DOSarrest Security Services
Web Application Firewall
WAF Rules: Reference Table
The table below lists every WAF rule by ID together with the pattern it matches. Use it when working out
what the WAF whitelist does, or when troubleshooting 469 errors (the response returned when the WAF blocks
a request). The list changes periodically; we will notify you of any changes before they take effect. If
legitimate requests to your site contain any of the patterns below, the matching rule must be whitelisted,
otherwise those requests will be blocked by DOSarrest's WAF once the category score reaches its check rule.
The table is broken down by category. For each category the Patterns column shows what the WAF module
matches on, the Score column gives the numeric value added to that category's score on each match, and
the Zones column shows where in the request the pattern is looked for (body, URL, arguments, HTTP
headers, or the extension of an uploaded file).
For each category there is a check rule: a threshold that results in a block when the accumulated
category score reaches or exceeds it. The default check rules are as follows:
SQL Injection: 8
Remote File Inclusion: 8
Directory Traversal: 4
Evading Action: 4
Cross Site Scripting: 8
File Upload: 8
Note that scores accumulate across rules within a category: a quote, a comma and a parenthesis in one
form field score 4 each against SQL Injection, which together reach the threshold of 8 even though no
single rule does.
These check rule values can be modified in the DSS; however, we recommend keeping the default values
unless you have expert-level knowledge of your site's behaviour and interaction patterns.
Category                Pattern                                                   Score           ID    Zones
Zone columns, left to right: Body, URL, Arguments, HTTP Header (X = Cookie), File Upload.

Whitelist All           Whitelist all rules                                                       0     X X X All
Internal Rules          Invalid hex encoding, null bytes                                          10    X X X
                        Unknown content-type                                                      11    X
                        Invalid formatted URL                                                     12    X X
                        Invalid POST format                                                       13    X
                        Empty POST                                                                16    X
Evading Tricks          Only allow: multipart/form-data |                         4               1402  Content-type header
                        application/x-www-form-urlencoded
                        %U                                                        4               1401  X X X X
                        &#                                                        4               1400  X X X X
Directory Traversal     \\                                                        4               1205  X X X X
                        cmd.exe                                                   4               1204  X X X X
                        c:\\                                                      4               1203  X X X X
                        /etc/passwd                                               4               1202  X X X X
                        ..                                                        4               1200  X X X X
Remote File Inclusion   file://                                                   8               1109  X X X
                        phar://                                                   8               1108  X X X
                        glob://                                                   8               1107  X X X
                        data://                                                   8               1106  X X X
                        zlib://                                                   8               1105  X X X
                        sftp://                                                   8               1104  X X X
                        php://                                                    8               1103  X X X
                        ftp://                                                    8               1102  X X X
                        https://                                                  8               1101  X X X
                        http://                                                   8               1100  X X X
XSS                     Double encoding (e.g. URL decoded to %2 or %3)            8               1315  X X X
                        `                                                         8               1314  X X X
                        ~                                                         4               1312  X X X X
                        ]                                                         4               1311  X X X X
                        [                                                         4               1310  X X X X
                        >                                                         8               1303  X X X X
                        <                                                         8               1302  X X X X
SQL                     #                                                         4               1016  X X X X
                        ,                                                         4               1015  X X X X
                        =                                                         2               1009  X X
                        --                                                        4               1007  X X X X
                        &&                                                        8               1006  X X X X
                        |                                                         8               1005  X X X X
                        */                                                        8               1004  X X X X
                        /*                                                        8               1003  X X X X
                        0x                                                        2               1002  X X X X
                        select|union|update|delete|insert|table|from|ascii|hex|   4               1000  X X X X
                        unhex|drop
SQL & XSS               "                                                         SQL:8, XSS:8    1001  X X X X
                        ;                                                         SQL:4, XSS:8    1008  X X X
                        (                                                         SQL:4, XSS:8    1010  X X X X
                        )                                                         SQL:4, XSS:8    1011  X X X X
                        '                                                         SQL:4, XSS:8    1013  X X X X
File Upload             File upload                                               Upload:8        1500  FILE_EXT
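The following is an added worked example, not DOSarrest code: it replays the scoring model described above (per-rule scores accumulating into a per-category total that is compared with the check rule) against two constructed requests, so you can see which rule IDs a 469 is coming from and what a whitelist entry changes. The rule IDs, patterns and scores are transcribed from the table; the matching mechanics (substring or regex match, case-insensitive SQL keywords, each rule scoring once per zone it matches in), the zone sets for rules 1008 and 1009, and the zone-scoped whitelist shape are assumptions for the illustration.

```python
"""Added example (not DOSarrest's code): replay the table's scoring model to see
which rule IDs push a category over its check rule, and what a whitelist entry
changes. Assumed mechanics: substring (or regex) matching, case-insensitive SQL
keywords, and each rule adding its score once per zone in which it matches."""
import re
from dataclasses import dataclass

BODY, URL, ARGS, COOKIE = "Body", "URL", "Arguments", "Cookie"
ALL4 = (BODY, URL, ARGS, COOKIE)


@dataclass(frozen=True)
class Rule:
    id: int
    pattern: str
    scores: tuple            # ((category, score), ...) as in the Score column
    zones: tuple = ALL4      # zones in which the rule is active
    regex: bool = False


# Subset of the rule table; IDs, patterns and scores are transcribed from it.
# The zone sets for 1008 and 1009 are assumptions (the table gives fewer marks).
RULES = [
    Rule(1000, r"select|union|update|delete|insert|table|from|ascii|hex|unhex|drop",
         (("SQL Injection", 4),), regex=True),
    Rule(1001, '"', (("SQL Injection", 8), ("Cross Site Scripting", 8))),
    Rule(1002, "0x", (("SQL Injection", 2),)),
    Rule(1003, "/*", (("SQL Injection", 8),)),
    Rule(1004, "*/", (("SQL Injection", 8),)),
    Rule(1005, "|", (("SQL Injection", 8),)),
    Rule(1006, "&&", (("SQL Injection", 8),)),
    Rule(1007, "--", (("SQL Injection", 4),)),
    Rule(1008, ";", (("SQL Injection", 4), ("Cross Site Scripting", 8)), zones=(BODY, URL, ARGS)),
    Rule(1009, "=", (("SQL Injection", 2),), zones=(BODY, ARGS)),
    Rule(1010, "(", (("SQL Injection", 4), ("Cross Site Scripting", 8))),
    Rule(1011, ")", (("SQL Injection", 4), ("Cross Site Scripting", 8))),
    Rule(1013, "'", (("SQL Injection", 4), ("Cross Site Scripting", 8))),
    Rule(1015, ",", (("SQL Injection", 4),)),
    Rule(1016, "#", (("SQL Injection", 4),)),
    Rule(1200, "..", (("Directory Traversal", 4),)),
    Rule(1202, "/etc/passwd", (("Directory Traversal", 4),)),
    Rule(1302, "<", (("Cross Site Scripting", 8),)),
    Rule(1303, ">", (("Cross Site Scripting", 8),)),
    Rule(1400, "&#", (("Evading Action", 4),)),
    Rule(1401, "%U", (("Evading Action", 4),)),
]

# Default check rules from the page: a category blocks when its score reaches the value.
CHECK_RULES = {"SQL Injection": 8, "Remote File Inclusion": 8, "Directory Traversal": 4,
               "Evading Action": 4, "Cross Site Scripting": 8, "File Upload": 8}


def evaluate(request, whitelist=()):
    """Score one request.

    request   maps a zone name to the list of strings inspected in that zone
              (argument values, form-field values, cookie values, the URL path).
    whitelist holds rule IDs (exempt everywhere) or (ID, zone) pairs (exempt in
              that zone only); the zone-scoped shape is an assumption.
    Returns (blocked_categories, scores, hits) where hits lists (rule ID, zone).
    """
    scores = {cat: 0 for cat in CHECK_RULES}
    hits = []
    for rule in RULES:
        for zone in rule.zones:
            if rule.id in whitelist or (rule.id, zone) in whitelist:
                continue
            values = request.get(zone, [])
            if rule.regex:
                matched = any(re.search(rule.pattern, v, re.IGNORECASE) for v in values)
            else:
                matched = any(rule.pattern in v for v in values)
            if matched:
                hits.append((rule.id, zone))
                for category, score in rule.scores:
                    scores[category] += score
    blocked = sorted(cat for cat, limit in CHECK_RULES.items() if scores[cat] >= limit)
    return blocked, scores, hits


# Constructed sample requests.
INJECTION = {ARGS: ["1' OR 1=1 --"]}          # classic tautology in a query-string value
COMMENT = {BODY: ["Don't forget the sale"]}   # a harmless form post with one apostrophe

if __name__ == "__main__":
    for name, req in (("injection", INJECTION), ("comment", COMMENT)):
        blocked, scores, hits = evaluate(req)
        print(f"{name}: blocked={blocked} hits={hits}")
    # Whitelisting rule 1013 for the Body zone only lets the comment through
    # while the same quote in Arguments keeps blocking the injection.
    wl = {(1013, BODY)}
    print("comment with whitelist:", evaluate(COMMENT, wl)[0])
    print("injection with whitelist:", evaluate(INJECTION, wl)[0])
```

The injection value trips rules 1007, 1009 and 1013 in Arguments for an SQL Injection score of 10 (and 8 against Cross Site Scripting from the quote alone), so both categories block. The harmless comment trips only 1013, yet its XSS:8 already meets the Cross Site Scripting check rule, which is the typical cause of a 469 on a free-text form field. Scoping the whitelist to the Body zone clears the comment without exempting the same quote in the query string.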