Skip to content

Update override-expressions.mdx #22824

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Jun 5, 2025
+4 −1
Merged

Update override-expressions.mdx #22824

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
1233fb1
Update override-expressions.mdx
omer-cloudflare Jun 2, 2025
221dbf8
Update override-expressions.mdx
omer-cloudflare Jun 2, 2025
fbaec66
Update src/content/docs/ddos-protection/managed-rulesets/network/over…
patriciasantaana Jun 2, 2025
acdd253
Apply suggestions from code review
patriciasantaana Jun 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ Refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/
## Important remarks

- Each expression is limited to 4,000 characters, which means you can enter approximately a maximum of 200 IP addresses in a single expression. However, you can enter IP addresses in CIDR format, which allows you to include a larger number of IP addresses. For example, you can use `192.0.0.0/24` to match IP addresses from `192.0.0.0` to `192.0.0.255`.
- An expression is not an <GlossaryTooltip term="allowlist">allowlist</GlossaryTooltip> and does not become part of the attack fingerprint. The expression applies to the scope of the override and is used right before applying a mitigation action, to determine if the sensitivity level and action need to be adjusted.<br/>
- An expression is not an <GlossaryTooltip term="allowlist">allowlist</GlossaryTooltip>. The expression is applied to the the mitigation and not to the detection. This means that only if the attack fingerprint that was generated to mitigate the attack contains a field from the user expression, it will take affect. A most common case is the desire to allowlist source IP addresses. But unfortunately, in most cases, the fingerprint does not contain the source IP addressess as DDoS attacks tend to be distributed.
<br/>

For example, if you have an expression matching <GlossaryTooltip term="data packet">packets</GlossaryTooltip> with a specific source IP address and the override sets the sensitivity level to low, this override will only lower the sensitivity level for traffic that comes directly from that source IP address. If the DDoS protection system detects an attack coming from many source IP addresses targeted at a single destination IP and port, the generated fingerprint will only match the common criteria of the attack which, in this example, does not include the source IP address. The system will trigger the required mitigation actions at the default high sensitivity level because the traffic did not come from the user-provided source IP address. Therefore, traffic from the source IP in the override expression may still be blocked because the fingerprint only contains the destination IP address and port of the attack.