The Default Rule Set 2.1 (DRS 2.1) on Azure's global Web Application Firewall (WAF) with updated rules against new attack signatures is now available to Web Application Firewall customers. This ruleset is available on the Azure Front Door Premium tier.
DRS 2.1 is baselined off the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.2 and includes the Microsoft Threat Intelligence (MSTIC) rules, which are written in partnership with the Microsoft Intelligence team.
As with the previous DRS 2.0, the MSTIC team analyzes Common Vulnerabilities and Exposures (CVEs) and adapts the CRS ruleset to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction. Azure Front Door WAF with DRS 2.1 also uses anomaly scoring mode, so rule matches are not evaluated independently: the scores of all rules that match a request are aggregated before an action is taken.
There are 17 rule groups in DRS 2.1, each group containing multiple rules customizable at rule group and rule set levels.
DRS is enabled by default in Detection mode in WAF policies. You can disable or enable individual rules within the default rule set and set specific actions per rule. However, some rules are disabled upon deployment: these rules have been improved upon by the Microsoft Threat Intelligence team and replaced with MSTIC signatures (identified by 8-digit IDs).
You can also enable the following rules to detect and protect against the SpringShell vulnerability:
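To make concrete what it means that rule matches are not evaluated independently under anomaly scoring, and how disabling a rule or giving it its own action feeds into that decision, the following is a small Python model added for this page. It is not Azure's code: the severity weights (Critical 5, Error 4, Warning 3, Notice 2), the block threshold of 5, the rule IDs, the policy shape and the per-rule action names are all assumptions made for the illustration.

```python
"""Toy model of how an anomaly-scoring WAF decides on one request.

Added example, not Azure's own code. Severity weights, the threshold,
rule IDs and action names below are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Assumed severity weights and anomaly threshold.
SEVERITY_WEIGHT = {"Critical": 5, "Error": 4, "Warning": 3, "Notice": 2}
ANOMALY_THRESHOLD = 5  # total score at or above this is treated as malicious


@dataclass
class RuleMatch:
    rule_id: str   # constructed IDs below; a real policy uses CRS or 8-digit MSTIC IDs
    severity: str  # key of SEVERITY_WEIGHT


@dataclass
class RuleOverride:
    enabled: bool = True
    action: str = "AnomalyScoring"  # assumed choices: AnomalyScoring, Block, Log, Allow


@dataclass
class WafPolicy:
    mode: str = "Detection"  # Detection only logs; Prevention enforces the decision
    overrides: dict[str, RuleOverride] = field(default_factory=dict)


def _decision(action: str, score: int, matched: list[str]) -> dict:
    return {"action": action, "score": score, "matched": matched}


def evaluate(policy: WafPolicy, matches: list[RuleMatch]) -> dict:
    """Fold every rule that matched the request into one decision."""
    score, matched = 0, []
    for m in matches:
        ov = policy.overrides.get(m.rule_id, RuleOverride())
        if not ov.enabled:
            continue  # disabled rules (e.g. ones replaced by MSTIC signatures) never count
        matched.append(m.rule_id)  # every enabled match is logged regardless of outcome
        if ov.action == "Allow":
            return _decision("Allow", score, matched)  # terminating allow, rest skipped
        if ov.action == "Block":
            # A per-rule Block decides on its own, without waiting for the score.
            action = "Block" if policy.mode == "Prevention" else "Allow"
            return _decision(action, score, matched)
        if ov.action == "Log":
            continue  # recorded but does not add to the score
        score += SEVERITY_WEIGHT[m.severity]
    over_threshold = score >= ANOMALY_THRESHOLD
    action = "Block" if over_threshold and policy.mode == "Prevention" else "Allow"
    return _decision(action, score, matched)


if __name__ == "__main__":
    # Constructed sample: two Warning-level matches on one request.
    policy = WafPolicy(mode="Prevention")
    req = [RuleMatch("RULE_A", "Warning"), RuleMatch("RULE_B", "Warning")]
    print(evaluate(policy, req[:1]))  # one match scores 3: allowed
    print(evaluate(policy, req))      # together they score 6: blocked
```

The two printed decisions show the point of anomaly scoring: a single Warning-level match is below the threshold and passes, while the same request with a second Warning-level match crosses it and is blocked. Switching the policy to Detection mode keeps the logging but never returns Block, and disabling a rule removes it from both the log and the score.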
For additional information on the disabled rules and signature replacement, see Disabled rules table.
Improvements in WAF with Default Rule Set 2.1
- Baselined off the latest CRS 3.3.2 version
- A set of vulnerabilities addressed in the new DRS prevents partial ruleset bypass, where a payload disables a rule set and lets an attacker transmit a payload as part of a request body without detection by the Web Application Firewall. Another ruleset bypass addressed in DRS 2.1 is a WAF bypass using path info, as seen in CVE-2021-35368
- Detection of more vulnerability scanners and crawlers/bots than the previous DRS 2.0
- Improved cross-site scripting (XSS) and SQL injection attack detection
- Reduced false positives for injection-based rules
- Protection against common web shell exploitation and additional CVEs
- Compatibility with more content types
These updates are not available in the WAF for the Azure Front Door Classic and Standard tiers. Consider migrating to the Premium tier to take advantage of these security improvements.
Resources: