Fastly WAF rule set updates and maintenance (original)
Last updated 2022-06-16
As announced, April 30, 2023 marks the formal retirement of the Fastly WAF (WAF Legacy and WAF 2020). Our Fastly Next-Gen WAF offers similar functionality. It monitors for suspicious and anomalous web traffic and protects, in real time, against attacks directed at the applications and origin servers that you specify.
Fastly provides rule set updates to the Fastly WAF in a prompt manner to help protect customers against attacks.
Fastly does not publish CVE rules for this product on a regular basis. For customers looking for protection against specific CVE threats, we recommend using the Fastly Next-Gen WAF or Fastly WAF 2020.
For OWASP and Trustwave rule changes we use the following process:
We regularly review the rule changes as they happen in both the OWASP Core Rule Set and the Trustwave Rule Set.
The following entries record the updates and changes made to the provided rule sets, listing the type of change and the affected rule sets:
The OWASP Core Rule Set (CRS) was updated with 10 new rules and 74 updated rules.
Trustwave rules were updated with 213 new rules and 6 updated rules.
Trustwave rule 2500040 was removed.
Fastly rules were updated with 6 new rules and 1 updated rule.
The OWASP Core Rule Set (CRS) was updated with 19 new rules that mitigate SQL injection, Content-Type anomalies, client side code injection, PHP injection, and remote code execution. In addition, 95 rules were updated in the OWASP CRS to enhance their effectiveness or reduce incidents of false positives.
The following rules were removed from the OWASP CRS: 920130, 920280, 920290, 921100, 941200, 941310, 941350, and 944220. Rules 941310, 941350, and 941200 specifically were removed due to performance issues that may impact your WAF.
Fastly Rules 4112012 and 4112031 have been updated to reduce incidents of false positives. Fastly Rule 4112030 was removed due to excessive false positives.
The Trustwave rules have been updated with 197 new rules, of which 44 are for WordPress and 94 for Joomla. These rules include better protections for customers using these platforms to publish web content.
Trustwave rules 217055, 2066577, and 2100097 were removed.
Some Fastly and Trustwave rules have been renumbered. Renumbering is handled transparently so there should be no impact to your production WAF objects.
Introduced new Fastly rule 4170010, which detects CVE-2019-6340 (Drupal 8 core Highly critical RCE)
Introduced new Fastly rule 4170020, which detects the Magento Magestore Store Locator extension vulnerability
Updated Fastly rule 4112031 to include additional user agents
Updated Fastly rules 4113001, 4120010, and 4120011 to show correct match data
Removed OWASP rules 905100 and 905110, which would never match
Updated OWASP rules 932100 and 932110 to avoid false positives for Windows and Unix command injection
Introduced new OWASP rule 932190, which mitigates RCE (OS File Access Attempt) on WAFs running at a low paranoia level
Introduced new OWASP rule 941110, which mitigates XSS using script tag vector
Introduced new OWASP rule 944100, which mitigates RCE via Java deserialization vulnerabilities (CVE-2017-9805, CVE-2017-10271)
Introduced new OWASP rule 944110, which mitigates RCE via Java process spawn vulnerability (CVE-2017-9805)
Introduced new OWASP rule 944120, which mitigates RCE via Java serialization (CVE-2015-5842)
Introduced new OWASP rule 944240, which mitigates RCE via Java serialization (CVE-2015-5842)
Introduced new OWASP rule 944130, which detects suspicious Java classes
Introduced new OWASP rule 944250, which detects RCE via Java method
Introduced new OWASP rule 944200, which detects magic bytes being used that signal Java serialization
Introduced new OWASP rule 944210, which detects magic bytes being Base64 encoded that signal Java serialization
Introduced new OWASP rule 944220, which detects vulnerable Java class in use
Introduced new OWASP rule 944300, which detects Base64 encoded string that matched suspicious keyword
Introduced new Fastly internal rule 4134010, which mitigates the CVE-2018-11776 Apache Struts 2 vulnerability
Introduced new Fastly internal rule 4113010, which detects suspicious X-Rewrite-URL header
Introduced new Fastly internal rule 4113020, which detects suspicious X-Original-URL header
Introduced new Fastly internal rule 4113030, which detects ESI directives in request
Introduced new Fastly internal rule 4113050, which detects ESI directives in body
Removed Trustwave rule 2200000, IP blocklist
Removed Trustwave rule 2200002, TOR Exit Nodes blocklist
Introduced new Fastly internal rule 4134010, which mitigates common XXE attacks
Introduced new Fastly internal rule 4112019, which mitigates CtrlFunc Botnet Attack
Introduced new Fastly internal rule 4113001, which mitigates suspicious X-Forwarded-Host headers
Introduced new Fastly internal rule 4113002, which mitigates X-Forwarded-Host and Host headers that do not match
Introduced new Fastly internal rule 4120010, which detects illegal characters found in the client X-Forwarded-Host header
Introduced new Fastly internal rule 4120011, which detects illegal characters found in the client X-Forwarded-For header
Updated OWASP rule 930130 to include additional restricted files
https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/ruleset
The response will include an update status link like this:
"href":"https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/update_statuses/<update status ID>"
Updating the WAF with the latest rules can take some time. Using the URL in the response in the previous step, run the following curl command in a terminal application to monitor the status of the process:
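The two API steps above (ask Fastly to apply the latest rule set through the ruleset endpoint, then poll the update_statuses link until the update has finished) are worth scripting so that a deploy pipeline blocks on the real outcome rather than on a fixed sleep. The script below is an added example and is not Fastly's own code or documentation. The endpoint paths follow the page and the Fastly-Key header is the standard Fastly API authentication header; the PATCH method and JSON:API request body, the shape of the responses (the href under data.links.related, the status under data.attributes) and the status values pending/complete/error are assumptions to be checked against the API reference for your WAF version.

```shell
#!/bin/sh
# Added example (not Fastly's code): apply the latest WAF rule set and wait for it.
# Assumptions: PATCH with a JSON:API body triggers the update, the response carries
# an update_statuses href, and polling it yields a status of pending/complete/error.

FASTLY_API="${FASTLY_API:-https://api.fastly.com}"

# fastly_api METHOD URL [BODY]: the only function that touches the network, so it
# can be replaced with a stub to exercise the parsing and polling logic offline.
fastly_api() {
  method="$1"; url="$2"; body="${3:-}"
  if [ -n "$body" ]; then
    curl -sS -X "$method" -H "Fastly-Key: ${FASTLY_API_TOKEN:?set FASTLY_API_TOKEN}" \
      -H 'Content-Type: application/vnd.api+json' -d "$body" "$url"
  else
    curl -sS -X "$method" -H "Fastly-Key: ${FASTLY_API_TOKEN:?set FASTLY_API_TOKEN}" "$url"
  fi
}

# extract_json_string KEY: prints the string value of "KEY" from the JSON on stdin.
# Deliberately minimal (no jq dependency); it is not a general JSON parser.
extract_json_string() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# update_status_url RESPONSE: the update_statuses href from the PATCH response.
# Refuses anything that is not an update_statuses URL on the expected API host,
# so a surprising response cannot redirect the poller elsewhere.
update_status_url() {
  href=$(printf '%s' "$1" | extract_json_string href)
  case "$href" in
    "$FASTLY_API"/service/*/wafs/*/update_statuses/*) printf '%s\n' "$href" ;;
    *) echo "no update_statuses href in response" >&2; return 1 ;;
  esac
}

# trigger_update SERVICE_ID WAF_ID: requests the rule set update, prints the status URL.
trigger_update() {
  url="$FASTLY_API/service/$1/wafs/$2/ruleset"
  body="{\"data\":{\"id\":\"$2\",\"type\":\"ruleset\"}}"   # assumed request body
  resp=$(fastly_api PATCH "$url" "$body") || return 1
  update_status_url "$resp"
}

# wait_for_update STATUS_URL [MAX_POLLS] [SLEEP_SECONDS]: polls until the status
# leaves "pending". Returns 0 on "complete", 1 on "error", an unknown status or
# timeout, so callers can gate the rest of a deploy on the exit code.
wait_for_update() {
  status_url="$1"; max="${2:-30}"; delay="${3:-10}"; i=0
  while [ "$i" -lt "$max" ]; do
    status=$(fastly_api GET "$status_url" | extract_json_string status)
    case "$status" in
      complete) echo "rule set update complete"; return 0 ;;
      error)    echo "rule set update failed" >&2; return 1 ;;
      pending|"") : ;;   # still running, or a transient fetch failure: poll again
      *)        echo "unexpected status: $status" >&2; return 1 ;;
    esac
    i=$((i + 1)); sleep "$delay"
  done
  echo "timed out after $max polls" >&2; return 1
}

# Entry point: only runs when given both IDs, so the functions can also be sourced.
if [ "$#" -eq 2 ]; then
  status_url=$(trigger_update "$1" "$2") && wait_for_update "$status_url"
fi
```

Run it as `FASTLY_API_TOKEN=... ./waf-update.sh <service ID> <WAF ID>`. Because `fastly_api` is the only function that performs HTTP, overriding it with a function that prints canned JSON is enough to test the URL validation, the status handling and the timeout without a network or a live WAF.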