Update override-expressions.mdx

omer-cloudflare · web-flow · commit 1233fb16df1c · 2025-06-02T09:59:20.000+01:00
Added clarification about the known limitation of the usage of expression filters in Network-layer DDoS Managed Rules.
diff --git a/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx b/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx
@@ -39,6 +39,7 @@ Refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/
 ## Important remarks
 
 - Each expression is limited to 4,000 characters, which means you can enter approximately a maximum of 200 IP addresses in a single expression. However, you can enter IP addresses in CIDR format, which allows you to include a larger number of IP addresses. For example, you can use `192.0.0.0/24` to match IP addresses from `192.0.0.0` to `192.0.0.255`.
-- An expression is not an <GlossaryTooltip term="allowlist">allowlist</GlossaryTooltip> and does not become part of the attack fingerprint. The expression applies to the scope of the override and is used right before applying a mitigation action, to determine if the sensitivity level and action need to be adjusted.<br/>
+- An expression is not an <GlossaryTooltip term="allowlist">allowlist</GlossaryTooltip>. The expression is applied to the the mitigation and not to the detection. This means that only if the attack fingerprint that was generated to mitigate the attack contains a field from the user expression, it will take affect. A most common case is the desire to allowlist source IP addresses. But unfortunately, in most cases, the fingerprint does not contain the source IP addressess as DDoS attacks tend to be distributed. 
+<br/>
 
   For example, if you have an expression matching <GlossaryTooltip term="data packet">packets</GlossaryTooltip> with a specific source IP address and the override sets the sensitivity level to low, this override will only lower the sensitivity level for traffic that comes directly from that source IP address. If the DDoS protection system detects an attack coming from many source IP addresses targeted at a single destination IP and port, the generated fingerprint will only match the common criteria of the attack which, in this example, does not include the source IP address. The system will trigger the required mitigation actions at the default high sensitivity level because the traffic did not come from the user-provided source IP address. Therefore, traffic from the source IP in the override expression may still be blocked because the fingerprint only contains the destination IP address and port of the attack.
