The recommended managed rule set is the Default Rule Set 2.1, which is baselined off the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.2 and includes additional proprietary protections rules developed by Microsoft Threat Intelligence team and updates to signatures to reduce false positives. As an alternative to DRS 2.1, you can use CRS 3.2 which is based off OWASP CRS 3.2.0 version.
CRS 3.2 includes 14 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled.
Note
CRS 3.2 is only available on the WAF_v2 SKU. Because CRS 3.2 runs on the new Azure WAF engine, you can't downgrade to CRS 3.1 or earlier. If you need to downgrade, contact Azure Support.
| Rule group name | Threat Type |
|---|---|
| General | General |
| New and known CVEs | KNOWN-CVES |
| Lock-down methods (PUT, PATCH) | REQUEST-911-METHOD-ENFORCEMENT |
| Port and environment scanners | REQUEST-913-SCANNER-DETECTION |
| Protocol and encoding issues | REQUEST-920-PROTOCOL-ENFORCEMENT |
| Header injection, request smuggling, and response splitting | REQUEST-921-PROTOCOL-ATTACK |
| File and path attacks | REQUEST-930-APPLICATION-ATTACK-LFI |
| Remote file inclusion (RFI) attacks | REQUEST-931-APPLICATION-ATTACK-RFI |
| Remote code execution attacks | REQUEST-932-APPLICATION-ATTACK-RCE |
| PHP-injection attacks | REQUEST-933-APPLICATION-ATTACK-PHP |
| Cross-site scripting attacks | REQUEST-941-APPLICATION-ATTACK-XSS |
| SQL-injection attacks | REQUEST-942-APPLICATION-ATTACK-SQLI |
| Session-fixation attacks | REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION |
| JAVA attacks | REQUEST-944-APPLICATION-ATTACK-JAVA |
Tuning of Managed rule sets
Both DRS and CRS are enabled by default in Detection mode in your WAF policies. You can disable or enable individual rules within the Managed Rule Set to meet your application requirements. You can also set specific actions per rule. The DRS/CRS supports block, log and anomaly score actions. The Bot Manager ruleset supports the allow, block, and log actions.
Sometimes you might need to omit certain request attributes from a WAF evaluation. A common example is Active Directory-inserted tokens that are used for authentication. You can configure exclusions to apply when specific WAF rules are evaluated, or to apply globally to the evaluation of all WAF rules. Exclusion rules apply to your whole web application. For more information, see Web Application Firewall (WAF) with Application Gateway exclusion lists.
By default, DRS version 2.1 / CRS version 3.2 and above uses anomaly scoring when a request matches a rule. CRS 3.1 and below blocks matching requests by default. Additionally, custom rules can be configured in the same WAF policy if you want to bypass any of the preconfigured rules in the Core Rule Set.
Custom rules are always applied before rules in the Core Rule Set are evaluated. If a request matches a custom rule, the corresponding rule action is applied. The request is either blocked or passed through to the back-end. No other custom rules or the rules in the Core Rule Set are processed.
Anomaly scoring
When you use CRS or DRS 2.1 and later, your WAF is configured to use anomaly scoring by default. Traffic that matches any rule isn't immediately blocked, even when your WAF is in prevention mode. Instead, the OWASP rule sets define a severity for each rule: Critical, Error, Warning, or Notice. The severity affects a numeric value for the request, which is called the anomaly score:
| Rule severity | Value contributed to anomaly score |
|---|---|
| Critical | 5 |
| Error | 4 |
| Warning | 3 |
| Notice | 2 |
If the anomaly score is 5 or greater, and the WAF is in Prevention mode, the request is blocked. If the anomaly score is 5 or greater, and the WAF is in Detection mode, the request is logged but not blocked.
For example, a single Critical rule match is enough for the WAF to block a request when in Prevention mode, because the overall anomaly score is 5. However, one Warning rule match only increases the anomaly score by 3, which isn't enough by itself to block the traffic. When an anomaly rule is triggered, it shows a "Matched" action in the logs. If the anomaly score is 5 or greater, there's a separate rule triggered with either "Blocked" or "Detected" action depending on whether WAF policy is in Prevention or Detection mode. For more information, please see Anomaly Scoring mode.
Paranoia level
Each rule is asigned in a specific Paranoia Level (PL). Rules configured in Paranoia Level 1 (PL1) are less aggressive and hardly ever trigger a false positive. They provide baseline security with minimal need for fine tuning. Rules in PL2 detect more attacks, but they are expected to trigger false positives which should be fine-tuned.
By default, DRS 2.1 and CRS 3.2 rule versions are pre-configured in Paranoia Level 2, including rules assigned in both PL1 and in PL2. If you want to use WAF exclusively with PL1, you can disable any or all PL2 rules or change their action to 'log'. PL3 and PL4 are currently not supported in Azure WAF.
Note
CRS 3.2 ruleset includes rules in PL3 and PL4, but these rules are always inactive and can't be enabled, regardless of their configured state or action.
Upgrading or changing ruleset version
If you're upgrading, or assigning a new ruleset version, and would like to preserve existing rule overrides and exclusions, it's recommended to use PowerShell, CLI, REST API, or a template to make ruleset version changes. A new version of a ruleset can have newer rules, additional rule groups, and may have updates to existing signatures to enforce better security and reduce false positives. It's recommended to validate changes in a test environment, fine tune if necessary, and then deploy in a production environment.
Note
If you're using the Azure portal to assign a new managed ruleset to a WAF policy, all the previous customizations from the existing managed ruleset such as rule state, rule actions, and rule level exclusions will be reset to the new managed ruleset's defaults. However, any custom rules, policy settings, and global exclusions will remain unaffected during the new ruleset assignment. You'll need to redefine rule overrides and validate changes before deploying in a production environment.
OWASP CRS 3.1
CRS 3.1 includes 14 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled. The ruleset is based off OWASP CRS 3.1.1 version.
Note
CRS 3.1 is only available on the WAF_v2 SKU.
| Rule group name | Description |
|---|---|
| General | General group |
| KNOWN-CVES | Help detect new and known CVEs |
| REQUEST-911-METHOD-ENFORCEMENT | Lock-down methods (PUT, PATCH) |
| REQUEST-913-SCANNER-DETECTION | Protect against port and environment scanners |
| REQUEST-920-PROTOCOL-ENFORCEMENT | Protect against protocol and encoding issues |
| REQUEST-921-PROTOCOL-ATTACK | Protect against header injection, request smuggling, and response splitting |
| REQUEST-930-APPLICATION-ATTACK-LFI | Protect against file and path attacks |
| REQUEST-931-APPLICATION-ATTACK-RFI | Protect against remote file inclusion (RFI) attacks |
| REQUEST-932-APPLICATION-ATTACK-RCE | Protect again remote code execution attacks |
| REQUEST-933-APPLICATION-ATTACK-PHP | Protect against PHP-injection attacks |
| REQUEST-941-APPLICATION-ATTACK-XSS | Protect against cross-site scripting attacks |
| REQUEST-942-APPLICATION-ATTACK-SQLI | Protect against SQL-injection attacks |
| REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION | Protect against session-fixation attacks |
| REQUEST-944-APPLICATION-ATTACK-SESSION-JAVA | Protect against JAVA attacks |
Bot Manager 1.0
The Bot Manager 1.0 rule set provides protection against malicious bots and detection of good bots. The rules provide granular control over bots detected by WAF by categorizing bot traffic as Good, Bad, or Unknown bots.
| Rule group | Description |
|---|---|
| BadBots | Protect against bad bots |
| GoodBots | Identify good bots |
| UnknownBots | Identify unknown bots |
Bot Manager 1.1
The Bot Manager 1.1 rule set is an enhancement to Bot Manager 1.0 rule set. It provides enhanced protection against malicious bots, and increases good bot detection.
| Rule group | Description |
|---|---|
| BadBots | Protect against bad bots |
| GoodBots | Identify good bots |
| UnknownBots | Identify unknown bots |
The following rule groups and rules are available when using Web Application Firewall on Application Gateway.
2.1 rule sets
General
| Rule ID | Anomaly score severity | Paranoia Level | Description |
|---|---|---|---|
| 200002 | Critical - 5 | PL1 | Failed to parse request body |
| 200003 | Critical - 5 | PL1 | Multipart request body failed strict validation |
METHOD ENFORCEMENT
| Rule ID | Anomaly score severity | Paranoia Level | Description |
|---|---|---|---|
| 911100 | Critical - 5 | PL1 | Method isn't allowed by policy |
PROTOCOL-ENFORCEMENT
| Rule ID | Anomaly score severity | Paranoia Level | Description |
|---|---|---|---|
| 920100 | Notice - 2 | PL1 | Invalid HTTP Request Line |
| 920120 | Critical - 5 | PL1 | Attempted multipart/form-data bypass |
| 920121 | Critical - 5 | PL2 | Attempted multipart/form-data bypass |
| 920160 | Critical - 5 | PL1 | Content-Length HTTP header isn't numeric |
| 920170 | Critical - 5 | PL1 | GET or HEAD Request with Body Content |
| 920171 | Critical - 5 | PL1 | GET or HEAD Request with Transfer-Encoding |
| 920180 | Notice - 2 | PL1 | POST request missing Content-Length Header |
| 920181 | Warning - 3 | PL1 | Content-Length and Transfer-Encoding headers present 99001003 |
| 920190 | Warning - 3 | PL1 | Range: Invalid Last Byte Value |
| 920200 | Warning - 3 | PL2 | Range: Too many fields (6 or more) |
| 920201 | Warning - 3 | PL2 | Range: Too many fields for pdf request (35 or more) |
| 920210 | Critical - 5 | PL1 | Multiple/Conflicting Connection Header Data Found |
| 920220 | Warning - 3 | PL1 | URL Encoding Abuse Attack Attempt |
| 920230 | Warning - 3 | PL2 | Multiple URL Encoding Detected |
| 920240 | Warning - 3 | PL1 | URL Encoding Abuse Attack Attempt |
| 920260 | Warning - 3 | PL1 | Unicode Full/Half Width Abuse Attack Attempt |
| 920270 | Error - 4 | PL1 | Invalid character in request (null character) |
| 920271 | Critical - 5 | PL2 | Invalid character in request (non printable characters) |
| 920280 | Warning - 3 | PL1 | Request Missing a Host Header |
| 920290 | Warning - 3 | PL1 | Empty Host Header |
| 920300 | Notice - 2 | PL2 | Request Missing an Accept Header |
| 920310 | Notice - 2 | PL1 | Request Has an Empty Accept Header |
| 920311 | Notice - 2 | PL1 | Request Has an Empty Accept Header |
| 920320 | Notice - 2 | PL2 | Missing User Agent Header |
| 920330 | Notice - 2 | PL1 | Empty User Agent Header |
| 920340 | Notice - 2 | PL1 | Request Containing Content, but Missing Content-Type header |
| 920341 | Critical - 5 | PL1 | Request containing content requires Content-Type header |
| 920350 | Warning - 3 | PL1 | Host header is a numeric IP address |
| 920420 | Critical - 5 | PL1 | Request content type isn't allowed by policy |
| 920430 | Critical - 5 | PL1 | HTTP protocol version isn't allowed by policy |
| 920440 | Critical - 5 | PL1 | URL file extension is restricted by policy |
| 920450 | Critical - 5 | PL1 | HTTP header is restricted by policy |
| 920470 | Critical - 5 | PL1 | Illegal Content-Type header |
| 920480 | Critical - 5 | PL1 | Request content type charset isn't allowed by policy |
| 920500 | Critical - 5 | PL1 | Attempt to access a backup or working file |
PROTOCOL-ATTACK
| Rule ID | Anomaly score severity | Paranoia Level | Description |
|---|---|---|---|
| 921110 | Critical - 5 | PL1 | HTTP Request Smuggling Attack |
| 921120 | Critical - 5 | PL1 | HTTP Response Splitting Attack |
| 921130 | Critical - 5 | PL1 | HTTP Response Splitting Attack |
| 921140 | Critical - 5 | PL1 | HTTP Header Injection Attack via headers |
| 921150 | Critical - 5 | PL1 | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921151 | Critical - 5 | PL2 | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921160 | Critical - 5 | PL1 | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
| 921190 | Critical - 5 | PL1 | HTTP Splitting (CR/LF in request filename detected) |
| 921200 | Critical - 5 | PL1 | LDAP Injection Attack |
LFI - Local File Inclusion
| Rule ID | Anomaly score severity | Paranoia Level | Description |
|---|---|---|---|
| 930100 | Critical - 5 | PL1 | Path Traversal Attack (/../) |
| 930110 | Critical - 5 | PL1 | Path Traversal Attack (/../) |
| 930120 | Critical - 5 | PL1 | OS File Access Attempt |
| 930130 | Critical - 5 | PL1 | Restricted File Access Attempt |
RFI - Remote File Inclusion
| Rule ID | Anomaly score severity | Paranoia Level | Description |
|---|---|---|---|
| 931100 | Critical - 5 | PL1 | Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address |
| 931110 | Critical - 5 | PL1 | Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload |
| 931120 | Critical - 5 | PL1 | Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?) |
| 931130 | Critical - 5 | PL1 | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link |
RCE - Remote Command Execution
| Rule ID | Anomaly score severity | Paranoia Level | Description |
|---|---|---|---|
| 932100 | Critical - 5 | PL1 | Remote Command Execution: Unix Command Injection |
| 932105 | Critical - 5 | PL1 | Remote Command Execution: Unix Command Injection |
| 932110 | Critical - 5 | PL1 | Remote Command Execution: Windows Command Injection |
| 932115 | Critical - 5 | PL1 | Remote Command Execution: Windows Command Injection |
| 932120 | Critical - 5 | PL1 | Remote Command Execution: Windows PowerShell Command Found |
| 932130 | Critical - 5 | PL1 | Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) Found |
| 932140 | Critical - 5 | PL1 | Remote Command Execution: Windows FOR/IF Command Found |
| 932150 | Critical - 5 | PL1 | Remote Command Execution: Direct Unix Command Execution |
| 932160 | Critical - 5 | PL1 | Remote Command Execution: Unix Shell Code Found |
| 932170 | Critical - 5 | PL1 | Remote Command Execution: Shellshock (CVE-2014-6271) |
| 932171 | Critical - 5 | PL1 | Remote Command Execution: Shellshock (CVE-2014-6271) |
| 932180 | Critical - 5 | PL1 | Restricted File Upload Attempt |
PHP Attacks
| Rule ID | Anomaly score severity | Paranoia Level | Description |
|---|---|---|---|
| 933100 | Critical - 5 | PL1 | PHP Injection Attack: Opening/Closing Tag Found |
| 933110 | Critical - 5 | PL1 | PHP Injection Attack: PHP Script File Upload Found |
| 933120 | Critical - 5 | PL1 | PHP Injection Attack: Configuration Directive Found |
| 933130 | Critical - 5 | PL1 | PHP Injection Attack: Variables Found |
| 933140 | Critical - 5 | PL1 | PHP Injection Attack: I/O Stream Found |
| 933150 | Critical - 5 | PL1 | PHP Injection Attack: High-Risk PHP Function Name Found |
| 933151 | Critical - 5 | PL2 | PHP Injection Attack: Medium-Risk PHP Function Name Found |
| 933160 | Critical - 5 | PL1 | PHP Injection Attack: High-Risk PHP Function Call Found |
| 933170 | Critical - 5 | PL1 | PHP Injection Attack: Serialized Object Injection |
| 933180 | Critical - 5 | PL1 | PHP Injection Attack: Variable Function Call Found |
| 933200 | Critical - 5 | PL1 | PHP Injection Attack: Wrapper scheme detected |
| 933210 | Critical - 5 | PL1 | PHP Injection Attack: Variable Function Call Found |
Node JS Attacks
| Rule ID | Anomaly score severity | Paranoia Level | Description |
|---|---|---|---|
| 934100 | Critical - 5 | PL1 | Node.js Injection Attack |
XSS - Cross-site Scripting
| Rule ID | Anomaly score severity | Paranoia Level | Description |
|---|---|---|---|
| 941100 | Critical - 5 | PL1 | XSS Attack Detected via libinjection |
| 941101 | Critical - 5 | PL2 | XSS Attack Detected via libinjection. This rule detects requests with a Referer header |
| 941110 | Critical - 5 | PL1 | XSS Filter - Category 1: Script Tag Vector |
| 941120 | Critical - 5 | PL1 | XSS Filter - Category 2: Event Handler Vector |
| 941130 | Critical - 5 | PL1 | XSS Filter - Category 3: Attribute Vector |
| 941140 | Critical - 5 | PL1 | XSS Filter - Category 4: JavaScript URI Vector |
| 941150 | Critical - 5 | PL2 | XSS Filter - Category 5: Disallowed HTML Attributes |
| 941160 | Critical - 5 | PL1 | NoScript XSS InjectionChecker: HTML Injection |
| 941170 | Critical - 5 | PL1 | NoScript XSS InjectionChecker: Attribute Injection |
| 941180 | Critical - 5 | PL1 | Node-Validator Blocklist Keywords |
| 941190 | Critical - 5 | PL1 | XSS Using style sheets |
| 941200 | Critical - 5 | PL1 | XSS using VML frames |
| 941210 | Critical - 5 | PL1 | XSS using obfuscated JavaScript |
| 941220 | Critical - 5 | PL1 | XSS using obfuscated VB Script |
| 941230 | Critical - 5 | PL1 | XSS using 'embed' tag |
| 941240 | Critical - 5 | PL1 | XSS using 'import' or 'implementation' attribute |
| 941250 | Critical - 5 | PL1 | IE XSS Filters - Attack Detected |
| 941260 | Critical - 5 | PL1 | XSS using 'meta' tag |
| 941270 | Critical - 5 | PL1 | XSS using 'link' href |
| 941280 | Critical - 5 | PL1 | XSS using 'base' tag |
| 941290 | Critical - 5 | PL1 | XSS using 'applet' tag |
| 941300 | Critical - 5 | PL1 | XSS using 'object' tag |
| 941310 | Critical - 5 | PL1 | US-ASCII Malformed Encoding XSS Filter - Attack Detected |
| 941320 | Critical - 5 | PL2 | Possible XSS Attack Detected - HTML Tag Handler |
| 941330 | Critical - 5 | PL2 | IE XSS Filters - Attack Detected |
| 941340 | Critical - 5 | PL2 | IE XSS Filters - Attack Detected |
| 941350 | Critical - 5 | PL1 | UTF-7 Encoding IE XSS - Attack Detected |
| 941360 | Critical - 5 | PL1 | JavaScript obfuscation detected |
| 941370 | Critical - 5 | PL1 | JavaScript global variable found |
| 941380 | Critical - 5 | PL2 | AngularJS client side template injection detected |
SQLI - SQL Injection
| Rule ID | Anomaly score severity | Paranoia Level | Description |
|---|---|---|---|
| 942100 | Critical - 5 | PL1 | SQL Injection Attack Detected via libinjection |
| 942110 | Warning - 3 | PL2 | SQL Injection Attack: Common Injection Testing Detected |
| 942120 | Critical - 5 | PL2 | SQL Injection Attack: SQL Operator Detected |
| 942130 | Critical - 5 | PL2 | SQL Injection Attack: SQL Tautology Detected |
| 942140 | Critical - 5 | PL1 | SQL Injection Attack: Common DB Names Detected |
| 942150 | Critical - 5 | PL2 | SQL Injection Attack |
| 942160 | Critical - 5 | PL1 | Detects blind sqli tests using sleep() or benchmark() |
| 942170 | Critical - 5 | PL1 | Detects SQL benchmark and sleep injection attempts including conditional queries |
| 942180 | Critical - 5 | PL2 | Detects basic SQL authentication bypass attempts 1/3 |
| 942190 | Critical - 5 | PL1 | Detects MSSQL code execution and information gathering attempts |
| 942200 | Critical - 5 | PL2 | Detects MySQL comment-/space-obfuscated injections and backtick termination |
| 942210 | Critical - 5 | PL2 | Detects chained SQL injection attempts 1/2 |
| 942220 | Critical - 5 | PL1 | Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the "magic number" crash |
| 942230 | Critical - 5 | PL1 | Detects conditional SQL injection attempts |
| 942240 | Critical - 5 | PL1 | Detects MySQL charset switch and MSSQL DoS attempts |
| 942250 | Critical - 5 | PL1 | Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections |
| 942260 | Critical - 5 | PL2 | Detects basic SQL authentication bypass attempts 2/3 |
| 942270 | Critical - 5 | PL1 | Looking for basic sql injection. Common attack string for mysql, oracle, and others |
| 942280 | Critical - 5 | PL1 | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts |
| 942290 | Critical - 5 | PL1 | Finds basic MongoDB SQL injection attempts |
| 942300 | Critical - 5 | PL2 | Detects MySQL comments, conditions, and ch(a)r injections |
| 942310 | Critical - 5 | PL2 | Detects chained SQL injection attempts 2/2 |
| 942320 | Critical - 5 | PL1 | Detects MySQL and PostgreSQL stored procedure/function injections |
| 942330 | Critical - 5 | PL2 | Detects classic SQL injection probings 1/2 |
| 942340 | Critical - 5 | PL2 | Detects basic SQL authentication bypass attempts 3/3 |
| 942350 | Critical - 5 | PL1 | Detects MySQL UDF injection and other data/structure manipulation attempts |
| 942360 | Critical - 5 | PL1 | Detects concatenated basic SQL injection and SQLLFI attempts |
| 942361 | Critical - 5 | PL2 | Detects basic SQL injection based on keyword alter or union |
| 942370 | Critical - 5 | PL2 | Detects classic SQL injection probings 2/2 |
| 942380 | Critical - 5 | PL2 | SQL Injection Attack |
| 942390 | Critical - 5 | PL2 | SQL Injection Attack |
| 942400 | Critical - 5 | PL2 | SQL Injection Attack |
| 942410 | Critical - 5 | PL2 | SQL Injection Attack |
| 942430 | Warning - 3 | PL2 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
| 942440 | Critical - 5 | PL2 | SQL Comment Sequence Detected |
| 942450 | Critical - 5 | PL2 | SQL Hex Encoding Identified |
| 942470 | Critical - 5 | PL2 | SQL Injection Attack |
| 942480 | Critical - 5 | PL2 | SQL Injection Attack |
| 942500 | Critical - 5 | PL1 | MySQL in-line comment detected |
| 942510 | Critical - 5 | PL2 | SQLi bypass attempt by ticks or backticks detected |
SESSION-FIXATION
| Rule ID | Anomaly score severity | Paranoia Level | Description |
|---|---|---|---|
| 943100 | Critical - 5 | PL1 | Possible Session Fixation Attack: Setting Cookie Values in HTML |
| 943110 | Critical - 5 | PL1 | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referrer |
| 943120 | Critical - 5 | PL1 | Possible Session Fixation Attack: SessionID Parameter Name with No Referrer |
JAVA Attacks
| Rule ID | Anomaly score severity | Paranoia Level | Description |
|---|---|---|---|
| 944100 | Critical - 5 | PL1 | Remote Command Execution: Apache Struts, Oracle WebLogic |
| 944110 | Critical - 5 | PL1 | Detects potential payload execution |
| 944120 | Critical - 5 | PL1 | Possible payload execution and remote command execution |
| 944130 | Critical - 5 | PL1 | Suspicious Java classes |
| 944200 | Critical - 5 | PL2 | Exploitation of Java deserialization Apache Commons |
| 944210 | Critical - 5 | PL2 | Possible use of Java serialization |
| 944240 | Critical - 5 | PL2 | Remote Command Execution: Java serialization and Log4j vulnerability (CVE-2021-44228, CVE-2021-45046) |
| 944250 | Critical - 5 | PL2 | Remote Command Execution: Suspicious Java method detected |
MS-ThreatIntel-WebShells
| Rule ID | Anomaly score severity | Paranoia Level | Description |
|---|---|---|---|
| 99005002 | Critical - 5 | PL2 | Web Shell Interaction Attempt (POST) |
| 99005003 | Critical - 5 | PL2 | Web Shell Upload Attempt (POST) - CHOPPER PHP |
| 99005004 | Critical - 5 | PL2 | Web Shell Upload Attempt (POST) - CHOPPER ASPX |
| 99005005 | Critical - 5 | PL2 | Web Shell Interaction Attempt |
| 99005006 | Critical - 5 | PL2 | Spring4Shell Interaction Attempt |
MS-ThreatIntel-AppSec
| Rule ID | Anomaly score severity | Paranoia Level | Description |
|---|---|---|---|
| 99030001 | Critical - 5 | PL2 | Path Traversal Evasion in Headers (/.././../) |
| 99030002 | Critical - 5 | PL2 | Path Traversal Evasion in Request Body (/.././../) |
MS-ThreatIntel-SQLI
| Rule ID | Anomaly score severity | Paranoia Level | Description |
|---|---|---|---|
| 99031001 | Warning - 3 | PL2 | SQL Injection Attack: Common Injection Testing Detected |
| 99031002 | Critical - 5 | PL2 | SQL Comment Sequence Detected |
| 99031003 | Critical - 5 | PL2 | SQL Injection Attack |
| 99031004 | Critical - 5 | PL2 | Detects basic SQL authentication bypass attempts 2/3 |
MS-ThreatIntel-CVEs
| Rule ID | Anomaly score severity | Paranoia Level | Description |
|---|---|---|---|
| 99001001 | Critical - 5 | PL2 | Attempted F5 tmui (CVE-2020-5902) REST API Exploitation with known credentials |
| 99001002 | Critical - 5 | PL2 | Attempted Citrix NSC_USER directory traversal CVE-2019-19781 |
| 99001003 | Critical - 5 | PL2 | Attempted Atlassian Confluence Widget Connector exploitation CVE-2019-3396 |
| 99001004 | Critical - 5 | PL2 | Attempted Pulse Secure custom template exploitation CVE-2020-8243 |
| 99001005 | Critical - 5 | PL2 | Attempted SharePoint type converter exploitation CVE-2020-0932 |
| 99001006 | Critical - 5 | PL2 | Attempted Pulse Connect directory traversal CVE-2019-11510 |
| 99001007 | Critical - 5 | PL2 | Attempted Junos OS J-Web local file inclusion CVE-2020-1631 |
| 99001008 | Critical - 5 | PL2 | Attempted Fortinet path traversal CVE-2018-13379 |
| 99001009 | Critical - 5 | PL2 | Attempted Apache struts ognl injection CVE-2017-5638 |
| 99001010 | Critical - 5 | PL2 | Attempted Apache struts ognl injection CVE-2017-12611 |
| 99001011 | Critical - 5 | PL2 | Attempted Oracle WebLogic path traversal CVE-2020-14882 |
| 99001012 | Critical - 5 | PL2 | Attempted Telerik WebUI insecure deserialization exploitation CVE-2019-18935 |
| 99001013 | Critical - 5 | PL2 | Attempted SharePoint insecure XML deserialization CVE-2019-0604 |
| 99001014 | Critical - 5 | PL2 | Attempted Spring Cloud routing-expression injection CVE-2022-22963 |
| 99001015 | Critical - 5 | PL2 | Attempted Spring Framework unsafe class object exploitation CVE-2022-22965 |
| 99001016 | Critical - 5 | PL2 | Attempted Spring Cloud Gateway Actuator injection CVE-2022-22947 |
| 99001017* | N/A | N/A | Attempted Apache Struts file upload exploitation CVE-2023-50164 |
*This rule's action is set to log by default. Set action to Block to prevent against Apache Struts vulnerability. Anomaly Score not supported for this rule.
Note
When reviewing your WAF's logs, you might see rule ID 949110. The description of the rule might include Inbound Anomaly Score Exceeded.
This rule indicates that the total anomaly score for the request exceeded the maximum allowable score. For more information, see Anomaly scoring.
The following rule groups and rules are no longer supported on Web Application Firewall on Application Gateway.
Note
CRS 3.0 and CRS 2.2.9 are no longer supported in Azure WAF. We recommend you upgrade to DRS 2.1 / CRS 3.2
3.0 rule sets
General
| RuleId | Description |
|---|---|
| 200004 | Possible Multipart Unmatched Boundary |
KNOWN-CVES
| RuleId | Description |
|---|---|
| 800100 | Rule to help detect and mitigate log4j vulnerability CVE-2021-44228, CVE-2021-45046 |
| 800110 | Spring4Shell Interaction Attempt |
| 800111 | Attempted Spring Cloud routing-expression injection - CVE-2022-22963 |
| 800112 | Attempted Spring Framework unsafe class object exploitation - CVE-2022-22965 |
| 800113 | Attempted Spring Cloud Gateway Actuator injection - CVE-2022-22947 |
REQUEST-911-METHOD-ENFORCEMENT
| RuleId | Description |
|---|---|
| 911100 | Method isn't allowed by policy |
REQUEST-913-SCANNER-DETECTION
| RuleId | Description |
|---|---|
| 913100 | Found User-Agent associated with security scanner |
| 913110 | Found request header associated with security scanner |
| 913120 | Found request filename/argument associated with security scanner |
| 913101 | Found User-Agent associated with scripting/generic HTTP client |
| 913102 | Found User-Agent associated with web crawler/bot |
REQUEST-920-PROTOCOL-ENFORCEMENT
| RuleId | Description |
|---|---|
| 920100 | Invalid HTTP Request Line |
| 920130 | Failed to parse request body |
| 920140 | Multipart request body failed strict validation |
| 920160 | Content-Length HTTP header isn't numeric |
| 920170 | GET or HEAD Request with Body Content |
| 920180 | POST request missing Content-Length Header |
| 920190 | Range = Invalid Last Byte Value |
| 920210 | Multiple/Conflicting Connection Header Data Found |
| 920220 | URL Encoding Abuse Attack Attempt |
| 920240 | URL Encoding Abuse Attack Attempt |
| 920250 | UTF8 Encoding Abuse Attack Attempt |
| 920260 | Unicode Full/Half Width Abuse Attack Attempt |
| 920270 | Invalid character in request (null character) |
| 920280 | Request Missing a Host Header |
| 920290 | Empty Host Header |
| 920310 | Request Has an Empty Accept Header |
| 920311 | Request Has an Empty Accept Header |
| 920330 | Empty User Agent Header |
| 920340 | Request Containing Content but Missing Content-Type header |
| 920350 | Host header is a numeric IP address |
| 920380 | Too many arguments in request |
| 920360 | Argument name too long |
| 920370 | Argument value too long |
| 920390 | Total arguments size exceeded |
| 920400 | Uploaded file size too large |
| 920410 | Total uploaded files size too large |
| 920420 | Request content type isn't allowed by policy |
| 920430 | HTTP protocol version isn't allowed by policy |
| 920440 | URL file extension is restricted by policy |
| 920450 | HTTP header is restricted by policy (%@{MATCHED_VAR}) |
| 920200 | Range = Too many fields (6 or more) |
| 920201 | Range = Too many fields for pdf request (35 or more) |
| 920230 | Multiple URL Encoding Detected |
| 920300 | Request Missing an Accept Header |
| 920271 | Invalid character in request (non printable characters) |
| 920320 | Missing User Agent Header |
| 920272 | Invalid character in request (outside of printable chars below ascii 127) |
| 920202 | Range = Too many fields for pdf request (6 or more) |
| 920273 | Invalid character in request (outside of very strict set) |
| 920274 | Invalid character in request headers (outside of very strict set) |
| 920460 | Abnormal escape characters |
REQUEST-921-PROTOCOL-ATTACK
| RuleId | Description |
|---|---|
| 921100 | HTTP Request Smuggling Attack |
| 921110 | HTTP Request Smuggling Attack |
| 921120 | HTTP Response Splitting Attack |
| 921130 | HTTP Response Splitting Attack |
| 921140 | HTTP Header Injection Attack via headers |
| 921150 | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921160 | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
| 921151 | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921170 | HTTP Parameter Pollution |
| 921180 | HTTP Parameter Pollution (%@{TX.1}) |
REQUEST-930-APPLICATION-ATTACK-LFI
| RuleId | Description |
|---|---|
| 930100 | Path Traversal Attack (/../) |
| 930110 | Path Traversal Attack (/../) |
| 930120 | OS File Access Attempt |
| 930130 | Restricted File Access Attempt |
REQUEST-931-APPLICATION-ATTACK-RFI
| RuleId | Description |
|---|---|
| 931100 | Possible Remote File Inclusion (RFI) Attack = URL Parameter using IP Address |
| 931110 | Possible Remote File Inclusion (RFI) Attack = Common RFI Vulnerable Parameter Name used w/URL Payload |
| 931120 | Possible Remote File Inclusion (RFI) Attack = URL Payload Used w/Trailing Question Mark Character (?) |
| 931130 | Possible Remote File Inclusion (RFI) Attack = Off-Domain Reference/Link |
REQUEST-932-APPLICATION-ATTACK-RCE
| RuleId | Description |
|---|---|
| 932120 | Remote Command Execution = Windows PowerShell Command Found |
| 932130 | Application Gateway WAF v2: Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) or Text4Shell (CVE-2022-42889) Found Application Gateway WAF v1: Remote Command Execution: Unix Shell Expression |
| 932140 | Remote Command Execution = Windows FOR/IF Command Found |
| 932160 | Remote Command Execution = Unix Shell Code Found |
| 932170 | Remote Command Execution = Shellshock (CVE-2014-6271) |
| 932171 | Remote Command Execution = Shellshock (CVE-2014-6271) |
REQUEST-933-APPLICATION-ATTACK-PHP
| RuleId | Description |
|---|---|
| 933100 | PHP Injection Attack = Opening/Closing Tag Found |
| 933110 | PHP Injection Attack = PHP Script File Upload Found |
| 933120 | PHP Injection Attack = Configuration Directive Found |
| 933130 | PHP Injection Attack = Variables Found |
| 933150 | PHP Injection Attack = High-Risk PHP Function Name Found |
| 933160 | PHP Injection Attack = High-Risk PHP Function Call Found |
| 933180 | PHP Injection Attack = Variable Function Call Found |
| 933151 | PHP Injection Attack = Medium-Risk PHP Function Name Found |
| 933131 | PHP Injection Attack = Variables Found |
| 933161 | PHP Injection Attack = Low-Value PHP Function Call Found |
| 933111 | PHP Injection Attack = PHP Script File Upload Found |
REQUEST-941-APPLICATION-ATTACK-XSS
| RuleId | Description |
|---|---|
| 941100 | XSS Attack Detected via libinjection |
| 941110 | XSS Filter - Category 1 = Script Tag Vector |
| 941130 | XSS Filter - Category 3 = Attribute Vector |
| 941140 | XSS Filter - Category 4 = JavaScript URI Vector |
| 941150 | XSS Filter - Category 5 = Disallowed HTML Attributes |
| 941180 | Node-Validator Blocklist Keywords |
| 941190 | XSS using style sheets |
| 941200 | XSS using VML frames |
| 941210 | XSS using obfuscated JavaScript or Text4Shell (CVE-2022-42889) |
| 941220 | XSS using obfuscated VB Script |
| 941230 | XSS using 'embed' tag |
| 941240 | XSS using 'import' or 'implementation' attribute |
| 941260 | XSS using 'meta' tag |
| 941270 | XSS using 'link' href |
| 941280 | XSS using 'base' tag |
| 941290 | XSS using 'applet' tag |
| 941300 | XSS using 'object' tag |
| 941310 | US-ASCII Malformed Encoding XSS Filter - Attack Detected |
| 941330 | IE XSS Filters - Attack Detected |
| 941340 | IE XSS Filters - Attack Detected |
| 941350 | UTF-7 Encoding IE XSS - Attack Detected |
| 941320 | Possible XSS Attack Detected - HTML Tag Handler |
REQUEST-942-APPLICATION-ATTACK-SQLI
| RuleId | Description |
|---|---|
| 942100 | SQL Injection Attack Detected via libinjection |
| 942110 | SQL Injection Attack: Common Injection Testing Detected |
| 942130 | SQL Injection Attack: SQL Tautology Detected |
| 942140 | SQL Injection Attack = Common DB Names Detected |
| 942160 | Detects blind sqli tests using sleep() or benchmark() |
| 942170 | Detects SQL benchmark and sleep injection attempts including conditional queries |
| 942190 | Detects MSSQL code execution and information gathering attempts |
| 942200 | Detects MySQL comment-/space-obfuscated injections and backtick termination |
| 942230 | Detects conditional SQL injection attempts |
| 942260 | Detects basic SQL authentication bypass attempts 2/3 |
| 942270 | Looking for basic sql injection. Common attack string for mysql oracle and others |
| 942290 | Finds basic MongoDB SQL injection attempts |
| 942300 | Detects MySQL comments, conditions and ch(a)r injections |
| 942310 | Detects chained SQL injection attempts 2/2 |
| 942320 | Detects MySQL and PostgreSQL stored procedure/function injections |
| 942330 | Detects classic SQL injection probings 1/2 |
| 942340 | Detects basic SQL authentication bypass attempts 3/3 |
| 942350 | Detects MySQL UDF injection and other data/structure manipulation attempts |
| 942360 | Detects concatenated basic SQL injection and SQLLFI attempts |
| 942370 | Detects classic SQL injection probings 2/2 |
| 942150 | SQL Injection Attack |
| 942410 | SQL Injection Attack |
| 942430 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
| 942440 | SQL Comment Sequence Detected |
| 942450 | SQL Hex Encoding Identified |
| 942251 | Detects HAVING injections |
| 942460 | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters |
REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION
| RuleId | Description |
|---|---|
| 943100 | Possible Session Fixation Attack = Setting Cookie Values in HTML |
| 943110 | Possible Session Fixation Attack = SessionID Parameter Name with Off-Domain Referrer |
| 943120 | Possible Session Fixation Attack = SessionID Parameter Name with No Referrer |