articles/web-application-firewall/ag/application-gateway-crs-rulegroups-rules.md
30 additions & 30 deletions
Original file line number
Diff line number
Diff line change
@@ -5,21 +5,21 @@ description: This page provides information on web application firewall CRS rule
5
5
services: web-application-firewall
6
6
author: vhorne
7
7
ms.service: web-application-firewall
8
-
ms.date: 11/08/2022
8
+
ms.date: 01/25/2024
9
9
ms.author: victorh
10
10
ms.topic: conceptual
11
11
---
12
12
13
13
# Web Application Firewall DRS and CRS rule groups and rules
14
14
15
-
Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and exploits. Azure-managed rule sets provide an easy way to deploy protection against a common set of security threats. Since such rule sets are managed by Azure, the rules are updated as needed to protect against new attack signatures. Default rule set also includes the Microsoft Threat Intelligence Collection rules that are written in partnership with the Microsoft Intelligence team to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction.
15
+
The Azure-managed rule sets in the Application Gateway web application firewall (WAF) actively protect web applications from common vulnerabilities and exploits. These rule sets, managed by Azure, receive updates as necessary to guard against new attack signatures. The default rule set also incorporates the Microsoft Threat Intelligence Collection rules. The Microsoft Intelligence team collaborates in writing these rules, ensuring enhanced coverage, specific vulnerability patches, and improved false positive reduction.
16
16
17
-
Customers also have the option of using rules that are defined based on the OWASP core rule sets 3.2, 3.1, 3.0, or 2.2.9.
17
+
You also have the option of using rules that are defined based on the OWASP core rule sets 3.2, 3.1, 3.0, or 2.2.9.
18
18
19
-
Rules can be disabled on a rule-by-rule basis, or you can set specific actions by individual rule. This article contains the current rules and rule sets offered. In the rare occasion that a published ruleset needs to be updated, it will be documented here.
19
+
You can disable rules individually, or set specific actions for each rule. This article lists the current rules and rule sets available. If a published rule set requires an update, we'll document it here.
20
20
21
21
> [!NOTE]
22
-
> When changing from one ruleset version to another all disabled and enabled rule settings will return to the default for the ruleset your are migrating to. This means that if you previously disabled or enabled a rule, you will need to disable or enable it again once you've moved to the new ruleset version.
22
+
> When changing from one ruleset version to another all disabled and enabled rule settings will return to the default for the ruleset you're migrating to. This means that if you previously disabled or enabled a rule, you will need to disable or enable it again once you've moved to the new ruleset version.
23
23
24
24
## Default rule sets
25
25
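Review bot: The rewritten intro paragraph names "the Microsoft Intelligence team", while the unchanged context line at old line 41 calls the same group "the Microsoft Threat Intelligence team"; use one name throughout. The [!NOTE] edit fixes only "your are" and leaves "ruleset" in place, although the rewritten paragraph just above it now writes "rule set", and the sentence still lacks a comma after "another". This note is the one that tells readers their per-rule enable/disable settings reset on a version change, so it deserves the same cleanup as the surrounding text.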
@@ -41,7 +41,7 @@ The version number of the DRS increments when new attack signatures are added to
41
41
The Microsoft Threat Intelligence Collection rules are written in partnership with the Microsoft Threat Intelligence team to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction.
42
42
43
43
> [!NOTE]
44
-
> Please follow the below guidance to tune WAF while you get started with 2.1 on Application Gateway WAF. Details of the rules are as below.
44
+
> Please use the following guidance to tune WAF while you get started with 2.1 on Application Gateway WAF. Details of the rules are described next.
45
45
46
46
|Rule ID |Rule Group|Description |Details|
47
47
|---------|---------|---------|---------|
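Review bot: In the changed [!NOTE] line, "get started with 2.1" never says which rule set is meant; the page numbers both DRS and CRS versions, so write "DRS 2.1". "Details of the rules are described next" could point directly at what follows, for example "The following table describes the rules."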
@@ -59,7 +59,7 @@ The Microsoft Threat Intelligence Collection rules are written in partnership wi
59
59
60
60
## Core rule sets
61
61
62
-
The Application Gateway WAF comes pre-configured with CRS 3.2 by default, but you can choose to use any other supported CRS version.
62
+
The Application Gateway WAF comes preconfigured with CRS 3.2 by default, but you can choose to use any other supported CRS version.
63
63
64
64
CRS 3.2 offers a new engine and new rule sets defending against Java injections, an initial set of file upload checks, and fewer false positives compared with earlier versions of CRS. You can also [customize rules to suit your needs](application-gateway-customize-waf-rules-portal.md). Learn more about the new [Azure WAF engine](waf-engine.md).
65
65
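Review bot: "comes preconfigured with CRS 3.2 by default" on the changed line states the default twice; drop either "preconfigured" or "by default". The hyphen removal itself matches the "preconfigured rules" spelling introduced at new line 85.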
@@ -82,7 +82,7 @@ Both DRS and CRS are enabled by default in Detection mode in your WAF policies.
82
82
83
83
Sometimes you might need to omit certain request attributes from a WAF evaluation. A common example is Active Directory-inserted tokens that are used for authentication. You can configure exclusions to apply when specific WAF rules are evaluated, or to apply globally to the evaluation of all WAF rules. Exclusion rules apply to your whole web application. For more information, see [Web Application Firewall (WAF) with Application Gateway exclusion lists](application-gateway-waf-configuration.md).
84
84
85
-
By default, DRS version 2.1 / CRS version 3.2 and above will leverage anomaly scoring when a request matches a rule, CRS 3.1 and below will block matching requests by default. Additionally, custom rules can be configured in the same WAF policy if you wish to bypass any of the pre-configured rules in the Core Rule Set.
85
+
By default, DRS version 2.1 / CRS version 3.2 and above uses anomaly scoring when a request matches a rule. CRS 3.1 and below blocks matching requests by default. Additionally, custom rules can be configured in the same WAF policy if you want to bypass any of the preconfigured rules in the Core Rule Set.
86
86
87
87
Custom rules are always applied before rules in the Core Rule Set are evaluated. If a request matches a custom rule, the corresponding rule action is applied. The request is either blocked or passed through to the back-end. No other custom rules or the rules in the Core Rule Set are processed.
88
88
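Review bot: The last sentence of the changed line says custom rules let you "bypass any of the preconfigured rules", but the context paragraph right after it states that once a custom rule matches, no other custom rules or Core Rule Set rules are processed. A matching custom rule that passes the request therefore skips every managed rule for that request, not a chosen one; say so here, so readers do not treat a custom rule as a per-rule override. Separately, "CRS 3.1 and below blocks matching requests by default" sits under a section whose hunk header says both DRS and CRS are enabled in Detection mode by default; clarify that the blocking applies in Prevention mode if that is what is meant.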
@@ -103,7 +103,7 @@ For example, a single *Critical* rule match is enough for the WAF to block a req
103
103
104
104
### DRS 2.1
105
105
106
-
DRS 2.1 rules offer better protection than earlier versions of the DRS. It includes additional rules developed by the Microsoft Threat Intelligence team and updates to signatures to reduce false positives. It also supports transformations beyond just URL decoding.
106
+
DRS 2.1 rules offer better protection than earlier versions of the DRS. It includes more rules developed by the Microsoft Threat Intelligence team and updates to signatures to reduce false positives. It also supports transformations beyond just URL decoding.
107
107
108
108
DRS 2.1 includes 17 rule groups, as shown in the following table. Each group contains multiple rules, and you can customize behavior for individual rules, rule groups, or entire rule set.
109
109
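Review bot: The changed line keeps "It includes" and "It also supports" after the plural subject "DRS 2.1 rules"; either start with "DRS 2.1 offers better protection" or use "They include". The context line below also reads "or entire rule set" without an article, which is worth fixing in the same pass.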
@@ -243,15 +243,15 @@ The following rule groups and rules are available when using Web Application Fir
243
243
### <aname="drs911-21"></a> METHOD ENFORCEMENT
244
244
|RuleId|Description|
245
245
|---|---|
246
-
|911100|Method is not allowed by policy|
246
+
|911100|Method isn't allowed by policy|
247
247
248
248
### <aname="drs920-21"></a> PROTOCOL-ENFORCEMENT
249
249
|RuleId|Description|
250
250
|---|---|
251
251
|920100|Invalid HTTP Request Line|
252
252
|920120|Attempted multipart/form-data bypass|
253
253
|920121|Attempted multipart/form-data bypass|
254
-
|920160|Content-Length HTTP header is not numeric.|
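Review bot: The Description cells changed in these tables (911100, and 920160 on the removed line that ends the visible hunk) read as the rule's own message text, and "Method is not allowed by policy" is the wording of the upstream CRS message for 911100. If this column is meant to mirror the message that appears when the rule fires, leave it verbatim rather than applying the contraction style pass, so that someone searching logs for the documented string still finds a match. If the column is free-form documentation, say so in the table intro.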