WAF commands

WAF:enable()

Enables the current session's WAF scan function.

Syntax

WAF:enable();

Arguments: N/A

Example

when WAF_REQUEST_ATTACK_DETECTED {
    local s = WAF:status()
    debug("test WAF_REQUEST_ATTACK_DETECTED, status %s\n", s)
    WAF:enable()
}

WAF:disable()

Disables the current session's WAF scan function.

Syntax

WAF:disable();

Arguments: N/A

Example

when WAF_REQUEST_ATTACK_DETECTED {
    local s = WAF:status()
    debug("test WAF_REQUEST_ATTACK_DETECTED, status %s\n", s)
    WAF:disable()
}

WAF:status()

Returns a string giving the current status of WAF detection for the session, either "enable" or "disable".

Syntax

WAF:status();

Arguments: N/A

Example

when WAF_REQUEST_ATTACK_DETECTED {
    local s = WAF:status()
    debug("test WAF_REQUEST_ATTACK_DETECTED, status %s\n", s)
    WAF:disable()
}

WAF:action()

Returns the current session's WAF action. This can only be called in an ATTACK_DETECTED event.

The return value is one of the following strings:

  • "pass"

  • "deny"

  • "block"

  • "redirect"

  • "captcha"

Syntax

WAF:action();

Arguments: N/A

Example

when WAF_REQUEST_ATTACK_DETECTED {
    local s = WAF:action()
    debug("test WAF_REQUEST_ATTACK_DETECTED, action %s\n", s)
    WAF:override_action("deny", 501);
}

WAF:override_action(string)

Overrides the action detected in the current WAF stage with the specified action.

Syntax

WAF:override_action(string);

Arguments

The first argument is the action string. Some actions take a second argument:

deny
    Requires a second argument specifying the deny code. The deny code should be an integer from the following: 200, 202, 204, 205, 400, 403, 404, 405, 406, 408, 410, 500, 501, 502, 503, 504.
    Note: If the deny code is not specified or is not a valid integer, it defaults to 403.

pass
    Allows the request that the WAF stage detected to pass.

captcha
    Requires the client to successfully complete the CAPTCHA challenge.

block
    Requires a second argument specifying the period of the block as an integer (Range: 1-2147483647, default = 3600).
    Note: If the period is not specified, it defaults to 3600.

redirect
    Requires a second argument specifying the redirect URL as a valid string. The redirect URL must be specified, otherwise this function fails.

The return value is a bool: false when the function fails, true otherwise.

Example

when WAF_REQUEST_ATTACK_DETECTED {
    local s = WAF:action()
    debug("test WAF_REQUEST_ATTACK_DETECTED, action %s\n", s)
    WAF:override_action("deny", 501);
}

WAF:violations()

Returns a table that includes all the violations detected by the current WAF stage as string values.

The table fields include the following:

severity
    One of "low", "medium", or "high".

information
    The information that the WAF module defined when the specific attack was detected.

signature
    An integer ID that the WAF module defines for each distinct attack.

action
    The action defined for the violation: "pass", "deny", "block", "redirect", or "captcha".

sub-category
    The WAF sub-category the violation belongs to. The string is one of the following:

  • waf_web_attack_signature

  • waf_http_protocol_const

  • waf_heur_sqlxss_inject_detect

  • waf_url_protect

  • waf_bot_detection

  • waf_xml_check

  • waf_json_check

  • waf_web_scraping

  • waf_cookie_security

  • waf_csrf_protection

  • waf_html_input_validation

  • waf_brute_force

  • waf_data_leak_prevention

  • waf_credential_stuffing

  • waf_openapi_check

  • waf_api_gateway

owasp-top10
    The OWASP Top 10 category the violation is related to.

Syntax

WAF:violations();

Arguments: N/A

Example

when WAF_REQUEST_ATTACK_DETECTED {
    debug("test WAF_REQUEST_ATTACK_DETECTED\n")
    local vl = WAF:violations();
    for k, v in pairs(vl) do
        debug("%d. Violation: signature %d, severity %s, information %s, action %s, sub-category %s, owasp-top10 %s.\n", k, v["signature"], v["severity"], v["information"], v["action"], v["sub-category"], v["owasp-top10"]);
    end
}
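The following handler is an added example, not part of the Fortinet documentation or the product's own scripts. It combines WAF:action(), WAF:violations() and WAF:override_action() into one decision: it reads every violation of the current stage, tracks the worst severity, escalates the action when a high-severity finding appears, and checks the bool that WAF:override_action() returns instead of assuming the override took effect. The sub-category it compares against, the 900-second block period and the 404 deny code are illustrative choices made for this example, not values taken from this page.

```lua
-- Added example; not from the Fortinet documentation.
-- Escalates the session's WAF action based on the violations reported
-- in the current stage. The sub-category tested, the 900-second block
-- period and the 404 deny code are illustrative choices.
when WAF_REQUEST_ATTACK_DETECTED {
    local current = WAF:action()
    local vl = WAF:violations()
    local worst = "low"
    local injection = false

    for k, v in pairs(vl) do
        debug("%d. signature %d, severity %s, sub-category %s, action %s\n",
              k, v["signature"], v["severity"], v["sub-category"], v["action"])
        if v["severity"] == "high" then
            worst = "high"
        elseif v["severity"] == "medium" and worst ~= "high" then
            worst = "medium"
        end
        if v["sub-category"] == "waf_heur_sqlxss_inject_detect" then
            injection = true
        end
    end

    if worst == "high" and injection and current ~= "block" then
        -- High-severity injection finding: block the client IP for 900 seconds.
        if not WAF:override_action("block", 900) then
            debug("override_action(block) failed, action stays %s\n", current)
        end
    elseif worst == "medium" and current == "pass" then
        -- Medium severity that would otherwise pass: deny with 404 instead of
        -- the default 403, and report if the override is rejected.
        if not WAF:override_action("deny", 404) then
            debug("override_action(deny) failed, action stays %s\n", current)
        end
    end

    debug("final WAF action %s (worst severity %s)\n", WAF:action(), worst)
}
```

Checking the return value matters because WAF:override_action() fails silently otherwise; a rejected "redirect" without a URL, for instance, leaves the stage's original action in place.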

WAF:abandon_violation(integer)

Removes the violation with the specified signature ID. The signature ID must be a valid integer that is already present in the violations; you can list them by calling WAF:violations(). If the signature ID is not valid, the function returns false, otherwise it returns true.

This command can only be called in the ATTACK_DETECTED event.

Syntax

WAF:abandon_violation(integer);

Arguments: The signature ID of the violation to remove, as an integer.

Example

when WAF_REQUEST_ATTACK_DETECTED {
    debug("test WAF_REQUEST_ATTACK_DETECTED\n")
    local vl = WAF:violations();
    for k, v in pairs(vl) do
        debug("%d. Violation: signature %d.\n", k, v["signature"]);
        WAF:abandon_violation(v["signature"]);
    end
    v = {};
    v["signature-id"] = 100010000;
    v["severity"] = "high";
    v["information"] = "waf raise violation test";
    v["action"] = "deny";
    v["sub-category"] = "waf_url_protect";
    v["owasp-top10"] = "test-owasp10";
    WAF:raise_violation(v);
}

WAF:raise_violation(table)

Raises a violation immediately. This function writes a log entry built from the input arguments. If a violation with the same signature ID has already been raised by the WAF, this command overrides it.

This function does not execute the action specified in the violation. To override the WAF action, call WAF:override_action(string).

Syntax

WAF:raise_violation(table);

Arguments

The argument is a table with the following fields:

severity
    Overrides the severity string; one of "low", "medium", or "high".
    Note: If the value is not specified, "low" is used as the severity level for the violation.

information
    The information shown for the violation, as the WAF module would define it when the specific attack was detected.
    Note: If this is not specified, the violation's information is shown as "N/A".

signature
    The ID of the attack signature that the WAF detected. If the signature ID already exists in the violations, this function overrides the related fields of that violation.
    Note: This argument must be specified.

action
    The action shown for the violation: "pass", "deny", "block", "redirect", or "captcha".
    Note: If this is not specified, the violation's action defaults to "pass".

block-period
    If the action is "block", this argument must be specified; otherwise it defaults to 3600.
    This argument should be an integer in the range 1-2147483647.

redirect-url
    If the action is "redirect", this argument must be specified. Otherwise, the "redirect" action is ignored and a "deny" action is taken instead.

deny-code
    If the action is "deny", this argument must be specified. The deny code should be an integer from the following: 200, 202, 204, 205, 400, 403, 404, 405, 406, 408, 410, 500, 501, 502, 503, 504.
    If the deny code is not specified or is not a valid integer, it defaults to 403.

sub-category
    This string specifies the violation's sub-category. It should be one of the following:

  • waf_web_attack_signature

  • waf_http_protocol_const

  • waf_heur_sqlxss_inject_detect

  • waf_url_protect

  • waf_bot_detection

  • waf_xml_check

  • waf_json_check

  • waf_web_scraping

  • waf_cookie_security

  • waf_csrf_protection

  • waf_html_input_validation

  • waf_brute_force

  • waf_data_leak_prevention

  • waf_credential_stuffing

  • waf_openapi_check

  • waf_api_gateway

    Note: This argument is optional. If it is not specified or the string is not a valid sub-category, it defaults to "waf_web_attack_signature".

owasp-top10
    The OWASP Top 10 category the violation is related to.
    Note: If this argument is not specified, it defaults to "unknown".

The return value is a bool: true when the operation succeeds, false otherwise.

Example

when WAF_REQUEST_ATTACK_DETECTED {
    debug("test WAF_REQUEST_ATTACK_DETECTED\n")
    local vl = WAF:violations();
    for k, v in pairs(vl) do
        debug("%d. Violation: signature %d.\n", k, v["signature"]);
        WAF:abandon_violation(v["signature"]);
    end
    v = {};
    v["signature-id"] = 100010000;
    v["severity"] = "high";
    v["information"] = "waf raise violation test";
    v["action"] = "deny";
    v["sub-category"] = "waf_url_protect";
    v["owasp-top10"] = "test-owasp10";
    WAF:raise_violation(v);
}

WAF:abandon_all()

Abandons all of the results detected by the WAF module, including all of the violations, and resets the action to "pass".

This command can only be called in the ATTACK_DETECTED event.

Syntax

WAF:abandon_all();

Arguments: N/A

Example

when WAF_REQUEST_ATTACK_DETECTED {
    debug("test WAF_REQUEST_ATTACK_DETECTED\n")
    WAF:abandon_all()
}
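As an added example that is not part of the Fortinet documentation, the handler below ties WAF:abandon_violation(), WAF:raise_violation() and WAF:abandon_all() together for false-positive tuning: it removes violations whose signature ID is on a tuning list of signatures known to misfire on this application, resets the stage with WAF:abandon_all() when nothing else remains, and then raises a low-severity "pass" violation so the log still records that a tuned signature fired. The signature IDs in the tuning list and the custom signature ID 100010001 are constructed placeholders for this example. Because this page names the signature key "signature" in the argument list but "signature-id" in its example code, the table sets both keys.

```lua
-- Added example; not from the Fortinet documentation.
-- All signature IDs below are constructed placeholders for this example.
when WAF_REQUEST_ATTACK_DETECTED {
    -- Signatures known to misfire on this application (placeholder IDs).
    local tuned = { [100010000] = true, [100010002] = true }
    local vl = WAF:violations()
    local dropped = 0
    local remaining = 0

    for k, v in pairs(vl) do
        if tuned[v["signature"]] then
            -- Known false positive: remove it and check the bool so a bad ID
            -- shows up in the debug log instead of being silently ignored.
            if WAF:abandon_violation(v["signature"]) then
                dropped = dropped + 1
                debug("%d. abandoned tuned signature %d (%s)\n",
                      k, v["signature"], v["sub-category"])
            else
                debug("%d. abandon_violation(%d) failed\n", k, v["signature"])
            end
        else
            remaining = remaining + 1
        end
    end

    if remaining == 0 then
        -- Nothing left to act on: clear the stage and reset the action to "pass".
        WAF:abandon_all()
    end

    if dropped > 0 then
        -- Keep an audit trail of the suppression as an informational violation.
        -- Raised after abandon_all() so the reset does not discard it.
        local note = {}
        note["signature"] = 100010001     -- key named in the argument list
        note["signature-id"] = 100010001  -- key used in the page's example
        note["severity"] = "low"
        note["information"] = dropped .. " tuned signature(s) suppressed"
        note["action"] = "pass"
        note["sub-category"] = "waf_web_attack_signature"
        note["owasp-top10"] = "unknown"
        if not WAF:raise_violation(note) then
            debug("raise_violation failed\n")
        end
    end

    debug("tuning done: %d dropped, %d remaining, action %s\n",
          dropped, remaining, WAF:action())
}
```

Raising the informational violation with action "pass" keeps the suppression visible in the WAF log without changing the session's action; the page notes that WAF:raise_violation() does not execute the action it carries, so WAF:override_action() remains the only way to change what happens to the request.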

WAF:block(integer)

Blocks the current session's client IP. Specify the period of the block in seconds as an integer (Range: 1-2147483647, default = 3600).

Syntax

WAF:block(integer);

Argument: An integer ranging from 1-2147483647.

Example

when WAF_REQUEST_ATTACK_DETECTED {
    debug("test WAF_REQUEST_ATTACK_DETECTED\n")
    WAF:block(3600)
}

WAF:unblock()

Unblocks the client IP of the current session if it is already blocked.

Syntax

WAF:unblock();

Argument: N/A

Example

when WAF_REQUEST_BEFORE_SCAN {
    local s = WAF:status()
    debug("test WAF_REQUEST_BEFORE_SCAN, status %s\n", s)
    WAF:unblock()
}
