AWS Managed Rules changelog - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

AWS Managed Rules changelog

This section lists changes to the AWS Managed Rules for AWS WAF since their release in November 2019.

Note

This changelog reports changes to the rules and rule groups in AWS Managed Rules for AWS WAF.

For the IP reputation rule groups, this changelog reports changes to the rules and rule group, and it reports significant changes to the sources of the IP address lists that the rules use. It does not report changes to the IP address lists themselves, due to the dynamic nature of those lists. If you have questions about the IP address lists, contact your account manager or open a case at AWS Support Center.

Rule group and rules Description Date
Amazon IP reputation list managed rule group
  • AWSManagedIPReputationList

Updated the sources of the IP reputation list, to improve identification of addresses that are actively engaging in malicious activities and to reduce false positives.

This update doesn't involve a new version because this rule group isn't versioned.

2024-03-13
Known bad inputs managed rule group

Released static version 1.21 of this rule group.

Added signatures to improve detection and reduce false positives.

2023-12-16
Known bad inputs managed rule group
  • ExploitablePaths_URIPATH

Released static version 1.20 of this rule group.

Updated the ExploitablePaths_URIPATH rule to add detection for requests that match the Atlassian Confluence CVE-2023-22518 Improper Authorization vulnerability. This vulnerability affects all versions of Confluence Data Center and Server. For more information, see NIST: National Vulnerability Database: CVE-2023-22518 Detail.

2023-12-14
Core rule set (CRS) managed rule group
  • CrossSiteScripting*

Released static version 1.11 of this rule group.

Added signatures to all of the cross-site scripting rules to improve detection and reduce false positives.

2023-12-06
AWS WAF Bot Control rule group
  • New label: awswaf:managed:aws:bot-control:targeted:aggregate:coordinated_activity:low

Added the coordinated activity low label to the rule group's targeted protection level labels. This label isn't associated with any rule. This labeling is in addition to the existing medium- and high-level rules and labels.

2023-12-05
Bot Control labels
  • Label: awswaf:managed:aws:bot-control:targeted:signal:browser_automation_extension

Added a signal label to the rule group that indicates the detection of a browser extension that assists in automation. This label isn't specific to an individual rule.

2023-11-14
Core rule set (CRS) managed rule group
  • EC2MetaDataSSRF_QUERYARGUMENTS

Released static version 1.10 of this rule group.

Updated the EC2MetaDataSSRF_QUERYARGUMENTS rule to improve detection and reduce false positives.

2023-11-02
Core rule set (CRS) managed rule group
  • EC2MetaDataSSRF_BODY

  • EC2MetaDataSSRF_COOKIE

  • EC2MetaDataSSRF_URIPATH

  • EC2MetaDataSSRF_QUERYARGUMENTS

Released static version 1.9 of this rule group.

Updated rules to improve detection and reduce false positives.

2023-10-30
POSIX operating system managed rule group
  • UNIXShellCommandsVariables_QUERYARGUMENTS

Released static version 2.1 of this rule group.

Updated the query arguments rule to improve detection.

2023-10-12
Core rule set (CRS) managed rule group
  • GenericLFI_QUERYARGUMENTS

  • GenericLFI_URIPATH

  • RestrictedExtensions_URIPATH

  • RestrictedExtensions_QUERYARGUMENTS

Released static version 1.8 of this rule group.

Updated rules to improve detection.

2023-10-11
Known bad inputs managed rule group
  • ExploitablePaths_URIPATH

Exception deployment: released static version 1.19 of this rule group. Updated the default version to use version 1.19.

Updated the ExploitablePaths_URIPATH rule to add detection for requests matching the Atlassian Confluence CVE-2023-22515 Privilege Escalation Vulnerability. This vulnerability affects some versions of Atlassian Confluence. For more information, see NIST: National Vulnerability Database: CVE-2023-22515 Detail and Atlassian Support: FAQ for CVE-2023-22515.

For information about this deployment type, see Exception deployments for AWS Managed Rules.

2023-10-04
Known bad inputs managed rule group
  • Host_localhost_HEADER

  • Log4J*

  • JavaDeserialization*

Exception deployment: released static version 1.18 of this rule group. This is a quick rollout of this static version to accommodate the creation and rollout of version 1.19.

Updated the Host_localhost_HEADER rule and all Log4J and Java deserialization rules for improved detection.

For information about this deployment type, see Exception deployments for AWS Managed Rules.

2023-10-04
AWS WAF Bot Control rule group
  • TGT_TokenReuseIp

  • TGT_ML_CoordinatedActivityMedium

  • TGT_ML_CoordinatedActivityHigh

Added rules to the rule group with Count action.

The token reuse IP rule detects and counts token sharing across IP addresses.

The coordinated activity rules use automated, machine-learning (ML) analysis of website traffic to detect bot-related activity. In your rule group configuration, you can opt out of the use of ML. With this release, customers who are currently using the targeted protection level are opted in to the use of ML. Opting out disables the coordinated activity rules.

2023-09-06
AWS WAF Bot Control rule group
  • CategoryAI

Added the rule CategoryAI to the rule group.

2023-08-30
Core rule set (CRS) managed rule group
  • RestrictedExtensions_URIPATH

  • RestrictedExtensions_QUERYARGUMENTS

  • EC2MetaDataSSRF_COOKIE

  • EC2MetaDataSSRF_QUERYARGUMENTS

  • EC2MetaDataSSRF_BODY

  • EC2MetaDataSSRF_URIPATH

Released static version 1.7 of this rule group.

Updated restricted extensions and EC2 metadata SSRF rules to improve detection and reduce false positives.

2023-07-26
AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group

  • All rules in the new rule group

Added the rule group AWSManagedRulesACFPRuleSet.

2023-06-13
Linux operating system managed rule group
  • LFI_HEADER

  • LFI_URIPATH

  • LFI_QUERYSTRING

Released static version 2.2 of this rule group.

Added signatures to improve detection.

2023-05-22
Core rule set (CRS) managed rule group
  • RestrictedExtensions_URIPATH

  • RestrictedExtensions_QUERYARGUMENTS

  • CrossSiteScripting_COOKIE

  • CrossSiteScripting_QUERYARGUMENTS

  • CrossSiteScripting_BODY

  • CrossSiteScripting_URIPATH

Released static version 1.6 of this rule group.

Updated cross-site scripting (XSS) and restricted extension rules to improve detection and reduce false positives.

2023-04-28
PHP application managed rule group
  • Updated PHPHighRiskMethodsVariables_BODY

  • Removed PHPHighRiskMethodsVariables_QUERYARGUMENTS

  • Added PHPHighRiskMethodsVariables_QUERYSTRING

  • Added PHPHighRiskMethodsVariables_HEADER

Released static version 2.0 of this rule group.

Added signatures to improve detection in all rules.

Replaced the rule PHPHighRiskMethodsVariables_QUERYARGUMENTS with PHPHighRiskMethodsVariables_QUERYSTRING, which inspects the entire query string instead of just the query arguments.

Added the rule PHPHighRiskMethodsVariables_HEADER, to expand coverage to include all headers.

Updated the following labels to align with standard AWS Managed Rules labeling:

  • Old name: PHPHighRiskMethodsVariables_BODY. New name: PHPHighRiskMethodsVariables_Body.

  • Old name: PHPHighRiskMethodsVariables_QUERYARGUMENTS. New name: PHPHighRiskMethodsVariables_QueryString.

2023-02-27
AWS WAF Fraud Control account takeover prevention (ATP) rule group
  • VolumetricIpFailedLoginResponseHigh

  • VolumetricSessionFailedLoginResponseHigh

Added login response inspection rules for use with protected Amazon CloudFront distributions. These rules can block new login attempts from IP addresses and client sessions that have recently been the source of too many failed login attempts.

2023-02-15
Core rule set (CRS) managed rule group
  • NoUserAgent_HEADER

  • CrossSiteScripting_COOKIE

  • CrossSiteScripting_QUERYARGUMENTS

  • CrossSiteScripting_BODY

  • CrossSiteScripting_URIPATH

Released static version 1.5 of this rule group.

Updated the cross-site scripting (XSS) filters to improve detection.

2023-01-25
Linux operating system managed rule group
  • LFI_COOKIE - removed

  • LFI_HEADER - added

  • LFI_URIPATH

  • LFI_QUERYSTRING

Released static version 2.1 of this rule group.

Removed the rule LFI_COOKIE and its label awswaf:managed:aws:linux-os:LFI_Cookie, and replaced them with the new rule LFI_HEADER and its label awswaf:managed:aws:linux-os:LFI_Header. This change expands inspection to multiple headers.

Added text transformations and signatures to all rules to improve detection.

2022-12-15
Core rule set (CRS) managed rule group
  • NoUserAgent_HEADER

  • CrossSiteScripting_COOKIE

  • CrossSiteScripting_QUERYARGUMENTS

  • CrossSiteScripting_BODY

  • CrossSiteScripting_URIPATH

Released static version 1.4 of this rule group.

Added a text transformation to NoUserAgent_HEADER to remove all null bytes. Updated the filters in the cross-site scripting rules to improve detection.

2022-12-05
Known bad inputs managed rule group
  • JavaDeserializationRCE_BODY

  • JavaDeserializationRCE_URIPATH

  • JavaDeserializationRCE_HEADER

  • JavaDeserializationRCE_QUERYSTRING

  • Host_localhost_HEADER

Released static version 1.17 of this rule group.

Updated the Java deserialization rules to add detection for requests matching Apache CVE-2022-42889, a remote code execution (RCE) vulnerability in Apache Commons Text versions prior to 1.10.0. For more information, see NIST: National Vulnerability Database: CVE-2022-42889 Detail and CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults.

Improved detection in Host_localhost_HEADER.

2022-10-20
Known bad inputs managed rule group
  • Log4JRCE_HEADER

  • Log4JRCE_QUERYSTRING

  • Log4JRCE_URIPATH

  • Log4JRCE_BODY

Released static version 1.16 of this rule group.

Removed false positives that AWS identified in version 1.15.

2022-10-05

POSIX operating system managed rule group

PHP application managed rule group

WordPress application managed rule group

Corrected the documented label names.

2022-09-19
IP reputation rule groups
  • AWSManagedIPDDoSList

Added a new rule, AWSManagedIPDDoSList, with Count action, to inspect for IP addresses that are actively engaging in DDoS activities, according to Amazon threat intelligence.

Because the new rule only counts, this change doesn't alter how the rule group handles web traffic. To block on it, use the rule's label in a custom rule or override the rule action in your web ACL.

2022-08-30
Known bad inputs managed rule group
  • Log4JRCE

  • Log4JRCE_HEADER

  • Log4JRCE_QUERYSTRING

  • Log4JRCE_URIPATH

  • Log4JRCE_BODY

  • JavaDeserializationRCE_HEADER

  • JavaDeserializationRCE_BODY

  • JavaDeserializationRCE_URIPATH

  • JavaDeserializationRCE_QUERYSTRING

  • Host_localhost_HEADER

  • PROPFIND_METHOD

Released static version 1.15 of this rule group.

Removed Log4JRCE and replaced it with Log4JRCE_HEADER, Log4JRCE_QUERYSTRING, Log4JRCE_URIPATH, and Log4JRCE_BODY, for more granular monitoring and management of false positives.

Added signatures for improved detection and blocking to PROPFIND_METHOD and to all JavaDeserializationRCE* and Log4JRCE* rules.

Updated labels to correct capitalization in Host_localhost_HEADER and in all JavaDeserializationRCE* rules.

Corrected the description of JavaDeserializationRCE_HEADER.

2022-08-22
AWS WAF Fraud Control account takeover prevention (ATP) rule group
  • UnsupportedCognitoIDP

Added a rule to prevent the use of the account takeover prevention managed rule group for Amazon Cognito user pool web traffic.

2022-08-11
Core rule set (CRS) managed rule group

AWS has scheduled expiration for versions Version_1.2 and Version_2.0 of the rule group. The versions will expire on September 9, 2022. For information about version expiration, see Version management with managed rule groups.

2022-06-09
Core rule set (CRS) managed rule group
  • GenericLFI_URIPATH

  • GenericRFI_URIPATH

Released version 1.3 of this rule group. This release updates the match signatures in the rules GenericLFI_URIPATH and GenericRFI_URIPATH, to improve detection.

2022-05-24
AWS WAF Bot Control rule group
  • CategoryEmailClient

Added the rule CategoryEmailClient to the rule group.

2022-04-06
Known bad inputs managed rule group
  • JavaDeserializationRCE_HEADER

  • JavaDeserializationRCE_BODY

  • JavaDeserializationRCE_URI

  • JavaDeserializationRCE_QUERYSTRING

Released version 1.14 of this rule group. The four JavaDeserializationRCE rules were moved to Block mode.

2022-03-31
Known bad inputs managed rule group
  • JavaDeserializationRCE_HEADER_RC_COUNT

  • JavaDeserializationRCE_BODY_RC_COUNT

  • JavaDeserializationRCE_URI_RC_COUNT

  • JavaDeserializationRCE_QUERYSTRING_RC_COUNT

Released version 1.13 of this rule group. Updated the text transformation for the Spring Core and Cloud Function RCE vulnerabilities. These rules are in Count mode to gather metrics and evaluate matched patterns. Each rule still adds its label to matching requests, so you can block on that label in a custom rule. A subsequent version will be deployed with these rules in Block mode.

2022-03-31
Known bad inputs managed rule group
  • JavaDeserializationRCE_HEADER_RC_COUNT

  • JavaDeserializationRCE_BODY_RC_COUNT

  • JavaDeserializationRCE_URI_RC_COUNT

  • JavaDeserializationRCE_QUERYSTRING_RC_COUNT

  • Log4JRCE_HEADER

  • Log4JRCE_QUERYSTRING

  • Log4JRCE_URI

  • Log4JRCE_BODY

  • Log4JRCE

Released version 1.12 of this rule group. Added signatures for the Spring Core and Cloud Function RCE vulnerabilities. These rules are in Count mode to gather metrics and evaluate matched patterns. Each rule still adds its label to matching requests, so you can block on that label in a custom rule. A subsequent version will be deployed with these rules in Block mode.

Removed the rules Log4JRCE_HEADER, Log4JRCE_QUERYSTRING, Log4JRCE_URI, and Log4JRCE_BODY and replaced them with the rule Log4JRCE.

2022-03-30
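Blocking on a label that a Count-mode rule adds, as the entries above describe, only works if the custom rule is evaluated after the managed rule group (rules run in ascending Priority order, and a label is visible only to rules evaluated later in the web ACL). Custom rules also silently stop matching when a later rule group version removes or renames the label they key on, as happened with the linux-os LFI_Cookie to LFI_Header change and the php-app label renames earlier in this changelog. The following script is an added example, not code from AWS or from this guide: it lints a web ACL rule list, in the shape `aws wafv2 get-web-acl` returns, for both problems. The rule list is constructed for the example; the rule group names AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesLinuxRuleSet, the label keys, and the php-app label namespace are assumptions to confirm against the AvailableLabels that `aws wafv2 describe-managed-rule-group` returns.

```python
"""Lint wafv2 web ACL rules for two label mistakes (added example, offline).

1. A LabelMatchStatement rule evaluated before the managed rule group that adds
   its label (lower Priority number runs first), so it can never match.
2. A LabelMatchStatement keyed on a label that a later rule-group version
   removed or renamed.
Rule dicts use the shape `aws wafv2 get-web-acl` returns. Rule group names,
label keys and the php-app namespace below are assumptions for this example.
"""


def _vis(name):
    """VisibilityConfig is mandatory on every rule; it does not affect the lint."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}


WEB_ACL_RULES = [  # constructed sample web ACL
    {   # Managed rule group pinned to a static version; one noisy rule kept in
        # Count while it is tuned. A counted rule still adds its label.
        "Name": "known-bad-inputs", "Priority": 10,
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS", "Name": "AWSManagedRulesKnownBadInputsRuleSet",
            "Version": "Version_1.13",
            "RuleActionOverrides": [
                {"Name": "Log4JRCE_QUERYSTRING", "ActionToUse": {"Count": {}}}]}},
        "OverrideAction": {"None": {}}, "VisibilityConfig": _vis("kbi"),
    },
    {   # Custom rule that blocks on a label the group added. 20 > 10, so the
        # label already exists when this rule is evaluated. Key is assumed.
        "Name": "block-java-deser", "Priority": 20,
        "Statement": {"LabelMatchStatement": {"Scope": "LABEL",
            "Key": "awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_Header"}},
        "Action": {"Block": {}}, "VisibilityConfig": _vis("java-deser"),
    },
    {   # Broken twice: runs before the Linux group (5 < 30) and keys on the
        # label that linux-os version 2.1 removed.
        "Name": "block-lfi-cookie", "Priority": 5,
        "Statement": {"LabelMatchStatement": {"Scope": "LABEL",
            "Key": "awswaf:managed:aws:linux-os:LFI_Cookie"}},
        "Action": {"Block": {}}, "VisibilityConfig": _vis("lfi-cookie"),
    },
    {
        "Name": "linux-os", "Priority": 30,
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS", "Name": "AWSManagedRulesLinuxRuleSet"}},
        "OverrideAction": {"None": {}}, "VisibilityConfig": _vis("linux"),
    },
]

# Old -> new label keys from the changelog. The linux-os keys are quoted in the
# entry; the php-app namespace prefix is an assumption.
RENAMED_LABELS = {
    "awswaf:managed:aws:linux-os:LFI_Cookie":
        "awswaf:managed:aws:linux-os:LFI_Header",
    "awswaf:managed:aws:php-app:PHPHighRiskMethodsVariables_QUERYARGUMENTS":
        "awswaf:managed:aws:php-app:PHPHighRiskMethodsVariables_QueryString",
}


def _label_statements(stmt):
    """Yield every LabelMatchStatement in a statement, descending into And/Or/Not."""
    if "LabelMatchStatement" in stmt:
        yield stmt["LabelMatchStatement"]
    for key in ("AndStatement", "OrStatement"):
        for sub in stmt.get(key, {}).get("Statements", []):
            yield from _label_statements(sub)
    if "NotStatement" in stmt:
        yield from _label_statements(stmt["NotStatement"]["Statement"])


def _producers_before(rules, priority):
    """Labels that rules with a lower Priority can add: managed-group prefixes
    (awswaf:managed:<vendor>:) and exact keys from custom RuleLabels."""
    prefixes, exact = set(), set()
    for r in rules:
        if r["Priority"] >= priority:
            continue
        mrg = r["Statement"].get("ManagedRuleGroupStatement")
        if mrg:
            prefixes.add("awswaf:managed:%s:" % mrg["VendorName"].lower())
        exact.update(lab["Name"] for lab in r.get("RuleLabels", []))
    return prefixes, exact


def check_label_ordering(rules):
    """Names of rules whose label match can never be satisfied because no
    earlier rule can add the label (or, for Scope NAMESPACE, its prefix)."""
    bad = []
    for r in rules:
        prefixes, exact = _producers_before(rules, r["Priority"])
        for lm in _label_statements(r["Statement"]):
            key = lm["Key"]
            if lm.get("Scope") == "NAMESPACE":
                ok = any(e.startswith(key) for e in exact) or any(
                    p.startswith(key) or key.startswith(p) for p in prefixes)
            else:
                ok = key in exact or any(key.startswith(p) for p in prefixes)
            if not ok and r["Name"] not in bad:
                bad.append(r["Name"])
    return bad


def find_stale_labels(rules, renamed=RENAMED_LABELS):
    """Map rule name -> (old key, replacement key) for matches on retired labels."""
    return {r["Name"]: (lm["Key"], renamed[lm["Key"]])
            for r in rules for lm in _label_statements(r["Statement"])
            if lm["Key"] in renamed}


if __name__ == "__main__":
    print("never-firing label rules:", check_label_ordering(WEB_ACL_RULES))
    print("stale label keys:", find_stale_labels(WEB_ACL_RULES))
```

Run it against the output of `aws wafv2 get-web-acl` (the `WebACL.Rules` array) instead of the constructed list to check a real ACL. The fix for the ordering finding is to give the label-match rule a higher Priority number than the managed rule group; the fix for a stale key is to switch to the replacement label, and, where the replaced rule inspects a wider field (LFI_HEADER covers all headers, not just the cookie), to re-check the rule for false positives before leaving it in Block.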
IP reputation rule groups
  • AWSManagedReconnaissanceList

Updated the AWSManagedReconnaissanceList rule to change its action from Count to Block.

2022-02-15
AWS WAF Fraud Control account takeover prevention (ATP) rule group

  • All rules in the new rule group

Added the rule group AWSManagedRulesATPRuleSet.

2022-02-11
Known bad inputs managed rule group
  • Log4JRCE

  • Log4JRCE_HEADER

  • Log4JRCE_QUERYSTRING

  • Log4JRCE_URI

  • Log4JRCE_BODY

Released version 1.9 of this rule group. Removed the rule Log4JRCE and replaced it with the rules Log4JRCE_HEADER, Log4JRCE_QUERYSTRING, Log4JRCE_URI, and Log4JRCE_BODY, for flexibility in the use of this functionality. Added signatures to improve detection and blocking.

2022-01-28
Core rule set (CRS)
  • CrossSiteScripting_URIPATH

  • CrossSiteScripting_BODY

  • CrossSiteScripting_QUERYARGUMENTS

  • CrossSiteScripting_COOKIE

Released version 2.0 of this rule group. For these rules, tuned detection signatures to reduce false positives. Replaced the URL_DECODE text transformation with the double URL_DECODE_UNI text transformation. Added the HTML_ENTITY_DECODE text transformation.

2022-01-10
Core rule set (CRS)
  • RestrictedExtensions_URIPATH

  • RestrictedExtensions_QUERYARGUMENTS

As part of the release of version 2.0 of this rule group, added the URL_DECODE_UNI text transformation. Removed the URL_DECODE text transformation from RestrictedExtensions_URIPATH.

2022-01-10
SQL database
  • SQLi_BODY

  • SQLi_QUERYARGUMENTS

  • SQLi_COOKIE

  • SQLi_URIPATH

  • SQLiExtendedPatterns_BODY

  • SQLiExtendedPatterns_QUERYARGUMENTS

Released version 2.0 of this rule group. Replaced the URL_DECODE text transformation with the double URL_DECODE_UNI text transformation and added the COMPRESS_WHITE_SPACE text transformation.

Added more detection signatures to SQLiExtendedPatterns_QUERYARGUMENTS.

Added JSON inspection to SQLi_BODY.

Added the rule SQLiExtendedPatterns_BODY.

Removed the rule SQLi_URIPATH.

2022-01-10
Known bad inputs
  • Log4JRCE

Released version 1.8 of this rule group, improving the Log4JRCE rule's header inspection and matching criteria.

2021-12-17
Known bad inputs
  • Log4JRCE

Released version 1.4 of this rule group, tuning the Log4JRCE rule's matching criteria and inspecting additional headers. Released version 1.5 to further tune the matching criteria.

2021-12-11
Known bad inputs
  • Log4JRCE

  • BadAuthToken_COOKIE_AUTHORIZATION

Added the rule Log4JRCE in version 1.2 of this rule group, in response to the recently disclosed security issue in Log4j. For information, see CVE-2021-44228. This rule inspects common URI paths, query strings, the first 8 KB of the request body, and common headers. The rule uses double URL_DECODE_UNI text transformations. Released version 1.3 of this rule group to tune the Log4JRCE matching criteria and to inspect additional headers.

Removed the rule BadAuthToken_COOKIE_AUTHORIZATION.

2021-12-10

The following table lists changes prior to December 2021.

Rule group and rules Description Date
Amazon IP reputation list
  • AWSManagedReconnaissanceList

Added the AWSManagedReconnaissanceList rule in monitoring (Count) mode. This rule matches IP addresses that are performing reconnaissance against AWS resources.

2021-11-23
Windows operating system
  • WindowsShellCommands*

  • PowerShellCommands*

Added three new Windows shell command rules: WindowsShellCommands_COOKIE, WindowsShellCommands_QUERYARGUMENTS, and WindowsShellCommands_BODY.

Added a new PowerShell rule: PowerShellCommands_COOKIE.

Restructured the PowerShellCommands rule names by removing the suffixes _Set1 and _Set2.

Added more comprehensive detection signatures to the PowerShellCommands rules.

Added the URL_DECODE_UNI text transformation to all Windows operating system rules.

2021-11-23
Linux operating system
  • LFI_URIPATH

  • LFI_QUERYSTRING

  • LFI_BODY

  • LFI_COOKIE

Replaced the double URL_DECODE text transformation with double URL_DECODE_UNI.

Added NORMALIZE_PATH_WIN as a second text transformation.

Replaced the LFI_BODY rule with the LFI_COOKIE rule.

Added more comprehensive detection signatures to all LFI rules.

2021-11-23
Core rule set (CRS)
  • SizeRestrictions_BODY

Reduced the size limit, so that the rule now blocks web requests with body payloads larger than 8 KB. Previously, the limit was 10 KB.

2021-10-27
Core rule set (CRS)
  • EC2MetaDataSSRF_BODY

  • EC2MetaDataSSRF_COOKIE

  • EC2MetaDataSSRF_URIPATH

  • EC2MetaDataSSRF_QUERYARGUMENTS

Added more detection signatures. Added double Unicode URL decode (URL_DECODE_UNI) to improve blocking.

2021-10-27
Core rule set (CRS)
  • GenericLFI_QUERYARGUMENTS

  • GenericLFI_URIPATH

  • RestrictedExtensions_URIPATH

  • RestrictedExtensions_QUERYARGUMENTS

Added double Unicode URL decode (URL_DECODE_UNI) to improve blocking.

2021-10-27
Core rule set (CRS)
  • GenericRFI_QUERYARGUMENTS

  • GenericRFI_BODY

  • GenericRFI_URIPATH

Updated the rule signatures to reduce false positives, based on customer feedback. Added double Unicode URL decode (URL_DECODE_UNI) to improve blocking.

2021-10-27
All rule groups
  • All rules

Added support for AWS WAF labels to all rules that didn't already support labeling.

2021-10-25
Amazon IP reputation list
  • AWSManagedIPReputationList_xxxx

Restructured the IP reputation list, removed the suffixes from the rule names, and added support for AWS WAF labels.

2021-05-04
Anonymous IP list
  • AnonymousIPList

  • HostingProviderList

Added support for AWS WAF labels.

2021-05-04
Bot Control
  • All rules

Added the Bot Control rule group.

2021-04-01
Core rule set (CRS)
  • GenericRFI_QUERYARGUMENTS

Added double URL decode.

2021-03-03
Core rule set (CRS)
  • RestrictedExtensions_URIPATH

Improved the configuration of the rule and added an extra URL decode.

2021-03-03
Admin protection
  • AdminProtection_URIPATH

Added double URL decode.

2021-03-03
Known bad inputs
  • ExploitablePaths_URIPATH

Improved the configuration of the rule and added an extra URL decode.

2021-03-03
Linux operating system
  • LFI_QUERYARGUMENTS

Improved the configuration of the rule and added an extra URL decode.

2021-03-03
Windows operating system
  • All rules

Improved the configuration of the rules.

2020-09-23
PHP application
  • PHPHighRiskMethodsVariables_QUERYARGUMENTS

  • PHPHighRiskMethodsVariables_BODY

Changed the text transformation from HTML entity decode to URL decode, to improve blocking.

2020-09-16
POSIX operating system
  • UNIXShellCommandsVariables_QUERYARGUMENTS

  • UNIXShellCommandsVariables_BODY

Changed the text transformation from HTML entity decode to URL decode, to improve blocking.

2020-09-16
Core rule set (CRS)
  • GenericLFI_QUERYARGUMENTS

  • GenericLFI_URIPATH

  • GenericLFI_BODY

Changed the text transformation from HTML entity decode to URL decode, to improve blocking.

2020-08-07
Linux operating system
  • LFI_URIPATH

  • LFI_QUERYARGUMENTS

  • LFI_BODY

Changed the text transformation from HTML entity decode to URL decode, to improve detection and blocking.

2020-05-19
Anonymous IP list
  • All rules

New rule group in the IP reputation rule groups. It blocks requests from services that permit the obfuscation of viewer identity, to help mitigate bots and evasion of geographic restrictions.

2020-03-06
WordPress application
  • WordPressExploitableCommands_QUERYSTRING

New rule that checks for exploitable commands in the query string.

2020-03-03
Core rule set (CRS)
  • SizeRestrictions_QUERYSTRING

  • SizeRestrictions_Cookie_HEADER

  • SizeRestrictions_BODY

  • SizeRestrictions_URIPATH

Adjusted the size constraints for improved accuracy.

2020-03-03
SQL database
  • SQLi_URIPATH

The rule now inspects the request URI path.

2020-01-23
SQL database
  • SQLi_BODY

  • SQLi_QUERYARGUMENTS

  • SQLi_COOKIE

Updated text transformations.

2019-12-20
Core rule set (CRS)
  • CrossSiteScripting_URIPATH

  • CrossSiteScripting_BODY

  • CrossSiteScripting_QUERYARGUMENTS

  • CrossSiteScripting_COOKIE

Updated text transformations.

2019-12-20