Configuring a WAF basic rule set

Written by

Updated at December 20, 2024

Management console

Terraform

In the management console, select the folder the WAF profile is in.
In the list of services, select Smart Web Security.
In the left-hand panel, select WAF profiles.
Select the profile to configure a basic rule set in.
Click Configure basic rule set.
Set the Anomaly threshold, which is the sum of anomaly values of the triggered rules that will block the request.

We recommend to start with the anomaly threshold of 25 and gradually reduce it to 5. To reduce the anomaly threshold, address WAF false positives triggered by legitimate requests. To do so, select rules from the basic set and configure exclusion rules.

Use Only logging (dry run) mode to test anomaly thresholds. The mode is activated when you add a WAF rule to the security profile.
Install Paranoia level.

Paranoia level classifies rules according to their aggression. The higher the paranoia level, the better your protection, but also the higher the probability of WAF false positives.
Check the rules you included in the set. Add or delete them as needed. When using rules, pay attention to their anomaly values and paranoia levels.

You can turn any rule from the set into a blocking rule. A request that satisfies such a rule will be blocked regardless of the anomaly threshold you specified. To turn a rule into a blocking rule, click to the right of it. If Only logging (dry run) mode is enabled in the security profile, requests will not get blocked.
Click Save settings.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

You can dynamically activate all the basic set rules if their paranoia level is not higher than specified in the user variable. You can manually edit the parameters of dynamically configured rules. For example, you can turn a rule into a blocking one and activate a rule with paranoia level higher than specified in the variable.

Open the Terraform configuration file and edit the fragment with yandex_sws_waf_profile description: add either a section named rule with a security rule or a section named dynamic "rule" with dynamically configured rules.

# In the basic set, rules of this paranoia level and below will be active
locals {
  waf_paranoia_level = 1
}

# OWASP Core Rule Set data source
data "yandex_sws_waf_rule_set_descriptor" "owasp4" {
  name    = "OWASP Core Ruleset"
  version = "4.0.0"
}

# WAF profile
resource "yandex_sws_waf_profile" "default" {
  name = "<WAF_profile_name>"

  # Basic rule set
  core_rule_set {
    inbound_anomaly_score = 2
    paranoia_level        = local.waf_paranoia_level
    rule_set {
      name    = "OWASP Core Ruleset"
      version = "4.0.0"
    }
  }

  # Turning the rule into a blocking one: the request will be blocked regardless of the anomaly threshold
  rule {
    rule_id     = "owasp-crs-v4.0.0-id942330-attack-sqli"
    is_enabled  = true
    is_blocking = true
  }

  # Turning the rule with paranoia level 4 into an active one
  rule {
    rule_id     = "owasp-crs-v4.0.0-id920202-protocol-enforcement"
    is_enabled  = true
    is_blocking = false
  }

  # Activating rules from the basic set if their paranoia level is not higher than specified in the waf_paranoia_level variable
  dynamic "rule" {
    for_each = [
      for rule in data.yandex_sws_waf_rule_set_descriptor.owasp4.rules : rule
      if rule.paranoia_level <= local.waf_paranoia_level
    ]
    content {
      rule_id     = rule.value.id
      is_enabled  = true
      is_blocking = false
    }
  }

  analyze_request_body {
    is_enabled        = true
    size_limit        = 8
    size_limit_action = "IGNORE"
  }
}

Where:

dynamic "rule": Dynamic activation of rules from the basic set if their paranoia level is not higher than specified in the waf_paranoia_level variable. You can manually edit the parameters of dynamically configured rules. For example, you can turn a rule into a blocking one or activate a rule with paranoia level higher than specified in the variable.
- rule_id: Rule ID.
- is_enabled: Flag to enable or disable a rule.
- is_blocking: Blocking rule flag.

For more information about the sws_waf_profile resource parameters in Terraform, see the relevant provider documentation.

Create resources:
1. In the terminal, change to the folder where you edited the configuration file.
2. Make sure the configuration file is correct using the command:
```
terraform validate
```
  If the configuration is correct, the following message is returned:
```
Success! The configuration is valid.
```
3. Run the command:
```
terraform plan
```
  The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
4. Apply the configuration changes:
```
terraform apply
```
5. Confirm the changes: type yes in the terminal and press Enter.

You can check the updates of your resources in the management console.

Configuring a WAF basic rule set

See also

Was the article helpful?

Configuring a WAF basic rule set

See alsoSee also

Was the article helpful?

See also