LOG IN SIGN UP
Documentation

Fastly WAF rule set updates and maintenance

  Last updated August 06, 2018

Fastly provides rule set updates to the Fastly WAF in a prompt manner to help protect customers against attacks.

For OWASP and Trustwave rules changes we use the following process:

  1. We regularly review the rule changes as they happen in both the OWASP Core Rule Set and the Trustwave Rule Set.
  2. We translate the rules into Varnish Configuration Language (VCL) to run inside our cache nodes.
  3. We test the rules in our platform to ensure they perform adequately. We try to maximize performance and rule efficacy while reducing false positives.
  4. We correct bugs, if any are found.
  5. We propagate the rule set changes to our platform worldwide.
  6. Finally, we will provide customers with a notification and instructions on how to make rule updates.

Rule set maintenance

The following table describes updates and changes to the provided rule sets:

ID Date Type of Change Affected Rule Sets
67LUkBwzFzESzumlU2L0T8 2018/08/05
  • Introduced new Fastly internal rule 4134010, which mitigates common XXE attacks
  • Introduced new Fastly internal rule 4112019, which mitigates CtrlFunc Botnet Attack
  • Introduced new Fastly internal rule 4113001, which mitigates suspicious X-Forwarded-Host headers
  • Introduced new Fastly internal rule 4113002, which mitigates X-Forwarded-Host and Host headers that do not match
  • Introduced new Fastly internal rule 4120010, which detects illegal characters found in the client X-Forwarded-Host header
  • Introduced new Fastly internal rule 4120011, which detects illegal characters found in the client X-Forwarded-For header
  • Updated OWASP rule 930130 to include additional restricted files
  • OWASP
  • Fastly Rules
552NEtnDyzucKd3vTjLgFC 2018/05/15
  • Added logdata fields to OWASP rules 920230, 920260, 920270, 920271, 920272, 920273, 920274, 920360
  • Introduce new Fastly internal rule 4170001, which mitigates Drupal sa-core-2018-004 attack
  • Adjust threshold rule 1010090 message
  • OWASP
  • Fastly Rules
6LG4xleIDKWLblCJczGpi9 2018/03/28
  • Introduce new Fastly internal rule 4170000, which mitigates Drupal sa-core-2018-002 attack
  • Updated Fastly internal 4112060 Wordpress PingBack rule
  • Updated Fastly internal rules that protect against DDoS bots (Rule IDs: 4112013 and 4112016)
  • Fastly Rules
1D0OPmXjm6ZMOe9rMGAeQj 2018/01/25
  • Update Trustwave rules to latest available
  • Introduce new Fastly internal rules to protect against DDoS bots (Rule IDs: 4112010-4112018, 4112030, 4112031, and 4112060)
  • Introduce new Fastly internal rule 10041 (which complements existing rule 10040) to block any HTTP POST body greater than 2 kibibytes in size that uses chunked encoding
  • Trustwave
  • Fastly Rules
2YXlqZJQxMkWyAjM4kggR3 2017/11/13
  • Global update to OWASP 3.0.2 CRS release
  • Update Trustwave rules to latest available
  • Introduce new Fastly internal rule 10040 to block any HTTP POST body greater than 2 kibibytes in size.
  • OWASP
  • Trustwave
  • Fastly Rules
2vyJNHO7fngQYJXU8UGUY6 2017/10/11
  • Updates to rule 932140 to account for SAML false positives in Windows
  • Reintroduction of missing transforms on some OWASP rules
  • Introduction of Fastly internal rule to protect against CVE-2017-9805
  • OWASP
  • Fastly Rules
4Z09wgjp7do8NrOIzlckFS 2017/08/15
  • Reintroduction of individual threshold variables: http_violation_score_threshold, lfi_score_threshold, php_injection_score_threshold, rce_score_threshold, rfi_score_threshold, session_fixation_score_threshold, sql_injection_score_threshold, xss_score_threshold
  • Removal of unused threshold variables: brute_force_counter_threshold, dos_counter_threshold, outbound_anomaly_score_threshold, trojan_score_threshold
  • Additional bug fixes in OWASP rule set
  • OWASP
  • Trustwave
39EE4tZnEM9Q8hxFJMHYU5 2017/04/27
  • OWASP
  • Trustwave
  • Fastly Rules

Updating to the newest rule set

Follow these instructions to update a WAF to use the newest rule set.

Reviewing the current rule set

Before updating your WAF to a new rule set, we recommend that you record the value of your WAF's currently active rule set. You can use this information to revert your WAF to its previous state.

Run the following cURL command in a terminal application to find the currently active rule set:

curl -s -H Fastly-Key: <your Fastly API token> -H Accept:application/vnd.api+json \
      https://api.fastly.com/service/<your Fastly service ID>/version/<your service version number>/wafs/<your WAF ID>

The output from the cURL command is shown below. In the relationships object, notice that this WAF is using <ID of your active configuration set>. Remember the ID.

{
    "data": {
        "attributes": {
            "last_push": null,
            "prefetch_condition": null,
            "response": null,
            "version": "1"
        },
        "id": "<your WAF ID>",
        "relationships": {
            "configuration_set": {
                "data": {
                    "id": "<ID of your active configuration set>",
                    "type": "configuration_set"
                }
            }
        },
        "type": "waf"
    }
}

Changing the rule set version

Follow these instructions to change the rule set version for a WAF:

  1. Find the ID of the new rule set version you want to use in the rule set maintenance section.
  2. On your computer, create a new file called updated_relationship.json.
  3. Copy and paste the following JSON into the file, replacing <your rules ID> with the ID of the rule set version you want to use:

    {
        "data": {
            "id": "<your WAF ID>",
            "relationships": {
                "configuration_set": {
                    "data": {
                        "id": "<your rules ID>",
                        "type": "configuration_set"
                    }
                }
            },
            "type": "waf"
        }
    }
    
  4. Save the changes to the updated_relationship.json file.
  5. In the directory you saved the file, run the following cURL command in a terminal application to change the rule set version for a WAF:

    curl -s -X PATCH -H Fastly-Key: <your Fastly API token> -H Accept:application/vnd.api+json \
      -H Content-Type:application/vnd.api+json -d @updated_relationship.json \
      https://api.fastly.com/service/<your Fastly service ID>/version/<your service version number>/wafs/<your WAF ID>
    
  6. Changing the rule set version for a WAF can take some time. Run the following cURL command in a terminal application to monitor the status of the process:

    curl -s -H Fastly-Key: <your Fastly API token> -H Accept:application/vnd.api+json \
          https://api.fastly.com/service/<your Fastly service ID>/version/<your service version number>/wafs/<your WAF ID>
    

    The process is complete when the output displays the ID of the new rule set version.

Updating to the latest rules

After you've verified that the rule set for the WAF has successfully been changed, follow these rules to update your WAF with the latest rules:

  1. Run the following cURL command in a terminal application to update the rule set:

    curl -s -X PATCH -H Fastly-Key: <your Fastly API token> -H Accept:application/vnd.api+json \
      -H Content-Type:application/vnd.api+json -d '{"data":{"id":"<your WAF ID>","type":"ruleset"}}' \
      https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/ruleset
    

    The response will look like this:

    {
        "data": {
            "id": "WAF_ID",
            "type": "ruleset"
        },
        "links": {
            "related": {
                "href": "https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/update_statuses/<update status ID>"
            }
        }
    }
    
  2. Updating the WAF with the latest rules can take some time. Using the URL in the response in the previous step, run the following cURL command in a terminal application to monitor the status of the process:

    curl -s -H Fastly-Key: FASTLY_API_TOKEN -H Accept:application/vnd.api+json \
    https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/update_statuses/<update status ID>
    

    The response for the waf_update_status will have a status of complete when the process is complete.

    {
        "data": {
            "attributes": {
                "completed_at": "2017-04-05 18:47:28 UTC",
                "created_at": "2017-04-05 18:47:27 UTC",
                "message": null,
                "status": "complete",
                "updated_at": "2017-04-05 18:47:28 UTC"
            },
            "id": "<update status ID>",
            "type": "waf_update_status"
        }
    }
    

Reverting to a previous rule set version

If a WAF rule set update doesn't go as planned, you can revert to the previous rule set version. Using the previous rule set ID you recorded in the reviewing the current rule set section, follow the instructions in changing the rule set version and updating to the latest rules.


Additional resources:


Back to Top