Log or block requests

An In-App WAF custom rule is a tool you can use to fine-tune the behavior of your app's In-App WAF.

Where a Security Automation Playbook exists to block specific actors (IP addresses or users), a custom rule enables you to log or block specific requests. You can use these rules to track or block any request that matches a pattern you specify, whether that pattern is a specific value in a field, a combination of fields, or the absence of a value in a field.

For example, you can use a custom rule to log all requests to your app that result in a 4XX response, or use it to enforce your internal best practices and block all requests that do not contain an authentication header.

Create a custom rule

  1. From your Sqreen Dashboard, navigate to Configuration > In-App WAF, then click the "Custom rulesets" tab.
  2. Create a new ruleset first, supplying a name and description, then "Add new rule".
  3. Define a name for your rule, then set the following:
    • one or more conditions, each made of a field, an operator, and a value, such as "URL path" "has SQL injection"; when a rule has several conditions, it matches only when all of them hold (AND)
    • an action, either "Log", "Block", or "Do nothing"
  4. Use the Sample Request panel to adjust the payload values of a sample request that tests your newly created rule. Adjust your rule conditions as needed until the sample request returns the message "Rule successfully matched the sample request".
  5. Save the rule.
  6. Review and edit the rules in your ruleset to further fine-tune the way your In-App WAF logs and blocks requests.

Examine the output of the rule

In the "Custom rulesets" tab in the In-App WAF module, the table that displays the list of rules in the set includes a column for "Activity". The value in the column displays the number of times that activity in your app met the conditions of your custom rule. Click the value to drill deeper and examine the security activity details.

You can also examine the output of your rule(s) from the Sqreen Dashboard. Navigate to Security Activity and review the In-App Activity that Sqreen monitored. Any activity that meets the conditions of your custom rule(s) appears in the list of activities with a tag indicating that it matched your rule.

Example custom rules

Monitor an actor's activity

While examining your app's security activity, you notice that a malicious actor directed a security scanner to scan one of your applications. A few hours later, this actor sent XSS attacks that the In-App WAF Protection blocked. Considering this information, you decide to keep a close eye on this actor's activity by logging every request this actor sends to your app, even the ones that do not trigger any Sqreen Protections.

Create an In-App WAF custom rule that logs all requests this actor sends to your app. Note: The value Client IP is only available in Sqreen Microagent for Node.js 1.56.2 and later, and Sqreen Microagent for Python 1.24.0 and later.

Field               Value
Condition Field     Client IP
Condition Operator  equals value
Condition Value     127.0.0.1
Action              Log

Block access to private files

Users of an application can access some files in your system, but other files are private and should only be accessible to the application owner. To prevent an attacker from illegitimately gaining access to them, the application owner wants to block every external IP address from the path that serves the private files.

Create an In-App WAF custom rule that blocks every request to a specific path unless it comes from an internal IP address (in this example, the single address 127.0.0.1). Note: The value Client IP is only available in Sqreen Microagent for Node.js 1.56.2 and later, and Sqreen Microagent for Python 1.24.0 and later.

Field                 Value
Condition 1 Field     Client IP
Condition 1 Operator  does not equal value
Condition 1 Value     127.0.0.1
AND
Condition 2 Field     URI (URL-decoded)
Condition 2 Operator  matches RegEx
Condition 2 Value     /external-facing/*
Action                Block

Note that the value is a regular expression, not a glob: the trailing /* matches zero or more slashes, and because the pattern is not anchored it also matches any URI that merely contains /external-facing. To block the directory and everything under it, use an anchored pattern such as ^/external-facing(/|$), and confirm the behavior with the Sample Request panel before saving the rule.

Log requests that contain PII

Because your company rigorously adheres to and complies with Europe's General Data Protection Regulation (GDPR), you want to make sure your app does not mistakenly store Personally Identifiable Information (PII), such as the email addresses embedded in the requests it processes.

Create an In-App WAF custom rule that logs any request whose parameter values match an email address pattern.

Field               Value
Condition Field     Parameter values
Condition Operator  matches RegEx
Condition Value     ^\S+@(?:[^\s\.]+\.)+\w+$
Action              Log

Because the pattern is anchored with ^ and $, it matches a parameter whose entire value is an email address; an address embedded in a longer free-text value (a comment field, for example) does not match. Drop the anchors if you want to catch those too, at the cost of more matches to review.

Protect a vulnerable application

A recent pentest of your application revealed that it is vulnerable to Cross-Site Request Forgery (CSRF). Your Engineering team is preparing an urgent patch to address the issue, but in the meantime, you want to block attackers from exploiting this vulnerability.

Create an In-App WAF custom rule that blocks POST requests to a specific path when the request carries no Referer header. Note: The operator value does not exist is only available in Sqreen Microagent for Node.js 1.56.2 and later, and Sqreen Microagent for Python 1.24.0 and later.

Field                 Value
Condition 1 Field     URI (URL-decoded)
Condition 1 Operator  matches RegEx
Condition 1 Value     ^/sensitive/path
AND
Condition 2 Field     Method
Condition 2 Operator  equals value
Condition 2 Value     POST
AND
Condition 3 Field     Referer
Condition 3 Operator  does not exist
Condition 3 Value     -
Action                Block

This rule is a stopgap, not a CSRF fix. It tests only for the presence of the Referer header, not whether the header names your own origin, and it also blocks legitimate clients that omit the header (for example under a strict Referrer-Policy or privacy settings). Keep it only until the patch that adds proper CSRF protection ships.
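The rule model described in the procedure above (conditions made of a field, an operator and a value, combined with AND, followed by an action), applied to the four example rules on this page. This is an added example, not Sqreen code and not the microagent's matching logic: the request dictionary shape, the helper names, the operator names as Python strings, and the sample IP addresses and paths are assumptions made for the illustration. Beyond transcribing the tables, it shows two behaviors the tables alone do not: the trailing /* in the private-files pattern matches zero or more slashes and is unanchored, and the PII pattern only matches a parameter whose whole value is an email address.

```python
"""Toy evaluator for In-App WAF custom rules.

Added example, not Sqreen code: it mirrors the field / operator / value
model of the dashboard and is used here to check the four example rules
against constructed sample requests offline. The request shape and the
operator names as Python strings are assumptions of this model.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed request shape: {"Client IP": str, "URI": str, "Method": str,
#                         "headers": {name: value}, "params": {name: [value, ...]}}
Request = Dict[str, object]


@dataclass(frozen=True)
class Condition:
    field: str        # "Client IP", "URI", "Method", "Referer" or "Parameter values"
    operator: str     # "equals value", "does not equal value", "matches RegEx", "does not exist"
    value: str = ""   # unused for "does not exist"


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: Tuple[Condition, ...]   # combined with AND, as in the dashboard
    action: str                         # "Log", "Block" or "Do nothing"


def field_values(request: Request, name: str) -> List[str]:
    """Every value the named field contributes; 'Parameter values' is multi-valued."""
    if name == "Parameter values":
        return [v for values in request.get("params", {}).values() for v in values]
    if name == "Referer":
        # Header names are case-insensitive.
        headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
        return [headers["referer"]] if "referer" in headers else []
    value = request.get(name)
    return [] if value is None else [str(value)]


def condition_matches(cond: Condition, request: Request) -> bool:
    values = field_values(request, cond.field)
    if cond.operator == "does not exist":
        return not values
    if cond.operator == "equals value":
        return any(v == cond.value for v in values)
    if cond.operator == "does not equal value":
        return any(v != cond.value for v in values)
    if cond.operator == "matches RegEx":
        # Unanchored search: a pattern without ^ can match anywhere in the value.
        return any(re.search(cond.value, v) for v in values)
    raise ValueError(f"unknown operator: {cond.operator}")


def evaluate(rules: List[Rule], request: Request) -> List[Tuple[str, str]]:
    """(rule name, action) for every rule whose conditions all hold, in ruleset order."""
    return [(r.name, r.action) for r in rules
            if all(condition_matches(c, request) for c in r.conditions)]


# The four example rules from this page, transcribed as data.
MONITOR_ACTOR = Rule("Monitor an actor's activity",
                     (Condition("Client IP", "equals value", "127.0.0.1"),), "Log")
PRIVATE_FILES = Rule("Block access to private files",
                     (Condition("Client IP", "does not equal value", "127.0.0.1"),
                      Condition("URI", "matches RegEx", r"/external-facing/*")), "Block")
# Same rule with the path pattern anchored: in a regex "/*" means zero or more
# slashes, so the page's pattern also matches any URI that merely contains
# "/external-facing". This variant matches the directory and anything under it.
PRIVATE_FILES_ANCHORED = Rule("Block access to private files (anchored)",
                              (Condition("Client IP", "does not equal value", "127.0.0.1"),
                               Condition("URI", "matches RegEx", r"^/external-facing(?:/|$)")), "Block")
LOG_PII = Rule("Log requests that contain PII",
               (Condition("Parameter values", "matches RegEx", r"^\S+@(?:[^\s\.]+\.)+\w+$"),), "Log")
BLOCK_CSRF = Rule("Protect a vulnerable application",
                  (Condition("URI", "matches RegEx", r"^/sensitive/path"),
                   Condition("Method", "equals value", "POST"),
                   Condition("Referer", "does not exist")), "Block")
RULESET = [MONITOR_ACTOR, PRIVATE_FILES, LOG_PII, BLOCK_CSRF]


def make_request(ip: str, uri: str, method: str = "GET",
                 headers: Optional[Dict[str, str]] = None,
                 params: Optional[Dict[str, List[str]]] = None) -> Request:
    """Build a constructed sample request (not captured traffic)."""
    return {"Client IP": ip, "URI": uri, "Method": method,
            "headers": headers or {}, "params": params or {}}


if __name__ == "__main__":
    samples = {
        "localhost probe": make_request("127.0.0.1", "/login"),
        "external read of private file": make_request("203.0.113.7", "/external-facing/keys.txt"),
        "signup with email": make_request("198.51.100.2", "/signup", "POST",
                                          params={"email": ["alice@example.com"]}),
        "POST without Referer": make_request("198.51.100.2", "/sensitive/path/transfer", "POST"),
    }
    for label, req in samples.items():
        print(f"{label:32} -> {evaluate(RULESET, req)}")
```

Running the module prints the actions each constructed request triggers. The Sample Request panel in the dashboard remains the authoritative check for a real rule, since the microagent's field names and matching semantics are not guaranteed to match this model.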