【Overview】
When operating AWS WAF with managed rules, false positives can occur unexpectedly. In this blog, we introduce a way to deal with such situations by allowing or blocking requests from a specific IP address through a whitelist or blacklist. We also introduce how to switch the specific rule that triggered the false positive to count mode.
- 1. Creating a new Whitelist
- 2. Adding IP address to the Whitelist applied to the Web ACL
- 3. Creating a new Blacklist
- 4. Adding IP address to the Blacklist applied to the Web ACL
- 5. Changing action to Count Mode
- Summary
※ Count mode is an action that records matching requests without actually allowing or blocking them. It is generally used for rule verification.
【1. Creating a new Whitelist】
1. Select "IP addresses" from the AWS WAF console.
2. Click “Create condition”.
3. Perform the following steps:
・ Name*: Choose an arbitrary name.
※ We recommend a name that can be identified as a whitelist condition.
・ IP Version*: Select IPv4.
・ Address*: Add the IP address (CIDR notation) you want to add to the Whitelist.
※ For a single IP address, please specify "/32" after the IP address.
・ Click “Add IP address or range”.
4. Make sure that the IP address you added earlier is listed in "IP address of the request to filter on", and then click “Create”.
5. Next, select "Rules" from the AWS WAF console.
6. Click “Create rule”.
7. Perform the following steps:
・ Name*: Choose an arbitrary name.
※ We recommend a name that can be identified as a whitelist rule.
・ Rule type*: Select "Regular rule".
8. Under "When a request", select "does" / "originate from an IP address in".
9. Select the condition you created earlier.
10. Make sure that the contents of the condition are reflected.
11. Click “Create”.
12. Select “Web ACLs” from the AWS WAF console.
13. Click the target Web ACL.
14. Select the “Rules” tab.
15. Click “Edit web ACL”.
16. Select the rule you created earlier.
17. Select "Allow" for action for the added rule.
18. Change the order of the added rule to 1.
19. Click “Update”.
20. Once the created rule is applied and the order is displayed as 1, the process is complete.
【2. Adding IP address to the Whitelist applied to the Web ACL】
1. Click the target Web ACL.
2. Select the “Rules” tab.
3. Click the target rule name.
4. Click the condition name on the page opened in the new tab.
5. Click “Add IP addresses or ranges”.
6. Enter the IP address (CIDR notation) you want to add, and click "Add IP address or range".
7. Confirm "IP address of the request to filter on", and click "Add".
8. Once you confirm the IP address is added, the process is complete.
【3. Creating a new Blacklist】
1. Select "IP addresses" from the AWS WAF console.
2. Click “Create condition”.
3. Perform the following steps:
・ Name*: Choose an arbitrary name.
※ We recommend a name that can be identified as a blacklist condition.
・ IP Version*: Select IPv4.
・ Address*: Add the IP address (CIDR notation) you want to add to the Blacklist.
※ For a single IP address, please specify "/32" after the IP address.
・ Click “Add IP address or range”.
4. Make sure that the IP address you added earlier is listed in "IP address of the request to filter on", and then click “Create”.
5. Next, select "Rules" from the AWS WAF console.
6. Click “Create rule”.
7. Perform the following steps:
・ Name*: Choose an arbitrary name.
※ We recommend a name that can be identified as a blacklist rule.
・ Rule type*: Select "Regular rule".
8. Under "When a request", select "does" / "originate from an IP address in".
9. Select the condition you created earlier.
10. Make sure that the contents of the condition are reflected.
11. Click “Create”.
12. Select “Web ACLs” from the AWS WAF console.
13. Click the target Web ACL.
14. Select the “Rules” tab.
15. Click “Edit web ACL”.
16. Select the rule you created earlier.
17. Select "Block" for action for the added rule.
18. Set the priority to any position.
19. Click “Update”.
20. Once the created rule is applied and the order is displayed in the specified position, the process is complete.
【4. Adding IP address to the Blacklist applied to the Web ACL】
1. Click the target Web ACL.
2. Select the “Rules” tab.
3. Click the target rule name.
4. Click the condition name on the page opened in the new tab.
5. Click “Add IP addresses or ranges”.
6. Enter the IP address (CIDR notation) you want to add, and click "Add IP address or range".
7. Confirm "IP address of the request to filter on", and click "Add".
8. Once you confirm the IP address is added, the process is complete.
【5. Changing action to Count Mode】
1. Click the target Web ACL.
2. Select the “Rules” tab.
3. Click “Edit web ACL”.
4. Change the action of the target rule to "Count", and click "Update".
5. Once you confirm that the action is switched to "Count" mode, the process is complete.
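The following is an added example, not code from the original post, that models what sections 1 to 5 set up in the console: it normalises IP-set entries the way the "/32" note describes, builds the Updates list of a WAF Classic UpdateIPSet request, and walks rules in priority order so you can see why the whitelist goes at order 1 and why a COUNT rule does not stop evaluation. The rule names, the IP addresses and the "managed-sqli" stand-in for a managed rule are constructed placeholders.

```python
import ipaddress

def normalize_cidr(value, version=4):
    """Turn an entry typed into the console into the CIDR the IP set stores:
    a bare host such as 192.0.2.10 becomes 192.0.2.10/32 (the "/32" note above).
    Raises ValueError for malformed input or an IPv6 entry in an IPv4 condition."""
    net = ipaddress.ip_network(value, strict=False)
    if net.version != version:
        raise ValueError(f"{value!r} is not IPv{version}")
    return str(net)

def ip_set_updates(entries, action="INSERT", version=4):
    """Build the Updates list of a WAF Classic UpdateIPSet request for `entries`."""
    return [{"Action": action,
             "IPSetDescriptor": {"Type": f"IPV{version}", "Value": normalize_cidr(e, version)}}
            for e in entries]

def ip_set_rule(name, priority, action, entries):
    """A rule that matches when the client IP is in one of `entries` (constructed model)."""
    nets = [ipaddress.ip_network(normalize_cidr(e)) for e in entries]
    return {"Name": name, "Priority": priority, "Action": action,
            "Match": lambda req: any(ipaddress.ip_address(req["ip"]) in n for n in nets)}

def evaluate(rules, request, default_action="ALLOW"):
    """Walk the rules in priority order the way a Web ACL does: the first ALLOW or
    BLOCK match terminates; COUNT only records the match and evaluation continues."""
    counted = []
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if rule["Match"](request):
            if rule["Action"] == "COUNT":
                counted.append(rule["Name"])
                continue
            return rule["Action"], counted
    return default_action, counted

# Constructed stand-in for a managed rule that false-positives on a harmless URI.
SQLI_STANDIN = {"Name": "managed-sqli", "Priority": 10, "Action": "BLOCK",
                "Match": lambda req: "select" in req["uri"].lower()}
WHITELIST = ip_set_rule("whitelist-rule", 1, "ALLOW", ["192.0.2.10"])  # order 1
BLACKLIST = ip_set_rule("blacklist-rule", 5, "BLOCK", ["198.51.100.0/24"])

def demo():
    """Outcomes for a constructed false-positive request and a blacklisted client."""
    fp = {"ip": "192.0.2.10", "uri": "/plans/select-a-plan"}
    bad = {"ip": "198.51.100.7", "uri": "/"}
    return {"without_whitelist": evaluate([SQLI_STANDIN, BLACKLIST], fp),
            "with_whitelist": evaluate([WHITELIST, SQLI_STANDIN, BLACKLIST], fp),
            "blacklisted": evaluate([WHITELIST, SQLI_STANDIN, BLACKLIST], bad),
            "count_mode": evaluate([{**SQLI_STANDIN, "Action": "COUNT"}, BLACKLIST], fp)}
```

Run `demo()` to see the whitelisted request allowed at order 1, the blacklisted client blocked, and the count-mode rule recorded in the second element of the result without blocking.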
【Summary】
This time we introduced methods to tackle false positives, as well as how to respond when under attack from a specific IP address. When you look at the sampled requests, you will often find requests that may be false positives or attacks; the methods above let you respond to both on a temporary basis.