AWS WAF Classic Explained: Part 2 Relationship between Conditions and Filters

*This entry was originally written in Japanese, at a time when AWS WAF Classic was the current version.

Table of Contents

  1. Introduction
  2. Relationship between Conditions and Filters in AWS WAF
  3. Combinations of Condition types and Filters you can use
  4. Details of each item you can use in Filters
  5. How AWS WAF Classic rules work in terms of Conditions and Filters
  6. Rule samples for when you operate AWS WAF
  7. Conclusion

Introduction

In Part 2 of this series, we explain the relationship between Conditions and Filters. If you have not read Part 1 Basic Structure yet, reading it first will make the topics in this post easier to follow.

Relationship between Conditions and Filters in AWS WAF

Conditions specify the criteria AWS WAF uses to decide whether to allow or block a request. Filters set the specific details of a condition, such as the string to match and the part of the request to inspect.

Combinations of Condition types and Filters you can use

For each condition type, the filters you can use are listed below.

Cross-site scripting match conditions
A condition that allows or blocks requests that appear to contain malicious scripts.
Filters you can use:
  • Part of the request to filter on
  • Transformation

IP match conditions
A condition that allows or blocks based on the IP addresses that the requests originate from.
Filters you can use:
  • IP addresses

Geo (Geographic) match conditions
A condition that allows or blocks based on the countries that the requests originate from.
Filters you can use:
  • Location type

Size constraint conditions
A condition that allows or blocks based on the length of specified parts of requests.
Filters you can use:
  • Part of the request to filter on
  • Size
  • Comparison operator
  • Transformation

SQL injection match conditions
A condition that allows or blocks requests that appear to contain malicious SQL code.
Filters you can use:
  • Part of the request to filter on
  • Transformation

String match conditions
A condition that allows or blocks based on strings that appear in the requests.
Filters you can use:
  • Part of the request to filter on
  • Transformation
  • Match type
  • Value to match

Regex match conditions
A condition that allows or blocks based on strings in the requests that match a regular expression (regex) pattern.
Filters you can use:
  • Part of the request to filter on
  • Transformation
  • Regex patterns to match to request

IP match conditions and geographic match conditions are the simplest in the list: they only need the IP address ranges or countries to match. The other conditions require filters to specify where in the request the condition should match. Let’s look at each filter item in detail.

Details of each item you can use in Filters

  • Part of the request to filter on
  • Transformation
  • IP addresses
  • Location type
  • Size (Bytes)
  • Comparison operator
  • Match type
  • Value to match
  • Regex patterns to match to request

1. Part of the request to filter on

Choose the part of each HTTP request to inspect from below.

Type                                 Description
-----------------------------------  -----------------------------------------------------------------
Header                               An HTTP header, such as User-Agent
HTTP method                          The HTTP method, such as GET or POST
Query string                         The part of the URL that appears after the "?" character
                                     Example: ?aaa=Tokyo&bbb=Yokohama
Single query parameter (value only)  The value of one named parameter in the query string
                                     Example: the value Tokyo of parameter aaa in ?aaa=Tokyo&bbb=Yokohama
All query parameters (values only)   The values of all parameters in the query string
                                     Example: Tokyo and Yokohama in ?aaa=Tokyo&bbb=Yokohama
URI                                  The URI path of the request, which identifies the resource
Body                                 The body of the HTTP request

*Attackers can place malicious content in several parts of a request, such as the query string, body, and headers. Such a request will not necessarily succeed as an attack, but it is certainly suspicious, so it is recommended to add filters for several parts of the request to a condition.

2. Transformation

Set the transformation (e.g. decoding) that AWS WAF Classic applies to the selected part of the request before inspecting it.

Type                   Description
---------------------  ---------------------------------------------------------------------
None                   No transformation
Convert to lowercase   Converts uppercase letters to lowercase
HTML decode            Decodes HTML-encoded characters
Normalize whitespace   Converts characters such as line breaks and tabs to space characters
Simplify command line  Deletes characters such as \ " ' ^ and replaces characters such as ; with a space
URL decode             Decodes URL-encoded characters in the request

3. IP addresses

Set the IP address ranges you want to use in IP match conditions, in CIDR notation.

Note that only certain prefix lengths are supported.
AWS WAF Classic supports IPv4 address ranges: /8 and any range between /16 through /32. AWS WAF Classic supports IPv6 address ranges: /24, /32, /48, /56, /64, and /128.
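Because the API rejects unsupported prefix lengths, it helps to validate an IP list before attempting to load it into an IP set. The following is an added example written for this post, not code from the original article or from AWS; it encodes the prefix-length rules stated above and uses only the Python standard library. The sample addresses are constructed from documentation ranges (RFC 5737 and RFC 3849).

```python
import ipaddress

# Prefix lengths AWS WAF Classic accepts in an IP match condition, as stated in
# the text above: IPv4 /8 and /16 through /32; IPv6 /24, /32, /48, /56, /64, /128.
ALLOWED_V4_PREFIXES = {8} | set(range(16, 33))
ALLOWED_V6_PREFIXES = {24, 32, 48, 56, 64, 128}


def check_ip_descriptor(cidr: str):
    """Return ("IPV4" | "IPV6", normalized_cidr) for a range AWS WAF Classic
    would accept, or raise ValueError describing why it would be rejected.

    strict=True makes ipaddress refuse ranges with host bits set
    (e.g. 192.0.2.1/24); this check treats those as a likely typo."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        raise ValueError(f"{cidr!r}: not a valid CIDR range ({exc})") from None
    allowed = ALLOWED_V4_PREFIXES if net.version == 4 else ALLOWED_V6_PREFIXES
    if net.prefixlen not in allowed:
        raise ValueError(
            f"{cidr!r}: /{net.prefixlen} is not a supported IPv{net.version} prefix length"
        )
    return f"IPV{net.version}", str(net)


def check_ip_list(cidrs):
    """Classify a whole list. Returns (accepted, rejected), where accepted is a
    list of (version, cidr) tuples and rejected maps each bad entry to a reason."""
    accepted, rejected = [], {}
    for cidr in cidrs:
        try:
            accepted.append(check_ip_descriptor(cidr))
        except ValueError as exc:
            rejected[cidr] = str(exc)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample list: documentation ranges only (RFC 5737 / RFC 3849).
    sample = ["203.0.113.0/24", "198.51.100.7/32", "10.0.0.0/8", "172.16.0.0/12",
              "192.0.2.1/24", "2001:db8::/32", "2001:db8:1234::/40"]
    ok, bad = check_ip_list(sample)
    for version, cidr in ok:
        print("accept", version, cidr)
    for cidr, reason in bad.items():
        print("reject", reason)
```

Running the sample shows /12 and /40 being rejected even though they are valid CIDR ranges in general, which is exactly the kind of entry that otherwise fails only when the update is submitted.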

4. Location type

It is used in geographic match conditions, and the only available value is Country.

5. Size (Bytes)

It is used in size constraint conditions. Set the length threshold, in bytes, for the selected part of the request (for example, the query string) that you want AWS WAF Classic to inspect.

6. Comparison operator

It is used in size constraints conditions. Choose a comparison operator for the threshold you set in Size (Bytes) from below.

Type                   Description
---------------------  ------------------------------------------------------
Equals                 Equal to the value set in Size (Bytes)
Not equal              Not equal to the value set in Size (Bytes)
Greater than           Greater than the value set in Size (Bytes)
Greater than or equal  Greater than or equal to the value set in Size (Bytes)
Less than              Less than the value set in Size (Bytes)
Less than or equal     Less than or equal to the value set in Size (Bytes)

7. Match type

It is used in string match conditions to set where the strings to match will appear in “Part of the request to filter on.”

Type             Description
---------------  --------------------------------------------------------------------------------
Contains         The string to match appears anywhere in the specified part of the request
Exactly matches  The string to match and the value of the specified part of the request are identical
Starts with      The string to match appears at the beginning of the specified part of the request
Ends with        The string to match appears at the end of the specified part of the request
Contains word    The string to match appears as a word in the specified part of the request; the string itself may contain only alphanumeric characters and underscores

*For example, for URIs you could match on a file extension (Ends with) or on a path prefix (Starts with, e.g. /wp-admin/).
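To make the interaction between the Transformation table (item 2) and the Match type table (item 7) concrete, here is an added example written for this post; it is not code from the original article and does not call AWS. It models a single string-match filter in pure Python: the request part is transformed first, then compared with the value to match. HTML and URL decoding use the standard library; "Simplify command line" follows the wording of the table above and is an approximation, not AWS's exact algorithm. The request parts in the usage section are constructed.

```python
import html
import re
from urllib.parse import unquote

TRANSFORMATIONS = ("None", "Convert to lowercase", "HTML decode",
                   "Normalize whitespace", "Simplify command line", "URL decode")


def transform(value: str, transformation: str) -> str:
    """Apply one transformation from the table above to a request part.
    'Simplify command line' follows the table's wording (delete \\ " ' ^ and turn
    ; into a space); that models the description here, not AWS's exact behaviour."""
    if transformation == "None":
        return value
    if transformation == "Convert to lowercase":
        return value.lower()
    if transformation == "HTML decode":
        return html.unescape(value)
    if transformation == "Normalize whitespace":
        return re.sub(r"\s+", " ", value)
    if transformation == "Simplify command line":
        return re.sub(r"[\\\"'^]", "", value).replace(";", " ")
    if transformation == "URL decode":
        return unquote(value)
    raise ValueError(f"unknown transformation: {transformation!r}")


def match_string(part_value: str, match_type: str, target: str) -> bool:
    """Compare an already transformed request part with the value to match,
    using one of the match types from the table above."""
    if match_type == "Contains":
        return target in part_value
    if match_type == "Exactly matches":
        return part_value == target
    if match_type == "Starts with":
        return part_value.startswith(target)
    if match_type == "Ends with":
        return part_value.endswith(target)
    if match_type == "Contains word":
        # The value to match may only contain A-Z, a-z, 0-9 and _, and it must
        # appear as a whole word: bounded by the start/end of the part or by a
        # character outside that set.
        if not re.fullmatch(r"[A-Za-z0-9_]+", target):
            return False
        pattern = r"(?<![A-Za-z0-9_])" + re.escape(target) + r"(?![A-Za-z0-9_])"
        return re.search(pattern, part_value) is not None
    raise ValueError(f"unknown match type: {match_type!r}")


def filter_matches(part_value: str, transformation: str, match_type: str, target: str) -> bool:
    """One string-match filter: transform the request part first, then compare."""
    return match_string(transform(part_value, transformation), match_type, target)


if __name__ == "__main__":
    # Constructed request parts; the first two rows show why the transformation matters.
    checks = [
        ("/WP-ADMIN/install.php", "None", "Starts with", "/wp-admin/"),
        ("/WP-ADMIN/install.php", "Convert to lowercase", "Starts with", "/wp-admin/"),
        ("file=report%2Epdf", "URL decode", "Ends with", ".pdf"),
        ("/administrator/login", "None", "Contains word", "admin"),
        ("/admin/login", "None", "Contains word", "admin"),
    ]
    for part, tr, mt, target in checks:
        print(f"{part!r:26} {tr:22} {mt:14} {target!r:14} -> {filter_matches(part, tr, mt, target)}")
```

The first two rows are the practical lesson: a Starts with filter on /wp-admin/ without a lowercase transformation misses /WP-ADMIN/, so the transformation is part of the condition's correctness, not an optional nicety.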

8. Value to match

Set the value that AWS WAF Classic looks for in HTTP requests.
*In string match conditions, the maximum length is 50 bytes. In regex match conditions, the maximum length is 70 bytes.

9. Regex patterns to match to request

Set the regex pattern that AWS WAF Classic looks for in HTTP requests.

For official information, refer to the page below.
Creating and configuring a Web Access Control List (Web ACL)

How AWS WAF Classic rules work in terms of Conditions and Filters

We have now gone over each element. Lastly, let’s look at how AWS WAF Classic rules work.

AWS WAF Classic processes a rule in three steps: 1. evaluate the filters, 2. evaluate the conditions, and 3. decide the action.
Filters are combined with OR, and conditions are combined with AND.
Also note that the order of the rules affects the outcome.

1. Filters’ evaluations

Filters within a condition are combined with OR.
Thus, if any one filter in a condition matches, the condition is TRUE.

2. Conditions’ evaluations

Conditions within a rule are combined with AND.
Thus, all the conditions in a rule must match for the rule to be TRUE.
Each condition is attached to a rule as either “does match” or “does not match.”

3. Deciding the action

When a rule is TRUE, its action (Allow, Block, or Count) is applied.
Rules are evaluated in order, and evaluation stops at the first TRUE rule whose action is Allow or Block.
If the action is Count, the match is recorded and evaluation moves on to the next rule.
The default action (Allow or Block) is taken when no rule terminates the evaluation.
Note that if the default action is Block, every request that matches no rule is blocked.

Rule samples for when you operate AWS WAF

Based on what we have covered in this post, we have created sample rules that can also be used in a real environment.

Order  Rule                Action  Condition             Filters
-----  ------------------  ------  --------------------  -------------------------------------------
0      Whitelist           Allow   IP Match              1. IP address
1      ManualIPBlockRule   Block   IP Match              1. IP address
2      LargeBodyMatchRule  Count   Size Constraint       1. Size constraint
3      SqliRule            Block   SQL Injection         1. Body after decoding as HTML tags
                                                         2. Body after decoding as URL
                                                         3. QueryString after decoding as HTML tags
                                                         4. QueryString after decoding as URL
                                                         5. URI after decoding as URL
4      XssRule             Block   Cross-Site Scripting  1. Body after decoding as HTML tags
                                                         2. Body after decoding as URL
                                                         3. QueryString after decoding as HTML tags
                                                         4. QueryString after decoding as URL
                                                         5. URI after decoding as URL

Example structure of the rules above

1. Whitelist (Allow)

Add the IP addresses of trusted requesters, such as those who perform administrative tasks.
Avoid adding a wide range of IP addresses (e.g. all IP addresses in Japan): because this rule comes first and its action is Allow, anything it matches skips the attack-detection rules that follow.

2. Blacklist (Block)

Add IP addresses that keep sending requests even after being blocked and waste your resources. Check the ownership of each IP address with WHOIS first, just in case. If all of your intended clients are located in Japan, consider blocking requests from overseas as well.

3. Catch suspicious accesses with large requests (Count)

Depending on the architecture of your website, unusually large requests may carry malicious code and are suspicious, so record such access with the Count action rather than blocking it outright.

4. SQL Injection (Block)

  • Detect in HTML-decoded body
  • Detect in URL-decoded body
  • Detect in HTML-decoded query
  • Detect in URL-decoded query
  • Detect in URL-decoded URI

5. Cross-site scripting (Block)

  • Detect in HTML-decoded body
  • Detect in URL-decoded body
  • Detect in HTML-decoded query
  • Detect in URL-decoded query
  • Detect in URL-decoded URI

You may want to leave some rule capacity free so that exclusion rules can be added in an emergency. If the budget allows, reserving a slot for managed rules is also recommended.
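The evaluation rules from the previous section (filters ORed, conditions ANDed, rules in order, Count continuing, default action last) and the sample rule table above can be exercised together in a small simulator. This is an added example written for this post, not code from the original article or from AWS: it does not reproduce AWS WAF's built-in SQL injection or XSS detection, so the Xss condition below is a simple stand-in that looks for "<script", and the SqliRule is omitted. IP ranges are documentation ranges (RFC 5737), the request format is an assumption of the model, and the OverseasBlockRule is included to show a "does not match" condition, following the post's suggestion of blocking requests from outside Japan.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Condition:
    """A condition holds filters; filters are ORed, so any one match makes it TRUE."""
    name: str
    filters: List[Callable[[dict], bool]]

    def matches(self, request: dict) -> bool:
        return any(f(request) for f in self.filters)


@dataclass
class Rule:
    """A rule holds (condition, negated) pairs that are ANDed.
    negated=True models a condition attached as 'does not match'."""
    name: str
    action: str  # "ALLOW", "BLOCK" or "COUNT"
    predicates: List[Tuple[Condition, bool]]

    def matches(self, request: dict) -> bool:
        return all(cond.matches(request) != negated for cond, negated in self.predicates)


def evaluate(rules: List[Rule], request: dict, default_action: str = "ALLOW"):
    """Walk the rules in order. ALLOW/BLOCK stop evaluation; COUNT is recorded
    and evaluation continues; the default action applies if no rule terminates.
    Returns (action, deciding_rule_name, counted_rule_names)."""
    counted = []
    for rule in rules:
        if not rule.matches(request):
            continue
        if rule.action == "COUNT":
            counted.append(rule.name)
            continue
        return rule.action, rule.name, counted
    return default_action, "default", counted


def ip_in(ranges):
    """Build an IP match filter for the given CIDR ranges."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    return lambda req: any(ipaddress.ip_address(req["ip"]) in n for n in nets)


# Constructed rule set mirroring the sample table. The Xss filters are a stand-in
# for AWS WAF's built-in detection, which is not reproduced here.
WHITELIST = Condition("Whitelist", [ip_in(["203.0.113.0/24"])])
BLOCKLIST = Condition("ManualIPBlock", [ip_in(["198.51.100.0/24"])])
LARGE_BODY = Condition("LargeBody", [lambda r: len(r["body"].encode()) > 8192])
XSS = Condition("Xss", [lambda r: "<script" in r["body"].lower(),
                        lambda r: "<script" in r["query"].lower()])
JAPAN = Condition("Geo", [lambda r: r["country"] == "JP"])

RULES = [
    Rule("Whitelist", "ALLOW", [(WHITELIST, False)]),
    Rule("ManualIPBlockRule", "BLOCK", [(BLOCKLIST, False)]),
    Rule("OverseasBlockRule", "BLOCK", [(JAPAN, True)]),  # Geo "does not match" JP
    Rule("LargeBodyMatchRule", "COUNT", [(LARGE_BODY, False)]),
    Rule("XssRule", "BLOCK", [(XSS, False)]),
]


def make_request(ip: str, country: str = "JP", query: str = "", body: str = "") -> dict:
    """Constructed request model: only the parts the rules above inspect."""
    return {"ip": ip, "country": country, "query": query, "body": body}


if __name__ == "__main__":
    cases = {
        "whitelisted admin, suspicious body": make_request("203.0.113.10", body="<script>" * 2000),
        "blocklisted client": make_request("198.51.100.5"),
        "overseas client": make_request("192.0.2.1", country="US"),
        "large body with script": make_request("192.0.2.1", body="<script>" + "a" * 9000),
        "ordinary request": make_request("192.0.2.1", query="q=hello"),
    }
    for label, req in cases.items():
        print(f"{label:36} -> {evaluate(RULES, req)}")
```

The first case is the one worth noticing: the whitelisted client's request carries a "<script" body and exceeds the size threshold, yet the result is ALLOW from the Whitelist rule with nothing counted, because the Allow action at order 0 ends evaluation before LargeBodyMatchRule and XssRule run. That is the reason the text warns against whitelisting broad ranges. The large-body case shows Count recording a match and then handing over to the next rule, which blocks.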

Conclusion

We hope you deepened your understanding of conditions and filters in AWS WAF Classic.
Once you can make good use of conditions and filters, you can defend against a variety of attacks yourself!

In the next post, we will look at string and regular expression matching.

Next post: AWS WAF Classic Explained: Part 3 Structure of string and regex matching and example usage