Azure Network Security Blog
DRS 2.1 for Azure FrontDoor WAF General Availability

tobiotolorin
Microsoft
Dec 09, 2022

The Default Rule Set 2.1 (DRS 2.1) on Azure's global Web Application Firewall (WAF) with updated rules against new attack signatures is now available to Web Application Firewall customers. This ruleset is available on the Azure Front Door Premium tier.

DRS 2.1 is baselined on the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.2 and includes the Microsoft Threat Intelligence (MSTIC) rules, which are written in partnership with the Microsoft Intelligence team.

As with the previous DRS 2.0, the MSTIC team analyzes Common Vulnerabilities and Exposures (CVEs) and adapts the CRS ruleset to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction. Azure Front Door WAF with DRS 2.1 also uses anomaly scoring mode, so rule matches are not evaluated independently: a request is judged on the cumulative score of all the rules it matches rather than on any single match.

There are 17 rule groups in DRS 2.1, each containing multiple rules that can be customized at the rule group and rule set levels.

DRS is enabled by default in Detection mode in WAF policies. You can disable or enable individual rules within the default rule set and set specific actions per rule. However, some rules are disabled upon deployment: these rules have been improved upon by the Microsoft Threat Intelligence team and replaced with MSTIC signatures (identified by their 8-digit IDs).

You can also enable the following rules to detect and protect against the SpringShell vulnerability (the rule list appears as an image in the original post).

For additional information on the disabled rules and signature replacement, see Disabled rules table.

Improvements in WAF with Default Rule Set 2.1

  • Baselined on the latest CRS version, 3.3.2
  • A set of vulnerabilities addressed in the new DRS prevents partial ruleset bypass, an occurrence where a payload disables a rule set and allows an attacker to transmit a payload as part of a request body without detection by the Web Application Firewall. Another ruleset bypass addressed in DRS 2.1 is the WAF bypass using path info, as seen in CVE-2021-35368
  • Detection of more vulnerability scanners and crawlers/bots than the previous DRS 2.0
  • Improved cross-site scripting (XSS) and SQL injection attack detection
  • Reduced false positives for injection-based rules
  • Protection against common web shell exploitation and additional CVEs
  • Compatibility with more content types

These updates are not available in the WAF for Azure Front Door classic and standard tiers. Consider migrating to Premium Tier to take advantage of these security improvements.

Resources:

  • WayneIRE
    Copper Contributor

    Hi tobiotolorin

    For those of us who have existing WAF policies using DRS 2.0 and want to upgrade to 2.1, will doing so require having to reapply any exclusions and overrides we had for DRS 2.0? I'm guessing from the warning in Azure Portal ("Removing a rule set will also remove the exclusions and overrides for that rule set.") and a bit of knowledge of updating an nginx+CRS deployment, "upgrading" to 2.1 will basically be removing and re-adding the policy just with the new version?

    If we do need to reapply the exclusions and overrides, are there any existing scripts available (before I go and cobble together my own) that can export and reimport those (hopefully accounting for the CRS rules that were disabled)? Looking around I haven't seen much from anyone on doing a DRS upgrade (aside from pre 2.0), and nothing in the Azure/Azure-Network-Security GitHub repo either.
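As a general illustration of the upgrade mechanics raised in the comment above, the following added Python example (not from the post, the commenter, or Microsoft) rewrites an exported policy's Microsoft_DefaultRuleSet entry from 2.0 to 2.1, carrying exclusions and overrides across and flagging overrides for rule IDs that no longer exist in the target version (such as the CRS rules replaced by MSTIC signatures). It assumes the ARM field names ruleSetType, ruleSetVersion, exclusions and ruleGroupOverrides; the policy contents and rule IDs are constructed.

```python
import copy
import json

# Constructed sample: the managedRules section of a Front Door WAF policy as
# exported from ARM (field names follow the FrontDoorWebApplicationFirewallPolicies
# schema; rule IDs and the header selector are made up for illustration).
SAMPLE_POLICY = {"properties": {"managedRules": {"managedRuleSets": [{
    "ruleSetType": "Microsoft_DefaultRuleSet",
    "ruleSetVersion": "2.0",
    "exclusions": [{"matchVariable": "RequestHeaderNames",
                    "selectorMatchOperator": "Equals",
                    "selector": "x-constructed-header"}],
    "ruleGroupOverrides": [
        {"ruleGroupName": "SQLI",
         "rules": [{"ruleId": "000001", "enabledState": "Disabled", "action": "Block"},
                   {"ruleId": "000002", "enabledState": "Enabled", "action": "Log"}]},
        {"ruleGroupName": "PHP",
         "rules": [{"ruleId": "000003", "enabledState": "Disabled", "action": "Block"}]},
    ],
}]}}}

# Constructed: rule IDs that exist in the target version. In practice, build this
# set from the published DRS 2.1 rule tables, including the "Disabled rules" table.
TARGET_RULE_IDS = {"000002", "99000001"}

def migrate_rule_set(policy, old_version, new_version, known_rule_ids):
    """Copy the Microsoft_DefaultRuleSet entry at old_version, bump it to
    new_version and carry exclusions and overrides across, dropping overrides
    for rule IDs absent from the target. Returns (new_rule_set, dropped_ids)."""
    rule_sets = policy["properties"]["managedRules"]["managedRuleSets"]
    src = next(rs for rs in rule_sets
               if rs["ruleSetType"] == "Microsoft_DefaultRuleSet"
               and rs["ruleSetVersion"] == old_version)
    dst = copy.deepcopy(src)  # rule-set-level exclusions are version-agnostic
    dst["ruleSetVersion"] = new_version
    dropped = []
    for group in dst.get("ruleGroupOverrides", []):
        rules = group.get("rules", [])
        dropped += [r["ruleId"] for r in rules if r["ruleId"] not in known_rule_ids]
        group["rules"] = [r for r in rules if r["ruleId"] in known_rule_ids]
    # A group override with neither rules nor group-level exclusions is now empty.
    dst["ruleGroupOverrides"] = [g for g in dst.get("ruleGroupOverrides", [])
                                 if g.get("rules") or g.get("exclusions")]
    return dst, dropped

if __name__ == "__main__":
    new_rs, dropped = migrate_rule_set(SAMPLE_POLICY, "2.0", "2.1", TARGET_RULE_IDS)
    print(json.dumps(new_rs, indent=2))
    print("Overrides needing manual review (rule not in 2.1):", dropped)
```

The returned rule set is what you would submit as the 2.1 entry in managedRuleSets after removing the 2.0 one; the dropped IDs are the overrides to re-map by hand against the 2.1 rule tables.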