From 1b222f08bee39a019020d002a71517cd2ea4d7db Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 26 Nov 2024 12:43:14 +0000 Subject: [PATCH 1/5] [WAF] Add attack score rule recommendations --- src/content/docs/waf/detections/attack-score.mdx | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/content/docs/waf/detections/attack-score.mdx b/src/content/docs/waf/detections/attack-score.mdx index 08fc433ec13c700..c1e6a7c987f6971 100644 --- a/src/content/docs/waf/detections/attack-score.mdx +++ b/src/content/docs/waf/detections/attack-score.mdx @@ -53,6 +53,14 @@ Requests with an attack score of `100` will have a class of _Unscored_ in the Cl Attack score automatically detects and decodes Base64, JavaScript (Unicode escape sequences), and URL encoded content anywhere in the request: URL, headers, and body. +## Rule recommendations + +Cloudflare does not recommend that you block traffic solely based on the WAF Attack Score for all values below `50`, since the _Likely attack_ range (scores between `21` and `50`) tends to have false positives. If you want to block traffic based on this score, do one of the following: + +- Use a more strict WAF Attack Score value in your expression. For example, block traffic with a WAF attack score below `20` or below `15` (you may need to adjust the exact threshold). + +- Combine a filter such as `WAF Attack Score less than 50` with other filters when blocking incoming traffic. For example, check for a specific URI path in your expression or use bot score. + --- ## Start using WAF attack score From 26e50da1cfdf0da689ba097429c0b72ad992a2f1 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 26 Nov 2024 12:43:36 +0000 Subject: [PATCH 2/5] Review get started instructions --- .../docs/waf/detections/attack-score.mdx | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) 
diff --git a/src/content/docs/waf/detections/attack-score.mdx b/src/content/docs/waf/detections/attack-score.mdx index c1e6a7c987f6971..72fc1e353fac557 100644 --- a/src/content/docs/waf/detections/attack-score.mdx +++ b/src/content/docs/waf/detections/attack-score.mdx @@ -67,13 +67,23 @@ Cloudflare does not recommend that you block traffic solely based on the WAF Att ### 1. Create a custom rule -If you are an Enterprise customer: +If you are an Enterprise customer, create a [WAF custom rule](/waf/custom-rules/create-dashboard/) that blocks requests with a **WAF Attack Score** less than or equal to 20 (recommended initial threshold). For example: -- Create a [WAF custom rule](/waf/custom-rules/create-dashboard/) that logs all requests with a WAF Attack Score below 40 (recommended initial threshold). For example, set the rule expression to `cf.waf.score lt 40` and the rule action to _Log_. +| Field | Operator | Value | +| ---------------- | --------------------- | ----- | +| WAF Attack Score | less than or equal to | `20` | -If you are a Business customer: +- Equivalent rule expression: `cf.waf.score le 20` +- Action: _Block_ -- Create a [WAF custom rule](/waf/custom-rules/create-dashboard/) matching requests with a WAF Attack Score Class of _Attack_. For example, set the rule expression to `cf.waf.score.class eq "attack"` and the rule action to a challenge action (such as _Managed Challenge_) or _Block_. +Business customers must create a custom rule with the **WAF Attack Score Class** field instead. For example, use this field to block incoming requests with a score class of _Attack_: + +| Field | Operator | Value | +| ---------------------- | -------- | -------- | +| WAF Attack Score Class | equals | `Attack` | + +- Equivalent rule expression: `cf.waf.score.class eq "attack"` +- Action: _Block_ ### 2. Monitor domain traffic From aa7a5f43505f31c3674288b732e5a6a1ffb580ac Mon Sep 17 00:00:00 2001 
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 26 Nov 2024 15:24:50 +0000 Subject: [PATCH 3/5] Clarify scores --- src/content/docs/waf/detections/attack-score.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/waf/detections/attack-score.mdx b/src/content/docs/waf/detections/attack-score.mdx index 72fc1e353fac557..7cc38bb3770a614 100644 --- a/src/content/docs/waf/detections/attack-score.mdx +++ b/src/content/docs/waf/detections/attack-score.mdx @@ -38,7 +38,7 @@ You can use these fields in expressions of [custom rules](/waf/custom-rules/) an - A score of `99` indicates that the request is likely clean. - A score of `100` indicates that the Cloudflare WAF did not score the request. -The available scores are independent of each other. Namely, the WAF Attack Score is not a sum of the other scores. +The individual attack scores (such as WAF SQLi Attack Score and XSS Attack Score) are independent of each other. Additionally, the global WAF Attack Score is related to individual scores, but does not result from a direct calculation. The WAF Attack Score Class field can have one of the following values, depending on the calculated request attack score: @@ -59,7 +59,7 @@ Cloudflare does not recommend that you block traffic solely based on the WAF Att - Use a more strict WAF Attack Score value in your expression. For example, block traffic with a WAF attack score below `20` or below `15` (you may need to adjust the exact threshold). -- Combine a filter such as `WAF Attack Score less than 50` with other filters when blocking incoming traffic. For example, check for a specific URI path in your expression or use bot score. +- Combine a higher WAF Attack Score threshold with additional filters when blocking incoming traffic. For example, include a check for a specific URI path in your expression or use bot score as part of your criteria. --- From 4b3bed4ec1a53f98eadbfd44ca9dfa120da27fdd Mon Sep 17 00:00:00 2001 
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 26 Nov 2024 15:52:56 +0000 Subject: [PATCH 4/5] Updates based on feedback --- .../rules-language/fields/dynamic-fields.mdx | 8 +++--- .../docs/waf/detections/attack-score.mdx | 25 ++++++++++--------- 2 files changed, 17 insertions(+), 16 deletions(-) diff --git a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx index 5f69290abdba06b..b98bc4c9c7c4f10 100644 --- a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx +++ b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx 
@@ -436,25 +436,25 @@ For more details, refer to [Malicious uploads detection](/waf/detections/malicio `cf.waf.score` -A global score from 1 to 99 that combines the score of each WAF attack vector into a single score. This is the standard [WAF attack score](/waf/detections/attack-score/) to detect variants of attack patterns. +A global score from `1` to `99` that combines the score of each WAF attack vector into a single score. The special score `100` indicates that the Cloudflare WAF did not score the request. This is the standard [WAF attack score](/waf/detections/attack-score/) to detect variants of attack patterns. ## `cf.waf.score.sqli` `cf.waf.score.sqli` -An attack score from 1 to 99 classifying the SQL injection (SQLi) attack vector. +An attack score from `1` to `99` classifying the SQL injection (SQLi) attack vector. The special score `100` indicates that the Cloudflare WAF did not score the request. ## `cf.waf.score.xss` `cf.waf.score.xss` -An attack score from 1 to 99 classifying the cross-site scripting (XSS) attack vector. +An attack score from `1` to `99` classifying the cross-site scripting (XSS) attack vector. The special score `100` indicates that the Cloudflare WAF did not score the request. ## `cf.waf.score.rce` `cf.waf.score.rce` -An attack score from 1 to 99 classifying the command injection or Remote Code Execution (RCE) attack vector. +An attack score from `1` to `99` classifying the command injection or Remote Code Execution (RCE) attack vector. The special score `100` indicates that the Cloudflare WAF did not score the request. ## `cf.waf.score.class` diff --git a/src/content/docs/waf/detections/attack-score.mdx b/src/content/docs/waf/detections/attack-score.mdx index 7cc38bb3770a614..a36c824d67b9fa2 100644 --- a/src/content/docs/waf/detections/attack-score.mdx +++ b/src/content/docs/waf/detections/attack-score.mdx 
@@ -22,23 +22,24 @@ This feature is available to Enterprise customers. Business plans have access to ## Available scores -The Cloudflare WAF provides the following attack scores: +The Cloudflare WAF provides the following attack score fields: -| Score | Minimum plan required | Attack vector | Field | -| ---------------------- | --------------------- | --------------------------- | --------------------------------------------------------------------------------------------- | -| WAF Attack Score | Enterprise | N/A (global score) | [`cf.waf.score`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscore) | -| WAF SQLi Attack Score | Enterprise | SQL injection (SQLi) | [`cf.waf.score.sqli`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscoresqli) | -| WAF XSS Attack Score | Enterprise | Cross-site scripting (XSS) | [`cf.waf.score.xss`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscorexss) | -| WAF RCE Attack Score | Enterprise | Remote Code Execution (RCE) | [`cf.waf.score.rce`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscorerce) | -| WAF Attack Score Class | Business | N/A (global classification) | [`cf.waf.score.class`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscoreclass) | +| Score | Data type | Minimum plan required | Attack vector | Field | +| ---------------------- | --------- | --------------------- | --------------------------- | --------------------------------------------------------------------------------------------- | +| WAF Attack Score | Number | Enterprise | N/A (global score) | [`cf.waf.score`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscore) | +| WAF SQLi Attack Score | Number | Enterprise | SQL injection (SQLi) | [`cf.waf.score.sqli`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscoresqli) | +| WAF XSS Attack Score | Number | Enterprise | Cross-site scripting (XSS) | 
[`cf.waf.score.xss`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscorexss) | +| WAF RCE Attack Score | Number | Enterprise | Remote Code Execution (RCE) | [`cf.waf.score.rce`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscorerce) | +| WAF Attack Score Class | String | Business | N/A (global classification) | [`cf.waf.score.class`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscoreclass) | -You can use these fields in expressions of [custom rules](/waf/custom-rules/) and [rate limiting rules](/waf/rate-limiting-rules/) where: +You can use these fields in expressions of [custom rules](/waf/custom-rules/) and [rate limiting rules](/waf/rate-limiting-rules/). Attack score fields of data type `Number` vary between `1` and `99` with the following meaning: - A score of `1` indicates that the request is almost certainly malicious. - A score of `99` indicates that the request is likely clean. -- A score of `100` indicates that the Cloudflare WAF did not score the request. -The individual attack scores (such as WAF SQLi Attack Score and XSS Attack Score) are independent of each other. Additionally, the global WAF Attack Score is related to individual scores, but does not result from a direct calculation. +The special score `100` indicates that the Cloudflare WAF did not score the request. + +The global WAF Attack Score is mathematically derived from individual attack scores (for example, from SQLi Attack Score and XSS Attack Score), reflecting their interdependence. However, the global score is not a sum of individual scores. A low global score usually indicates medium to low individual scores, while a high global score suggests higher individual scores. The WAF Attack Score Class field can have one of the following values, depending on the calculated request attack score: 
@@ -49,7 +50,7 @@ The WAF Attack Score Class field can have one of the following values, depending | _Likely clean_ | `likely_clean` | Attack score between `51` and `80`. | | _Clean_ | `clean` | Attack score between `81` and `99`. | -Requests with an attack score of `100` will have a class of _Unscored_ in the Cloudflare dashboard, but you cannot use this class value in rule expressions. +Requests with the special attack score `100` will show a WAF Attack Score Class of _Unscored_ in the Cloudflare dashboard, but you cannot use this class value in rule expressions. Attack score automatically detects and decodes Base64, JavaScript (Unicode escape sequences), and URL encoded content anywhere in the request: URL, headers, and body. From 44808c3dfdbc6fb5aac1fad6ac2b20b1be0f58d9 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Tue, 26 Nov 2024 16:49:50 +0000 Subject: [PATCH 5/5] Remove sentence --- .../rules-language/fields/dynamic-fields.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx index b98bc4c9c7c4f10..919c7cf619fd3fa 100644 --- a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx +++ b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx 
@@ -436,25 +436,25 @@ For more details, refer to [Malicious uploads detection](/waf/detections/malicio `cf.waf.score` -A global score from `1` to `99` that combines the score of each WAF attack vector into a single score. The special score `100` indicates that the Cloudflare WAF did not score the request. This is the standard [WAF attack score](/waf/detections/attack-score/) to detect variants of attack patterns. +A global score from `1` to `99` that combines the score of each WAF attack vector into a single score. This is the standard [WAF attack score](/waf/detections/attack-score/) to detect variants of attack patterns. ## `cf.waf.score.sqli` `cf.waf.score.sqli` -An attack score from `1` to `99` classifying the SQL injection (SQLi) attack vector. The special score `100` indicates that the Cloudflare WAF did not score the request. +An attack score from `1` to `99` classifying the SQL injection (SQLi) attack vector. ## `cf.waf.score.xss` `cf.waf.score.xss` -An attack score from `1` to `99` classifying the cross-site scripting (XSS) attack vector. The special score `100` indicates that the Cloudflare WAF did not score the request. +An attack score from `1` to `99` classifying the cross-site scripting (XSS) attack vector. ## `cf.waf.score.rce` `cf.waf.score.rce` -An attack score from `1` to `99` classifying the command injection or Remote Code Execution (RCE) attack vector. The special score `100` indicates that the Cloudflare WAF did not score the request. +An attack score from `1` to `99` classifying the command injection or Remote Code Execution (RCE) attack vector. ## `cf.waf.score.class`
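Review bot: In PATCH 1/5, the `## Rule recommendations` hunk, the first bullet's example threshold does not line up with the class boundaries stated on the same page: "block traffic with a WAF attack score below `20` or below `15`" excludes a score of exactly `20`, yet the text defines _Likely attack_ as `21` to `50`, so `1` to `20` is the _Attack_ range. Suggest "less than or equal to `20`" (`cf.waf.score le 20`), which is also what PATCH 2/5 later uses in the get-started table. Two smaller points in the same hunk: "solely based on the WAF Attack Score for all values below `50`" reads awkwardly (suggest "solely on a WAF Attack Score below `50`"), and "WAF attack score" should be capitalized as "WAF Attack Score" to match the field name used elsewhere.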
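Review bot: In PATCH 2/5, the Business table shows the value as `Attack` while the equivalent expression uses the lowercase string `"attack"`; because the Enterprise table's `20` matches its expression literally, a reader may paste `Attack` into a custom rule and get no match. Suggest `attack` in the Value column, or a note that the class value in expressions is lowercase. Also, this hunk replaces the old "logs all requests with a WAF Attack Score below 40" step with a _Block_ rule, but the next heading is still "### 2. Monitor domain traffic"; consider keeping one sentence that recommends starting with the _Log_ action and switching to _Block_ after reviewing the matches, so the monitoring step still has something to monitor before traffic is blocked.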
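Review bot: In PATCH 3/5, the first hunk (`@@ -38,7 +38,7 @@`), "the global WAF Attack Score is related to individual scores, but does not result from a direct calculation" is vaguer than the line it replaces ("is not a sum of the other scores") and tells the reader nothing actionable. Either keep the concrete "not a sum" statement or say what the relationship is; note that PATCH 4/5 rewrites this paragraph again with the opposite emphasis ("mathematically derived"), so the two patches should agree on one description before merge.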
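Review bot: In PATCH 3/5, the second hunk (`@@ -59,7 +59,7 @@`), "Combine a higher WAF Attack Score threshold with additional filters" is ambiguous right after a bullet that defines "more strict" as a lower number. Suggest keeping a concrete value as the original line did, for example "Combine a less strict threshold (such as `cf.waf.score lt 50`) with additional filters", so the reader does not have to work out which direction "higher" points.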
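Review bot: In PATCH 4/5, the `dynamic-fields.mdx` hunk adds the sentence "The special score `100` indicates that the Cloudflare WAF did not score the request." to four fields, and PATCH 5/5 removes exactly those four sentences again. Suggest squashing the two so the series does not add and revert the same text; if the removal is intentional, the backtick formatting of `1` and `99` is the only change that survives and the commit message should say so.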
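Review bot: In PATCH 4/5, the `attack-score.mdx` hunk `@@ -22,23 +22,24 @@`, the new sentence "Attack score fields of data type `Number` vary between `1` and `99`" is immediately contradicted by "The special score `100` indicates that the Cloudflare WAF did not score the request." Suggest "take a value from `1` to `99`, or the special value `100` when the request was not scored", which also matches the class table's _Unscored_ row. In the same hunk, the added paragraph states that the global score is "mathematically derived from individual attack scores ... reflecting their interdependence", which reverses the "independent of each other" wording introduced two patches earlier, and "A low global score usually indicates medium to low individual scores" is hedged in a way that a rule author cannot rely on; confirm the actual relationship with the product team and keep one statement.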
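Review bot: In PATCH 5/5, the commit title "Remove sentence" understates the change, which removes four sentences. More importantly, after this hunk `dynamic-fields.mdx` describes `cf.waf.score`, `cf.waf.score.sqli`, `cf.waf.score.xss` and `cf.waf.score.rce` as ranging from `1` to `99` only, while `attack-score.mdx` (PATCH 4/5) documents `100` as a value these same fields can carry; if the sentence is not wanted on every field, consider a single mention under `cf.waf.score` or a link to the attack score page so the two reference pages do not disagree.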