Managed rules
Overview
Exposed site vulnerabilities may lead to origin intrusion and sensitive data loss, and may further seriously damage your relationship with users. Managed rules provide comprehensive, real-time protection against vulnerability attacks for your website, covering the common vulnerabilities and attack types in the OWASP Top 10 (Note 1), such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). Through continuous updates, this rule set can effectively deal with emerging security threats, ensuring that your site's operating environment and sensitive data are reliably protected.
Note:
Note 1: The OWASP Top 10 lists the most common and severe security risks in web applications. These risks represent a major part of current web security threats, so covering these scenarios is crucial for protecting web applications. EdgeOne's vulnerability attack protection rule set covers all OWASP Top 10 risk scenarios and automatically updates the rule list for 0-day vulnerabilities.
Note 2: By default, managed rules only scan the first 10 KB of the request body; content beyond that offset is not inspected by the rule set. If you subscribe to the Enterprise package and need to scan more request body data, please contact your Tencent Cloud sales rep for expansion.
Note 3: Different plans support different managed rules. For details, see Comparison of EdgeOne Plans.
Optimize Managed Rule Policy
If you need to customize the configuration of protection rule policies according to your actual business situation and protection requirements, you can configure them in the following ways:
Note:
During access to new sites or creation of policy templates or security policies, the evaluation mode is enabled by default for managed rules. Requests matching the rules will be only logged for observation but not actually handled.
You should complete policy evaluation and optimization as soon as possible, and then disable the Evaluation mode to implement the protection rules and block malicious requests.
Scenario 1: Configure Global Protection Level Policy by Rule Type
Managed rules are divided into rule types, and you can enable blocking for all rules of a type at a chosen protection level. For example, if the current domain name www.example.com often exposes open-source component vulnerabilities, you can block all rules in the open-source component vulnerability type whose protection level is Strict or below.
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. Click Security > Web Security. By default, it is a site-level security policy. Click the Domain-level security policy tab and then click the target domain name, such as www.example.com, to enter the configuration page for the security policy of the target domain name.
3. In the Managed Rules - Ruleset tab, search for Open-Source component vulnerability and separately configure the protection level and action. Adjust the protection level to Strict and the action to Block to complete the rule configuration.
Scenario 2: Customize Optimization Protection Strategy by Single Rule
If you need to customize the protection strategy for a single rule, you can optimize that rule individually. For example, the current domain name www.example.com has a file upload scenario, and the current protection strategy for file upload attacks is a strict blocking policy. However, normal file uploads are blocked because the file name contains the .exe extension, and you want to configure this rule separately to observe and only record logs.
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. Click Security > Web Security. By default, it is a site-level security policy. Click the Domain-level security policy tab and then click the target domain name, such as www.example.com, to enter the configuration page for the security policy of the target domain name.
3. In the Managed Rules - Ruleset tab, search for File upload attack prevention and change the protection level to Custom.
4. Click Rules in the upper right corner to enter the Detailed Rules Optimization page, where you can customize the action of each rule. Set the action of Rule ID 4401214802 to Observe to complete the configuration.
Updating a Version of Managed Rules
Based on its own research and third-party threat intelligence, EdgeOne formulates new vulnerability protection rules for the request characteristics of 0-day vulnerabilities and adds them to the managed rule set. Users can deploy these new protection rules to cover new vulnerability threats by updating the version of managed rules. Properly configuring automatic updates and new rule deployment options reduces the risk of external 0-day vulnerability attacks on your site and is crucial for protecting it continuously.
Note:
Not all 0-day vulnerabilities can be protected against at the traffic level. EdgeOne's web vulnerability protection identifies attacks in traffic based on the HTTP/HTTPS protocol.
EdgeOne periodically updates the rule set based on Tencent's threat intelligence and vulnerability POC information. If you have independent threat intelligence sources and want to protect against vulnerabilities not covered by managed rules, use Custom Rules to configure your security policy according to that intelligence and POC information. If you have more custom rule requirements, please contact us for technical support.
Updating a Rule Set and Deploying New Rules
When new rules are added to the rule set, the list of managed rules is updated accordingly. New rules cannot be used directly in the existing version of managed rules; to use them, you need to update the version of managed rules to the latest one. Depending on your automatic update option (Notify Only, Do Not Automatically Update, or Automatically Update) and the protection mode and protection level configured for the corresponding rule classifications, new rules are then deployed to your site.
Note:
Regarding updates to published rules: EdgeOne also optimizes published rules based on rule recognition and POC intelligence updates, to ensure that recognition accuracy and false positive rates meet protection expectations. When existing rules are updated, the version of managed rules is not changed, and the action of the updated rules remains unchanged.
When a new version update is released, your managed rules will be updated as follows:
1. Check the automatic update configuration: If you enabled automatic update, the managed rules automatically apply the latest rule list; if you chose manual update, the managed rules retain the current rule list, and you can update the version of managed rules yourself at a time of your choosing.
2. Check the protection mode and action configuration for each rule classification: If you selected the "Auto-Protect" option for a classification and the new version includes updates for that classification, the action of the corresponding new rules is configured based on your protection mode level. After the update, the action of each rule in the classification is consistent with the protection level and action configured for the rule classification.
Example of Rule Update Process: Automatic Deployment of New Rules When "Automatic Update" Is Enabled and "Automatic Protection" Mode Is Used
In the new version of managed rules, a new rule with a Loose rule level is added to the SQL Injection Attack classification. When this version is released, EdgeOne detects that the web protection policy of the current site has Automatic Update enabled. Therefore, it further checks the rule configuration of the SQL Injection Attack classification. Since the protection mode for the SQL Injection Attack classification of this policy is Automatic Protection - Strict, rules with a rule level of Loose, Normal, or Strict must be configured as Block according to the action of the rule classification. Since the rule level of the new rule is Loose, which falls within that range, it is configured as Block.
(The rule ID, classification, name and other items used in this example are for illustrative purposes only. The actual rule ID and rule name should prevail.)
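The update process above, written out as a small decision model (added illustration, not EdgeOne code). It assumes, per the protection level description on this page, that a selected level enables that level and all lower ones, and it treats a new rule above the selected level as not enabled; the rule IDs and classification names are constructed samples.

```python
"""Model of how a managed-rule version update is applied to a site policy (illustrative)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Protection levels in ascending order; selecting a level enables it and all levels below it.
LEVELS = ["Loose", "Normal", "Strict", "Ultra-Strict"]


@dataclass(frozen=True)
class NewRule:
    rule_id: str          # constructed sample id, not a real EdgeOne rule id
    classification: str   # e.g. "SQL Injection Attack"
    level: str            # one of LEVELS


@dataclass
class ClassificationConfig:
    mode: str                      # "Automatic Protection" or "Manual Protection"
    level: Optional[str] = None    # selected level, used only in Automatic Protection
    action: str = "Block"          # action applied to enabled rules (the page also calls it Interception)


@dataclass
class SitePolicy:
    auto_update: bool              # True: Automatically Update; False: Notify Only, Do Not Automatically Update
    evaluation_mode: bool          # when on, Block is only logged, not enforced
    classifications: Dict[str, ClassificationConfig] = field(default_factory=dict)


def level_enabled(selected: str, rule_level: str) -> bool:
    """A selected level enables rules of that level and every lower level."""
    return LEVELS.index(rule_level) <= LEVELS.index(selected)


def deploy_action(policy: SitePolicy, rule: NewRule) -> str:
    """Return the effective action a newly released rule gets on this policy."""
    if not policy.auto_update:
        # Manual update: the current rule list is kept until you click Update Now.
        return "Not deployed (notify only)"
    cfg = policy.classifications.get(rule.classification)
    if cfg is None:
        raise KeyError(f"no configuration for classification {rule.classification!r}")
    if cfg.mode == "Manual Protection":
        action = "Monitor"         # new rules default to Monitor, logs only
    elif cfg.mode == "Automatic Protection":
        if cfg.level is None:
            raise ValueError("Automatic Protection requires a protection level")
        # Assumption: a rule above the selected level is not enabled and produces no logs.
        action = cfg.action if level_enabled(cfg.level, rule.level) else "Disabled"
    else:
        raise ValueError(f"unknown protection mode {cfg.mode!r}")
    if policy.evaluation_mode and action == "Block":
        return "Block (evaluation mode: logged only)"
    return action


# Worked case from the text: Automatic Update on, SQL Injection Attack at Automatic Protection - Strict.
EXAMPLE_POLICY = SitePolicy(
    auto_update=True,
    evaluation_mode=False,
    classifications={"SQL Injection Attack": ClassificationConfig("Automatic Protection", "Strict")},
)
EXAMPLE_RULE = NewRule("sample-0001", "SQL Injection Attack", "Loose")  # constructed sample

if __name__ == "__main__":
    print(deploy_action(EXAMPLE_POLICY, EXAMPLE_RULE))
```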
Scenario 1: Automatic Operation of Vulnerability Protection Policy
The site has strict protection requirements for 0-day SQL injection vulnerabilities and requires automated protection against known vulnerabilities. Because the business is sensitive, requests suspected of being attacks are blocked first. You may refer to this example to operate your security policy automatically:
Automatically update the rule list when a new version is available.
Automatically deploy new rules. The new rules will be classified based on EdgeOne's rule level and be deployed and take effect according to your configured protection level and action.
The scheme in the example has the following features:
For high-risk 0-day vulnerabilities, once an appropriate protection level is configured, this scheme blocks requests exploiting the vulnerabilities as soon as the managed rules are updated.
After an appropriate protection level is configured, the managed rules operate the policy automatically, so the ongoing operation cost is low.
Only enabled rules are monitored; other rules generate no logs or alarms, which reduces operational noise.
Note:
When using the scheme in the example, consider the following configuration recommendations and risks:
It is recommended to carefully evaluate the protection level of each rule classification. When a vulnerability covered by a disabled protection rule is exploited, the attempt cannot be detected through logs or alerts, potentially leading to data risks.
It is recommended to select an appropriate operational policy for each rule classification based on how your business actually interacts with clients and the middleware it uses, combining the automatic protection and manual protection options as needed.
If you find that the rules have intercepted your normal business, configure Protection Exception Rules for temporary handling as needed, and timely evaluate and fix potential business component vulnerabilities.
It is recommended to configure Web Security Monitoring and Alerting synchronously to monitor the request data that hits the managed rules. When a large number of requests hit the managed rules, timely evaluate the request logs and adjust the protection level.
Configuration Procedure
1. Log in to the EdgeOne console, click Site List in the left sidebar, and click the site to be configured on the site list.
2. Click Security Protection > Web Protection. The default is the site-level security policy. If you need to configure a differentiated protection policy for a specific domain name under the current site, go to the Domain-level security policy tab, click the corresponding domain name to go to the domain-level security policy configuration page, and follow the same subsequent steps.
3. In the Managed Rule > Automatic Update card, click Option Switch. In the pop-up window, select Automatic Update to the Latest Version. After confirming the policy behavior, click Save.
4. In the Managed Rule > Rule Set card, search for SQL Injection Attack Protection and change the protection mode to Automatic Protection - Strict. Automatically updated rules of the SQL injection attack protection type then take effect.
Scenario 2: Assisted Operation of Vulnerability Protection Policy
The site has strict protection requirements for 0-day SQL injection vulnerabilities. However, to avoid false blocking, new vulnerability rules are not enabled directly as Block. When a new rule is released, it must use Monitor mode by default, and only after confirmation by the security operations team is it adjusted to Block. The scheme in this example suits business scenarios with high vulnerability protection requirements where the team is able to operate security policies and evaluate vulnerability risks in a timely manner. You can refer to this example to operate your security policies with assistance:
Automatically update the rule list when a new version is available.
Do not automatically enable new rules in Block mode. The default action for new rules is Monitor, and only logs are recorded. You manage the scope and timing of enabling rules and adjust them to Block manually.
The scheme in the example has the following features:
For ultra-high-risk 0-day vulnerabilities, the managed rules do not block automatically; the rules must be enabled manually to provide protection.
You need to perform daily operation and maintenance of the managed rule configuration, and you need to be able to judge whether specific security vulnerabilities apply to the site's backend architecture.
You can freely choose which rules monitor and record request logs. Through Monitor mode, you can keep an eye on vulnerabilities that do not need to be blocked.
Note:
It is recommended to select an appropriate operational policy for each rule classification based on how your business actually interacts with clients and the middleware it uses, combining the automatic protection and manual protection options as needed.
If you find that the rules have intercepted your normal business, configure Protection Exception Rules for temporary handling as needed, and timely evaluate and fix potential business component vulnerabilities.
It is recommended to configure Web Security Monitoring and Alerting synchronously to monitor the request data that hits the managed rules. When a large number of requests hit the managed rules, timely evaluate the managed rule policy and optimize the configuration.
Configuration Procedure
1. Log in to the EdgeOne console, click Site List in the left sidebar, and click the site to be configured on the site list.
2. Click Security Protection > Web Protection. The default is the site-level security policy. If you need to configure a differentiated protection policy for a specific domain name under the current site, go to the Domain-level security policy tab, click the corresponding domain name to go to the domain-level security policy configuration page, and follow the same subsequent steps.
3. In the Managed Rule > Automatic Update card, click Option Switch. In the pop-up window, select Automatic Update to the Latest Version. After confirming the policy behavior, click Save.
4. In the Managed Rule > Rule Set card, search for SQL Injection Attack Protection and change the protection mode to Manual Protection.
Scenario 3: Manual Operation of Vulnerability Protection Policy
The site does not use managed rules in day-to-day operation and only needs to enable protection temporarily in a few scenarios. The scheme in this example does not automatically update the rule list. When new rules are released, you are notified through the message center and can upgrade to the latest version as needed.
The scheme in the example has the following features:
For high-risk 0-day vulnerabilities, the managed rules do not block automatically.
You need to perform daily operation and maintenance of the managed rule configuration, and you need to be able to judge whether specific security vulnerabilities apply to the site's backend architecture.
You can freely choose which rules monitor and record request logs.
Note:
During a manual update, several new rules may be enabled at the same time. To reduce the risk of false blocking, set the rules to Monitor mode as needed or enable the Managed Rule - Evaluate mode.
If you find that the rules have intercepted your normal business, configure Protection Exception Rules for temporary handling as needed, and timely evaluate and fix potential business component vulnerabilities.
It is recommended to configure Web Security Monitoring and Alerting synchronously to monitor the request data that hits the managed rules. When a large number of requests hit the managed rules, timely evaluate the managed rule policy and optimize the configuration.
Configuration Procedure
1. Log in to the EdgeOne console, click Site List in the left sidebar, and click the site to be configured on the site list.
2. Click Security Protection > Web Protection. The default is the site-level security policy. If you need to configure a differentiated protection policy for a specific domain name under the current site, go to the Domain-level security policy tab, click the corresponding domain name to go to the domain-level security policy configuration page, and follow the same subsequent steps.
3. In the Managed Rule > Automatic Update card, click Option Switch. In the pop-up window, select Notify Only, Do Not Automatically Update. After confirming the policy behavior, click Save.
4. If the rule list needs to be updated after a rule update occurs, go to the Managed Rule > Automatic Update card and click Update Now. After confirmation in the pop-up window, the managed rule list for the current policy is updated immediately.
Use Deep Analysis to Automatically Identify Unknown Vulnerabilities
Deep analysis uses semantic analysis to understand the intent of SQL and XSS statements rather than matching only their surface form. It can not only deal with known attack methods effectively but also protect against unknown attacks. This method goes beyond traditional pattern-matching detection and improves recognition accuracy for complex and new attacks. With deep analysis, you get a higher level of security protection, reduce the risk of false positives and false negatives, and keep your website free from malicious attacks and data leakage threats.
Note:
The deep analysis function is only supported by the Standard plan and the Enterprise plan.
Enable Deep Analysis
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. Click Security > Web Security. By default, it is a site-level security policy. To configure differentiated security policies for a specific domain name under the current site, you can enter the Domain-level security policy tab and click the corresponding domain name to enter the configuration page for the domain-level security policy. The subsequent steps are the same.
3. In the Managed Rules - Deep Analysis tab, click Edit.
4. Set the protection mode to Enable and click Save to enable Deep Analysis. The available modes are:
Observe (default): Only log the identified malicious requests without blocking them.
Enable: Block identified malicious requests.
Off: Turn off deep analysis.
Related Reference
Evaluation Mode
Note:
The Evaluation mode is enabled by default. To handle requests by the block action, you should disable the Evaluation mode.
When the evaluation mode is enabled, requests matching any managed rule whose action is configured as Block are only logged and not actually handled. This mode helps you comprehensively assess the current vulnerability policy configuration and prevent false blocking of normal business requests that happen to contain vulnerability characteristics.
For newly onboarded business, it is recommended to keep the evaluation mode on and observe complete client access scenarios for 48 hours (adjust the duration based on your actual assessment). When normal business requests are found to match a specific rule repeatedly, adjust that rule to Observe.
Protection Level Description
Managed rules provide multiple protection levels for different attack and vulnerability types, including Loose, Normal, Strict, and Ultra-Strict. When selecting a protection level, the corresponding level and all levels below it will be enabled. For example, selecting the Strict protection level will enable the rules of Loose, Normal, and Strict levels, achieving layered protection. It is recommended to enable the corresponding protection level according to the business scenario:
Loose: Meets the most basic protection needs while avoiding false positives as far as possible. It is recommended that all external HTTP services enable at least all rules of this level.
Normal (recommended): Comprehensive protection, suitable for most scenarios. It is recommended to enable this level for services involving customer data. Rules at this level may generate false positives in specific scenarios, which can be debugged and optimized through observation mode.
Strict: Full protection, suitable for stricter protection scenarios where no attack may bypass the rules. It is recommended to use this level for services involving financial data (such as online banking). Under this protection level, rules may generate some false positives, and it is recommended to debug and optimize them in combination with observation mode and custom rules.
Ultra-Strict: Suitable for access scenarios under strict control environments. This level of rules may cause more false positives, so please enable them according to specific protection needs and deploy them in combination with exception rules, observation, and custom rules.
If you need more fine-grained control, you can also use custom protection levels to customize the actions of different rules according to specific business needs.