Questions[web-application-firewall](server)

I was trying to make an acl rule in waf2 which allows only a regex matched cookie value, but only if the cookie exists.

sadly, this type of conditional rule aren't possible and I tried many ways and regex tricks with no luck.

The same for any other header, for example a X-Csrf-Token, I would like to validate it (format) but for the very first request on the site this header will not exists, hence the request will be blocked.

Am I doing and/or thinking this wrong?, I can't believe that a very common sense rule like those are so hard to create.

Thanks!

I'm using OWASP core rule set 3.2.0 set up with ModSecurity 3.0.4 and ModSecurity-nginx.

If I have a rule exclusion like this, in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:

 SecRule REQUEST_URI "@beginsWith /api.php" \
     "id:1015,\
     phase:2,\
     pass,\
     nolog,\
     ctl:ruleRemoveById=941160"

How do I also limit this exclusion to a specific hostname? For example, wiki.example.com.

I have an AWS lightsail instance running wordpress. It is getting pounded with hits from Chinese IP addresses - and they keep changing IP's. I started making hundreds of iptables rules but am giving up as this is clearly the wrong approach.

I discovered the AWS WAF service, and created an ACL which drops traffic from China. And the WAF is in the same region as my lightsail instance.

Great. But it's not doing anything...still getting hit. I can't figure out how (or IF) I connect my lightsail traffic to the WAF. Is it even possible?

I don't need a load balancer, nor cloudfront, nor do a have a gateway (I think). This setup is really simple...

I have a AWS EC2 instance and want deny access on port 80 for a single ip address (a bad bot).

AWS console it seem support only "allow" rules.

How deny a single ip address?

I've come across a little problem with retrieving stats via SNMP from a Barracuda Web Application Firewall 660.

According to both the documentation (page 211), and the MIB defination, doing an SNMP GET on the OID 1.3.6.1.4.1.20632.8.4 (Barracuda-BWS::totalAttacks) should retrieve the "Count of attacks in last one hour".

However, it looks to be instead returning the total ever attacks.

I've not come across any mention of this bug online, and barracuda themselves don't seem to be interested in correcting it. The devices are patched up-to-date.

Can anyone else confirm they see the issue, or have resolved it in the past?

(I know I can calculate the last hour's value via the total, however it would be much nicer to get the value directly into our monitoring setup without the intermediate step).