From 232f6ba80ab6d577d9122c41613a617b94fe8987 Mon Sep 17 00:00:00 2001 From: Diego Gavinowich Date: Wed, 5 Feb 2020 16:59:49 -0800 Subject: [PATCH 1/5] Initial cmdlet to get managed rule definitions --- src/FrontDoor/FrontDoor/Az.FrontDoor.psd1 | 1 + ...eRmFrontDoorWafManagedRuleSetDefinition.cs | 47 +++++++++++++++++++ .../FrontDoor/Helpers/ModelExtensions.cs | 35 ++++++++++++++ .../Models/PSManagedRuleDefinition.cs | 29 ++++++++++++ .../Models/PSManagedRuleGroupDefinition.cs | 27 +++++++++++ .../Models/PSManagedRuleSetDefinition.cs | 29 ++++++++++++ 6 files changed, 168 insertions(+) create mode 100644 src/FrontDoor/FrontDoor/Cmdlets/GetAzureRmFrontDoorWafManagedRuleSetDefinition.cs create mode 100644 src/FrontDoor/FrontDoor/Models/PSManagedRuleDefinition.cs create mode 100644 src/FrontDoor/FrontDoor/Models/PSManagedRuleGroupDefinition.cs create mode 100644 src/FrontDoor/FrontDoor/Models/PSManagedRuleSetDefinition.cs diff --git a/src/FrontDoor/FrontDoor/Az.FrontDoor.psd1 b/src/FrontDoor/FrontDoor/Az.FrontDoor.psd1 index 5ea5edafbe57..518284d9e7ab 100644 --- a/src/FrontDoor/FrontDoor/Az.FrontDoor.psd1 +++ b/src/FrontDoor/FrontDoor/Az.FrontDoor.psd1 @@ -85,6 +85,7 @@ CmdletsToExport = 'New-AzFrontDoor', 'Get-AzFrontDoor', 'Set-AzFrontDoor', 'New-AzFrontDoorWafCustomRuleObject', 'New-AzFrontDoorWafManagedRuleObject', 'New-AzFrontDoorWafPolicy', 'Get-AzFrontDoorWafPolicy', 'Update-AzFrontDoorWafPolicy', + 'Get-AzFrontDoorWafManagedRuleSetDefinition', 'Remove-AzFrontDoorWafPolicy', 'New-AzFrontDoorWafRuleGroupOverrideObject', 'Remove-AzFrontDoorContent', 'Enable-AzFrontDoorCustomDomainHttps', diff --git a/src/FrontDoor/FrontDoor/Cmdlets/GetAzureRmFrontDoorWafManagedRuleSetDefinition.cs b/src/FrontDoor/FrontDoor/Cmdlets/GetAzureRmFrontDoorWafManagedRuleSetDefinition.cs new file mode 100644 index 000000000000..4c2e84661be1 --- /dev/null +++ b/src/FrontDoor/FrontDoor/Cmdlets/GetAzureRmFrontDoorWafManagedRuleSetDefinition.cs 
@@ -0,0 +1,47 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.FrontDoor.Common;
+using Microsoft.Azure.Commands.FrontDoor.Helpers;
+using Microsoft.Azure.Commands.FrontDoor.Models;
+using Microsoft.Azure.Management.FrontDoor.Models;
+using Microsoft.Rest.Azure;
+using System.Collections.Generic;
+using System.Linq;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.FrontDoor.Cmdlets
+{
+ ///
+ /// Defines the Get-AzFrontDoorWafManagedRuleSetDefinition cmdlet.
+ ///
+ [Cmdlet("Get", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "FrontDoorWafManagedRuleSetDefinition"), OutputType(typeof(PSManagedRuleSetDefinition))]
+ public class GetAzureRmFrontDoorWafManagedRuleSetDefinition : AzureFrontDoorCmdletBase
+ {
+ public override void ExecuteCmdlet()
+ {
+ AzureOperationResponse> managedSets = FrontDoorManagementClient.ManagedRuleSets.ListWithHttpMessagesAsync().GetAwaiter().GetResult();
+ List managedRuleSetDefinitions = managedSets.Body?.Select(managedRuleSetDefinition => managedRuleSetDefinition.ToPSManagedRuleSetDefinition()).ToList();
+ string nextLink = managedSets.Body.NextPageLink;
+ while (nextLink != null)
+ {
+ var nextLinkSets = FrontDoorManagementClient.ManagedRuleSets.ListNextWithHttpMessagesAsync(nextLink).GetAwaiter().GetResult();
+ managedRuleSetDefinitions.AddRange(nextLinkSets.Body?.Select(managedRuleSetDefinition => managedRuleSetDefinition.ToPSManagedRuleSetDefinition()));
+ nextLink = nextLinkSets.Body.NextPageLink;
+ }
+
+ WriteObject(managedRuleSetDefinitions.ToArray(), true);
+ }
+ }
+}
diff --git a/src/FrontDoor/FrontDoor/Helpers/ModelExtensions.cs b/src/FrontDoor/FrontDoor/Helpers/ModelExtensions.cs
index f244f2d8549e..078a438cf4a1 100644
--- a/src/FrontDoor/FrontDoor/Helpers/ModelExtensions.cs
+++ b/src/FrontDoor/FrontDoor/Helpers/ModelExtensions.cs
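Review bot: In ExecuteCmdlet (GetAzureRmFrontDoorWafManagedRuleSetDefinition.cs) the null handling is inconsistent: `managedSets.Body?.Select(...)` allows for a null body, but the next line reads `managedSets.Body.NextPageLink` unguarded, and a null body would leave `managedRuleSetDefinitions` null for the later `AddRange` and `ToArray()` calls. Inside the loop, `AddRange(nextLinkSets.Body?.Select(...))` would throw on a null argument, so the `?.` there gives no protection either. Whether the SDK can actually return a null body is not visible here, but the code should pick one behaviour. Operators read this listing to audit default WAF rule actions and states, so a paging failure should not surface as a NullReferenceException partway through. The version below starts from an empty list and loops on the page itself; throwing an explicit error on a null body would be equally acceptable.

```csharp
public override void ExecuteCmdlet()
{
    var managedRuleSetDefinitions = new List<PSManagedRuleSetDefinition>();
    var page = FrontDoorManagementClient.ManagedRuleSets.ListWithHttpMessagesAsync().GetAwaiter().GetResult().Body;
    while (page != null)
    {
        managedRuleSetDefinitions.AddRange(page.Select(definition => definition.ToPSManagedRuleSetDefinition()));
        page = page.NextPageLink == null
            ? null
            : FrontDoorManagementClient.ManagedRuleSets.ListNextWithHttpMessagesAsync(page.NextPageLink).GetAwaiter().GetResult().Body;
    }

    // … unchanged: WriteObject(managedRuleSetDefinitions.ToArray(), true) …
```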
@@ -38,7 +38,10 @@
 using SdkHttpsConfig = Microsoft.Azure.Management.FrontDoor.Models.CustomHttpsConfiguration;
 using SdkLoadBalancingSetting = Microsoft.Azure.Management.FrontDoor.Models.LoadBalancingSettingsModel;
 using SdkManagedRule = Microsoft.Azure.Management.FrontDoor.Models.ManagedRuleSet;
+using SdkManagedRuleDefinition = Microsoft.Azure.Management.FrontDoor.Models.ManagedRuleDefinition;
+using SdkManagedRuleGroupDefinition = Microsoft.Azure.Management.FrontDoor.Models.ManagedRuleGroupDefinition;
 using SdkManagedRuleList = Microsoft.Azure.Management.FrontDoor.Models.ManagedRuleSetList;
+using SdkManagedRuleSetDefinition = Microsoft.Azure.Management.FrontDoor.Models.ManagedRuleSetDefinition;
 using sdkMatchCondition = Microsoft.Azure.Management.FrontDoor.Models.MatchCondition;
 using sdkPolicySetting = Microsoft.Azure.Management.FrontDoor.Models.PolicySettings;
 using SdkRedirectConfiguration = Microsoft.Azure.Management.FrontDoor.Models.RedirectConfiguration;
@@ -431,6 +434,38 @@ public static PSPolicy ToPSPolicy(this SdkFirewallPolicy sdkPolicy) }; } + public static PSManagedRuleSetDefinition ToPSManagedRuleSetDefinition(this SdkManagedRuleSetDefinition sdkManagedRuleSetDefinition) + { + return new PSManagedRuleSetDefinition + { + ProvisioningState = sdkManagedRuleSetDefinition.ProvisioningState, + RuleSetType = sdkManagedRuleSetDefinition.RuleSetType, + RuleSetVersion = sdkManagedRuleSetDefinition.RuleSetVersion, + RuleGroups = sdkManagedRuleSetDefinition.RuleGroups?.Select(ruleGroup => ruleGroup.ToPSManagedRuleGroupDefinition()).ToList() + }; + } + + public static PSManagedRuleGroupDefinition ToPSManagedRuleGroupDefinition(this SdkManagedRuleGroupDefinition sdkManagedRuleGroupDefinition) + { + return new PSManagedRuleGroupDefinition + { + RuleGroupName = sdkManagedRuleGroupDefinition.RuleGroupName, + Description = sdkManagedRuleGroupDefinition.Description, + Rules = sdkManagedRuleGroupDefinition.Rules?.Select(rule => rule.ToPSManagedRuleDefinition()).ToList() + }; + } + + public static PSManagedRuleDefinition ToPSManagedRuleDefinition(this SdkManagedRuleDefinition sdkManagedRuleDefinition) + { + return new PSManagedRuleDefinition + { + RuleId = sdkManagedRuleDefinition.RuleId, + DefaultAction = sdkManagedRuleDefinition.DefaultAction, + DefaultState = sdkManagedRuleDefinition.DefaultState, + Description = sdkManagedRuleDefinition.Description + }; + } + public static PSMatchCondition ToPSMatchCondition(this sdkMatchCondition sdkMatchCondition) { return new PSMatchCondition diff --git a/src/FrontDoor/FrontDoor/Models/PSManagedRuleDefinition.cs b/src/FrontDoor/FrontDoor/Models/PSManagedRuleDefinition.cs new file mode 100644 index 000000000000..ec4bc2766f7a --- /dev/null +++ b/src/FrontDoor/FrontDoor/Models/PSManagedRuleDefinition.cs 
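Review bot: The three new public converters in ModelExtensions.cs have no doc comment, and nothing states what a caller gets for a missing collection: `RuleGroups?.Select(...).ToList()` and `Rules?.Select(...).ToList()` yield null, not an empty list, when the SDK object carries no groups or rules. I would add a summary to each that says so, for example `/// RuleGroups is null when the service returns no rule groups.`, or coalesce with `?? new List<PSManagedRuleGroupDefinition>()` if an empty list is the intended contract. The recorded response later in this series also carries a `ruleSetId` per rule set that PSManagedRuleSetDefinition does not surface. If the SDK model exposes that property, mapping it here would let audit output be correlated with the service's own identifier.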
@@ -0,0 +1,29 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.FrontDoor.Models
+{
+ public class PSManagedRuleDefinition
+ {
+ public string RuleId { get; set; }
+
+ public string DefaultState { get; set; }
+
+ public string DefaultAction { get; set; }
+
+ public string Description { get; set; }
+ }
+}
diff --git a/src/FrontDoor/FrontDoor/Models/PSManagedRuleGroupDefinition.cs b/src/FrontDoor/FrontDoor/Models/PSManagedRuleGroupDefinition.cs
new file mode 100644
index 000000000000..73dd93b08216
--- /dev/null
+++ b/src/FrontDoor/FrontDoor/Models/PSManagedRuleGroupDefinition.cs
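Review bot: `using System.Collections.Generic;` is unused in PSManagedRuleDefinition.cs, since all four properties are plain strings, and can be dropped; the two sibling model files do need it for `IList`. All three new model classes (this one, PSManagedRuleGroupDefinition and PSManagedRuleSetDefinition) are public cmdlet output types with no doc comments. A short summary on each class, and on `DefaultAction` and `DefaultState` in particular, would help people who read this output to audit a WAF policy, for example `/// Action the managed rule takes when no override is configured.` — that wording assumes these are the service-side defaults, which should be confirmed against the API documentation.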
@@ -0,0 +1,27 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.FrontDoor.Models
+{
+ public class PSManagedRuleGroupDefinition
+ {
+ public string RuleGroupName { get; set; }
+
+ public string Description { get; set; }
+
+ public IList Rules { get; set; }
+ }
+}
diff --git a/src/FrontDoor/FrontDoor/Models/PSManagedRuleSetDefinition.cs b/src/FrontDoor/FrontDoor/Models/PSManagedRuleSetDefinition.cs
new file mode 100644
index 000000000000..3de9d0a52141
--- /dev/null
+++ b/src/FrontDoor/FrontDoor/Models/PSManagedRuleSetDefinition.cs
@@ -0,0 +1,29 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.FrontDoor.Models
+{
+ public class PSManagedRuleSetDefinition
+ {
+ public string ProvisioningState { get; set; }
+
+ public string RuleSetType { get; set; }
+
+ public string RuleSetVersion { get; set; }
+
+ public IList RuleGroups { get; set; }
+ }
+}
From 39a573a858c1109ed84c0070eb965a4669e466b1 Mon Sep 17 00:00:00 2001
From: Diego Gavinowich
Date: Wed, 5 Feb 2020 18:18:36 -0800
Subject: [PATCH 2/5] Add test cases for new cmdlet
---
.../WebApplicationFireWallPolicyTests.cs | 7 ++
.../WebApplicationFireWallPolicyTests.ps1 | 27 +++++-
.../TestManagedRuleSetDefinitions.json | 83 +++++++++++++++++++
3 files changed, 116 insertions(+), 1 deletion(-)
create mode 100644 src/FrontDoor/FrontDoor.Test/SessionRecords/Microsoft.Azure.Commands.FrontDoor.Test.ScenarioTests.ScenarioTest.WebApplicationFireWallPolicyTests/TestManagedRuleSetDefinitions.json
diff --git a/src/FrontDoor/FrontDoor.Test/ScenarioTests/WebApplicationFireWallPolicyTests.cs b/src/FrontDoor/FrontDoor.Test/ScenarioTests/WebApplicationFireWallPolicyTests.cs
index f1047d249983..6e91238e7e41 100644
--- a/src/FrontDoor/FrontDoor.Test/ScenarioTests/WebApplicationFireWallPolicyTests.cs
+++ b/src/FrontDoor/FrontDoor.Test/ScenarioTests/WebApplicationFireWallPolicyTests.cs
@@ -41,5 +41,12 @@ public void TestPolicyCrudWithPiping()
 {
 TestController.NewInstance.RunPowerShellTest(_logger, "Test-PolicyCrudWithPiping");
 }
+
+ [Fact]
+ [Trait(Category.AcceptanceType, Category.CheckIn)]
+ public void TestManagedRuleSetDefinitions()
+ {
+ TestController.NewInstance.RunPowerShellTest(_logger, "Test-ManagedRuleSetDefinition");
+ }
 }
 }
diff --git a/src/FrontDoor/FrontDoor.Test/ScenarioTests/WebApplicationFireWallPolicyTests.ps1 b/src/FrontDoor/FrontDoor.Test/ScenarioTests/WebApplicationFireWallPolicyTests.ps1
index ef39c36a1f3f..9b4d28ddb30e 100644
--- a/src/FrontDoor/FrontDoor.Test/ScenarioTests/WebApplicationFireWallPolicyTests.ps1
+++ b/src/FrontDoor/FrontDoor.Test/ScenarioTests/WebApplicationFireWallPolicyTests.ps1
@@ -114,4 +114,29 @@ function Test-PolicyCrudWithPiping
 $removed = Get-AzFrontDoorWafPolicy -Name $Name -ResourceGroupName $resourceGroupName | Remove-AzFrontDoorWafPolicy -PassThru
 Assert-True { $removed }
 Assert-ThrowsContains { Get-AzFrontDoorWafPolicy -Name $Name -ResourceGroupName $resourceGroupName } "does not exist."
-}
\ No newline at end of file
+}
+
+<#
+.SYNOPSIS
+WAF managed rule set definitions retrieval
+#>
+function Test-ManagedRuleSetDefinition
+{
+ $definitions = Get-AzFrontDoorWafManagedRuleSetDefinition | sort -Property RuleSetType,RuleSetVersion
+ Assert-AreEqual $definitions.Count 4
+ Assert-AreEqual $definitions[0].RuleSetType "BotProtection"
+ Assert-AreEqual $definitions[0].RuleSetVersion "preview-0.1"
+ Assert-AreEqual $definitions[0].RuleGroups.Count 1
+
+ Assert-AreEqual $definitions[1].RuleSetType "DefaultRuleSet"
+ Assert-AreEqual $definitions[1].RuleSetVersion "1.0"
+ Assert-AreEqual $definitions[1].RuleGroups.Count 9
+
+ Assert-AreEqual $definitions[2].RuleSetType "DefaultRuleSet"
+ Assert-AreEqual $definitions[2].RuleSetVersion "preview-0.1"
+ Assert-AreEqual $definitions[2].RuleGroups.Count 8
+
+ Assert-AreEqual $definitions[3].RuleSetType "Microsoft_BotManagerRuleSet"
+ Assert-AreEqual $definitions[3].RuleSetVersion "1.0"
+ Assert-AreEqual $definitions[3].RuleGroups.Count 3
+}
diff --git a/src/FrontDoor/FrontDoor.Test/SessionRecords/Microsoft.Azure.Commands.FrontDoor.Test.ScenarioTests.ScenarioTest.WebApplicationFireWallPolicyTests/TestManagedRuleSetDefinitions.json b/src/FrontDoor/FrontDoor.Test/SessionRecords/Microsoft.Azure.Commands.FrontDoor.Test.ScenarioTests.ScenarioTest.WebApplicationFireWallPolicyTests/TestManagedRuleSetDefinitions.json
new file mode 100644
index 000000000000..0b161c67bdb1
--- /dev/null
+++ b/src/FrontDoor/FrontDoor.Test/SessionRecords/Microsoft.Azure.Commands.FrontDoor.Test.ScenarioTests.ScenarioTest.WebApplicationFireWallPolicyTests/TestManagedRuleSetDefinitions.json
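Review bot: `sort -Property RuleSetType,RuleSetVersion` in Test-ManagedRuleSetDefinition relies on the `sort` alias, which PowerShell does not define on Linux or macOS, where the name resolves to the native sort utility. If these scenario tests are ever run there, the pipeline breaks; `Sort-Object -Property RuleSetType,RuleSetVersion` is the portable form. The assertions also stop at `RuleGroups.Count`, so nothing verifies that ToPSManagedRuleDefinition maps `RuleId`, `DefaultAction` and `DefaultState`, which are the fields an operator would actually audit. One rule-level check against the recording would cover that path, for example `Assert-AreEqual $definitions[1].RuleGroups[0].Rules[0].RuleId "921110"`.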
@@ -0,0 +1,83 @@ +{ + "Entries": [ + { + "RequestUri": "/subscriptions/47f4bc68-6fe4-43a2-be8b-dfd0e290efa2/providers/Microsoft.Network/FrontDoorWebApplicationFirewallManagedRuleSets?api-version=2019-10-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvNDdmNGJjNjgtNmZlNC00M2EyLWJlOGItZGZkMGUyOTBlZmEyL3Byb3ZpZGVycy9NaWNyb3NvZnQuTmV0d29yay9Gcm9udERvb3JXZWJBcHBsaWNhdGlvbkZpcmV3YWxsTWFuYWdlZFJ1bGVTZXRzP2FwaS12ZXJzaW9uPTIwMTktMTAtMDE=", + "RequestMethod": "GET", + "RequestBody": "", + "RequestHeaders": { + "x-ms-client-request-id": [ + "489776b6-662b-4209-b400-114d07087965" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.6.28207.03", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.14393.", + "Microsoft.Azure.Management.FrontDoor.FrontDoorManagementClient/2.0.0.0" + ] + }, + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "x-ms-request-id": [ + "2bbe63b0-0310-4284-9d2e-fd8f462c93ad" + ], + "x-ms-client-request-id": [ + "489776b6-662b-4209-b400-114d07087965" + ], + "OData-Version": [ + "4.0" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "Server": [ + "Microsoft-IIS/8.5" + ], + "X-AspNet-Version": [ + "4.0.30319" + ], + "X-Powered-By": [ + "ASP.NET" + ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11999" + ], + "x-ms-correlation-request-id": [ + "a81b8106-0e5a-43b1-9f51-61d69d7d426b" + ], + "x-ms-routing-request-id": [ + "WESTUS:20200206T021627Z:a81b8106-0e5a-43b1-9f51-61d69d7d426b" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Thu, 06 Feb 2020 02:16:27 GMT" + ], + "Content-Length": [ + "43395" + ], + "Content-Type": [ + "application/json; odata.metadata=minimal; odata.streaming=true" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"name\": \"DefaultRuleSet_1.0\",\r\n \"id\": 
\"/subscriptions/47f4bc68-6fe4-43a2-be8b-dfd0e290efa2/providers/Microsoft.Network/frontdoorwebapplicationfirewallmanagedrulesets/DefaultRuleSet_1.0\",\r\n \"type\": \"Microsoft.Network/frontdoorwebapplicationfirewallmanagedrulesets\",\r\n \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n \"ruleSetId\": \"8125d145-ddc5-4d90-9bc3-24c5f2de69a2\",\r\n \"ruleSetType\": \"DefaultRuleSet\",\r\n \"ruleSetVersion\": \"1.0\",\r\n \"ruleGroups\": [\r\n {\r\n \"ruleGroupName\": \"PROTOCOL-ATTACK\",\r\n \"description\": \"Protocol attack\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"921110\",\r\n \"description\": \"HTTP Request Smuggling Attack\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"921120\",\r\n \"description\": \"HTTP Response Splitting Attack\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"921130\",\r\n \"description\": \"HTTP Response Splitting Attack\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"921140\",\r\n \"description\": \"HTTP Header Injection Attack via headers\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"921150\",\r\n \"description\": \"HTTP Header Injection Attack via payload (CR/LF detected)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"921160\",\r\n \"description\": \"HTTP Header Injection Attack via payload (CR/LF and header-name detected)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"921151\",\r\n \"description\": \"HTTP Header Injection Attack via payload (CR/LF detected)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n },\r\n {\r\n \"ruleGroupName\": \"LFI\",\r\n \"description\": \"Local file inclusion\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"930100\",\r\n 
\"description\": \"Path Traversal Attack (/../)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"930110\",\r\n \"description\": \"Path Traversal Attack (/../)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"930120\",\r\n \"description\": \"OS File Access Attempt\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"930130\",\r\n \"description\": \"Restricted File Access Attempt\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n },\r\n {\r\n \"ruleGroupName\": \"RFI\",\r\n \"description\": \"Remote file inclusion\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"931100\",\r\n \"description\": \"Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"931110\",\r\n \"description\": \"Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"931120\",\r\n \"description\": \"Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"931130\",\r\n \"description\": \"Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n },\r\n {\r\n \"ruleGroupName\": \"RCE\",\r\n \"description\": \"Remote Command Execution attacks\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"932100\",\r\n \"description\": \"Remote Command Execution: Unix Command Injection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932105\",\r\n \"description\": \"Remote Command 
Execution: Unix Command Injection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932110\",\r\n \"description\": \"Remote Command Execution: Windows Command Injection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932115\",\r\n \"description\": \"Remote Command Execution: Windows Command Injection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932120\",\r\n \"description\": \"Remote Command Execution: Windows PowerShell Command Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932130\",\r\n \"description\": \"Remote Command Execution: Unix Shell Expression Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932140\",\r\n \"description\": \"Remote Command Execution: Windows FOR/IF Command Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932150\",\r\n \"description\": \"Remote Command Execution: Direct Unix Command Execution\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932160\",\r\n \"description\": \"Remote Command Execution: Unix Shell Code Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932170\",\r\n \"description\": \"Remote Command Execution: Shellshock (CVE-2014-6271)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932171\",\r\n \"description\": \"Remote Command Execution: Shellshock (CVE-2014-6271)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932180\",\r\n \"description\": \"Restricted File Upload Attempt\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n },\r\n {\r\n 
\"ruleGroupName\": \"PHP\",\r\n \"description\": \"PHP attacks\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"933100\",\r\n \"description\": \"PHP Injection Attack: PHP Open Tag Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933110\",\r\n \"description\": \"PHP Injection Attack: PHP Script File Upload Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933120\",\r\n \"description\": \"PHP Injection Attack: Configuration Directive Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933130\",\r\n \"description\": \"PHP Injection Attack: Variables Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933140\",\r\n \"description\": \"PHP Injection Attack: I/O Stream Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933150\",\r\n \"description\": \"PHP Injection Attack: High-Risk PHP Function Name Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933151\",\r\n \"description\": \"PHP Injection Attack: Medium-Risk PHP Function Name Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933160\",\r\n \"description\": \"PHP Injection Attack: High-Risk PHP Function Call Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933170\",\r\n \"description\": \"PHP Injection Attack: Serialized Object Injection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933180\",\r\n \"description\": \"PHP Injection Attack: Variable Function Call Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n },\r\n {\r\n \"ruleGroupName\": \"XSS\",\r\n \"description\": 
\"Cross-site scripting\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"941100\",\r\n \"description\": \"XSS Attack Detected via libinjection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941101\",\r\n \"description\": \"XSS Attack Detected via libinjection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941110\",\r\n \"description\": \"XSS Filter - Category 1: Script Tag Vector\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941120\",\r\n \"description\": \"XSS Filter - Category 2: Event Handler Vector\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941130\",\r\n \"description\": \"XSS Filter - Category 3: Attribute Vector\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941140\",\r\n \"description\": \"XSS Filter - Category 4: Javascript URI Vector\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941150\",\r\n \"description\": \"XSS Filter - Category 5: Disallowed HTML Attributes\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941160\",\r\n \"description\": \"NoScript XSS InjectionChecker: HTML Injection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941170\",\r\n \"description\": \"NoScript XSS InjectionChecker: Attribute Injection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941180\",\r\n \"description\": \"Node-Validator Blacklist Keywords\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941190\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n 
},\r\n {\r\n \"ruleId\": \"941200\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941210\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941220\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941230\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941240\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941250\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941260\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941270\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941280\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941290\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941300\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941310\",\r\n \"description\": \"US-ASCII Malformed Encoding XSS Filter - Attack Detected.\",\r\n 
\"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941320\",\r\n \"description\": \"Possible XSS Attack Detected - HTML Tag Handler\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941330\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941340\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941350\",\r\n \"description\": \"UTF-7 Encoding IE XSS - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n },\r\n {\r\n \"ruleGroupName\": \"SQLI\",\r\n \"description\": \"SQL injection\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"942100\",\r\n \"description\": \"SQL Injection Attack Detected via libinjection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942110\",\r\n \"description\": \"SQL Injection Attack: Common Injection Testing Detected\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942120\",\r\n \"description\": \"SQL Injection Attack: SQL Operator Detected\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942140\",\r\n \"description\": \"SQL Injection Attack: Common DB Names Detected\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942150\",\r\n \"description\": \"SQL Injection Attack\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942160\",\r\n \"description\": \"Detects blind sqli tests using sleep() or benchmark().\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942170\",\r\n 
\"description\": \"Detects SQL benchmark and sleep injection attempts including conditional queries\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942180\",\r\n \"description\": \"Detects basic SQL authentication bypass attempts 1/3\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942190\",\r\n \"description\": \"Detects MSSQL code execution and information gathering attempts\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942200\",\r\n \"description\": \"Detects MySQL comment-/space-obfuscated injections and backtick termination\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942210\",\r\n \"description\": \"Detects chained SQL injection attempts 1/2\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942220\",\r\n \"description\": \"Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the \\\"magic number\\\" crash\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942230\",\r\n \"description\": \"Detects conditional SQL injection attempts\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942240\",\r\n \"description\": \"Detects MySQL charset switch and MSSQL DoS attempts\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942250\",\r\n \"description\": \"Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942260\",\r\n \"description\": \"Detects basic SQL authentication bypass attempts 2/3\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": 
\"942270\",\r\n \"description\": \"Looking for basic sql injection. Common attack string for mysql, oracle and others.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942280\",\r\n \"description\": \"Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942290\",\r\n \"description\": \"Finds basic MongoDB SQL injection attempts\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942300\",\r\n \"description\": \"Detects MySQL comments, conditions and ch(a)r injections\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942310\",\r\n \"description\": \"Detects chained SQL injection attempts 2/2\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942320\",\r\n \"description\": \"Detects MySQL and PostgreSQL stored procedure/function injections\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942330\",\r\n \"description\": \"Detects classic SQL injection probings 1/3\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942340\",\r\n \"description\": \"Detects basic SQL authentication bypass attempts 3/3\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942350\",\r\n \"description\": \"Detects MySQL UDF injection and other data/structure manipulation attempts\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942360\",\r\n \"description\": \"Detects concatenated basic SQL injection and SQLLFI attempts\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942361\",\r\n \"description\": 
\"Detects basic SQL injection based on keyword alter or union\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942370\",\r\n \"description\": \"Detects classic SQL injection probings 2/3\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942380\",\r\n \"description\": \"SQL Injection Attack\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942390\",\r\n \"description\": \"SQL Injection Attack\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942400\",\r\n \"description\": \"SQL Injection Attack\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942410\",\r\n \"description\": \"SQL Injection Attack\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942430\",\r\n \"description\": \"Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942440\",\r\n \"description\": \"SQL Comment Sequence Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942450\",\r\n \"description\": \"SQL Hex Encoding Identified\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942470\",\r\n \"description\": \"SQL Injection Attack\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942480\",\r\n \"description\": \"SQL Injection Attack\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n },\r\n {\r\n \"ruleGroupName\": \"FIX\",\r\n \"description\": \"Session Fixation attacks\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"943100\",\r\n \"description\": \"Possible Session 
Fixation Attack: Setting Cookie Values in HTML\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"943110\",\r\n \"description\": \"Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"943120\",\r\n \"description\": \"Possible Session Fixation Attack: SessionID Parameter Name with No Referer\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n },\r\n {\r\n \"ruleGroupName\": \"JAVA\",\r\n \"description\": \"Java attacks\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"944100\",\r\n \"description\": \"Remote Command Execution: Suspicious Java class detected\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"944110\",\r\n \"description\": \"Remote Command Execution: Java process spawn (CVE-2017-9805)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"944120\",\r\n \"description\": \"Remote Command Execution: Java serialization (CVE-2015-5842)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"944130\",\r\n \"description\": \"Suspicious Java class detected\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"944200\",\r\n \"description\": \"Magic bytes Detected, probable java serialization in use\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"944210\",\r\n \"description\": \"Magic bytes Detected Base64 Encoded, probable java serialization in use\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"944240\",\r\n \"description\": \"Remote Command Execution: Java serialization (CVE-2015-5842)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": 
\"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"944250\",\r\n \"description\": \"Remote Command Execution: Suspicious Java method detected\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n },\r\n {\r\n \"name\": \"Microsoft_BotManagerRuleSet_1.0\",\r\n \"id\": \"/subscriptions/47f4bc68-6fe4-43a2-be8b-dfd0e290efa2/providers/Microsoft.Network/frontdoorwebapplicationfirewallmanagedrulesets/Microsoft_BotManagerRuleSet_1.0\",\r\n \"type\": \"Microsoft.Network/frontdoorwebapplicationfirewallmanagedrulesets\",\r\n \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n \"ruleSetId\": \"e44514af-018d-49e9-8070-c9edac0f3a0d\",\r\n \"ruleSetType\": \"Microsoft_BotManagerRuleSet\",\r\n \"ruleSetVersion\": \"1.0\",\r\n \"ruleGroups\": [\r\n {\r\n \"ruleGroupName\": \"BadBots\",\r\n \"description\": \"Bad bots\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"Bot100100\",\r\n \"description\": \"Malicious bots detected by threat intelligence\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"Bot100200\",\r\n \"description\": \"Malicious bots that have falsified their identity\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n },\r\n {\r\n \"ruleGroupName\": \"GoodBots\",\r\n \"description\": \"Good bots\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"Bot200100\",\r\n \"description\": \"Search engine crawlers\",\r\n \"defaultAction\": \"Allow\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"Bot200200\",\r\n \"description\": \"Unverified search engine crawlers\",\r\n \"defaultAction\": \"Log\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n },\r\n {\r\n \"ruleGroupName\": \"UnknownBots\",\r\n \"description\": \"Unknown bots\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"Bot300100\",\r\n \"description\": \"Unspecified identity\",\r\n \"defaultAction\": \"Log\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": 
\"Bot300200\",\r\n \"description\": \"Tools and frameworks for web crawling and attacks\",\r\n \"defaultAction\": \"Log\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"Bot300300\",\r\n \"description\": \"General purpose HTTP clients and SDKs\",\r\n \"defaultAction\": \"Log\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"Bot300400\",\r\n \"description\": \"Service agents\",\r\n \"defaultAction\": \"Log\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"Bot300500\",\r\n \"description\": \"Site health monitoring services\",\r\n \"defaultAction\": \"Log\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"Bot300600\",\r\n \"description\": \"Unknown bots detected by threat intelligence\",\r\n \"defaultAction\": \"Log\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"Bot300700\",\r\n \"description\": \"Other bots\",\r\n \"defaultAction\": \"Log\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n },\r\n {\r\n \"name\": \"DefaultRuleSet_preview-0.1\",\r\n \"id\": \"/subscriptions/47f4bc68-6fe4-43a2-be8b-dfd0e290efa2/providers/Microsoft.Network/frontdoorwebapplicationfirewallmanagedrulesets/DefaultRuleSet_preview-0.1\",\r\n \"type\": \"Microsoft.Network/frontdoorwebapplicationfirewallmanagedrulesets\",\r\n \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n \"ruleSetId\": \"8125d145-ddc5-4d90-9bc3-24c5f2de69a2\",\r\n \"ruleSetType\": \"DefaultRuleSet\",\r\n \"ruleSetVersion\": \"preview-0.1\",\r\n \"ruleGroups\": [\r\n {\r\n \"ruleGroupName\": \"LFI\",\r\n \"description\": \"Local file inclusion\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"930100\",\r\n \"description\": \"Path Traversal Attack (/../) using Encoded Payloads\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"930110\",\r\n \"description\": \"Path Traversal Attack (/../) using Decoded Payloads\",\r\n \"defaultAction\": \"Block\",\r\n 
\"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"930130\",\r\n \"description\": \"Restricted File Access Attempt\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n },\r\n {\r\n \"ruleGroupName\": \"RFI\",\r\n \"description\": \"Remote file inclusion\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"931100\",\r\n \"description\": \"Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"931110\",\r\n \"description\": \"Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"931120\",\r\n \"description\": \"Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"931130\",\r\n \"description\": \"Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n },\r\n {\r\n \"ruleGroupName\": \"RCE\",\r\n \"description\": \"Remote Command Execution attacks\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"932100\",\r\n \"description\": \"Remote Command Execution: Unix Command Injection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932105\",\r\n \"description\": \"Remote Command Execution: Unix Command Injection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932106\",\r\n \"description\": \"Remote Command Execution: Unix Command Injection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932110\",\r\n \"description\": \"Remote Command Execution: Windows Command 
Injection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932115\",\r\n \"description\": \"Remote Command Execution: Windows Command Injection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932130\",\r\n \"description\": \"Remote Command Execution: Unix Shell Expression Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932140\",\r\n \"description\": \"Remote Command Execution: Windows FOR/IF Command Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932150\",\r\n \"description\": \"Remote Command Execution: Direct Unix Command Execution\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932170\",\r\n \"description\": \"Remote Command Execution: Shellshock (CVE-2014-6271)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932171\",\r\n \"description\": \"Remote Command Execution: Shellshock (CVE-2014-6271)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"932190\",\r\n \"description\": \"Remote Command Execution: Wildcard\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n },\r\n {\r\n \"ruleGroupName\": \"PHP\",\r\n \"description\": \"PHP attacks\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"933100\",\r\n \"description\": \"PHP Injection Attack: Opening/Closing Tag Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933110\",\r\n \"description\": \"PHP Injection Attack: PHP Script File Upload Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933111\",\r\n \"description\": \"PHP Injection Attack: PHP Script File Upload Found\",\r\n \"defaultAction\": 
\"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933131\",\r\n \"description\": \"PHP Injection Attack: Variables Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933140\",\r\n \"description\": \"PHP Injection Attack: I/O Stream Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933160\",\r\n \"description\": \"PHP Injection Attack: High-Risk PHP Function Call Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933161\",\r\n \"description\": \"PHP Injection Attack: Low-Value PHP Function Call Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933170\",\r\n \"description\": \"PHP Injection Attack: Serialized Object Injection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933180\",\r\n \"description\": \"PHP Injection Attack: Variable Function Call Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933190\",\r\n \"description\": \"PHP Injection Attack: PHP Closing Tag Found\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933200\",\r\n \"description\": \"PHP Injection Attack: Abusing of PHP wrappers could lead to RCE\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"933210\",\r\n \"description\": \"PHP Injection Attack: Variable Function Call Found (bypass 933180)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n },\r\n {\r\n \"ruleGroupName\": \"XSS\",\r\n \"description\": \"Cross-site scripting\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"941100\",\r\n \"description\": \"XSS Attack Detected via libinjection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": 
\"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941101\",\r\n \"description\": \"XSS Attack Detected via libinjection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941110\",\r\n \"description\": \"XSS Filter - Category 1: Script Tag Vector\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941120\",\r\n \"description\": \"XSS Filter - Category 2: Event Handler Vector\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941130\",\r\n \"description\": \"XSS Filter - Category 3: Attribute Vector\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941140\",\r\n \"description\": \"XSS Filter - Category 4: Javascript URI Vector\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941150\",\r\n \"description\": \"XSS Filter - Category 5: Disallowed HTML Attributes\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941160\",\r\n \"description\": \"NoScript XSS InjectionChecker: HTML Injection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941170\",\r\n \"description\": \"NoScript XSS InjectionChecker: Attribute Injection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941180\",\r\n \"description\": \"Node-Validator Blacklist Keywords\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941190\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941200\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": 
\"941210\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941220\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941230\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941240\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941250\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941260\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941270\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941280\",\r\n \"description\": \"IE XSS Filters - Attack Detected\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941290\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941300\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941310\",\r\n \"description\": \"US-ASCII Malformed Encoding XSS Filter - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941320\",\r\n \"description\": \"Possible XSS Attack Detected - HTML Tag Handler\",\r\n \"defaultAction\": 
\"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941330\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941340\",\r\n \"description\": \"IE XSS Filters - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941350\",\r\n \"description\": \"UTF-7 Encoding IE XSS - Attack Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"941360\",\r\n \"description\": \"JSFuck / Hieroglyphy obfuscation detected\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n },\r\n {\r\n \"ruleGroupName\": \"SQLI\",\r\n \"description\": \"SQL injection\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"942100\",\r\n \"description\": \"SQL Injection Attack Detected via libinjection\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942110\",\r\n \"description\": \"SQL Injection Attack: Common Injection Testing Detected\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942120\",\r\n \"description\": \"SQL Injection Attack: SQL Operator Detected\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942140\",\r\n \"description\": \"SQL Injection Attack: Common DB Names Detected\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942160\",\r\n \"description\": \"Detects blind sqli tests using sleep() or benchmark().\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942170\",\r\n \"description\": \"Detects SQL benchmark and sleep injection attempts including conditional queries\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n 
{\r\n \"ruleId\": \"942180\",\r\n \"description\": \"Detects basic SQL authentication bypass attempts 1/3\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942190\",\r\n \"description\": \"Detects MSSQL code execution and information gathering attempts\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942200\",\r\n \"description\": \"Detects MySQL comment-/space-obfuscated injections and backtick termination\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942210\",\r\n \"description\": \"Detects chained SQL injection attempts 1/2\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942220\",\r\n \"description\": \"Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the \\\"magic number\\\" crash\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942230\",\r\n \"description\": \"Detects conditional SQL injection attempts\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942240\",\r\n \"description\": \"Detects MySQL charset switch and MSSQL DoS attempts\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942250\",\r\n \"description\": \"Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942251\",\r\n \"description\": \"Detects HAVING injections\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942260\",\r\n \"description\": \"Detects basic SQL authentication bypass attempts 2/3\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942270\",\r\n 
\"description\": \"Looking for basic sql injection. Common attack string for mysql, oracle and others.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942280\",\r\n \"description\": \"Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942290\",\r\n \"description\": \"Finds basic MongoDB SQL injection attempts\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942300\",\r\n \"description\": \"Detects MySQL comments, conditions and ch(a)r injections\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942310\",\r\n \"description\": \"Detects chained SQL injection attempts 2/2\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942320\",\r\n \"description\": \"Detects MySQL and PostgreSQL stored procedure/function injections\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942330\",\r\n \"description\": \"Detects classic SQL injection probings 1/3\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942340\",\r\n \"description\": \"Detects basic SQL authentication bypass attempts 3/3\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942350\",\r\n \"description\": \"Detects MySQL UDF injection and other data/structure manipulation attempts\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942360\",\r\n \"description\": \"Detects concatenated basic SQL injection and SQLLFI attempts\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942361\",\r\n \"description\": \"Detects basic 
SQL injection based on keyword alter or union\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942370\",\r\n \"description\": \"Detects classic SQL injection probings 2/3\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942380\",\r\n \"description\": \"SQL Injection Attack\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942390\",\r\n \"description\": \"SQL Injection Attack\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942400\",\r\n \"description\": \"SQL Injection Attack\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942410\",\r\n \"description\": \"SQL Injection Attack\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942430\",\r\n \"description\": \"Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942431\",\r\n \"description\": \"Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942432\",\r\n \"description\": \"Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942440\",\r\n \"description\": \"SQL Comment Sequence Detected.\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942450\",\r\n \"description\": \"SQL Hex Encoding Identified\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942470\",\r\n \"description\": \"SQL Injection 
Attack\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942480\",\r\n \"description\": \"SQL Injection Attack\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"942490\",\r\n \"description\": \"Detects classic SQL injection probings 3/3\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n },\r\n {\r\n \"ruleGroupName\": \"FIX\",\r\n \"description\": \"Session Fixation attacks\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"943100\",\r\n \"description\": \"Possible Session Fixation Attack: Setting Cookie Values in HTML\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n },\r\n {\r\n \"ruleGroupName\": \"JAVA\",\r\n \"description\": \"Java attacks\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"944100\",\r\n \"description\": \"Java: possible payload execution\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"944110\",\r\n \"description\": \"Java: possible payload execution\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"944120\",\r\n \"description\": \"Java: possible payload execution\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"944200\",\r\n \"description\": \"Java: deserialization that could lead to payload execution\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"944210\",\r\n \"description\": \"Java: base64 attack that could lead to payload execution\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"944240\",\r\n \"description\": \"Java: possible payload execution\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"944250\",\r\n \"description\": \"Java: possible payload execution\",\r\n 
\"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n },\r\n {\r\n \"ruleId\": \"944300\",\r\n \"description\": \"Java: base64 attack that could lead to payload execution\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n },\r\n {\r\n \"name\": \"BotProtection_preview-0.1\",\r\n \"id\": \"/subscriptions/47f4bc68-6fe4-43a2-be8b-dfd0e290efa2/providers/Microsoft.Network/frontdoorwebapplicationfirewallmanagedrulesets/BotProtection_preview-0.1\",\r\n \"type\": \"Microsoft.Network/frontdoorwebapplicationfirewallmanagedrulesets\",\r\n \"properties\": {\r\n \"provisioningState\": \"Succeeded\",\r\n \"ruleSetId\": \"e44514af-018d-49e9-8070-c9edac0f3a0d\",\r\n \"ruleSetType\": \"BotProtection\",\r\n \"ruleSetVersion\": \"preview-0.1\",\r\n \"ruleGroups\": [\r\n {\r\n \"ruleGroupName\": \"KnownBadBots\",\r\n \"description\": \"\",\r\n \"rules\": [\r\n {\r\n \"ruleId\": \"Bot00001\",\r\n \"description\": \"Malicious Bots\",\r\n \"defaultAction\": \"Block\",\r\n \"defaultState\": \"Enabled\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n }\r\n ]\r\n}", + "StatusCode": 200 + } + ], + "Names": {}, + "Variables": { + "SubscriptionId": "47f4bc68-6fe4-43a2-be8b-dfd0e290efa2" + } +} \ No newline at end of file From 6cfaf10d6a5656d034cc2bc4287370eb33ffe684 Mon Sep 17 00:00:00 2001 From: Diego Gavinowich Date: Wed, 5 Feb 2020 19:00:08 -0800 Subject: [PATCH 3/5] Update help --- src/FrontDoor/FrontDoor/help/Az.FrontDoor.md | 3 + ...-AzFrontDoorWafManagedRuleSetDefinition.md | 72 +++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 src/FrontDoor/FrontDoor/help/Get-AzFrontDoorWafManagedRuleSetDefinition.md diff --git a/src/FrontDoor/FrontDoor/help/Az.FrontDoor.md b/src/FrontDoor/FrontDoor/help/Az.FrontDoor.md index 0f92c82c347a..b8b175d74160 100644 --- a/src/FrontDoor/FrontDoor/help/Az.FrontDoor.md +++ b/src/FrontDoor/FrontDoor/help/Az.FrontDoor.md 
@@ -23,6 +23,9 @@ Get Front Door load balancer ### [Get-AzFrontDoorFrontendEndpoint](Get-AzFrontDoorFrontendEndpoint.md) Get a front door frontend endpoint. +### [Get-AzFrontDoorWafManagedRuleSetDefinition](Get-AzFrontDoorWafManagedRuleSetDefinition.md) +Get WAF managed rule set definitions + ### [Get-AzFrontDoorWafPolicy](Get-AzFrontDoorWafPolicy.md) Get WAF policy diff --git a/src/FrontDoor/FrontDoor/help/Get-AzFrontDoorWafManagedRuleSetDefinition.md b/src/FrontDoor/FrontDoor/help/Get-AzFrontDoorWafManagedRuleSetDefinition.md new file mode 100644 index 000000000000..1479b5ae6dca --- /dev/null +++ b/src/FrontDoor/FrontDoor/help/Get-AzFrontDoorWafManagedRuleSetDefinition.md 
@@ -0,0 +1,72 @@
+---
+external help file: Microsoft.Azure.PowerShell.Cmdlets.FrontDoor.dll-Help.xml
+Module Name: Az.FrontDoor
+online version: https://docs.microsoft.com/en-us/powershell/module/az.frontdoor/get-azfrontdoorwafmanagedrulesetdefinition
+schema: 2.0.0
+---
+
+# Get-AzFrontDoorWafManagedRuleSetDefinition
+
+## SYNOPSIS
+Get WAF managed rule set definitions
+
+## SYNTAX
+
+```
+Get-AzFrontDoorWafManagedRuleSetDefinition [-DefaultProfile ] []
+```
+
+## DESCRIPTION
+Gets the list of WAF managed rule set definitions to use as reference
+
+## EXAMPLES
+
+### Example 1
+```powershell
+PS C:> Get-AzFrontDoorWafManagedRuleSetDefinition
+
+ProvisioningState RuleSetType RuleSetVersion RuleGroups
+----------------- ----------- -------------- ----------
+Succeeded DefaultRuleSet 1.0 {PROTOCOL-ATTACK, LFI, RFI, RCE...}
+Succeeded Microsoft_BotManagerRuleSet 1.0 {BadBots, GoodBots, UnknownBots}
+Succeeded DefaultRuleSet preview-0.1 {LFI, RFI, RCE, PHP...}
+Succeeded BotProtection preview-0.1 {KnownBadBots}
+```
+
+{{ Add example description here }}
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Parameter Sets: (All)
+Aliases: AzContext, AzureRmContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+ +## INPUTS + +### None + +## OUTPUTS + +### Microsoft.Azure.Commands.FrontDoor.Models.PSManagedRuleSetDefinition + +## NOTES + +## RELATED LINKS + +[New-AzFrontDoorWafManagedRuleObject](./New-AzFrontDoorWafManagedRuleObject.md) +[New-AzFrontDoorWafManagedRuleOverrideObject](./New-AzFrontDoorWafManagedRuleOverrideObject.md) +[New-AzFrontDoorWafRuleGroupOverrideObject](./New-AzFrontDoorWafRuleGroupOverrideObject.md) From 1daa987ff49463dce385a1b75f64e0c6e9855318 Mon Sep 17 00:00:00 2001 From: Diego Gavinowich Date: Thu, 6 Feb 2020 11:53:31 -0800 Subject: [PATCH 4/5] Update changelog --- .../ScenarioTests/WebApplicationFireWallPolicyTests.ps1 | 2 +- src/FrontDoor/FrontDoor/ChangeLog.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/FrontDoor/FrontDoor.Test/ScenarioTests/WebApplicationFireWallPolicyTests.ps1 b/src/FrontDoor/FrontDoor.Test/ScenarioTests/WebApplicationFireWallPolicyTests.ps1 index 9b4d28ddb30e..b03a39332570 100644 --- a/src/FrontDoor/FrontDoor.Test/ScenarioTests/WebApplicationFireWallPolicyTests.ps1 +++ b/src/FrontDoor/FrontDoor.Test/ScenarioTests/WebApplicationFireWallPolicyTests.ps1 @@ -122,7 +122,7 @@ WAF managed rule set definitions retrieval #> function Test-ManagedRuleSetDefinition { - $definitions = Get-AzFrontDoorWafManagedRuleSetDefinition | sort -Property RuleSetType,RuleSetVersion + $definitions = Get-AzFrontDoorWafManagedRuleSetDefinition Assert-AreEqual $definitions.Count 4 Assert-AreEqual $definitions[0].RuleSetType "BotProtection" Assert-AreEqual $definitions[0].RuleSetVersion "preview-0.1" diff --git a/src/FrontDoor/FrontDoor/ChangeLog.md b/src/FrontDoor/FrontDoor/ChangeLog.md index 9e1cf94798e8..45a75fdc936c 100644 --- a/src/FrontDoor/FrontDoor/ChangeLog.md +++ b/src/FrontDoor/FrontDoor/ChangeLog.md 
@@ -18,6 +18,7 @@ - Additional information about change #1 --> ## Upcoming Release +* Add cmdlet to get managed rule definitions that can be used in WAF ## Version 1.3.0 * Update references in .psd1 to use relative path From 0080ad8264f86b14d446f4e9ee52acad1039b611 Mon Sep 17 00:00:00 2001 From: Diego Gavinowich Date: Thu, 6 Feb 2020 12:26:13 -0800 Subject: [PATCH 5/5] Fix test --- .../WebApplicationFireWallPolicyTests.ps1 | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/FrontDoor/FrontDoor.Test/ScenarioTests/WebApplicationFireWallPolicyTests.ps1 b/src/FrontDoor/FrontDoor.Test/ScenarioTests/WebApplicationFireWallPolicyTests.ps1 index b03a39332570..ffca7a6aaf4d 100644 --- a/src/FrontDoor/FrontDoor.Test/ScenarioTests/WebApplicationFireWallPolicyTests.ps1 +++ b/src/FrontDoor/FrontDoor.Test/ScenarioTests/WebApplicationFireWallPolicyTests.ps1 
@@ -124,19 +124,19 @@ function Test-ManagedRuleSetDefinition { $definitions = Get-AzFrontDoorWafManagedRuleSetDefinition Assert-AreEqual $definitions.Count 4 - Assert-AreEqual $definitions[0].RuleSetType "BotProtection" - Assert-AreEqual $definitions[0].RuleSetVersion "preview-0.1" - Assert-AreEqual $definitions[0].RuleGroups.Count 1 + Assert-AreEqual $definitions[0].RuleSetType "DefaultRuleSet" + Assert-AreEqual $definitions[0].RuleSetVersion "1.0" + Assert-AreEqual $definitions[0].RuleGroups.Count 9 - Assert-AreEqual $definitions[1].RuleSetType "DefaultRuleSet" + Assert-AreEqual $definitions[1].RuleSetType "Microsoft_BotManagerRuleSet" Assert-AreEqual $definitions[1].RuleSetVersion "1.0" - Assert-AreEqual $definitions[1].RuleGroups.Count 9 + Assert-AreEqual $definitions[1].RuleGroups.Count 3 Assert-AreEqual $definitions[2].RuleSetType "DefaultRuleSet" Assert-AreEqual $definitions[2].RuleSetVersion "preview-0.1" Assert-AreEqual $definitions[2].RuleGroups.Count 8 - Assert-AreEqual $definitions[3].RuleSetType "Microsoft_BotManagerRuleSet" - Assert-AreEqual $definitions[3].RuleSetVersion "1.0" - Assert-AreEqual $definitions[3].RuleGroups.Count 3 + Assert-AreEqual $definitions[3].RuleSetType "BotProtection" + Assert-AreEqual $definitions[3].RuleSetVersion "preview-0.1" + Assert-AreEqual $definitions[3].RuleGroups.Count 1 }
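Review bot: The assertions in Test-ManagedRuleSetDefinition read `$definitions[0]` through `$definitions[3]` by position, so the test passes only while the recorded response lists the four rule sets in exactly this order; the `sort -Property RuleSetType,RuleSetVersion` that made the order deterministic was removed by the `@@ -122,7 +122,7 @@` hunk of the previous patch in this series. Selecting each entry by its key would keep the test independent of response order, for example `$crs = $definitions | Where-Object { $_.RuleSetType -eq "DefaultRuleSet" -and $_.RuleSetVersion -eq "1.0" }` followed by `Assert-AreEqual $crs.RuleGroups.Count 9`. The checks also stop at group counts; asserting one known rule's `defaultAction` and `defaultState` from the recording would confirm that the fields a WAF operator relies on survive the model conversion. The function's signature is above the hunk, so only its body is visible here.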