Fastly WAF rule set updates and maintenance (original)

IMPORTANT

As announced, April 30, 2023 marks the formal retirement of the Fastly WAF (WAF Legacy and WAF 2020). Our Fastly Next-Gen WAF offers similar functionality. It monitors for suspicious and anomalous web traffic and protects, in real-time, against attacks directed at the applications and origin servers that you specify.

Fastly provides rule set updates to the Fastly WAF in a prompt manner to help protect customers against attacks.

IMPORTANT

Fastly does not publish CVE rules for this product on a regular basis. For customers looking for protection against specific CVE threats, we recommend using the Fastly Next-Gen WAF or Fastly WAF 2020.

For OWASP and Trustwave rules changes we use the following process:

  1. We regularly review the rule changes as they happen in both the OWASP Core Rule Set and the Trustwave Rule Set.
  2. We translate the rules into Varnish Configuration Language (VCL) to run inside our cache nodes.
  3. We test the rules in our platform to ensure they perform adequately. We try to maximize performance and rule efficacy while reducing false positives.
  4. We correct bugs, if any are found.
  5. We propagate the rule set changes to our platform worldwide.
  6. Finally, we will provide customers with a notification and instructions on how to make rule updates.

Rule set maintenance

The following links provide information about the updates and changes to the provided rule sets:

IDVersion/DateType of ChangeAffected Rule Sets
4fsI2JzgtoAXfwpZ89Fehxv13
2021-03-08
  • The OWASP Core Rule Set (CRS) was updated with 10 new rules and 74 updated rules.
  • Trustwave rules were updated with 213 new rules and 6 updated rules.
  • Trustwave rule 2500040 was removed.
  • Fastly rules were updated with 6 new rules and 1 updated rule.
  • OWASP
  • Fastly Rules
  • Trustwave
6wvihQHbaCG7NBPTfm20S9v12
2019-08-29
  • The OWASP Core Rule Set (CRS) was updated with 19 new rules that mitigate SQL injection, Content-Type anomalies, client side code injection, PHP injection, and remote code execution. In addition, 95 rules were updated in the OWASP CRS to enhance their effectiveness or reduce incidents of false positives.
  • The following rules were removed from the OWASP CRS: 920130, 920280, 920290, 921100, 941200, 941310, 941350, and 944220. Rules 941310, 941350, and 941200 specifically were removed due to performance issues that may impact your WAF.
  • Fastly Rules 4112012 and 4112031 have been updated to reduce incidents of false positives. Fastly Rule 4112030 was removed due to excessive false positives.
  • The Trustwave rules have been updated with 197 new rules, of which 44 are for WordPress and 94 for Joomla. These rules include better protections for customers using these platforms to publish web content.
  • Trustwave rules 217055, 2066577, and 2100097 were removed.
  • Some Fastly and Trustwave rules have been renumbered. Renumbering is handled transparently so there should be no impact to your production WAF objects.
  • OWASP
  • Fastly Rules
  • Trustwave
1PD2HFpi6qwkAsePake7pwv11
2019-03-25
  • Introduced new Fastly rule 4170010, which detects CVE-2019-6340 (Drupal 8 core Highly critical RCE)
  • Introduced new Fastly rule 4170020, which detects the Magento Magestore Store Locator extension vulnerability
  • Updated Fastly rule 4112031 to include additional user agents
  • Updated Fastly rules 4113001, 4120010, and 4120011 to show correct match data
  • Removed OWASP rules 905100 and 905110, which would never match
  • Updated OWASP rules 932100 and 932110 to avoid false positives for Windows and Unix command injection
  • OWASP
  • Fastly Rules
3vnl3cwPda9Q3WYCDRuGWv10
2018-09-05
  • Introduced new OWASP rule 932190, which mitigates RCE (OS File Access Attempt) on low paranoia level WAF
  • Introduced new OWASP rule 941110, which mitigates XSS using script tag vector
  • Introduced new OWASP rule 944100, which mitigates RCE via Java deserialization vulnerabilities (CVE-2017-9805, CVE-2017-10271)
  • Introduced new OWASP rule 944110, which mitigates RCE via Java process spawn vulnerability (CVE-2017-9805)
  • Introduced new OWASP rule 944120, which mitigates RCE via Java serialization (CVE-2015-5842)
  • Introduced new OWASP rule 944240, which mitigates RCE via Java serialization (CVE-2015-5842)
  • Introduced new OWASP rule 944130, which detects suspicious Java classes
  • Introduced new OWASP rule 944250, which detects RCE via Java method
  • Introduced new OWASP rule 944200, which detects magic bytes being used that signal Java serialization
  • Introduced new OWASP rule 944210, which detects magic bytes being Base64 encoded that signal Java serialization
  • Introduced new OWASP rule 944220, which detects vulnerable Java class in use
  • Introduced new OWASP rule 944300, which detects Base64 encoded string that matched suspicious keyword
  • Introduced new Fastly internal rule 4134010, which mitigates CVE-2018-11776 Apache Struts v2 vulnerability
  • Introduced new Fastly internal rule 4113010, which detects suspicious X-Rewrite-URL header
  • Introduced new Fastly internal rule 4113020, which detects suspicious X-Original-URL header
  • Introduced new Fastly internal rule 4113030, which detects ESI directives in request
  • Introduced new Fastly internal rule 4113050, which detects ESI directives in body
  • Removed Trustwave rule 2200000, IP blocklist
  • Removed Trustwave rule 2200002, TOR Exit Nodes blocklist
  • OWASP
  • Fastly Rules
  • Trustwave
67LUkBwzFzESzumlU2L0T8v9
2018-08-01
  • Introduced new Fastly internal rule 4134010, which mitigates common XXE attacks
  • Introduced new Fastly internal rule 4112019, which mitigates CtrlFunc Botnet Attack
  • Introduced new Fastly internal rule 4113001, which mitigates suspicious X-Forwarded-Host headers
  • Introduced new Fastly internal rule 4113002, which mitigates X-Forwarded-Host and Host headers that do not match
  • Introduced new Fastly internal rule 4120010, which detects illegal characters found in the client X-Forwarded-Host header
  • Introduced new Fastly internal rule 4120011, which detects illegal characters found in the client X-Forwarded-For header
  • Updated OWASP rule 930130 to include additional restricted files
  • OWASP
  • Fastly Rules
552NEtnDyzucKd3vTjLgFCv8
2018-05-11
  • Added logdata fields to OWASP rules 920230, 920260, 920270, 920271, 920272, 920273, 920274, 920360
  • Introduce new Fastly internal rule 4170001, which mitigates Drupal sa-core-2018-004 attack
  • Adjust threshold rule 1010090 message
  • OWASP
  • Fastly Rules
6LG4xleIDKWLblCJczGpi9v7
2018-03-28
  • Introduce new Fastly internal rule 4170000, which mitigates Drupal sa-core-2018-002 attack
  • Updated Fastly internal 4112060 Wordpress PingBack rule
  • Updated Fastly internal rules that protect against DDoS bots (Rule IDs: 4112013 and 4112016)
  • Fastly Rules
1D0OPmXjm6ZMOe9rMGAeQjv6
2018-01-25
  • Update Trustwave rules to latest available
  • Introduce new Fastly internal rules to protect against DDoS bots (Rule IDs: 4112010-4112018, 4112030, 4112031, and 4112060)
  • Introduce new Fastly internal rule 10041 (which complements existing rule 10040) to block any HTTP POST body greater than 2 kibibytes in size that uses chunked encoding
  • Trustwave
  • Fastly Rules
2YXlqZJQxMkWyAjM4kggR3v5
2017-11-13
  • Global update to OWASP 3.0.2 CRS release
  • Update Trustwave rules to latest available
  • Introduce new Fastly internal rule 10040 to block any HTTP POST body greater than 2 kibibytes in size.
  • OWASP
  • Trustwave
  • Fastly Rules
2vyJNHO7fngQYJXU8UGUY6v4
2017-10-06
  • Updates to rule 932140 to account for SAML false positives in Windows
  • Reintroduction of missing transforms on some OWASP rules
  • Introduction of Fastly internal rule to protect against CVE-2017-9805
  • OWASP
  • Fastly Rules
4Z09wgjp7do8NrOIzlckFSv3
2017-08-14
  • Reintroduction of individual threshold variables: http_violation_score_threshold, lfi_score_threshold, php_injection_score_threshold, rce_score_threshold, rfi_score_threshold, session_fixation_score_threshold, sql_injection_score_threshold, xss_score_threshold
  • Removal of unused threshold variables: brute_force_counter_threshold, dos_counter_threshold, outbound_anomaly_score_threshold, trojan_score_threshold
  • Additional bug fixes in OWASP rule set
  • OWASP
  • Trustwave
39EE4tZnEM9Q8hxFJMHYU5v2
2017-04-26
  • OWASP
  • Trustwave
  • Fastly Rules

Updating to the newest rule set

Follow these instructions to update a WAF to use the newest rule set.

Reviewing the current rule set

Before updating your WAF to a new rule set, we recommend that you record the value of your WAF's currently active rule set. You can use this information to revert your WAF to its previous state.

Run the following curl command in a terminal application to find the currently active rule set:

$ curl -s -H Fastly-Key:<your Fastly API token> -H Accept:application/vnd.api+json \
https://api.fastly.com/service/<your Fastly service ID>/version/<your service version number>/wafs/<your WAF ID>
TIP

You can use this API endpoint to find your WAF's ID.

The output from the curl command is shown below. In the relationships object, notice that this WAF is using <ID of your active configuration set>. Remember the ID.

1{
2 "data": {
3 "attributes": {
4 "last_push": null,
5 "prefetch_condition": null,
6 "response": null,
7 "version": "1"
8 },
9 "id": "<your WAF ID>",
10 "relationships": {
11 "configuration_set": {
12 "data": {
13 "id": "<ID of your active configuration set>",
14 "type": "configuration_set"
15 }
16 }
17 },
18 "type": "waf"
19 }
20}

Changing the rule set version

Follow these instructions to change the rule set version for a WAF:

  1. Find the ID of the new rule set version you want to use in the rule set maintenance section.

  2. On your computer, create a new file called updated_relationship.json.

  3. Copy and paste the following JSON into the file, replacing <your rules ID> with the ID of the rule set version you want to use:

    1{
    2 "data": {
    3 "id": "<your WAF ID>",
    4 "relationships": {
    5 "configuration_set": {
    6 "data": {
    7 "id": "<your rules ID>",
    8 "type": "configuration_set"
    9 }
    10 }
    11 },
    12 "type": "waf"
    13 }
    14}
  4. Save the changes to the updated_relationship.json file.

  5. In the directory you saved the file, run the following curl command in a terminal application to change the rule set version for a WAF:

    1$ curl -s -X PATCH -H Fastly-Key:<your Fastly API token> -H Accept:application/vnd.api+json \
    2 -H Content-Type:application/vnd.api+json -d @updated_relationship.json \
    3 https://api.fastly.com/service/<your Fastly service ID>/version/<your service version number>/wafs/<your WAF ID>
  6. Changing the rule set version for a WAF can take some time. Run the following curl command in a terminal application to monitor the status of the process:

    $ curl -s -H Fastly-Key:<your Fastly API token> -H Accept:application/vnd.api+json \
    https://api.fastly.com/service/<your Fastly service ID>/version/<your service version number>/wafs/<your WAF ID>

    The process is complete when the output displays the ID of the new rule set version.

Updating to the latest rules

After you've verified that the rule set for the WAF has successfully been changed, follow these rules to update your WAF with the latest rules:

  1. Run the following curl command in a terminal application to update the rule set:

    1$ curl -s -X PATCH -H Fastly-Key:<your Fastly API token> -H Accept:application/vnd.api+json \
    2 -H Content-Type:application/vnd.api+json -d '{"data":{"id":"<your WAF ID>","type":"ruleset"}}' \
    3 https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/ruleset

    The response will look like this:

    1{
    2 "data": {
    3 "id": "WAF_ID",
    4 "type": "ruleset"
    5 },
    6 "links": {
    7 "related": {
    8 "href": "https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/update_statuses/<update status ID>"
    9 }
    10 }
    11}
  2. Updating the WAF with the latest rules can take some time. Using the URL in the response in the previous step, run the following curl command in a terminal application to monitor the status of the process:

    $ curl -s -H Fastly-Key: FASTLY_API_TOKEN -H Accept:application/vnd.api+json \
    https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/update_statuses/<update status ID>

    The response for the waf_update_status will have a status of complete when the process is complete.

    1{
    2 "data": {
    3 "attributes": {
    4 "completed_at": "2017-04-05 18:47:28 UTC",
    5 "created_at": "2017-04-05 18:47:27 UTC",
    6 "message": null,
    7 "status": "complete",
    8 "updated_at": "2017-04-05 18:47:28 UTC"
    9 },
    10 "id": "<update status ID>",
    11 "type": "waf_update_status"
    12 }
    13}

Reverting to a previous rule set version

If a WAF rule set update doesn't go as planned, you can revert to the previous rule set version. Using the previous rule set ID you recorded in the reviewing the current rule set section, follow the instructions in changing the rule set version and updating to the latest rules.

Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.