Configuring WAF Rules and Policies

Effective WAF configuration balances security with application functionality. Overly restrictive rules produce false positives that block legitimate users, while lenient configurations let attacks through. The balance is reached iteratively rather than by choosing a setting once: deploy a baseline rule set, watch what it flags on real traffic, and tune it with narrowly scoped exclusions (one rule, one endpoint, one parameter) instead of disabling whole rule groups.

Start with a baseline configuration using pre-built rule sets:

# ModSecurity Core Rule Set (CRS) installation
# Pin a tagged release instead of tracking the main branch (v4.0.0 is shown as an example tag)
git clone --depth 1 --branch v4.0.0 https://github.com/coreruleset/coreruleset.git /etc/modsecurity/crs
cp /etc/modsecurity/crs/crs-setup.conf.example /etc/modsecurity/crs/crs-setup.conf
# The two exclusion files are where site-specific tuning lives: BEFORE-CRS for runtime (ctl:) exclusions,
# AFTER-CRS for SecRuleRemove*/SecRuleUpdate* directives, which can only modify rules already loaded
cp /etc/modsecurity/crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /etc/modsecurity/crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp /etc/modsecurity/crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /etc/modsecurity/crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

# Basic configuration (mod_security2 directives; use SecRuleEngine DetectionOnly while tuning a new deployment)
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject
SecPcreMatchLimit 100000
SecPcreMatchLimitRecursion 100000
# Persistent collection storage, required by the initcol/setvar ip.* rate-limit rules below; must be writable by the web server user
SecDataDir /var/cache/modsecurity
# Load the CRS setup file first, then the rules; without these Includes the rule set cloned above is never loaded
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf
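Tuning the baseline means finding out which rules fire on legitimate traffic before any exclusion is written into the REQUEST-900 file. The script below is an added example for this page, not code from the page, ModSecurity or the CRS project: it parses the alert lines ModSecurity 2.x writes to the Apache error log (constructed sample lines are embedded; the hostnames, addresses and unique_ids are hypothetical), groups them by rule ID, URI and matched variable, treats groups hit from several distinct client addresses as false-positive candidates, and renders a ctl:ruleRemoveTargetById exclusion scoped to that URI and variable for each. The min_clients threshold and the start_id for the generated rules are the script's own parameters.

```python
"""Triage ModSecurity alerts in an Apache error log to spot likely false positives.

Added example, not part of the page, ModSecurity or the CRS. It parses the
[key "value"] fields ModSecurity 2.x writes per alert, groups alerts by rule ID,
URI and matched variable, and flags groups seen from many distinct client
addresses: one attacker tripping a rule is expected, but the same rule firing on
the same parameter for many ordinary users usually means a false positive.
"""
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical hosts, addresses and unique_ids).
SAMPLE_LOG = """\
[Mon Mar 04 09:12:00.000000 2024] [mpm_event:notice] [pid 2200] AH00489: Apache/2.4.58 (Unix) configured -- resuming normal operations
[Mon Mar 04 09:12:01.118273 2024] [:error] [pid 2211] [client 203.0.113.10:51234] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1c' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1c found within ARGS:q: select all reports"] [severity "CRITICAL"] [tag "attack-sqli"] [hostname "shop.example.com"] [uri "/api/search"] [unique_id "Ze1A0001"]
[Mon Mar 04 09:12:04.220011 2024] [:error] [pid 2211] [client 203.0.113.11:40012] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1c' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1c found within ARGS:q: select sizes"] [severity "CRITICAL"] [tag "attack-sqli"] [hostname "shop.example.com"] [uri "/api/search"] [unique_id "Ze1A0002"]
[Mon Mar 04 09:12:09.004530 2024] [:error] [pid 2212] [client 203.0.113.12:40877] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'o&1c' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: o&1c found within ARGS:q: order by date"] [severity "CRITICAL"] [tag "attack-sqli"] [hostname "shop.example.com"] [uri "/api/search"] [unique_id "Ze1A0003"]
[Mon Mar 04 09:12:15.770201 2024] [:error] [pid 2212] [client 198.51.100.7:55120] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'Uo' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: Uo found within ARGS:q: union jack flag"] [severity "CRITICAL"] [tag "attack-sqli"] [hostname "shop.example.com"] [uri "/api/search"] [unique_id "Ze1A0004"]
[Mon Mar 04 09:12:20.101010 2024] [:error] [pid 2213] [client 192.0.2.66:61000] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1c' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1c found within ARGS:username: admin' or 1=1--"] [severity "CRITICAL"] [tag "attack-sqli"] [hostname "shop.example.com"] [uri "/login"] [unique_id "Ze1A0005"]
[Mon Mar 04 09:12:21.303030 2024] [:error] [pid 2213] [client 192.0.2.66:61002] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1c' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1c found within ARGS:username: admin' or '1'='1"] [severity "CRITICAL"] [tag "attack-sqli"] [hostname "shop.example.com"] [uri "/login"] [unique_id "Ze1A0006"]
[Mon Mar 04 09:13:02.500000 2024] [:error] [pid 2211] [client 203.0.113.10:51240] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:body: <p>Nice post, <b>thanks</b></p>"] [severity "CRITICAL"] [tag "attack-xss"] [hostname "shop.example.com"] [uri "/api/comments"] [unique_id "Ze1A0007"]
[Mon Mar 04 09:13:10.600000 2024] [:error] [pid 2212] [client 203.0.113.20:42001] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:body: <i>agreed</i>"] [severity "CRITICAL"] [tag "attack-xss"] [hostname "shop.example.com"] [uri "/api/comments"] [unique_id "Ze1A0008"]
[Mon Mar 04 09:13:18.700000 2024] [:error] [pid 2213] [client 203.0.113.21:42555] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:body: <ul><li>one</li></ul>"] [severity "CRITICAL"] [tag "attack-xss"] [hostname "shop.example.com"] [uri "/api/comments"] [unique_id "Ze1A0009"]
[Mon Mar 04 09:14:00.000100 2024] [:error] [pid 2211] [client 192.0.2.66:61010] ModSecurity: Warning. Pattern match at REQUEST_HEADERS:Host. [file "/etc/modsecurity/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "700"] [id "920350"] [msg "Host header is a numeric IP address"] [data "Matched Data: 203.0.113.5 found within REQUEST_HEADERS:Host: 203.0.113.5"] [severity "WARNING"] [tag "attack-protocol"] [hostname "203.0.113.5"] [uri "/"] [unique_id "Ze1A0010"]
"""

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')      # [id "942100"], [uri "/x"], ...
CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})")  # [client 203.0.113.10:51234]
VAR_RE = re.compile(r"found within ([A-Za-z_]+(?::[^\s:]+)?)")  # ARGS:q, REQUEST_HEADERS:Host

def parse_alerts(log_text):
    """Return one dict per ModSecurity alert line; other error-log lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if "id" not in fields:
            continue
        client = CLIENT_RE.search(line)
        var = VAR_RE.search(fields.get("data", ""))
        alerts.append({
            "id": fields["id"],
            "uri": fields.get("uri", ""),
            "msg": fields.get("msg", ""),
            "client": client.group(1) if client else "unknown",
            "var": var.group(1) if var else None,
        })
    return alerts

def find_candidates(alerts, min_clients=3):
    """Group alerts by (rule id, uri, matched variable); keep groups hit from >= min_clients addresses."""
    groups = defaultdict(lambda: {"hits": 0, "clients": set(), "msg": ""})
    for a in alerts:
        g = groups[(a["id"], a["uri"], a["var"])]
        g["hits"] += 1
        g["clients"].add(a["client"])
        g["msg"] = a["msg"]
    candidates = [
        {"id": rid, "uri": uri, "var": var, "hits": g["hits"],
         "clients": len(g["clients"]), "msg": g["msg"]}
        for (rid, uri, var), g in groups.items()
        if len(g["clients"]) >= min_clients
    ]
    # Most widely triggered first: one rule fired by many clients on one endpoint is the strongest signal
    return sorted(candidates, key=lambda c: (-c["clients"], -c["hits"], c["id"]))

def exclusion_directives(candidates, start_id=10001):
    """Render one runtime exclusion per candidate for REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.

    Each exclusion is scoped to the URI and, where the log named the variable, to that
    variable only, so the CRS rule keeps protecting every other parameter on the site.
    start_id must not collide with your other local rules (1-99,999 is the local range).
    """
    blocks = []
    for n, c in enumerate(candidates):
        rule_id, uri, var = c["id"], c["uri"], c["var"]
        action = f"ctl:ruleRemoveTargetById={rule_id};{var}" if var else f"ctl:ruleRemoveById={rule_id}"
        blocks.append("\n".join([
            f"# {c['msg']}: {c['hits']} hits from {c['clients']} clients on {uri}",
            f'SecRule REQUEST_FILENAME "@streq {uri}" \\',
            f'    "id:{start_id + n},\\',
            "    phase:1,\\",
            "    pass,\\",
            "    nolog,\\",
            f'    {action}"',
        ]))
    return "\n\n".join(blocks)

if __name__ == "__main__":
    found = find_candidates(parse_alerts(SAMPLE_LOG))
    for c in found:
        print(f"{c['id']} {c['uri']} {c['var']}: {c['hits']} hits, {c['clients']} distinct clients")
    print()
    print(exclusion_directives(found))
```

Run it over a real error log with `parse_alerts(open(path).read())`. In the sample, rule 942100 on `/api/search` (four ordinary search queries that happen to contain SQL keywords) and 941100 on `/api/comments` (rich-text comments) come out as candidates, while the two 942100 hits on `/login` from one address and the single 920350 hit do not. Treat the output as a worklist, not as something to paste blindly: a distributed attack also looks like many clients, so read the matched data for each group before committing an exclusion.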

Implement custom rules for specific applications:

# Block SQL injection in a specific parameter. Rule IDs: 1-99,999 is the range ModSecurity reserves for
# local rules (100,000-199,999 belongs to the engine, 900,000-999,999 to the CRS); IDs must be unique.
# The `block` action defers to SecDefaultAction, which the CRS sets to `pass` (anomaly scoring mode),
# so a rule that should stop the request on its own needs deny with an explicit status.
SecRule ARGS:username "@detectSQLi" \
    "id:1001,\
    phase:2,\
    deny,\
    status:403,\
    log,\
    msg:'SQL Injection Attack in username parameter',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    severity:'CRITICAL',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli'"

# Allow larger request bodies on the upload endpoint only (ctl:requestBodyLimit must run in phase 1,
# before the body is read). REQUEST_FILENAME is the normalised path without the query string, so the
# match cannot be satisfied by a crafted query string on another endpoint.
SecRule REQUEST_FILENAME "@beginsWith /api/upload" \
    "id:1002,\
    phase:1,\
    pass,\
    nolog,\
    ctl:requestBodyLimit=52428800"

# Rate limiting for login attempts. Persistent IP counters need SecDataDir configured and the collection
# opened with initcol before setvar:ip.* has any effect. Behind a reverse proxy REMOTE_ADDR is the
# proxy's address, so every client would share one counter; use the real client address there instead.
SecAction \
    "id:1003,\
    phase:1,\
    pass,\
    nolog,\
    initcol:ip=%{REMOTE_ADDR}"

# Count POSTs to the login endpoint per client address; the counter expires 60 s after its last increment
SecRule REQUEST_FILENAME "@streq /login" \
    "id:1004,\
    phase:2,\
    pass,\
    nolog,\
    chain"
    SecRule REQUEST_METHOD "@streq POST" \
        "setvar:ip.login_attempt=+1,\
        expirevar:ip.login_attempt=60"

# More than 5 attempts in the window: reject every further request from that address until the counter expires
SecRule IP:login_attempt "@gt 5" \
    "id:1005,\
    phase:2,\
    deny,\
    status:429,\
    log,\
    msg:'Login attempt rate limit exceeded',\
    severity:'WARNING'"
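Custom rules accumulate across files, and two mistakes are easy to make while writing them: reusing an ID (ModSecurity refuses to start when two rules share one) and picking an ID from a range the reference manual reserves for the engine or for third-party rule publishers. The checker below is an added example, not ModSecurity's own tooling and not code from this page: it joins backslash-continued lines, pulls the id: action out of each SecRule/SecAction (skipping the id-less members of a chain), and reports duplicates, missing IDs and IDs outside the local ranges. The ranges it knows (1-99,999 and 1,000,000 upward as local, everything from 100,000 to 999,999 as reserved, with 900,000-999,999 being the CRS block) come from the ModSecurity reference manual; the sample rules file embedded in the script is constructed.

```python
"""Lint a ModSecurity rules file for duplicate, missing and reserved rule IDs.

Added example for this page, not ModSecurity's own tooling. ModSecurity refuses to
start when two rules share an ID, and the reference manual reserves the blocks
between 100,000 and 999,999 for the engine and third-party publishers (the CRS
owns 900,000-999,999); 1-99,999 and 1,000,000 upward are free for local rules.
"""
import re

LOCAL_RANGES = ((1, 99_999), (1_000_000, None))  # (low, high); None means open-ended
DIRECTIVE_RE = re.compile(r"^\s*(SecRule|SecAction)\b")
ID_RE = re.compile(r"\bid:'?(\d+)'?")
CHAIN_RE = re.compile(r"\bchain\b")   # crude: also matches the word inside a msg: string

# Constructed sample rules file (hypothetical), mixing sound and faulty IDs.
SAMPLE_RULES = r"""
# custom rules for shop.example.com
SecRule ARGS:username "@detectSQLi" \
    "id:100001,\
    phase:2,\
    deny,status:403,\
    msg:'SQL Injection Attack in username parameter'"

SecRule REQUEST_FILENAME "@beginsWith /api/upload" \
    "id:1002,phase:1,pass,nolog,ctl:requestBodyLimit=52428800"

SecRule REQUEST_FILENAME "@streq /login" \
    "id:1003,phase:2,pass,nolog,chain"
    SecRule REQUEST_METHOD "@streq POST" \
        "setvar:ip.login_attempt=+1,expirevar:ip.login_attempt=60"

SecRule IP:login_attempt "@gt 5" \
    "id:1002,phase:2,deny,status:429,msg:'Login attempt rate limit exceeded'"

SecAction "phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"
"""

def logical_lines(text):
    """Yield (first line number, text) with trailing-backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:                      # file ended inside a continuation
        yield start, " ".join(buf)

def is_local(rule_id):
    """True when rule_id lies in a range meant for site-specific rules."""
    return any(lo <= rule_id and (hi is None or rule_id <= hi) for lo, hi in LOCAL_RANGES)

def lint_rules(text):
    """Return (line, id, problem) findings; an empty list means the file is clean."""
    seen, findings, expect_chain = {}, [], False
    for line_no, logical in logical_lines(text):
        if not DIRECTIVE_RE.match(logical):
            continue
        chained, expect_chain = expect_chain, bool(CHAIN_RE.search(logical))
        if chained:              # a continuation of a chain carries no id of its own
            continue
        m = ID_RE.search(logical)
        if not m:
            findings.append((line_no, None, "rule has no id: action"))
            continue
        rule_id = int(m.group(1))
        if rule_id in seen:
            findings.append((line_no, rule_id, f"duplicate of id on line {seen[rule_id]}"))
        else:
            seen[rule_id] = line_no
        if not is_local(rule_id):
            findings.append((line_no, rule_id, "id outside the local ranges (1-99999, >=1000000)"))
    return findings

if __name__ == "__main__":
    for line_no, rule_id, problem in lint_rules(SAMPLE_RULES):
        print(f"line {line_no}: id {rule_id}: {problem}")
```

On the embedded sample it reports the 100001 rule as reserved-range, the second use of 1002 as a duplicate of the first, and the SecAction with no id: action. Point it at your own rule files (`lint_rules(open(path).read())`) before a reload; a duplicate caught here is a duplicate that does not take the web server down on restart.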