Waf Charm

Blog

How to use the label feature in AWS WAF

Table of Contents

  1. Introduction
  2. What is a label feature?
  3. Customization examples on WafCharm
  4. Exclusion using labels in managed rules
  5. Conclusion

1. Introduction

On April 1st, 2021 (JST), a label feature and a bot control feature were released.

Bot Control is Now Available in AWS WAF

We mentioned the label feature in the blog post above; in this post we will look at the feature in depth, with example usages, including how it is used with managed rules.

2. What is a label feature?

The label feature attaches a label to a request that matches a rule. It also lets you create a rule whose condition is whether a previous rule has attached a given label to the request.

Before this feature was available, you could combine conditions with AND and OR statements to achieve a similar result. However, if you wanted to apply the same condition to multiple rules, you had to attach a copy of that condition to each rule, consuming a lot of WCUs (web ACL capacity units).

With the label feature, the fact that a request has matched a certain condition is recorded as a label on the request and shared with the rules that follow, which solves the issue explained above.

For example, you can create a rule set that blocks access to “/admin.php” from countries other than Japan, as in the following example. The first rule adds a “foreign” label to requests from countries outside Japan. This rule is in COUNT mode, so it only attaches the label and passes the request on to the next rule for inspection. The next rule blocks the request if it matches both conditions: “access to /admin.php” and “has the label ‘foreign’ attached.”

3. Customization examples on WafCharm

The common customization requests we receive in WafCharm are explained in the post below. Among those common customizations, the label feature is used in the “exclusion from a specific rule” customization.

WafCharm AWS Version Customization Case Study

If you have a contact form, false positives can occur because it contains a relatively unrestricted input field. In such a case, false positives are sometimes handled by excluding a certain URI from a specific rule. Let’s take a look at an example that uses a label, where “/test/contact” is the path of the contact form to be excluded.

We will exclude paths that start with “/test/contact” from rules A to C in the rule structure below.

  • (BLOCK) Rule A
  • (BLOCK) Rule B
  • (BLOCK) Rule C

If we are not using a label, we have to add the condition separately to each rule, as below.

  • (BLOCK) Rule A and NOT “starts with /test/contact”
  • (BLOCK) Rule B and NOT “starts with /test/contact”
  • (BLOCK) Rule C and NOT “starts with /test/contact”

Because each rule needs its own string match statement, each rule consumes an additional 2 WCUs (6 additional WCUs in total).
*Using text transformations consumes additional WCUs.

If you use a label, the rule structure is as follows.

  • (COUNT) Label rule 1 “starts with /test/contact”
  • (BLOCK) Rule A and NOT label rule 1
  • (BLOCK) Rule B and NOT label rule 1
  • (BLOCK) Rule C and NOT label rule 1

The labeling rule uses a string match statement, which costs 2 WCUs.
Each “NOT label rule 1” statement uses a label match statement, which costs 1 WCU, so 5 additional WCUs are used in total.

This is a simple example, so the difference may not look significant, but with more complex conditions the WCU usage grows and the difference becomes much larger. In addition, if you ever need to rewrite the “starts with /test/contact” condition, you only have to change one rule, which makes maintenance much easier.

4. Exclusion using labels in managed rules

If a managed rule group emits labels, you can use those labels to exclude certain conditions in subsequent rules.

Because you cannot edit individual rules in a managed rule group, you need to do the opposite of the above: set the specific rule in the managed rule group to COUNT mode, and set the label-matching rule that follows it to BLOCK mode.

  • Managed Rules

    • Rule A
    • Rule B

If you want to exclude paths that “start with /test/contact” from Rule A, the structure becomes:

  • Managed Rules

    • Rule A (COUNT)
    • Rule B
  • (BLOCK) Rule that matches the label of Rule A AND the condition “path does not start with /test/contact”

We will set up the rule structure above using AWS’s managed rules as an example.

Click on the managed rule group and view its Labels section.

*If no values are listed in the Labels section, the rule group does not emit labels and you cannot use a label match statement against it.

Go to the Edit page of the rule group and change the rule you want to customize to COUNT mode.

Create a rule, using an AND statement, whose first statement matches the label of the COUNT mode rule you just edited.

In the second statement, add the exclusion condition (in this example, NOT “path starts with /test/contact”).

Place the new rule you just created after the managed rule group, so that the label has already been attached when it is evaluated.

A request that matches the managed rule passes through that rule because of the COUNT mode, but the next rule blocks any request carrying the label, except for those whose path starts with “/test/contact.”
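To make the two rule structures above concrete, here is an added Python example (not WafCharm’s or AWS’s code) that builds the wafv2 rule JSON you would pass to `aws wafv2 update-web-acl --rules file://rules.json`: the section 3 COUNT labeling rule followed by BLOCK rules guarded by a NOT label match (with the no-label variant for the WCU comparison), and the section 4 managed rule group override to COUNT plus the follow-up label rule. The label and rule names are constructed placeholders, the per-statement WCU costs are the figures quoted in this post, and the managed rule name and its label must be taken from the rule group’s Labels list in the console.

```python
VIS = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True}
def uri_starts_with(prefix):
    """ByteMatchStatement on the URI path: 2 WCU with no text transformation (per the post)."""
    return {"ByteMatchStatement": {"FieldToMatch": {"UriPath": {}},
            "PositionalConstraint": "STARTS_WITH", "SearchString": prefix,
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}

def label_match(label):
    """LabelMatchStatement: 1 WCU. True only if an earlier rule attached `label`."""
    return {"LabelMatchStatement": {"Scope": "LABEL", "Key": label}}

def negate(statement):
    return {"NotStatement": {"Statement": statement}}

def rule(name, priority, statement, action, labels=()):
    """A wafv2 rule with its own action ("Count" or "Block") and optional RuleLabels."""
    r = {"Name": name, "Priority": priority, "Statement": statement,
         "Action": {action: {}}, "VisibilityConfig": dict(VIS, MetricName=name)}
    if labels:
        r["RuleLabels"] = [{"Name": lbl} for lbl in labels]
    return r

def exclusion_rules(prefix, protected, use_label=True):
    """Section 3: exclude paths under `prefix` from every rule in `protected` ({name: statement}).
    use_label=False builds the per-rule 'AND NOT starts-with' variant for comparison."""
    rules, guard = [], negate(uri_starts_with(prefix))
    if use_label:   # COUNT rule: attaches the label and lets evaluation continue
        rules.append(rule("label-contact-path", 0, uri_starts_with(prefix), "Count",
                          ["contact-path"]))   # "contact-path" is a constructed label name
        guard = negate(label_match("contact-path"))
    for i, (name, stmt) in enumerate(protected.items(), 1):
        rules.append(rule(name, i, {"AndStatement": {"Statements": [stmt, guard]}}, "Block"))
    return rules

def managed_exclusion(vendor, group, managed_rule, label, prefix):
    """Section 4: override one managed rule to COUNT, then BLOCK on the label it attaches
    unless the path starts with `prefix`. `label` is taken from the group's Labels list."""
    group_rule = {"Name": group, "Priority": 0, "OverrideAction": {"None": {}},
                  "Statement": {"ManagedRuleGroupStatement": {"VendorName": vendor, "Name": group,
                      "RuleActionOverrides": [{"Name": managed_rule, "ActionToUse": {"Count": {}}}]}},
                  "VisibilityConfig": dict(VIS, MetricName=group)}
    follow_up = rule("block-on-" + managed_rule, 1, {"AndStatement": {"Statements": [
        label_match(label), negate(uri_starts_with(prefix))]}}, "Block")
    return [group_rule, follow_up]   # the follow-up needs the higher priority number (runs later)

COST = {"ByteMatchStatement": 2, "LabelMatchStatement": 1}   # per-statement WCU quoted in the post
def extra_wcu(obj):
    """Add up the WCU of the exclusion statements found anywhere in the rule JSON."""
    if isinstance(obj, dict):
        return sum(COST.get(k, 0) + extra_wcu(v) for k, v in obj.items())
    return sum(extra_wcu(x) for x in obj) if isinstance(obj, list) else 0
```

`extra_wcu` only counts the statements this post prices (string match and label match), so it reproduces the 6 versus 5 comparison from section 3 rather than the full WCU of the web ACL.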

Additional information

If you want to exclude a specific condition from the whole managed rule group rather than from one rule, use a scope-down statement on the rule group instead.

How to set up a scope-down statement in the AWS Management Console

Select the managed rule group, open its Edit page, and enter the conditions in the scope-down statement section.

5. Conclusion

If you create your own rules, you can use a labeling rule to reduce both the WCUs consumed and the maintenance effort. You can also customize specific rules in managed rule groups by combining a COUNT override with a label match rule. It is a slightly tricky but necessary feature if you want to apply exclusion customizations to managed rules. We hope this post helps you make use of the label feature.