From c8a3f84cbeb57e74d728863eb59e9d27f236f73e Mon Sep 17 00:00:00 2001 From: omer-cloudflare <103426341+omer-cloudflare@users.noreply.github.com> Date: Fri, 6 Jun 2025 01:08:57 +0100 Subject: [PATCH 1/2] Update override-expressions.mdx Clarified the expressions section. --- .../managed-rulesets/network/override-expressions.mdx | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx b/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx index 04ba2eabfe9552..5bd3a2a5885266 100644 --- a/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx +++ b/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx 
@@ -39,9 +39,8 @@ Refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/ ## Important remarks - Each expression is limited to 4,000 characters, which means you can enter approximately a maximum of 200 IP addresses in a single expression. However, you can enter IP addresses in CIDR format, which allows you to include a larger number of IP addresses. For example, you can use `192.0.0.0/24` to match IP addresses from `192.0.0.0` to `192.0.0.255`. -Rather than being applied when attacks are detected, the override is applied to the mitigation rule that is created to block malicious packets. This means the override will only take effect if the attack fingerprint generated for mitigation includes the specific fields referenced in your override expression. +- Override expressions are not allowlists. They apply to the mitigation, not detection. This means an override only takes effect if the attack fingerprint—as generated by the DDoS Managed Rules—includes the same fields specified in your expression. -You may create an override to allowlist certain source IP addresses. However, since DDoS attacks are typically distributed across many different source IPs, the attack fingerprint may not include source IP addresses as a distinguishing characteristic. In such cases, the override is not be applied. -
+For example, if you create an override with sensitivity set to `Essentially Off` for `ip.src eq 192.0.2.1`, it only applies if the fingerprint includes ip.src. However, because DDoS attacks are often distributed across many source IPs, the fingerprint may not include ip.src at all. In such cases, your override is ignored. - For example, if you have an expression matching packets with a specific source IP address and the override sets the sensitivity level to low, this override will only lower the sensitivity level for traffic that comes directly from that source IP address. If the DDoS protection system detects an attack coming from many source IP addresses targeted at a single destination IP and port, the generated fingerprint will only match the common criteria of the attack which, in this example, does not include the source IP address. The system will trigger the required mitigation actions at the default high sensitivity level because the traffic did not come from the user-provided source IP address. Therefore, traffic from the source IP in the override expression may still be blocked because the fingerprint only contains the destination IP address and port of the attack. +In a common scenario an attack originating from thousands of IPs targeting can target a single destination IP and port. The fingerprint would focus on the shared attributes—likely just the destination IP and port and additional packet fields that represent the strong signals of the attack pattern. Even if your override matches a specific source IP, it won’t apply if that field isn't in the fingerprint. As a result, the system will mitigate the attack using the default high sensitivity, and traffic from your specified IP could still be blocked. It is therefore recommended to use more stable expressions such as protocol, destination IP and destination port. From 1ad92cc31ba33fff791ebd0ea66308890bb9e41d Mon Sep 17 00:00:00 2001 
From: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> Date: Fri, 6 Jun 2025 08:18:52 -0700 Subject: [PATCH 2/2] Apply suggestions from code review --- .../managed-rulesets/network/override-expressions.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx b/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx index 5bd3a2a5885266..b2f0cdcdb742a0 100644 --- a/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx +++ b/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx 
@@ -39,8 +39,8 @@ Refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/ ## Important remarks - Each expression is limited to 4,000 characters, which means you can enter approximately a maximum of 200 IP addresses in a single expression. However, you can enter IP addresses in CIDR format, which allows you to include a larger number of IP addresses. For example, you can use `192.0.0.0/24` to match IP addresses from `192.0.0.0` to `192.0.0.255`. -- Override expressions are not allowlists. They apply to the mitigation, not detection. This means an override only takes effect if the attack fingerprint—as generated by the DDoS Managed Rules—includes the same fields specified in your expression. +- Override expressions are not allowlists. They apply to the mitigation, not during detection. This means an override only takes effect if the attack fingerprint — as generated by the DDoS managed rules — includes the same fields specified in your expression. -For example, if you create an override with sensitivity set to `Essentially Off` for `ip.src eq 192.0.2.1`, it only applies if the fingerprint includes ip.src. However, because DDoS attacks are often distributed across many source IPs, the fingerprint may not include ip.src at all. In such cases, your override is ignored. +For example, if you create an override with sensitivity set to `Essentially Off` for `ip.src eq 192.0.2.1`, it only applies if the fingerprint includes `ip.src`. However, because DDoS attacks are often distributed across many source IPs, the fingerprint may not include `ip.src` at all. In such cases, your override is not applied. -In a common scenario an attack originating from thousands of IPs targeting can target a single destination IP and port. The fingerprint would focus on the shared attributes—likely just the destination IP and port and additional packet fields that represent the strong signals of the attack pattern. 
Even if your override matches a specific source IP, it won’t apply if that field isn't in the fingerprint. As a result, the system will mitigate the attack using the default high sensitivity, and traffic from your specified IP could still be blocked. It is therefore recommended to use more stable expressions such as protocol, destination IP and destination port. +In a common scenario, an attack originating from thousands of IPs can target a single destination IP and port. The fingerprint would focus on the shared attributes, such as the destination IP, port, and additional packet fields that represent strong signals of the attack pattern. Even if your override matches a specific source IP, it will not apply if that field is not present in the fingerprint. As a result, the system will mitigate the attack using the default high sensitivity, and traffic from your specified IP could still be blocked. It is recommended to use more stable expressions such as protocol, destination IP, and destination port.
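Review bot: In the first patch's hunk, the added line `+In a common scenario an attack originating from thousands of IPs targeting can target a single destination IP and port.` contains a stray word ("targeting can target"); it should read "an attack originating from thousands of IPs can target a single destination IP and port". In the same hunk, `ip.src` appears unformatted in the added "For example" paragraph while `ip.src eq 192.0.2.1` is in backticks; field names should be formatted consistently. Also, both added paragraphs sit at column zero directly after the `+- Override expressions are not allowlists.` list item, so MDX will close the list before them; indent them as continuation lines of that bullet (or drop the bullet) so the example and the scenario render as part of the same remark.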
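Review bot: In the second patch's hunk, the typo, the `ip.src` backticks and the "is not be applied" wording are fixed, but the two explanatory paragraphs still start at column zero after the `+- Override expressions are not allowlists.` bullet, so they continue to render outside the list in MDX; indent them under the bullet to keep the example attached to the remark. The sentence "They apply to the mitigation, not during detection." mixes prepositions; "They apply during mitigation, not during detection." (or "to the mitigation rule, not to detection") is clearer. Since the key point of this remark is that a source-IP override is not applied when the fingerprint does not include `ip.src`, consider moving the closing recommendation (use protocol, destination IP and destination port) into the bullet itself rather than leaving it as the last sentence of the scenario, so readers who skim the list do not treat `ip.src` overrides as an allowlist.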