Overview
Menu

Managed rules

Overview

Exposed site vulnerabilities may lead to origin intrusion, sensitive data loss, and may further seriously damage your relationship with users. Managed rules provide comprehensive and real-time vulnerability attack protection for your website, covering common vulnerabilities and attack types in OWASP TOP 10 Note 1, such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), etc. Through continuous updates, this rule set can effectively deal with emerging security threats, ensuring that your site operating environment and sensitive data are reliably protected.
Note:

Note 1:
OWASP TOP 10 lists common and severe security risks in web applications. These risks represent a major part of current network security threats, so covering these scenarios is crucial for protecting the security of web applications. EdgeOne's vulnerability attack protection rule set covers all OWASP Top 10 risk scenarios and automatically updates the rule list for 0-day vulnerabilities.
Note 2: By default, managed rules only scan the first 10KB of the request body. If you subscribe to the Enterprise package and need to scan more request body data, please contact your Tencent Cloud sales rep for expansion.
Note 3: Different plans support different managed rules. For details, see Comparison of EdgeOne Plans.

Optimize Managed Rule Policy

If you need to customize the configuration of protection rule policies according to your actual business situation and protection requirements, you can configure them in the following ways:

Scenario 1: Configure global protection level policy by rule type

According to the rule types divided by managed rules, you can enable interception for all rules in that type according to the protection level. For example, the current domain name www.example.com often exposes open source component vulnerabilities, and you can intercept all rules within the open source component vulnerabilities and all rules with strict and below protection levels.
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. In the site details page, click Security Protection > Web Protection.
3. In the Web Protection details page, select the domain name that needs to be protected from the protection domain list on the left.
4. Find the Managed Rules card and click Settings.
5. On the Managed Rules page, find the Open Source Component Vulnerability Rules card, and configure the Protection Level and Action. Adjust the protection level to Strict and the action to Intercept, then the configuration can be completed.


Scenario 2: Customize optimization protection strategy by single rule

If you need to customize the protection strategy for a single rule, you can optimize the rule by customizing it. For example, the current domain name www.example.com has a file upload scenario, and the current protection strategy for file upload attacks is a strict blocking policy. However, normal file uploads are intercepted because the name contains .exe extensions, and you want to configure this rule separately for observation and only record logs.
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. In the site details page, click Security Protection > Web Protection.
3. In the Web Protection details page, select the domain name that needs to be protected from the protection domain list on the left.
4. Find the Managed Rules card and click Settings.
5. On the Managed Rules page, for example, find the File Upload Attack Protection Rule module and change the protection level to Custom.

6. Click the Detailed Rules in the upper right corner to enter the Detailed Rules Optimization page, and customize the modification of different rules' actions. Select Rule ID: 4401214802's action as Observe, then the configuration can be completed.


Use Deep Analysis to Automatically Identify Unknown Vulnerabilities

Deep analysis uses advanced semantic analysis technology to deeply understand the intent of SQL and XSS statements. It can not only effectively deal with known attack methods but also has the ability to protect against unknown attacks. This method goes beyond the traditional pattern-matching detection method and improves the recognition accuracy of complex and new attacks. With deep analysis, you will get a higher level of security protection, reduce the risk of false positives and false negatives, and ensure that your website is free from malicious attacks and data leakage threats.
Note:
Deep analysis function is only supported by the Standard plan and the Enterprise plan.

Enable Deep Analysis

1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. In the site details page, click Security Protection > Web Protection.
3. In the Web Protection details page, select the domain name that needs to be protected from the protection domain list on the left.
4. Find the Managed Rules card and click Settings.
5. On the Managed Rules page, click the configure of Deep Analysis.



6. Select the protection mode as Enable, click Save to enable Deep Analysis.



Observe (default): Only log the identified malicious requests without intercepting them.
Enable: Intercept identified malicious requests.
Off: Turn off deep analysis.

Related Reference

Protection Level Description

Managed rules provide multiple protection levels for different attack and vulnerability types, including Loose, Normal, Strict, and Ultra-Strict. When selecting a protection level, the corresponding level and all levels below it will be enabled. For example, selecting the Strict protection level will enable the rules of Loose, Normal, and Strict levels, achieving layered protection. It is recommended to enable the corresponding protection level according to the business scenario:
Loose: Meet the most basic protection needs and try to avoid false positives. It is recommended that all external HTTP services enable at least all rules of this level.
Normal (recommended): Comprehensive protection, suitable for most scenarios. It is recommended to enable this level for services involving customer data. This level of rules may generate false positives in specific scenarios, which can be debugged and optimized through observation mode.
Strict: Full protection, suitable for stricter protection scenarios, ensuring no attacks bypass. It is recommended to use this level for services involving financial data (such as online banking). Under this protection level, rules may generate some false positives, and it is recommended to debug and optimize them in combination with observation mode and custom rules.
Ultra-Strict: Suitable for access scenarios under strict control environments. This level of rules may cause more false positives, so please enable them according to specific protection needs and deploy them in combination with exception rules, observation, and custom rules.
If you need more fine-grained control, you can also use custom protection levels to customize the actions of different rules according to specific business needs.