Working with signals on the Essentials platform

IMPORTANT

This guide only applies to the Essentials platform. If you are on the Premier or Professional platform, check out our Working with templated rules and Configuring custom site alerts guides.

To help protect your web application against Common Vulnerabilities and Exposures (CVE) and other attacks and anomalies, you can enable and adjust the partially pre-constructed configurations that are associated with system signals.

Configuring attack and anomaly signals

With attack and anomaly signals, you can:

  • add exclusions to prevent requests with a particular pattern from being tagged with the signal.
  • add alerts that define how to monitor and handle requests from IP addresses that contain the signal.

Adding exclusions

Exclusions prevent requests with a particular pattern from being tagged with the signal. You can use exclusions to help avoid false positives. For example, you may want to prevent requests that are from internal IP addresses and that failed to access an admin page from being tagged with the FORCEFULBROWSING signal.

To add an exclusion to an attack or anomaly signal, complete the following steps:

  1. Log in to the Next-Gen WAF console.
  2. From the Sites menu, select a site if you have more than one site.
  3. Click the Signals tab.
  4. On the Signals page, click View in the row of the attack or anomaly signal that you want to configure.
  5. Click the Configuration tab.
  6. Click the Exclusions tab and then Add exclusion.
  7. Fill out the fields in the Conditions section as follows:
    • From the Field menu, select the request field that the condition is based on.
    • In the Value field, enter a value for the specified field.
    • From the Operator menu, select an operator to specify how the selected field and value relate.
    • (Optional) Click Add condition to add another condition, or click Add group to create a group of conditions.
    • Select All to specify that a request must meet every condition to be excluded or Any to specify that a request must meet only one condition to be excluded.
  8. Fill out the fields in the Details section as follows:
    • Leave the Status switch enabled.
    • In the Description field, enter a description of the exclusion.
  9. Click Create exclusion.
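The following is an added example, not code from the Next-Gen WAF product or its documentation. It models how an exclusion's condition group decides whether a detected signal stays on a request, using the FORCEFULBROWSING case from the text: internal clients that were refused an admin page should not be tagged. The request field names (remote_addr, path, response_code), the operator names, the 10.0.0.0/8 "internal" range and the admin path prefixes are assumptions for this example, not the console's actual menus or values.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

# A request is modelled as the fields an exclusion condition can inspect.
# The field names used here (remote_addr, path, response_code) are assumptions
# for this example, not the console's Field menu.
Request = dict

# Condition operators. The names are assumptions for this example; the
# console's Operator menu may offer a different set.
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
    "starts_with": lambda actual, expected: actual.startswith(expected),
    "in_cidr": lambda actual, expected: ip_address(actual) in ip_network(expected),
}


@dataclass
class Condition:
    """One row of the Conditions section: a field, an operator and a value."""
    field: str
    operator: str
    value: str

    def matches(self, request: Request) -> bool:
        actual = request.get(self.field)
        # A condition on a field the request does not carry never matches.
        if actual is None:
            return False
        return OPERATORS[self.operator](str(actual), self.value)


@dataclass
class ConditionGroup:
    """A group of conditions combined with All (every one) or Any (at least one)."""
    mode: str         # "all" or "any"
    conditions: list  # Condition or nested ConditionGroup entries

    def matches(self, request: Request) -> bool:
        results = [c.matches(request) for c in self.conditions]
        return all(results) if self.mode == "all" else any(results)


@dataclass
class Exclusion:
    """An exclusion attached to one signal; matching requests are not tagged with it."""
    signal: str
    description: str
    conditions: ConditionGroup
    enabled: bool = True  # the Status switch


def apply_exclusions(request: Request, detected: set, exclusions: list) -> set:
    """Return the signals that remain on a request after its exclusions are applied.

    `detected` is the set of signals the detection logic raised for the request;
    an exclusion removes only its own signal, and only when its condition group matches.
    """
    kept = set(detected)
    for ex in exclusions:
        if ex.enabled and ex.signal in kept and ex.conditions.matches(request):
            kept.discard(ex.signal)
    return kept


# The exclusion from the text: internal clients that were refused an admin page
# should not be tagged FORCEFULBROWSING. 10.0.0.0/8 as "internal" and the two
# admin path prefixes are constructed values for this example.
EXCLUSIONS = [
    Exclusion(
        signal="FORCEFULBROWSING",
        description="Internal users denied on admin pages",
        conditions=ConditionGroup("all", [
            Condition("remote_addr", "in_cidr", "10.0.0.0/8"),
            Condition("response_code", "equals", "403"),
            ConditionGroup("any", [
                Condition("path", "starts_with", "/admin"),
                Condition("path", "starts_with", "/wp-admin"),
            ]),
        ]),
    ),
]

# Constructed sample requests.
INTERNAL_ADMIN_403 = {"remote_addr": "10.1.2.3", "path": "/admin/users", "response_code": 403}
EXTERNAL_ADMIN_403 = {"remote_addr": "203.0.113.9", "path": "/admin/users", "response_code": 403}
INTERNAL_OTHER_403 = {"remote_addr": "10.1.2.3", "path": "/reports", "response_code": 403}

if __name__ == "__main__":
    for req in (INTERNAL_ADMIN_403, EXTERNAL_ADMIN_403, INTERNAL_OTHER_403):
        print(req["remote_addr"], req["path"], apply_exclusions(req, {"FORCEFULBROWSING", "SQLI"}, EXCLUSIONS))
```

The nested Any group shows why the All/Any choice in step 7 matters: the two path prefixes are alternatives, while the address range and the 403 response are both required. Note that the exclusion removes only its own signal; an SQLI tag on the same request is untouched, so scoping each exclusion narrowly keeps the false-positive fix from hiding real attacks.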

Adding alerts

Alerts define how to monitor and handle requests from IP addresses that contain the associated signal. Specifically, they outline:

  • the criteria that must be met for an IP address to be flagged. For example, flag an IP address when there are 25 SQL Injection attack signals in 1 minute.
  • how to handle requests from IP addresses that are flagged. You can either log subsequent requests or block subsequent requests containing attack signals from the IP address.
  • how long to block or log subsequent requests from flagged IP addresses.

TIP

You can use alerts to override the system site alerts for an individual signal.

To add an alert to an attack or anomaly signal, complete the following steps:

  1. Log in to the Next-Gen WAF console.
  2. From the Sites menu, select a site if you have more than one site.
  3. Click the Signals tab.
  4. On the Signals page, click View in the row of the attack or anomaly signal that you want to configure.
  5. Click the Configuration tab.
  6. Click the Alerts tab and then Add alert.
  7. Fill out the alert fields as follows:
    • In the Long name field, enter a descriptive name for the alert (e.g., Increase in failed logins).
    • In the Threshold field, enter how many requests containing the signal should be detected before the IP address is flagged.
    • From the Interval menu, select the number of minutes during which signals from the IP address are counted to determine if the threshold has been met.
    • Under When an IP hits the threshold, select whether the alert should log subsequent requests or block subsequent requests containing attack signals from the IP address.
    • Under Take action for, select how long the IP address should be flagged. By default, IP addresses are flagged for 24 hours. You can set a custom duration by selecting Custom duration and choosing a duration.
    • Leave the Notifications checkbox selected to send an external notification (e.g., email and Slack) when the site alert is triggered. Deselect the checkbox to not send any external notifications.
    • Click the Status switch to enable the site alert.
  8. Click Save alert.
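The following is an added example, not code from the Next-Gen WAF product or its documentation. It replays constructed log lines against one alert to show how the Threshold, Interval, "When an IP hits the threshold" and "Take action for" fields interact, using the text's example of 25 SQL Injection signals from one IP in 1 minute. The log line format, the signal names SQLI and XSS, the IP addresses, and the decision labels are assumptions for this example; the real product's counting and expiry rules may differ in detail.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    """The fields of the Add alert form, as modelled for this example."""
    signal: str                      # the signal the alert counts
    threshold: int                   # requests carrying the signal before the IP is flagged
    interval: timedelta              # window in which those requests are counted
    action: str                      # "block" or "log" once the IP is flagged
    duration: timedelta = timedelta(hours=24)  # how long the IP stays flagged (24 h default)


class SignalAlertEngine:
    """Replays requests against one alert and decides what to do with each."""

    def __init__(self, alert: Alert):
        self.alert = alert
        self.recent = defaultdict(deque)  # ip -> timestamps of requests carrying the signal
        self.flagged = {}                 # ip -> time at which the flag expires

    def decide(self, ts: datetime, ip: str, signals: set) -> str:
        a = self.alert
        # Drop a flag whose "Take action for" duration has run out.
        if ip in self.flagged and ts >= self.flagged[ip]:
            del self.flagged[ip]
            self.recent[ip].clear()
        # A flagged IP: act only on requests that carry attack signals, as the text says.
        if ip in self.flagged:
            return a.action if signals else "allow"
        if a.signal in signals:
            window = self.recent[ip]
            window.append(ts)
            # Keep only the timestamps inside the interval ending now.
            while ts - window[0] >= a.interval:
                window.popleft()
            if len(window) >= a.threshold:
                self.flagged[ip] = ts + a.duration
                window.clear()
                return "flag"  # the request that crossed the threshold flags the IP
        return "allow"


def parse_line(line: str):
    """Parse a constructed log line: '<ISO timestamp> <ip> <comma-separated signals or ->'."""
    ts, ip, sigs = line.split()
    timestamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return timestamp, ip, set() if sigs == "-" else set(sigs.split(","))


def replay(alert: Alert, lines: list) -> list:
    """Return the decision for each log line, in order."""
    engine = SignalAlertEngine(alert)
    return [engine.decide(*parse_line(line)) for line in lines]


# The alert from the text: 25 SQLI signals from one IP within 1 minute, then block.
ALERT = Alert(signal="SQLI", threshold=25, interval=timedelta(minutes=1), action="block")

# Constructed log lines (timestamp, client IP, signals on the request).
LOG_LINES = [f"2024-05-01T12:00:{i:02d}Z 203.0.113.9 SQLI" for i in range(25)]  # 25 hits in 25 s
LOG_LINES += [
    "2024-05-01T12:00:30Z 203.0.113.9 SQLI",   # flagged IP, attack signal: blocked
    "2024-05-01T12:00:31Z 203.0.113.9 -",      # flagged IP, no attack signal: allowed
    "2024-05-01T12:00:32Z 203.0.113.9 XSS",    # any attack signal is blocked, not just SQLI
    "2024-05-01T12:00:33Z 198.51.100.4 SQLI",  # another IP, well below the threshold
    "2024-05-02T12:00:34Z 203.0.113.9 SQLI",   # 24 h later: flag expired, counting restarts
]

if __name__ == "__main__":
    for line, decision in zip(LOG_LINES, replay(ALERT, LOG_LINES)):
        print(f"{decision:5}  {line}")
```

Two points the replay makes visible: a flagged IP is still served for requests that carry no attack signal, so a shared address behind a NAT is not cut off entirely, and 25 signals spread over more than the interval never flag the IP, which is why a low threshold with a short interval catches bursts while a long interval catches slow, steady probing. Swapping `action="block"` for `action="log"` gives the same flagging behaviour but only records the subsequent requests, which is the safer first setting while you tune the threshold.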

Enabling CVE signals

To enable a CVE signal, complete the following steps:

  1. Log in to the Next-Gen WAF console.
  2. From the Sites menu, select a site if you have more than one site.
  3. Click the Signals tab.
  4. On the Signals page, click View in the row of the CVE signal that you want to enable.
  5. Click the Configuration tab.
  6. Click the Detections tab and then Add detection.
    (Screenshot: Add detection for the CVE-2022-26134 virtual patching rule.)
  7. Verify the switch is set to Enabled.
  8. Click Create detection.
  9. Click the Alerts tab and then Add alert.
    (Screenshot: Enable the CVE-2022-26134 virtual patching rule.)
  10. In the Status area, set the switch to Enabled.
  11. Click Save alert. The signal is enabled and requests that match the signal are assigned the tag associated with the rule.
