Baseline rule groups
Baseline managed rule groups provide general protection against a wide variety of common threats. Choose one or more of these rule groups to establish baseline protection for your resources.
Core rule set (CRS) managed rule group
VendorName: AWS, Name: AWSManagedRulesCommonRuleSet, WCU: 700
The Core rule set (CRS) rule group contains rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including some of the high-risk and commonly occurring vulnerabilities described in OWASP publications such as the OWASP Top 10.

Rule name | Description and label
---|---
NoUserAgent_HEADER | Blocks requests with no HTTP User-Agent header. Label:
UserAgent_BadBots_HEADER | Inspects for the presence of common User-Agent header values indicating that the request comes from a bad bot. Example patterns include `nessus` and `nmap`. For bot management, see also AWS WAF Bot Control rule group. Label:
SizeRestrictions_QUERYSTRING | Verifies that the URI query string length is at most 2,048 bytes. Label:
SizeRestrictions_Cookie_HEADER | Verifies that the cookie header length is at most 10,240 bytes. Label:
SizeRestrictions_BODY | Verifies that the request body size is at most 8 KB (8,192 bytes). Label:
SizeRestrictions_URIPATH | Verifies that the URI path length is at most 1,024 bytes. Label:
EC2MetaDataSSRF_BODY | Inspects for attempts to exfiltrate Amazon EC2 metadata from the request body. This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies. Label:
EC2MetaDataSSRF_COOKIE | Inspects for attempts to exfiltrate Amazon EC2 metadata from the request cookie. Label:
EC2MetaDataSSRF_URIPATH | Inspects for attempts to exfiltrate Amazon EC2 metadata from the request URI path. Label:
EC2MetaDataSSRF_QUERYARGUMENTS | Inspects for attempts to exfiltrate Amazon EC2 metadata from the request query arguments. Label:
GenericLFI_QUERYARGUMENTS | Inspects for the presence of Local File Inclusion (LFI) exploits in the query arguments. Examples include path traversal attempts using techniques like `../../`. Label:
GenericLFI_URIPATH | Inspects for the presence of Local File Inclusion (LFI) exploits in the URI path. Examples include path traversal attempts using techniques like `../../`. Label:
GenericLFI_BODY | Inspects for the presence of Local File Inclusion (LFI) exploits in the request body. Examples include path traversal attempts using techniques like `../../`. This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies. Label:
RestrictedExtensions_URIPATH | Inspects requests whose URI path includes system file extensions that clients shouldn't read or run. Example patterns include extensions like `.log` and `.ini`. Label:
RestrictedExtensions_QUERYARGUMENTS | Inspects requests whose query arguments are system file extensions that clients shouldn't read or run. Example patterns include extensions like `.log` and `.ini`. Label:
GenericRFI_QUERYARGUMENTS | Inspects the values of all query parameters and blocks requests that attempt to exploit Remote File Inclusion (RFI) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns like `http://`, `https://`, `ftp://`, `ftps://`, and `file://`, with an IPv4 host in the exploit attempt. Label:
GenericRFI_BODY | Inspects the request body and blocks requests that attempt to exploit Remote File Inclusion (RFI) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns like `http://`, `https://`, `ftp://`, `ftps://`, and `file://`, with an IPv4 host in the exploit attempt. This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies. Label:
GenericRFI_URIPATH | Inspects the URI path and blocks requests that attempt to exploit Remote File Inclusion (RFI) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns like `http://`, `https://`, `ftp://`, `ftps://`, and `file://`, with an IPv4 host in the exploit attempt. Label:
CrossSiteScripting_COOKIE | Inspects the value of cookie headers and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like `<script>alert("hello")</script>`. The rule match details in the AWS WAF logs are not populated for version 2.0 of this rule group. Label:
CrossSiteScripting_QUERYARGUMENTS | Inspects the value of query arguments and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like `<script>alert("hello")</script>`. The rule match details in the AWS WAF logs are not populated for version 2.0 of this rule group. Label:
CrossSiteScripting_BODY | Inspects the value of the request body and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like `<script>alert("hello")</script>`. The rule match details in the AWS WAF logs are not populated for version 2.0 of this rule group. This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies. Label:
CrossSiteScripting_URIPATH | Inspects the value of the URI path and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like `<script>alert("hello")</script>`. The rule match details in the AWS WAF logs are not populated for version 2.0 of this rule group. Label:
Admin protection managed rule group
VendorName: AWS, Name: AWSManagedRulesAdminProtectionRuleSet, WCU: 100
The Admin protection rule group contains rules that allow you to block external access to exposed administrative pages. This might be useful if you run third-party software or want to reduce the risk of a malicious actor gaining administrative access to your application.

Rule name | Description and label
---|---
AdminProtection_URIPATH | Inspects requests for URI paths that are generally reserved for administration of a web server or application. Example patterns include `sqlmanager`. Label:
Known bad inputs managed rule group
VendorName: AWS, Name: AWSManagedRulesKnownBadInputsRuleSet, WCU: 200
The Known bad inputs rule group contains rules to block request patterns that are known to be invalid and are associated with exploitation or discovery of vulnerabilities. This can help reduce the risk of a malicious actor discovering a vulnerable application.

Rule name | Description and label
---|---
JavaDeserializationRCE_HEADER | Inspects the values of common HTTP request headers for patterns indicating Java deserialization Remote Command Execution (RCE) attempts, such as the Spring Core and Cloud Function RCE vulnerabilities (CVE-2022-22963, CVE-2022-22965). Example patterns include `(java.lang.Runtime).getRuntime().exec("whoami")`. Label:
JavaDeserializationRCE_BODY | Inspects the request body for patterns indicating Java deserialization Remote Command Execution (RCE) attempts, such as the Spring Core and Cloud Function RCE vulnerabilities (CVE-2022-22963, CVE-2022-22965). Example patterns include `(java.lang.Runtime).getRuntime().exec("whoami")`. This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies. Label:
JavaDeserializationRCE_URI | Inspects the request URI for patterns indicating Java deserialization Remote Command Execution (RCE) attempts, such as the Spring Core and Cloud Function RCE vulnerabilities (CVE-2022-22963, CVE-2022-22965). Example patterns include `(java.lang.Runtime).getRuntime().exec("whoami")`. Label:
JavaDeserializationRCE_QUERYSTRING | Inspects the request query string for patterns indicating Java deserialization Remote Command Execution (RCE) attempts, such as the Spring Core and Cloud Function RCE vulnerabilities (CVE-2022-22963, CVE-2022-22965). Example patterns include `(java.lang.Runtime).getRuntime().exec("whoami")`. Label:
Host_localhost_HEADER | Inspects the host header in the request for patterns indicating localhost. Example patterns include `localhost`. Label:
PROPFIND_METHOD | Inspects the HTTP method in the request for `PROPFIND`, which is a method similar to `HEAD`, but with the extra intention to exfiltrate XML objects. Label:
ExploitablePaths_URIPATH | Inspects the URI path for attempts to access exploitable web application paths. Example patterns include paths like `web-inf`. Label:
Log4JRCE | Inspects the query string, body, URI, and values of common HTTP request headers for the presence of the Log4j vulnerability (CVE-2021-44228). Example patterns include `${jndi:ldap://example.com/}`. This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies. Label:
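The following added example (not AWS's code) builds the web ACL rule entries that reference the three baseline rule groups above, using the vendor name, rule group names and WCUs from this page, and shows how to switch an individual rule such as SizeRestrictions_BODY to Count instead of Block for an application that legitimately posts bodies larger than 8 KB. The rule priorities and the 1,500-WCU default web ACL capacity are assumptions, not values from this page.

```python
import json

# Rule group names and WCUs as listed on this page.
BASELINE_GROUPS = {
    "AWSManagedRulesCommonRuleSet": 700,
    "AWSManagedRulesAdminProtectionRuleSet": 100,
    "AWSManagedRulesKnownBadInputsRuleSet": 200,
}
DEFAULT_WEB_ACL_WCU_LIMIT = 1500  # assumed default per-web-ACL capacity


def managed_group_rule(name, priority, count_only=()):
    """Return one web ACL rule entry (WAFv2 API shape) for a managed group.

    Rules named in count_only are overridden from their default Block action
    to Count, so they still log matches and emit labels without blocking.
    """
    if name not in BASELINE_GROUPS:
        raise ValueError(f"unknown baseline rule group: {name}")
    statement = {"VendorName": "AWS", "Name": name}
    if count_only:
        statement["RuleActionOverrides"] = [
            {"Name": rule, "ActionToUse": {"Count": {}}} for rule in count_only
        ]
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": statement},
        # A rule referencing a managed group uses OverrideAction, not Action.
        "OverrideAction": {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def baseline_rules(count_only=None):
    """All three baseline groups, CRS first, with optional per-group overrides."""
    count_only = count_only or {}
    return [managed_group_rule(name, prio, count_only.get(name, ()))
            for prio, name in enumerate(BASELINE_GROUPS)]


def total_wcu(rules):
    """Sum the documented WCUs of the referenced groups and check the limit."""
    used = sum(BASELINE_GROUPS[r["Statement"]["ManagedRuleGroupStatement"]["Name"]]
               for r in rules)
    return used, used <= DEFAULT_WEB_ACL_WCU_LIMIT


if __name__ == "__main__":
    rules = baseline_rules({"AWSManagedRulesCommonRuleSet": ("SizeRestrictions_BODY",)})
    print(json.dumps(rules, indent=2), total_wcu(rules))
```

The returned list is the `Rules` value for `create_web_acl`/`update_web_acl` in boto3's `wafv2` client; running a rule in Count mode first lets you review the WAF logs for false positives before enforcing it.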