AWS WAF and AWS Shield Advanced
Developer Guide (API Version 2015-08-24)

Working with Regex Match Conditions

If you want to allow or block web requests based on strings in the requests that match a regular expression (regex) pattern, create one or more regex match conditions. A regex match condition is a type of string match condition that identifies the pattern that you want to search for and the part of the web request, such as a specified header or the query string, that you want AWS WAF to inspect for the pattern. Later in the process, when you create a web ACL, you specify whether to allow or block requests that contain the pattern.

Creating a Regex Match Condition

When you create regex match conditions, you specify pattern sets that identify the string (using a regular expression) that you want to search for. You then add those pattern sets to filters that specify the part of web requests that you want AWS WAF to inspect for that pattern set, such as the URI or the query string.

You can add multiple regular expressions to a single pattern set. If you do so, those expressions are combined with an OR. That is, a web request will match the pattern set if the appropriate part of the request matches any of the expressions listed.

When you add a regex match condition to a rule, you also can configure AWS WAF to allow or block web requests that do not match the values in the condition.

AWS WAF supports most standard Perl Compatible Regular Expressions (PCRE). However, the following are not supported:

  • Backreferences and capturing subexpressions

  • Arbitrary zero-width assertions

  • Subroutine references and recursive patterns

  • Conditional patterns

  • Backtracking control verbs

  • The \C single-byte directive

  • The \R newline match directive

  • The \K start of match reset directive

  • Callouts and embedded code

  • Atomic grouping and possessive quantifiers

To create a regex match condition

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/waf/.

  2. In the navigation pane, choose String and regex matching.

  3. Choose Create condition.

  4. Specify the applicable filter settings. For more information, see Values That You Specify When You Create or Edit RegEx Match Conditions.

  5. Choose Create pattern set and add filter (if you created a new pattern set) or Add filter if you used an existing pattern set.

  6. Choose Create.

Values That You Specify When You Create or Edit RegEx Match Conditions

When you create or update a regex match condition, you specify the following values:

Name

Type a name for the regex match condition. The value can contain only the characters A-Z, a-z, and 0-9. You can't change the name of a condition after you create it.

Type

Choose Regex match.

Part of the request to filter on

Choose the part of each web request that you want AWS WAF to inspect for the pattern that you specify in Value to match:

Header

A specified request header, for example, the User-Agent or Referer header. If you choose Header, specify the name of the header in the Header field.

HTTP method

The HTTP method, which indicates the type of operation that the request is asking the origin to perform. CloudFront supports the following methods: DELETE, GET, HEAD, OPTIONS, PATCH, POST, and PUT.

Query string

The part of a URL that appears after a ? character, if any.

URI

The part of a URL that identifies a resource, for example, /images/daily-ad.jpg.

Body

The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.

Note

If you choose Body for the value of Part of the request to filter on, AWS WAF inspects only the first 8192 bytes (8 KB). To allow or block requests for which the body is longer than 8192 bytes, you can create a size constraint condition. (AWS WAF gets the length of the body from the request headers.) For more information, see Working with Size Constraint Conditions.

Header (Only When "Part of the request to filter on" is "Header")

If you chose Header from the Part of the request to filter on list, choose a header from the list of common headers, or type the name of a header that you want AWS WAF to inspect.

Transformation

A transformation reformats a web request before AWS WAF inspects the request. This eliminates some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. Transformations can perform the following operations:

None

AWS WAF doesn't perform any text transformations on the web request before inspecting it for the string in Value to match.

Convert to lowercase

AWS WAF converts uppercase letters (A-Z) to lowercase (a-z).

HTML decode

AWS WAF replaces HTML-encoded characters with unencoded characters:

  • Replaces &quot; with "

  • Replaces &nbsp; with a non-breaking space

  • Replaces &lt; with <

  • Replaces &gt; with >

  • Replaces characters that are represented in hexadecimal format, &#xhhhh;, with the corresponding characters

  • Replaces characters that are represented in decimal format, &#nnnn;, with the corresponding characters

Normalize whitespace

AWS WAF replaces the following characters with a space character (decimal 32):

  • \f, formfeed, decimal 12

  • \t, tab, decimal 9

  • \n, newline, decimal 10

  • \r, carriage return, decimal 13

  • \v, vertical tab, decimal 11

  • non-breaking space, decimal 160

In addition, this option replaces multiple spaces with one space.

Simplify command line

When you're concerned that attackers are injecting an operating system command line command and using unusual formatting to disguise some or all of the command, use this option to perform the following transformations:

  • Delete the following characters: \ " ' ^

  • Delete spaces before the following characters: / (

  • Replace the following characters with a space: , ;

  • Replace multiple spaces with one space

  • Convert uppercase letters (A-Z) to lowercase (a-z)

URL decode

Decode a URL-encoded request.
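To reason about which transformation a filter needs, it helps to see each one applied to a sample value and then check the pattern set against the result. The following Python, added here as an example and not AWS's implementation, re-implements the transformations exactly as this page lists them (ASCII-only lowercasing, the listed HTML entities, the listed whitespace characters, the five command-line steps in order), applies the pattern set with the OR semantics the page describes, and honours the 8192-byte body limit. Two details are my assumptions: URL decode is treated as plain percent-decoding (urllib.parse.unquote), and the body is cut to 8192 bytes before the transformation runs. The dictionary keys are the TextTransformation enumeration names of the AWS WAF API, which this page does not show.

```python
"""Preview AWS WAF text transformations and pattern-set matching locally.

Added example, not AWS code: the transformations follow the descriptions on
this page; URL decode and the order of body truncation are assumptions.
"""
import re
from urllib.parse import unquote

BODY_INSPECT_LIMIT = 8192  # bytes of the request body that AWS WAF inspects

_ENTITY = re.compile(r"&(quot|nbsp|lt|gt|#x[0-9A-Fa-f]+|#[0-9]+);")
_NAMED = {"quot": '"', "nbsp": "\u00a0", "lt": "<", "gt": ">"}


def lowercase(s):
    """Convert uppercase A-Z to a-z; non-ASCII letters are left untouched."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)


def html_decode(s):
    """Replace only the entities the page lists; anything else stays as-is."""
    def repl(m):
        ent = m.group(1)
        if ent in _NAMED:
            return _NAMED[ent]
        code = int(ent[2:], 16) if ent.startswith("#x") else int(ent[1:])
        return chr(code) if code < 0x110000 else m.group(0)
    return _ENTITY.sub(repl, s)


def normalize_whitespace(s):
    """\\f \\t \\n \\r \\v and NBSP become a space; runs of spaces collapse."""
    s = re.sub("[\f\t\n\r\v\u00a0]", " ", s)
    return re.sub(" {2,}", " ", s)


def simplify_command_line(s):
    """The five steps the page lists for 'Simplify command line', in order."""
    s = re.sub(r"[\\\"'^]", "", s)      # delete \ " ' ^
    s = re.sub(r" +(?=[/(])", "", s)    # delete spaces before / and (
    s = re.sub(r"[,;]", " ", s)         # , and ; become a space
    s = re.sub(" {2,}", " ", s)         # collapse runs of spaces
    return lowercase(s)                 # A-Z to a-z


def url_decode(s):
    """Percent-decoding (assumed to be what the page's 'URL decode' does)."""
    return unquote(s)


# Keys are the API's TextTransformation names (not shown on this page).
TRANSFORMATIONS = {
    "NONE": lambda s: s,
    "LOWERCASE": lowercase,
    "HTML_ENTITY_DECODE": html_decode,
    "COMPRESS_WHITE_SPACE": normalize_whitespace,
    "CMD_LINE": simplify_command_line,
    "URL_DECODE": url_decode,
}


def matches_pattern_set(value, transformation, patterns, part="QUERY_STRING"):
    """True if any pattern in the set (OR) matches the transformed part.

    For the body only the first 8192 bytes are inspected; the cut is assumed
    to happen before the transformation is applied.
    """
    if part == "BODY":
        value = value.encode("utf-8")[:BODY_INSPECT_LIMIT].decode("utf-8", "ignore")
    transformed = TRANSFORMATIONS[transformation](value)
    return any(re.search(p, transformed) for p in patterns)


if __name__ == "__main__":
    # Constructed sample: a percent-encoded script tag in a query string.
    xss_set = [r"<script", r"javascript:"]
    print(matches_pattern_set("q=%3Cscript%3E", "NONE", xss_set))        # False
    print(matches_pattern_set("q=%3Cscript%3E", "URL_DECODE", xss_set))  # True
```

The pair of calls at the bottom is the point of the exercise: the same pattern set misses a percent-encoded value under None and catches it under URL decode, so the transformation belongs in the filter rather than in the regex. The body check also shows why a size constraint condition is needed for long bodies: a pattern that begins after byte 8192 is never seen.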

Regex pattern to match to request

You can choose an existing pattern set, or create a new one. If you create a new one, specify the following:

New pattern set name

Type a name and then specify the regex pattern that you want AWS WAF to search for.

If you add multiple regular expressions to a pattern set, those expressions are combined with an OR. That is, a web request will match the pattern set if the appropriate part of the request matches any of the expressions listed.

The maximum length of Value to match is 70 characters. If you want to specify a base64-encoded value, the limit is 70 characters before encoding.

Editing a Regex Match Condition

You can make the following changes to an existing regex match condition:

  • Delete a pattern from an existing pattern set

  • Add a pattern to an existing pattern set

  • Delete a filter from an existing regex match condition

  • Add a filter to an existing regex match condition (You can have only one filter in a regex match condition. Therefore, in order to add a filter, you must delete the existing filter first.)

  • Delete an existing regex match condition

Note

You cannot add or delete a pattern set from an existing filter. You must either edit the pattern set, or delete the filter and create a new filter with a new pattern set.

To delete a pattern from an existing pattern set

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/waf/.

  2. In the navigation pane, choose String and regex matching.

  3. Choose View regex pattern sets.

  4. Choose the name of the pattern set you want to edit.

  5. Choose Edit.

  6. Choose the X next to the pattern you want to delete.

  7. Choose Save.

To add a pattern to an existing pattern set

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/waf/.

  2. In the navigation pane, choose String and regex matching.

  3. Choose View regex pattern sets.

  4. Choose the name of the pattern set to edit.

  5. Choose Edit.

  6. Type a new regex pattern.

  7. Choose the + next to the new pattern.

  8. Choose Save.

To delete a filter from an existing regex match condition

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/waf/.

  2. In the navigation pane, choose String and regex matching.

  3. Choose the name of the condition with the filter you want to delete.

  4. Choose the box next to the filter you want to delete.

  5. Choose Delete filter.

To delete a regex match condition

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/waf/.

  2. Delete the filter from the regex condition. (See To delete a filter from an existing regex match condition for instructions.)

  3. Remove the regex match condition from the rules that are using it:

    1. In the navigation pane, choose Rules.

    2. Choose the name of a rule that is using the regex match condition that you want to delete.

    3. In the right pane, choose Edit rule.

    4. Choose the X next to the condition you want to delete.

    5. Choose Update.

    6. Repeat for all the remaining rules that are using the regex match condition that you want to delete.

  4. In the navigation pane, choose String and regex matching.

  5. Select the button next to the condition you want to delete.

  6. Choose Delete.

To add or change a filter to an existing regex match condition

You can have only one filter in a regex match condition. If you want to add or change the filter, you must first delete the existing filter.

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/waf/.

  2. Delete the filter from the regex condition you want to change. (See To delete a filter from an existing regex match condition for instructions.)

  3. In the navigation pane, choose String and regex matching.

  4. Choose the name of the condition you want to change.

  5. Choose Add filter.

  6. Enter the appropriate values for the new filter and choose Add.