Forum Discussion
Azure WAF - Resources for understanding policies
Hello Jeffrey, here are some resources that provide excellent guidance on how to understand WAF actions and logs for both Azure Application Gateway and Azure Front Door. The OWASP signature IDs use a set of regex pattern matching. For a particular rule ID, you can look through the glossary and see what parameter combination the regex is looking for. For example, SQLi rule 942120 looks for a combination of is+not in a string. This regex looks for it, as you can see in line 538 here:
SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\b(?:r(?:egexp|like)|isnull|xor)\b|<(?:>(?:\s+binary)?|=>?|<)|r(?:egexp|like)\s+binary|not\s+between\s+0\s+and|(?:like|is)\s+null|>[=>]|\|\||!=|&&))" \
By enabling Diagnostic settings on the Application Gateway and Front Door resources, we're able to send WAF-specific logs to a Log Analytics workspace, which allows you to consume them and identify why certain requests have been blocked due to the specific regex patterns identified.
OWASP:
owasp-modsecurity-crs/rules at v3.1/dev · SpiderLabs/owasp-modsecurity-crs (github.com)
Application Gateway:
CRS rule groups and rules - Azure Web Application Firewall | Microsoft Docs
Monitoring metrics for Azure Application Gateway Web Application Firewall metrics | Microsoft Docs
Troubleshoot - Azure Web Application Firewall | Microsoft Docs
Front Door:
Azure Web Application Firewall on Azure Front Door DRS rule groups and rules | Microsoft Docs
Azure Web Application Firewall monitoring and logging | Microsoft Docs
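As an added worked example (not from the post above, nor code from Microsoft or the CRS project), the 942120 pattern quoted in the post compiled in Python and run over a few constructed argument values, followed by a small triage pass over constructed records shaped like the firewall log entries a Log Analytics workspace receives. The log field names (action, ruleId, requestUri, clientIp, details.data) and the action value "Blocked" are assumptions based on the Application Gateway firewall log schema; every sample value is made up.

```python
import re
from collections import Counter

# Regex from CRS rule 942120 as quoted in the post. In the SecRule the `\"` is
# an escape for the rule file's double-quoted string; the pattern itself just
# contains a plain `"` inside the character class.
RULE_942120 = re.compile(
    r'(?i:(?:(?:^|\W)in[+\s]*\([\s\d"]+[^()]*\)'
    r'|\b(?:r(?:egexp|like)|isnull|xor)\b'
    r'|<(?:>(?:\s+binary)?|=>?|<)'
    r'|r(?:egexp|like)\s+binary'
    r'|not\s+between\s+0\s+and'
    r'|(?:like|is)\s+null'
    r'|>[=>]|\|\||!=|&&))'
)


def rule_942120_hits(args):
    """Return the names of query/form arguments the rule would flag.

    The rule's targets are ARGS_NAMES|ARGS|XML:/*, so both the argument
    name and its value are tested; the XML target is not modelled here.
    """
    hits = []
    for name, value in args.items():
        if RULE_942120.search(name) or RULE_942120.search(str(value)):
            hits.append(name)
    return hits


# Constructed records shaped like ApplicationGatewayFirewallLog entries after
# diagnostic settings forward them to Log Analytics. Field names are an
# assumption based on the published schema; every value is made up.
SAMPLE_WAF_LOGS = [
    {"action": "Blocked", "ruleId": "942120", "requestUri": "/search?q=x",
     "clientIp": "203.0.113.10",
     "details": {"data": "Matched Data: is null found within ARGS:q: x is null"}},
    {"action": "Blocked", "ruleId": "942120", "requestUri": "/login",
     "clientIp": "203.0.113.11",
     "details": {"data": "Matched Data: || found within ARGS:user: a || b"}},
    {"action": "Matched", "ruleId": "941100", "requestUri": "/comment",
     "clientIp": "198.51.100.7",
     "details": {"data": "XSS Attack Detected via libinjection"}},
    {"action": "Blocked", "ruleId": "941100", "requestUri": "/comment",
     "clientIp": "198.51.100.7",
     "details": {"data": "XSS Attack Detected via libinjection"}},
]


def blocked_by_rule(records):
    """Count blocked requests per rule ID: the first cut when deciding whether
    a rule needs a scoped exclusion or the traffic is genuinely hostile."""
    return dict(Counter(r["ruleId"] for r in records if r.get("action") == "Blocked"))


def matched_argument(record):
    """Pull the ARGS name out of the 'Matched Data' text so an exclusion can
    be scoped to that one argument rather than disabling the whole rule."""
    m = re.search(r"found within ARGS:([^:\s]+)", record["details"]["data"])
    return m.group(1) if m else None


if __name__ == "__main__":
    print(rule_942120_hits({"q": "x is null", "page": "2"}))
    print(blocked_by_rule(SAMPLE_WAF_LOGS))
    print([matched_argument(r) for r in SAMPLE_WAF_LOGS])
```

Running the rule locally against the exact parameter value shown in the log's "Matched Data" text is the quickest way to confirm which alternative of the regex fired before deciding on a per-argument exclusion.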