Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Configuring WAF rule sets

Written by
Updated at September 24, 2025

  1. In the management console, select the folder containing the WAF profile.

  2. In the list of services, select Smart Web Security.

  3. In the left-hand panel, select WAF profiles.

  4. Select the profile where you want to configure rule sets.

  5. Next to the set, click Configure.

  6. To configure your OWASP set:

    1. Set the Anomaly threshold, which is the total anomaly score of triggered rules that results in blocking the request.

      We recommend that you start with an anomaly threshold of 25 and gradually reduce it to 5. To reduce the anomaly threshold, address WAF false positives triggered by legitimate requests. To do so, select rules from the basic set and configure exclusion rules.

      Use Only logging (dry run) mode to test anomaly thresholds. The mode gets activated when you add a WAF rule to the security profile.

    2. Set the Paranoia level.

      The paranoia level classifies rules based on how aggressive they are. The higher the paranoia level, the better the protection, but also the greater the risk of WAF false positives.

    3. Check the rules you included in the set. Add or delete them as needed. When using rules, pay attention to their anomaly scores and paranoia levels.

      You can configure any rule in the set to block requests. Requests matching such a rule get blocked regardless of the anomaly threshold you set. To turn a rule into a blocking one, click on its right. Still, if you enabled Only logging (dry run) mode in the security profile, requests will not get blocked.

  7. To configure your Yandex Ruleset:

    1. Enable the rule groups you want to apply as part of the set.

      In Yandex Ruleset, you can configure each rule group individually.

    2. Expand and specify the parameters for each rule group you enabled:

      1. Optionally, change Anomaly threshold from 1 to 10,000. The default value is 7, since the Yandex Ruleset produces the fewest false positives.

      2. Select the When threshold is exceeded action to perform on a request in this case. Currently, only request blocking is available.

      3. Disable the rules you do not want to apply as part of the set.

      4. If you want a rule to immediately block the request regardless of its total anomaly, click to the right of the rule.

  8. To configure your Yandex ML Ruleset:

    1. Enable the rules you want to apply as part of the set.
    2. Optionally, change Anomaly threshold from 1 to 100. The default value is 90. A low anomaly threshold may result in frequent false positives.

  9. Click Save settings.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

You can dynamically enable all rules in the basic set if their paranoia level is not higher than the value defined in the user variable. You can manually edit the settings of dynamically configured rules. For example, you can turn a rule into a blocking one and enable a rule with the paranoia level higher than the one defined in the variable.

  1. Open the Terraform configuration file and edit the yandex_sws_waf_profile description: add either the rule section with a security rule or the dynamic "rule" section with dynamically configured rules.

    # In the basic set, rules of this paranoia level and below will be enabled
locals {
  waf_paranoia_level = 1
}

# OWASP Core Rule Set data source
data "yandex_sws_waf_rule_set_descriptor" "owasp4" {
  name    = "OWASP Core Ruleset"
  version = "4.0.0"
}

# WAF profile
resource "yandex_sws_waf_profile" "default" {
  name = "<WAF_profile_name>"

  # Basic rule set
  core_rule_set {
    inbound_anomaly_score = 2
    paranoia_level        = local.waf_paranoia_level
    rule_set {
      name    = "OWASP Core Ruleset"
      version = "4.0.0"
    }
  }

  # Turning the rule into a blocking one: the request will be blocked regardless of the anomaly threshold
  rule {
    rule_id     = "owasp-crs-v4.0.0-id942330-attack-sqli"
    is_enabled  = true
    is_blocking = true
  }

  # Enabling the rule with paranoia level 4
  rule {
    rule_id     = "owasp-crs-v4.0.0-id920202-protocol-enforcement"
    is_enabled  = true
    is_blocking = false
  }

  # Enabling rules from the basic set if their paranoia level is not higher than the value defined in the waf_paranoia_level variable
  dynamic "rule" {
    for_each = [
      for rule in data.yandex_sws_waf_rule_set_descriptor.owasp4.rules : rule
      if rule.paranoia_level <= local.waf_paranoia_level
    ]
    content {
      rule_id     = rule.value.id
      is_enabled  = true
      is_blocking = false
    }
  }

  analyze_request_body {
    is_enabled        = true
    size_limit        = 8
    size_limit_action = "IGNORE"
  }
}

    Where:

    • dynamic "rule": Dynamically enabling the rules in the basic set if their paranoia level is not higher than the value defined in the waf_paranoia_level variable. You can manually edit the settings of dynamically configured rules. For example, you can turn a rule into a blocking one or enable a rule with the paranoia level higher than the one defined in the variable.
      • rule_id: Rule ID.
      • is_enabled: Flag to enable or disable a rule.
      • is_blocking: Blocking rule flag.

    For more information about sws_waf_profile properties, see this Terraform provider article.

  2. Create the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

You can check the resource update in the management console.

Use the update REST API method for the WafProfile resource or the WafProfile/Update gRPC API call.

Each time you update or add WAF profile rules, enable the Only logging mode. Activate a rule only after the logs confirm that it works correctly. This way you will avoid false positives and ensure stable operation of your website or web application.

See also

Previous
Deleting a profile
Next
Getting information about a rule set