src/content/docs/ddos-protection/managed-rulesets/http/override-expressions.mdx
22 additions & 1 deletion
@@ -21,26 +21,47 @@ For example, you can set different sensitivity levels for different request URI
21
21
22
22
You can use the following fields in override expressions:
23
23
24
+
-`cf.bot_management.ja3_hash`
25
+
-`cf.bot_management.ja4`
24
26
-`cf.client.bot`
25
27
-`cf.threat_score`
28
+
-`cf.tls_cipher`
29
+
-`cf.tls_client_auth.cert_verified`
30
+
-`cf.tls_version`
31
+
-`cf.verified_bot_category`
26
32
-`http.cookie`
27
33
-`http.host`
28
34
-`http.referer`
35
+
-`http.request.headers`
36
+
-`http.request.headers.names`
37
+
-`http.request.headers.truncated`
38
+
-`http.request.headers.values`
29
39
-`http.request.uri`
30
40
-`http.request.uri.path`
41
+
-`http.request.uri.path.extension`
31
42
-`http.request.uri.query`
32
43
-`http.request.full_uri`
33
44
-`http.request.method`
34
45
-`http.request.version`
35
46
-`http.request.cookies`
36
47
-`http.user_agent`
37
48
-`http.x_forwarded_for`
49
+
-`ip.geoip.asnum`
50
+
-`ip.geoip.continent`
51
+
-`ip.geoip.country`
52
+
-`ip.geoip.is_in_european_union`
38
53
-`ip.src`
39
54
-`ip.src.asnum`
40
55
-`ip.src.continent`
41
56
-`ip.src.country`
42
57
-`ip.src.is_in_european_union`
43
58
-`ssl`
44
-
-`cf.tls_client_auth.cert_verified`
45
59
46
60
Refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/) in the Rules language documentation for more information.
61
+
62
+
## Important remarks
63
+
64
+
- Each expression is limited to 4,000 characters, which means you can enter approximately a maximum of 200 IP addresses in a single expression. However, you can enter IP addresses in CIDR format, which allows you to include a larger number of IP addresses. For example, you can use `192.0.0.0/24` to match IP addresses from `192.0.0.0` to `192.0.0.255`.
65
+
- An expression is not an <GlossaryTooltipterm="allowlist">allowlist</GlossaryTooltip> and does not become part of the attack fingerprint. The expression applies to the scope of the override and is used right before applying a mitigation action, to determine if the sensitivity level and action need to be adjusted.<br/>
66
+
67
+
For example, if you have an expression matching <GlossaryTooltipterm="data packet">packets</GlossaryTooltip> with a specific source IP address and the override sets the sensitivity level to low, this override will only lower the sensitivity level for traffic that comes directly from that source IP address. If the DDoS protection system detects an attack coming from many source IP addresses targeted at a single destination IP and port, the generated fingerprint will only match the common criteria of the attack which, in this example, does not include the source IP address. The system will trigger the required mitigation actions at the default high sensitivity level because the traffic did not come from the user-provided source IP address. Therefore, traffic from the source IP in the override expression may still be blocked because the fingerprint only contains the destination IP address and port of the attack.
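Review bot: the added `ip.geoip.asnum`, `ip.geoip.continent`, `ip.geoip.country` and `ip.geoip.is_in_european_union` entries now sit in the same list as the existing `ip.src.asnum`, `ip.src.continent`, `ip.src.country` and `ip.src.is_in_european_union`, with nothing telling the reader how the two families relate or which one a new expression should use; either keep only one set or add a one-line note saying which is the current name (the pre-existing `http.cookie` / `http.request.cookies` pair has the same problem). Two smaller points in the new "Important remarks" block: the component tags read `<GlossaryTooltipterm="allowlist">` and `<GlossaryTooltipterm="data packet">` with no space before `term`, which MDX will not parse as a component with an attribute, so confirm the source actually has `<GlossaryTooltip term="...">`; and the trailing `<br/>` on the second bullet is followed by a blank line and an unindented "For example, ..." paragraph, so that paragraph renders outside the list item rather than as its continuation, leaving the `<br/>` with nothing to join (indent the paragraph under the bullet or drop the `<br/>`).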