Web Application Firewalls (WAFs) play a critical role in securing websites and web apps from a wide range of cyber threats. One of the core features of modern WAFs is security rules — the instructions that define what kind of web traffic should be allowed or blocked.
What Are WAF Rules?
WAF rules are sets of conditions or instructions that dictate how a Web Application Firewall handles incoming traffic. They help the WAF decide which requests to allow, which to block, and which to challenge (like asking the user to prove they are human through CAPTCHA).
Proper configuration of WAF rules can drastically reduce the risk of a successful attack. By analyzing HTTP/HTTPS traffic patterns and inspecting various data points (like URLs, request headers, and bodies), WAF rules play a pivotal role in identifying potential threats. They help stop common attack vectors such as:
- SQL Injection (SQLi)
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Remote File Inclusion (RFI)
- Denial-of-Service (DoS) Attacks
Key Elements of WAF Rules
WAF rules are structured with several critical components that determine how they behave in real-time threat detection:
Rule Metadata
Every rule includes:
- Rule ID: Unique identifier for reference and tuning.
- Category: Type of threat (e.g., SQLi, XSS, CSRF).
- Description: Summary of the threat it mitigates.
- Severity: Indicates how serious the threat is if triggered (e.g., High for SQLi, Medium for Directory Listing). Severity helps security teams prioritize incidents based on potential impact.
Match Conditions
These specify what part of an incoming request to inspect:
- Request Headers (e.g., abnormal user-agent values)
- Request URL (e.g., query strings)
- Request Body (e.g., malicious input in form submissions)
Match conditions help identify known patterns like SQL keywords or script tags that indicate an attack.
Rule Actions
Once a rule matches, the WAF can:
- Allow: Let the request through
- Block: Stop the request completely
- Log: Record for visibility and analysis
- Challenge: Present CAPTCHA or other tests (mainly for bots)
Rule Priority
Priority defines the order in which rules are evaluated. Rules with higher priority are checked first, ensuring critical security checks are applied before less urgent ones. Priority governs execution order, while severity helps assess risk.
Types of WAF Rules
1. Predefined WAF Rules (Standard Rules)
Predefined WAF rules (also called default or out-of-the-box rules) are a collection of security rules developed by security vendors based on known vulnerabilities, threat intelligence, and OWASP Top 10 risks. These rules are ready-to-use and can be immediately applied to protect web apps from common threats without manual configuration.
Example:
Rule to Detect SQL Injection in Request Parameters
SecRule ARGS "@rx select.+from" \
"id:1001,phase:2,deny,status:403,t:lowercase,log,msg:'SQL Injection Attempt Detected – SELECT statement in ARGS'"
Explanation:
- SecRule ARGS "@rx select.+from": Checks request parameters (ARGS) for a pattern resembling SQL queries, such as select * from users.
- id:1001: Uniquely identifies this rule for logging and updates.
- phase:2: Executes after the complete request body is read.
- deny,status:403: Blocks the request and responds with HTTP 403 Forbidden.
- t:lowercase: Lowercases the inspected value before the regex runs, so SELECT * FROM is caught as well as select * from (without a transformation the @rx operator is case-sensitive).
- log: Ensures the event is logged for further analysis.
- msg: A descriptive message that makes the log entry understandable.
When a login form on your website receives input crafted to bypass authentication with SQLi, the WAF blocks the request before it reaches your server.
In a managed WAF like AppTrana, security experts actively monitor new threat patterns and fine-tune these rules in real time to keep your applications secure.
Predefined rules are a great start, but they can’t account for every unique behavior or threat pattern in your application. That’s where custom WAF rules step in.
Check out the overview of AppTrana’s rule coverage.
2. Custom WAF Rules
Custom rules are designed to meet the distinct needs of the organization’s environment. These rules can be created on demand to address particular attack vectors, ensuring that security measures are as effective as possible.
These rules are especially useful if you have special functionality on your site or if you’re worried about particular types of attacks that predefined rules don’t address.
For instance, suppose your application has an endpoint like /admin/update-price that is meant only for internal users. A generic rule wouldn’t detect misuse here, but a custom rule can be set to allow access only with specific roles or IPs, blocking anything unusual immediately.
Custom rules can also be used for virtual patching, where organizations can quickly mitigate the impact of open vulnerabilities and/or zero-day vulnerabilities and other emerging threats, without waiting for a code update.
Each custom rule is identified by a rule ID and includes details like name, description, severity, and a list of applications it applies to.
By tailoring the rules to the application’s requirements, custom WAF rules enhance protection, minimize false positives, and ensure that security responses are aligned with the specific threat landscape.
For example: A standard WAF rule detects an iframe tag like the one below as potential XSS and blocks the request.
<iframe src="promo.html"></iframe>
However, these actions are normal for an admin interface. A custom rule can be added to specifically allow these actions in trusted paths (e.g., /wp-admin/editor) while blocking them in public-facing areas, thus preventing false positives without compromising security. Note that the exclusion rule must be loaded ahead of the rule it disables, because ctl:ruleRemoveById only affects rules evaluated after it within the same transaction.
SecRule REQUEST_URI "@beginsWith /wp-admin/editor" \
"id:20001,phase:2,pass,nolog,ctl:ruleRemoveById=981173"
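To show how the SQL injection rule above and this exclusion rule interact, here is an added example that is not AppTrana's or ModSecurity's code: a small Python model of the SecRule subset used on this page, which parses both rules and runs them against constructed requests. Assumptions: rule 981173 is a constructed stand-in for the rule being disabled (the real CRS rule's logic is not reproduced), and the SQLi rule is given t:lowercase so its match is case-insensitive.

```python
import re
# Constructed teaching model (not ModSecurity) of the SecRule subset this page uses: targets
# ARGS / REQUEST_URI, operators @rx / @beginsWith, actions deny, pass, status, t:lowercase,
# ctl:ruleRemoveById. Rules run in load order, as ModSecurity does within one phase.
SECRULE_RE = re.compile(r'SecRule\s+(\S+)\s+"(@\w+)\s+([^"]*)"\s+"([^"]*)"')

def parse_secrule(text):
    """Parse one SecRule (a trailing backslash continues it on the next line) into a dict."""
    m = SECRULE_RE.search(text.replace("\\\n", " "))
    if not m:
        raise ValueError("not a SecRule: " + text)
    target, op, pattern, action_str = m.groups()
    actions = {}
    for item in action_str.split(","):
        key, _, val = item.strip().partition(":")
        actions[key] = val or True          # bare flags (deny, log, pass, nolog) become True
    return {"id": int(actions["id"]), "target": target, "op": op, "pattern": pattern, "actions": actions}

def evaluate(rules, uri, args):
    """Return (verdict, http_status, deciding_rule_id) for one request."""
    disabled = set()
    for r in rules:
        if r["id"] in disabled:
            continue
        values = [uri] if r["target"] == "REQUEST_URI" else list(args.values())
        if r["actions"].get("t") == "lowercase":    # transformation runs before the operator
            values = [v.lower() for v in values]
        hit = any(re.search(r["pattern"], v) if r["op"] == "@rx" else v.startswith(r["pattern"])
                  for v in values)
        if not hit:
            continue
        ctl = str(r["actions"].get("ctl", ""))
        if ctl.startswith("ruleRemoveById="):       # only affects rules loaded after this one
            disabled.add(int(ctl.split("=", 1)[1]))
        if "deny" in r["actions"]:
            return "deny", int(r["actions"].get("status", 403)), r["id"]
    return "allow", 200, None

# Rules 20001 and 1001 follow the page (SQLi rule given t:lowercase); 981173 is a constructed stand-in.
EXCLUSION_RULE = '''SecRule REQUEST_URI "@beginsWith /wp-admin/editor" \\
    "id:20001,phase:2,pass,nolog,ctl:ruleRemoveById=981173"'''
SQLI_RULE = '''SecRule ARGS "@rx select.+from" \\
    "id:1001,phase:2,deny,status:403,t:lowercase,log,msg:'SQL Injection Attempt Detected'"'''
STANDIN_981173 = 'SecRule ARGS "@rx <iframe" "id:981173,phase:2,deny,status:403,t:lowercase"'

def demo():
    rules = [parse_secrule(s) for s in (EXCLUSION_RULE, SQLI_RULE, STANDIN_981173)]
    tag = '<iframe src="promo.html"></iframe>'    # constructed sample inputs
    cases = {"sqli_mixed_case": ("/login", {"user": "x' UNION SELECT pw FROM users--"}),
             "iframe_public": ("/post/comment", {"body": tag}),
             "iframe_admin": ("/wp-admin/editor/page", {"content": tag}),
             "benign": ("/login", {"user": "alice"})}
    return {name: evaluate(rules, uri, args) for name, (uri, args) in cases.items()}
```

Swapping the order of EXCLUSION_RULE and STANDIN_981173 in demo() makes the admin request get blocked again, which is the placement caveat in action.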
Check out how to reduce false positives in WAF.
Advanced Web Application Firewall Rules with AppTrana WAAP
Not all web applications are the same—and neither are their security requirements. AppTrana, a fully managed WAAP platform, offers layered and intelligent rule management to safeguard applications from both known and emerging threats.
It includes a comprehensive set of predefined (core) WAF rules, designed and maintained by security experts. They provide immediate protection against attacks like SQL Injection, Cross-Site Scripting (XSS), Remote File Inclusion, and more—without requiring manual configuration.
For more nuanced protection, especially in complex or high-risk environments, custom rules can be created to match specific business logic, access patterns, or application behavior. These rules go beyond generic protections to secure sensitive endpoints, enforce role-based access, and prevent business logic abuse.
A Powerful Combination: Managed + Self-Service
AppTrana combines 24×7 managed security, expert-driven rule creation, and real-time threat monitoring with self-service rule capabilities. This hybrid approach allows users to take control when needed while still benefiting from expert oversight.
With self-service WAF rules, users can build, modify, and deploy security rules directly from the AppTrana portal. Rule logic, conditions, and actions can be configured through a user-friendly dashboard and applied instantly across selected applications—offering both flexibility and speed in responding to evolving threats.