Managed rules

Overview

Exposed site vulnerabilities can lead to origin intrusion and loss of sensitive data, and can seriously damage your relationship with users. Managed rules provide comprehensive, real-time protection against vulnerability attacks for your website, covering the common vulnerabilities and attack types in the OWASP Top 10 (see Note 1), such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). Through continuous updates, this rule set can effectively deal with emerging security threats, so that your site's operating environment and sensitive data are reliably protected.
Note:
Note 1: The OWASP Top 10 lists common and severe security risks in web applications. These risks represent a major part of current network security threats, so covering these scenarios is crucial for protecting the security of web applications. EdgeOne's vulnerability attack protection rule set covers all OWASP Top 10 risk scenarios and automatically updates the rule list for 0-day vulnerabilities.
Note 2: By default, managed rules only scan the first 10KB of the request body. If you subscribe to the Enterprise package and need to scan more request body data, please contact your Tencent Cloud sales rep for expansion.
Note 3: Different plans support different managed rules. For details, see Comparison of EdgeOne Plans.

Optimize Managed Rule Policy

If you need to customize the configuration of protection rule policies according to your actual business situation and protection requirements, you can configure them in the following ways:
Note:
When you connect a new site or create a policy template or security policy, global observation mode is enabled by default for managed rules. Requests matching the rules are only logged for observation and are not actually handled.
You should complete policy evaluation and optimization as soon as possible, and then disable global observation mode so that the protection rules take effect and malicious requests are blocked.

Scenario 1: Configure global protection level policy by rule type

Managed rules are divided into rule types, and you can enable blocking for all rules of a type according to the protection level. For example, if the domain name www.example.com is often exposed to open-source component vulnerabilities, you can block on all rules of the open-source component vulnerability type that are at the Strict protection level or below.
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. Click Security > Web Security. By default, it is a site-level security policy. Click the Domain-level security policy tab and then click the target domain name, such as www.example.com, to enter the configuration page for the security policy of the target domain name.
3. In the Managed Rules - Ruleset tab, search for Open-Source component vulnerability and separately configure the protection level and action. Adjust the protection level to Strict and the action to Block to complete the rule configuration.


Scenario 2: Customize optimization protection strategy by single rule

If you need to customize the protection strategy for a single rule, you can adjust that rule individually. For example, the domain name www.example.com has a file upload scenario, and the current protection strategy for file upload attacks is a strict blocking policy. However, normal file uploads are being intercepted because the file name contains the .exe extension, and you want to set this rule separately to observation so that it only records logs.
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. Click Security > Web Security. By default, it is a site-level security policy. Click the Domain-level security policy tab and then click the target domain name, such as www.example.com, to enter the configuration page for the security policy of the target domain name.
3. In the Managed Rules - Ruleset tab, search for File upload attack prevention and change the protection level to Custom.
4. Click Rules in the upper right corner to open the Detailed Rules Optimization page, where you can change the action of individual rules. Set the action of Rule ID: 4401214802 to Observe to complete the configuration.


Use Deep Analysis to Automatically Identify Unknown Vulnerabilities

Deep analysis uses advanced semantic analysis technology to deeply understand the intent of SQL and XSS statements. It can not only effectively deal with known attack methods but also has the ability to protect against unknown attacks. This method goes beyond the traditional pattern-matching detection method and improves the recognition accuracy of complex and new attacks. With deep analysis, you will get a higher level of security protection, reduce the risk of false positives and false negatives, and ensure that your website is free from malicious attacks and data leakage threats.
Note:
The deep analysis function is supported only by the Standard plan and the Enterprise plan.

Enable Deep Analysis

1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. Click Security > Web Security. By default, it is a site-level security policy. To configure differentiated security policies for a specific domain name under the current site, you can enter the Domain-level security policy tab and click the corresponding domain name to enter the configuration page for the domain-level security policy. The subsequent steps are the same.
3. In the Managed Rules - Deep Analysis tab, click Edit.
4. Set the protection mode to Enable and click Save to enable Deep Analysis. The available protection modes are:
Observe (default): Only log the identified malicious requests without intercepting them.
Enable: Intercept identified malicious requests.
Off: Turn off deep analysis.

Related Reference

Global Observation Mode

Note:
Global observation mode is enabled by default. For the Block action to actually handle requests, you must disable global observation mode.
When global observation mode is enabled, requests that match any managed rule policy configured as Block are only logged and are not actually handled. This mode helps you comprehensively assess the current vulnerability policy configuration and prevents false blocking of normal business requests that contain vulnerability characteristics.
For newly connected business, it is recommended to keep global observation mode enabled and observe complete client access scenarios for 48 hours (adjust the duration based on your actual assessment). When normal business requests are found to match a specific rule continuously, adjust that rule to Observe.

Protection Level Description

Managed rules provide multiple protection levels for different attack and vulnerability types: Loose, Normal, Strict, and Ultra-Strict. Selecting a protection level enables that level and all levels below it. For example, selecting the Strict protection level enables the rules of the Loose, Normal, and Strict levels, achieving layered protection. It is recommended to enable the protection level that matches the business scenario:
Loose: Meets the most basic protection needs and tries to avoid false positives. It is recommended that all external HTTP services enable at least all rules of this level.
Normal (recommended): Comprehensive protection, suitable for most scenarios. It is recommended to enable this level for services involving customer data. Rules at this level may generate false positives in specific scenarios, which can be debugged and optimized through observation mode.
Strict: Full protection, suitable for stricter protection scenarios, ensuring that no attacks bypass protection. It is recommended to use this level for services involving financial data (such as online banking). Under this protection level, rules may generate some false positives, and it is recommended to debug and optimize them in combination with observation mode and custom rules.
Ultra-Strict: Suitable for access scenarios in strictly controlled environments. Rules at this level may cause more false positives, so enable them according to specific protection needs and deploy them in combination with exception rules, observation, and custom rules.
If you need more fine-grained control, you can also use the Custom protection level to set the actions of different rules according to specific business needs.
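
The following Python example is added here and is not EdgeOne code or its API. It models how the protection level, a per-rule Custom action and global observation mode described above combine into the action a matching request receives, and it picks the rules to switch to Observe from observation-period records. The record fields (`rule_id`, `time`, `known_good`), the `min_hours` threshold, the "Not enabled" label and the placeholder rule IDs are assumptions; only rule ID 4401214802 comes from this page.

```python
from collections import defaultdict
from datetime import datetime

LEVELS = ["Loose", "Normal", "Strict", "Ultra-Strict"]  # ascending, as on this page

def effective_action(rule_level, selected_level, action, global_observe, override=None):
    """Action a request receives when it matches one managed rule.
    override models a per-rule action set under the Custom level (assumption)."""
    if override is not None:
        configured = override
    elif LEVELS.index(rule_level) <= LEVELS.index(selected_level):
        configured = action  # a level enables itself and every level below it
    else:
        return "Not enabled"  # label chosen for this example
    # Global observation mode: rules configured as Block only log the request.
    if global_observe and configured == "Block":
        return "Observe"
    return configured

def rules_to_observe(records, min_hours=3):
    """Rule IDs that verified-legitimate traffic matched in >= min_hours distinct hours."""
    hours = defaultdict(set)
    for rec in records:
        if rec["known_good"]:
            ts = datetime.fromisoformat(rec["time"])
            hours[rec["rule_id"]].add(ts.replace(minute=0, second=0, microsecond=0))
    return sorted(rule for rule, seen in hours.items() if len(seen) >= min_hours)

# Constructed observation-period records; field names are hypothetical, not a real log schema.
SAMPLE = [
    {"rule_id": "4401214802", "time": "2024-01-01T09:05:00", "known_good": True},
    {"rule_id": "4401214802", "time": "2024-01-01T10:15:00", "known_good": True},
    {"rule_id": "4401214802", "time": "2024-01-01T13:40:00", "known_good": True},
    {"rule_id": "PLACEHOLDER-RULE-1", "time": "2024-01-01T09:10:00", "known_good": False},
    {"rule_id": "PLACEHOLDER-RULE-1", "time": "2024-01-01T11:10:00", "known_good": False},
    {"rule_id": "PLACEHOLDER-RULE-1", "time": "2024-01-01T12:10:00", "known_good": False},
    {"rule_id": "PLACEHOLDER-RULE-2", "time": "2024-01-01T09:20:00", "known_good": True},
    {"rule_id": "PLACEHOLDER-RULE-2", "time": "2024-01-01T09:50:00", "known_good": True},
]

if __name__ == "__main__":
    print(effective_action("Normal", "Strict", "Block", global_observe=True))
    print(effective_action("Ultra-Strict", "Strict", "Block", global_observe=False))
    print(rules_to_observe(SAMPLE))
```

Rules that only unverified traffic matched stay on Block, so a rule is relaxed only when legitimate requests keep hitting it across the observation window.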