Merge pull request #187522 from vhorne/waf-crs-drs

PRMerger5 · web-flow · commit b91aa671931b · 2022-02-07T20:05:13.000+05:30
CRS, DRS updates from Gunjan
diff --git a/articles/web-application-firewall/afds/waf-front-door-drs.md b/articles/web-application-firewall/afds/waf-front-door-drs.md
@@ -5,7 +5,7 @@ ms.service: web-application-firewall
 author: vhorne
 ms.author: victorh
 ms.topic: conceptual
-ms.date: 07/29/2021
+ms.date: 02/04/2022
 ---
 
 # Web Application Firewall DRS rule groups and rules
@@ -352,7 +352,7 @@ Front Door.
 |944130|Suspicious Java classes|
 |944200|Exploitation of Java deserialization Apache Commons|
 |944210|Possible use of Java serialization|
-|944240|Remote Command Execution: Java serialization|
+|944240|Remote Command Execution: Java serialization and Log4j vulnerability ([CVE-2021-44228](https://www.cve.org/CVERecord?id=CVE-2021-44228), [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046))|
 |944250|Remote Command Execution: Suspicious Java method detected|
 
 ### <a name="drs9905-20"></a> MS-ThreatIntel-WebShells
@@ -531,7 +531,7 @@ Front Door.
 |944130|Suspicious Java class detected|
 |944200|Magic bytes Detected, probable java serialization in use|
 |944210|Magic bytes Detected Base64 Encoded, probable java serialization in use|
-|944240|Remote Command Execution: Java serialization (CVE-2015-5842)|
+|944240|Remote Command Execution: Java serialization and Log4j vulnerability ([CVE-2021-44228](https://www.cve.org/CVERecord?id=CVE-2021-44228), [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046))|
 |944250|Remote Command Execution: Suspicious Java method detected|
 
 ### <a name="drs9905-11"></a> MS-ThreatIntel-WebShells
@@ -712,7 +712,7 @@ Front Door.
 |944130|Suspicious Java classes|
 |944200|Exploitation of Java deserialization Apache Commons|
 |944210|Possible use of Java serialization|
-|944240|Remote Command Execution: Java serialization|
+|944240|Remote Command Execution: Java serialization and Log4j vulnerability ([CVE-2021-44228](https://www.cve.org/CVERecord?id=CVE-2021-44228), [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046))|
 |944250|Remote Command Execution: Suspicious Java method detected|
 
 # [Bot rules](#tab/bot)
diff --git a/articles/web-application-firewall/ag/application-gateway-crs-rulegroups-rules.md b/articles/web-application-firewall/ag/application-gateway-crs-rulegroups-rules.md
@@ -5,7 +5,7 @@ description: This page provides information on web application firewall CRS rule
 services: web-application-firewall
 author: vhorne
 ms.service: web-application-firewall
-ms.date: 01/11/2022
+ms.date: 02/04/2022
 ms.author: victorh
 ms.topic: conceptual
 ---
@@ -36,16 +36,17 @@ The WAF protects against the following web vulnerabilities:
 - Bots, crawlers, and scanners
 - Common application misconfigurations (for example, Apache and IIS)
 
-### OWASP CRS 3.2 (public preview)
+### OWASP CRS 3.2 (preview)
 
-CRS 3.2 includes 13 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled.
+CRS 3.2 includes 14 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled.
 
 > [!NOTE]
 > CRS 3.2 is only available on the WAF_v2 SKU.
 
 |Rule group|Description|
 |---|---|
 |**[General](#general-32)**|General group|
+|**[KNOWN-CVES](#crs800-32)**|Help detect new and known CVEs|
 |**[REQUEST-911-METHOD-ENFORCEMENT](#crs911-32)**|Lock-down methods (PUT, PATCH)|
 |**[REQUEST-913-SCANNER-DETECTION](#crs913-32)**|Protect against port and environment scanners|
 |**[REQUEST-920-PROTOCOL-ENFORCEMENT](#crs920-32)**|Protect against protocol and encoding issues|
@@ -62,14 +63,15 @@ CRS 3.2 includes 13 rule groups, as shown in the following table. Each group con
 
 ### OWASP CRS 3.1
 
-CRS 3.1 includes 13 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled.
+CRS 3.1 includes 14 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled.
 
 > [!NOTE]
 > CRS 3.1 is only available on the WAF_v2 SKU.
 
 |Rule group|Description|
 |---|---|
 |**[General](#general-31)**|General group|
+|**[KNOWN-CVES](#crs800-31)**|Help detect new and known CVEs|
 |**[REQUEST-911-METHOD-ENFORCEMENT](#crs911-31)**|Lock-down methods (PUT, PATCH)|
 |**[REQUEST-913-SCANNER-DETECTION](#crs913-31)**|Protect against port and environment scanners|
 |**[REQUEST-920-PROTOCOL-ENFORCEMENT](#crs920-31)**|Protect against protocol and encoding issues|
@@ -85,11 +87,12 @@ CRS 3.1 includes 13 rule groups, as shown in the following table. Each group con
 
 ### OWASP CRS 3.0
 
-CRS 3.0 includes 12 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled.
+CRS 3.0 includes 13 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled.
 
 |Rule group|Description|
 |---|---|
 |**[General](#general-30)**|General group|
+|**[KNOWN-CVES](#crs800-30)**|Help detect new and known CVEs|
 |**[REQUEST-911-METHOD-ENFORCEMENT](#crs911-30)**|Lock-down methods (PUT, PATCH)|
 |**[REQUEST-913-SCANNER-DETECTION](#crs913-30)**|Protect against port and environment scanners|
 |**[REQUEST-920-PROTOCOL-ENFORCEMENT](#crs920-30)**|Protect against protocol and encoding issues|
@@ -121,7 +124,7 @@ CRS 2.2.9 includes 10 rule groups, as shown in the following table. Each group c
 
 The following rule groups and rules are available when using Web Application Firewall on Application Gateway.
 
-# [OWASP 3.2 (public preview)](#tab/owasp32)
+# [OWASP 3.2 (preview)](#tab/owasp32)
 
 ## <a name="owasp32"></a> 3.2 rule sets
 
@@ -130,6 +133,11 @@ The following rule groups and rules are available when using Web Application Fir
 |---|---|
 |200004|Possible Multipart Unmatched Boundary.|
 
+### <a name="crs800-32"></a> KNOWN-CVES
+|RuleId|Description|
+|---|---|
+|800100|Rule to help detect and mitigate log4j vulnerability [CVE-2021-44228](https://www.cve.org/CVERecord?id=CVE-2021-44228), [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046)|
+
 ### <a name="crs911-32"></a> REQUEST-911-METHOD-ENFORCEMENT
 |RuleId|Description|
 |---|---|
@@ -366,6 +374,12 @@ The following rule groups and rules are available when using Web Application Fir
 |---|---|
 |200004|Possible Multipart Unmatched Boundary.|
 
+### <a name="crs800-31"></a> KNOWN-CVES
+|RuleId|Description|
+|---|---|
+|800100|Rule to help detect and mitigate log4j vulnerability [CVE-2021-44228](https://www.cve.org/CVERecord?id=CVE-2021-44228), [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046)|
+
+
 ### <a name="crs911-31"></a> REQUEST-911-METHOD-ENFORCEMENT
 
 |RuleId|Description|
@@ -608,6 +622,12 @@ The following rule groups and rules are available when using Web Application Fir
 |---|---|
 |200004|Possible Multipart Unmatched Boundary.|
 
+### <a name="crs800-30"></a> KNOWN-CVES
+|RuleId|Description|
+|---|---|
+|800100|Rule to help detect and mitigate log4j vulnerability [CVE-2021-44228](https://www.cve.org/CVERecord?id=CVE-2021-44228), [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046)|
+
+
 ### <a name="crs911-30"></a> REQUEST-911-METHOD-ENFORCEMENT
 
 |RuleId|Description|
