From 11c9d870ec61ccf55fabe612c18d97f59ed7b229 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Mon, 16 Dec 2024 10:52:01 -0800 Subject: [PATCH] sequence mitigation custom rules --- .../sequence-mitigation/configure.mdx | 2 + .../sequence-mitigation/custom-rules.mdx | 59 +++++++++++++++++++ .../docs/bots/concepts/sequence-rules.mdx | 40 +------------ .../bots/sequence-rules-availability.mdx | 44 ++++++++++++++ 4 files changed, 106 insertions(+), 39 deletions(-) create mode 100644 src/content/docs/api-shield/security/sequence-mitigation/custom-rules.mdx create mode 100644 src/content/partials/bots/sequence-rules-availability.mdx diff --git a/src/content/docs/api-shield/security/sequence-mitigation/configure.mdx b/src/content/docs/api-shield/security/sequence-mitigation/configure.mdx index 3e751e3856288a..87b3ee82e08c7a 100644 --- a/src/content/docs/api-shield/security/sequence-mitigation/configure.mdx +++ b/src/content/docs/api-shield/security/sequence-mitigation/configure.mdx @@ -2,6 +2,8 @@ title: Configure Sequence Mitigation pcx_content_type: how-to type: overview +sidebar: + order: 1 head: - tag: title content: Configure Sequence Mitigation diff --git a/src/content/docs/api-shield/security/sequence-mitigation/custom-rules.mdx b/src/content/docs/api-shield/security/sequence-mitigation/custom-rules.mdx new file mode 100644 index 00000000000000..7d638da95cd26d --- /dev/null +++ b/src/content/docs/api-shield/security/sequence-mitigation/custom-rules.mdx @@ -0,0 +1,59 @@ +--- +pcx_content_type: reference +title: Sequence Mitigation custom rules +sidebar: + order: 2 + +--- + +import { GlossaryTooltip, Render } from "~/components" + +API Shield sequence custom rules use the configured API Shield session identifier to track the order of requests a user has made and the time between requests, and makes them available via [Cloudflare Rules](/rules). This allows you to write rules that match valid or invalid sequences. + +These rules are different from [cookie sequence rules](/bots/concepts/sequence-rules/) in a few ways: + +- They only require an API Shield subscription. +- They require [session identifiers](/api-shield/get-started/#session-identifiers) to be set in API Shield. +- Because they use an API's session identifiers, they can be used for APIs designed for mobile applications. +- Because Cloudflare stores the user state in memory and not in a cookie, the session lifetime is limited to 10 minutes. + +Rules built using these custom rules are different from sequence mitigation rules built [via API or the Cloudflare dashboard](/api-shield/security/sequence-mitigation/). The custom rules syntax enables free-form logic and response options that the dashboard does not. + +## Availability + + + +## Example rules + +Each saved endpoint will have an endpoint ID visible in its details page in Endpoint Management in the form of a UUID. The references below (`aaaaaaaa`, `bbbbbbbb`, and `cccccccc`) are the first eight characters of the endpoint ID. + +The visitor must wait more than 2 seconds after requesting endpoint `aaaaaaaa` before requesting endpoint `bbbbbbbb`: + +```txt +cf.sequence.current_op eq "bbbbbbbb" and +cf.sequence.msec_since_op["aaaaaaaa"] ge 2000 +``` + +The visitor must request endpoints `aaaaaaaa`, then `bbbbbbbb`, then `cccccccc` in that exact order: + +```txt +cf.sequence.current_op eq "cccccccc" and +cf.sequence.previous_ops[0] == "bbbbbbbb" and +cf.sequence.previous_ops[1] == "aaaaaaaa" +``` + +The visitor must request endpoint `aaaaaaaa` before endpoint `bbbbbbbb`, but endpoint `aaaaaaaa` can be anywhere in the previous 10 requests: + +```txt +cf.sequence.current_op eq "bbbbbbbb" and +any(cf.sequence.previous_ops[*] == "aaaaaaaa") +``` + +The visitor must request either endpoint `aaaaaaaa` before endpoint `bbbbbbbb`, or endpoint `cccccccc` before endpoint `bbbbbbbb`: + +```txt +(cf.sequence.current_op eq "bbbbbbbb" and +any(cf.sequence.previous_ops[*] == "aaaaaaaa")) or +(cf.sequence.current_op eq "bbbbbbbb" and +any(cf.sequence.previous_ops[*] == "cccccccc")) +``` \ No newline at end of file diff --git a/src/content/docs/bots/concepts/sequence-rules.mdx b/src/content/docs/bots/concepts/sequence-rules.mdx index 0fa9e872100860..01ff6197b91e9c 100644 --- a/src/content/docs/bots/concepts/sequence-rules.mdx +++ b/src/content/docs/bots/concepts/sequence-rules.mdx @@ -56,45 +56,7 @@ Cloudflare only stores up to the 10 most recent operations in a sequence for up ## Availability -These sequence fields are available in: - -- [Custom rules](/waf/custom-rules/) (`http_request_firewall_custom` phase) -- [Rate limiting rules](/waf/rate-limiting-rules/) (`http_request_ratelimit`) -- [Bulk redirects](/workers/examples/bulk-redirects/) (`http_request_redirect`) -- [HTTP request header modification rules](/rules/transform/response-header-modification/) (`http_request_late_transform`) - - - - - - - - - - - - - - - - - - - - - - - - - - -
Field nameDescriptionExample value

cf.sequence.current_op
`String`

 -

This field contains the ID of the operation that matches the current request. If the current request does not match any operations defined in Endpoint Management, it will be an empty string.

-

c821cc00

cf.sequence.previous_ops
`Array`

 -

This field contains an array of the prior operation IDs in the sequence, ordered from most to least recent. It does not include the current request.

If an operation is repeated, it will appear multiple times in the sequence.

-

["f54dac32", "c821cc00", "a37dc89b"]

cf.sequence.msec_since_op
`Map`

 -

This field contains a map where the keys are operation IDs and the values are the number of milliseconds since that operation has most recently occurred.

This does not include the current request or operation as it only factors in previous operations in the sequence.

-

`{"f54dac32": 1000, "c821cc00": 2000}`

+ ### Example rules diff --git a/src/content/partials/bots/sequence-rules-availability.mdx b/src/content/partials/bots/sequence-rules-availability.mdx new file mode 100644 index 00000000000000..c4d5e4b814e5f3 --- /dev/null +++ b/src/content/partials/bots/sequence-rules-availability.mdx @@ -0,0 +1,44 @@ +--- +{} + +--- + +These sequence fields are available in: + +- [Custom rules](/waf/custom-rules/) (`http_request_firewall_custom` phase) +- [Rate limiting rules](/waf/rate-limiting-rules/) (`http_request_ratelimit`) +- [Bulk redirects](/workers/examples/bulk-redirects/) (`http_request_redirect`) +- [HTTP request header modification rules](/rules/transform/response-header-modification/) (`http_request_late_transform`) + + + + + + + + + + + + + + + + + + + + + + + + + + +
Field nameDescriptionExample value

cf.sequence.current_op
`String`

 +

This field contains the ID of the operation that matches the current request. If the current request does not match any operations defined in Endpoint Management, it will be an empty string.

+

c821cc00

cf.sequence.previous_ops
`Array`

 +

This field contains an array of the prior operation IDs in the sequence, ordered from most to least recent. It does not include the current request.

If an operation is repeated, it will appear multiple times in the sequence.

+

["f54dac32", "c821cc00", "a37dc89b"]

cf.sequence.msec_since_op
`Map`

 +

This field contains a map where the keys are operation IDs and the values are the number of milliseconds since that operation has most recently occurred.

This does not include the current request or operation as it only factors in previous operations in the sequence.

+

`{"f54dac32": 1000, "c821cc00": 2000}`

\ No newline at end of file