© 2025 Direct Cursus Technology L.L.C.

WAF profiles

Written by
Yandex Cloud
Updated at February 7, 2025

To protect your web apps from external threats, Yandex Smart Web Security implements a Web Application Firewall (WAF).

WAF analyzes a web app's incoming HTTP requests according to pre-configured rules. Based on the analysis results, certain actions are applied to HTTP requests.

You can manage WAF using a WAF profile, which connects to the security profile as a separate rule.

For more information about connecting to a security profile, see Create and connect a WAF profile.

The following settings are available in the WAF profile:

  • Basic rule set
  • Exclusion rules

Basic rule set

The WAF profile offers a basic rule set called OWASP Core Rule Set. The set was developed by the Open Worldwide Application Security Project (OWASP) to protect against the vulnerabilities listed in the OWASP Top 10. The OWASP Core Rule Set consists of rules designed to detect malicious actions, including malicious file uploads, potential SQL injection attacks, DoS attempts, code injection attempts, and many more. For more information, see the OWASP Core Rule Set repository on GitHub.

Other basic rule sets will become available soon.

In the basic rule set settings, you can select specific request analysis rules. Each rule has an anomaly value and a paranoia level assigned.

Anomaly

Each rule from the set is assigned a numeric anomaly value, i.e., a potential attack indicator. The higher this value, the more likely it is that the request that satisfies this rule is in fact an attack.

You can set an anomaly threshold for the whole rule set, i.e., the sum of anomaly values of the triggered rules that will block the request. The possible threshold values are from 2 to 10,000.

We recommend starting with an anomaly threshold of 25 and gradually reducing it to 5. To reduce the anomaly threshold, address WAF false positives triggered by legitimate requests. To do so, select rules from the basic set and configure exclusion rules. You can use the Only logging (dry-run) mode in the security profile to test various anomaly thresholds.

You can turn any rule from the set into a blocking one. A request that satisfies such a rule will be blocked regardless of the anomaly threshold you specified. If the Only logging (dry-run) mode is enabled in the security profile, requests will not be blocked even if they satisfy the blocking rules.

Paranoia level

Paranoia level classifies rules based on how aggressive they are. The higher the paranoia level, the better the protection, but also the higher the probability of WAF false positives.

In the basic rule set settings, you can configure the overall paranoia level and thus quickly enable all rules at this paranoia level or lower.

Exclusion rules

Exclusion rules are intended to prevent WAF false positives triggered by legitimate requests.

You can configure skipping specific rules or all rules in a given set.

You can configure trigger conditions for each exclusion rule. If you use several conditions of different types, they all must be satisfied for the exclusion rule to trigger. If no conditions are specified, the exclusion rule will apply to all traffic.
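
The decision logic described in the sections above (anomaly threshold, blocking rules, paranoia level, exclusion rules, dry-run), modeled as an added Python example that is not Yandex Cloud code or its API. The rule IDs, anomaly values, sample request, and the `>=` threshold comparison are constructed assumptions, and which rules a request matches is taken as given input.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    rule_id: str
    anomaly: int            # anomaly value added to the score when the rule triggers
    paranoia: int           # paranoia level the rule is assigned
    blocking: bool = False  # rule turned into a blocking one

@dataclass(frozen=True)
class Exclusion:
    conditions: tuple = ()                # no conditions: applies to all traffic
    rule_ids: Optional[frozenset] = None  # None: skip every rule in the set

    def applies(self, request):
        # Conditions of different types must all be satisfied.
        return all(cond(request) for cond in self.conditions)

def evaluate(request, matched, rules, paranoia_level, threshold,
             exclusions=(), dry_run=False):
    """Return (score, verdict); matched = IDs of rules the request satisfied."""
    skipped = set()
    for ex in exclusions:
        if ex.applies(request):
            skipped |= {r.rule_id for r in rules} if ex.rule_ids is None else ex.rule_ids
    triggered = [r for r in rules if r.rule_id in matched
                 and r.paranoia <= paranoia_level and r.rule_id not in skipped]
    score = sum(r.anomaly for r in triggered)
    # Assumptions: a score reaching the threshold blocks the request, and a
    # skipped rule contributes nothing even if it is marked as blocking.
    hit = score >= threshold or any(r.blocking for r in triggered)
    if not hit:
        return score, "allow"
    return score, ("log-only" if dry_run else "block")

# Constructed rule set and a legitimate request that causes false positives.
RULES = [
    Rule("sqli-basic", 5, 1),
    Rule("sqli-strict", 5, 2),
    Rule("xss-basic", 5, 1),
    Rule("rce-shell", 5, 1, blocking=True),
]
CMS_EDIT = {"path": "/admin/editor", "method": "POST"}
CMS_MATCHED = {"sqli-basic", "sqli-strict", "xss-basic"}
EDITOR_EXCLUSION = Exclusion(
    conditions=(lambda r: r["path"].startswith("/admin/editor"),
                lambda r: r["method"] == "POST"),
    rule_ids=frozenset({"sqli-basic", "sqli-strict"}))
```

With this constructed data, the editor request scores 15 at paranoia level 2 and 5 once the exclusion applies, so a threshold of 10 stops flagging it while the same payload sent to another path is still blocked. An `Exclusion()` with no conditions and no rule list skips every rule for all traffic, which is why exclusions should be scoped as narrowly as the false positive allows.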

See also

  • Create and connect a WAF profile
