WAAS custom rules

WAAS custom rules offer an additional mechanism to protect your running web apps. Custom rules are expressions that give you a precise way to describe and detect discrete conditions in requests and responses. WAAS intercepts layer 7 traffic and passes it to Prisma Cloud for evaluation. Expressions let you inspect various facets of requests and responses programmatically and take action when they evaluate to true. Custom rules can be used in container, host, app-embedded, and Out-of-band WAAS policies (Out-of-band policies support only the Allow and Alert effects).
Besides your own custom rules, Prisma Labs ships and maintains rules for newly discovered threats. These system rules are distributed via the Intelligence Stream. By default, they ship in a disabled state; you can review them and activate them at any time. System rules cannot be modified, but you can clone a system rule and customize the copy to fit your own needs.
Before using custom rules, ensure Console and Defender run the same version of Prisma Cloud Compute. The minimum required Defender version appears when you add a custom rule to a policy. If Console runs a newer version than the Defenders, a rule that uses functionality available only in the newer version results in a WAAS error. If this occurs, upgrade the Defenders to match Console's version.

Expression grammar

Expressions let you examine the contents of requests and responses. The grammar lets you inspect various properties of an event. For example, you could write an expression that determines whether an IP address falls inside a specific CIDR block.
Expressions support the following types:
  • String.
  • String list.
  • String map.
  • Integer.
  • IP address (e.g. "192.168.0.1")
  • CIDR block (e.g. "192.168.0.0/16")
Expressions have the following grammar:

Request events

Expressions can examine the following attributes of a request:
Attribute               Minimum Defender version   Type
req.host                22.06                      String (the "Host" header; match on it through req.host rather than through req.headers)
req.headers             21.04                      Map of String
req.header_names        21.04                      String List
req.header_values       21.04                      String List
req.cookies             21.04                      Map of String
req.cookie_names        21.04                      String List
req.cookie_values       21.04                      String List
req.query_params        21.04                      Map of String
req.query_param_names   21.04                      String List
req.query_param_values  21.04                      String List
req.body_param_values   21.04                      String List
req.http_method         21.04                      String
req.file_extension      21.04                      String
req.path                21.04                      String
req.ip                  21.04                      IP address (written as a string, parsed as an IP address when the value is valid)
req.country_code        21.04                      String
req.body                21.04                      String
req.http_version        21.04                      String
req.http_scheme         21.04                      String
When gRPC is enabled, the req.body attribute may not be able to properly match on the body content if it is sent in binary form.

Response events

Expressions can examine the following attributes of a response.
To examine server responses in custom rules, the rule type must be set to waas-response.
Attribute               Minimum Defender version   Type
resp.status_code        21.04                      Integer
resp.content_type       21.08                      String
resp.body               21.08                      String
resp.headers            21.08                      Map of String
resp.header_names       21.08                      String List
resp.header_values      21.08                      String List
When gRPC is enabled, the resp.body attribute may not be able to properly match on the body content if it is sent in binary form.

Transformation functions

The following transformations are available to users creating custom rules:
  • lowercase
    - converts all characters to lowercase.
  • compressWhitespace
    - converts whitespace characters (32, \f, \t, \n, \r, \v, 160) to spaces (32) and then compresses runs of multiple spaces into a single space.
  • removeWhitespace
    - removes all whitespace characters.
  • urlQueryDecode
    - decodes a URL query string.
  • urlPathDecode
    - decodes a URL path string (identical to urlQueryDecode except that it does not unescape + to a space).
  • unicodeDecode
    - normalizes Unicode characters to their closest ASCII resemblance.
  • htmlEntityDecode
    - decodes HTML entities in a given string.
  • base64Decode
    - decodes a Base64-encoded string.
  • replaceComments
    - replaces each occurrence of a C-style comment (/* …​ */) with a single space (multiple consecutive spaces are not compressed).
  • removeCommentSymbols
    - removes each comment symbol (/*, */) from a string.
  • removeTags
    - replaces encoded tag entities (<, >) with a single whitespace.

Effects

The following effects may be applied to HTTP requests/responses that match a WAAS custom rule:
  • Allow
    - The request is passed to the protected application and no other detection (app firewall, bot protection, API protection, and so on) is applied. No audit is generated.
  • Alert
    - The request is passed to the protected application and an audit is generated for visibility.
  • Prevent
    - The request is denied from reaching the protected application, an audit is generated, and WAAS responds with an HTML page indicating that the request was blocked.
  • Ban
    - Can be applied to either IP addresses or Prisma Session IDs. All requests originating from the same IP/Prisma Session to the protected application are denied for the configured time period (default 5 minutes) following the last detected attack.
For custom rules defined in Out-of-band policies, only the Allow and Alert effects are available.

Example expressions

The following examples show how to use the expression grammar:
Special expression to determine whether an IP address falls within a CIDR block:
Example of using a regular expression:
Determine whether the request method matches one of the methods in an array. Currently, an array literal can be written only as the right-hand operand of the in operator.
Example of using contains:
Example using a selector:
Example of an expression with three conditions. All conditions must evaluate to true for there to be a match.
Example for detecting HTTP 1.0 requests sent to a path starting with /api/control/ with an "admin" cookie whose Base64-decoded value is "True".
Example for detecting successful login requests by checking the Set-Cookie header value using chained transformation functions.
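The transformation functions and the two multi-condition rules described above, worked through in a local Python model. This is an added illustration, not Prisma Cloud code: each transformation is reimplemented from its one-line description on this page so that their differences (urlQueryDecode versus urlPathDecode, replaceComments versus removeCommentSymbols, chaining order) can be checked offline. The Request and Response containers, the rule functions, the "HTTP/1.0" wire form of the version, the "Session-Token" cookie name and the sample traffic are all assumptions made for the example; only the attribute names (req.path, req.cookies, resp.headers, and so on) come from the page.

```python
import base64
import html
import re
import unicodedata
from dataclasses import dataclass, field
from urllib.parse import unquote, unquote_plus

# Whitespace set from the page: 32, \f, \t, \n, \r, \v and 160 (NBSP).
_WS_RUN = re.compile("[ \f\t\n\r\v\xa0]+")
_C_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def lowercase(s: str) -> str:
    return s.lower()

def compressWhitespace(s: str) -> str:
    # each whitespace character becomes a space; runs collapse to one space
    return _WS_RUN.sub(" ", s)

def removeWhitespace(s: str) -> str:
    return _WS_RUN.sub("", s)

def urlQueryDecode(s: str) -> str:
    return unquote_plus(s)  # %xx decoded and "+" becomes a space

def urlPathDecode(s: str) -> str:
    return unquote(s)  # %xx decoded, "+" left as is

def unicodeDecode(s: str) -> str:
    # approximation of "closest ASCII resemblance": compatibility
    # decomposition, then drop anything without an ASCII form
    return unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()

def htmlEntityDecode(s: str) -> str:
    return html.unescape(s)

def base64Decode(s: str) -> str:
    # undecodable or unpadded input yields "" so a comparison simply fails
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""

def replaceComments(s: str) -> str:
    return _C_COMMENT.sub(" ", s)  # the resulting spaces are not collapsed

def removeCommentSymbols(s: str) -> str:
    return s.replace("/*", "").replace("*/", "")

def removeTags(s: str) -> str:
    # reading of the page's description: each tag bracket becomes a space
    return re.sub(r"[<>]", " ", s)

def chain(value: str, *transforms) -> str:
    """Apply transformations left to right, as a chained expression does."""
    for t in transforms:
        value = t(value)
    return value

@dataclass
class Request:  # assumed container; field names mirror the req.* attributes
    http_version: str = "HTTP/1.1"
    http_method: str = "GET"
    path: str = "/"
    cookies: dict = field(default_factory=dict)

@dataclass
class Response:  # assumed container; field names mirror the resp.* attributes
    status_code: int = 200
    headers: dict = field(default_factory=dict)

def admin_cookie_rule(req: Request) -> bool:
    """The page's three-condition request rule. "HTTP/1.0" is the assumed
    wire form of the version; the path is URL-path-decoded before the
    prefix check so "/api/%63ontrol/" cannot slip past it."""
    return (req.http_version == "HTTP/1.0"
            and urlPathDecode(req.path).startswith("/api/control/")
            and base64Decode(req.cookies.get("admin", "")) == "True")

def login_success_rule(resp: Response) -> bool:
    """Response rule (type waas-response) using chained transformations:
    a 2xx/3xx reply whose Set-Cookie header, after removeWhitespace and
    lowercase, carries the assumed session cookie name."""
    cookie = chain(resp.headers.get("Set-Cookie", ""), removeWhitespace, lowercase)
    return 200 <= resp.status_code < 400 and "session-token=" in cookie

if __name__ == "__main__":
    # constructed sample traffic
    hit = Request("HTTP/1.0", "GET", "/api/%63ontrol/reboot", {"admin": "VHJ1ZQ=="})
    miss = Request("HTTP/1.1", "GET", "/api/control/reboot", {"admin": "VHJ1ZQ=="})
    login = Response(302, {"Set-Cookie": "Session-Token = abc123; Path=/; HttpOnly"})
    print(admin_cookie_rule(hit), admin_cookie_rule(miss), login_success_rule(login))
```

Two points the model makes visible: the order of a chain matters (decode before stripping whitespace, or a percent-encoded space survives), and a base64Decode that yields nothing on bad input means a condition comparing the decoded value fails closed rather than matching garbage. When writing the real rule in Console, the same decode-then-compare ordering applies.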

Write a WAAS custom rule

Expression syntax is validated when you save a custom rule.
  1. Open Console, and go to Defend > WAAS > {Container | Host | App-Embedded | Out-of-band}.
  2. Click Add rule.
  3. Enter a name for the rule.
  4. In Message, enter the audit message to emit when an event matches the condition logic in this custom rule.
    Use the following syntax to include the matched groups in the message: <Your text>: %regexMatches
  5. Select the rule type.
    You can write expressions for requests or responses. What you select here scopes the vocabulary available to your expression.
  6. Enter your expression logic.
    Press OPTION + SPACE to get a list of valid terms, expressions, operators, and so on for the current position.
    Use the example expressions above as a starting point for your own expression.
  7. Click Save.
    Your expression logic is validated before it is saved to Console's database.

Activate WAAS custom rules

A custom rule is made up of one or more conditions. Attach a custom rule to a WAAS policy rule to activate it.
Custom rules are defined in Defend > Custom rules > WAAS. WAAS policy rules are defined in Defend > WAAS > {Container | Host | App-Embedded | Out-of-band}.
When attaching a custom rule to a WAAS policy rule, you specify the effect to apply when the expression evaluates to true (that is, the expression matches). Supported effects are those described under Effects: Allow, Alert, Prevent, and Ban (Out-of-band policies support only Allow and Alert).
Custom rules have priority over all other enabled WAAS protections. WAAS evaluates every attached custom rule, so a single request can generate more than one audit if more than one custom rule matches.
Prerequisites:
You have already set up WAAS to protect an app, and there is a rule for it under Defend > WAAS > {Container | Host | App-Embedded | Out-of-band}. For more information about setting up an app, see Deploy WAAS.
  1. Open Console, and go to
    Defend > WAAS > {Container | Host | App-Embedded | Out-of-band}
    .
  2. In the table, expand a rule.
  3. Under
    App list
    , click
    Actions > Edit
    for an app in the table.
  4. In the edit rule dialog, click the
    Custom rules
    tab.
  5. Click
    Select rules
    .
    A list of available WAAS custom rules is displayed. Whenever a user creates a rule, the
    owner
    column is populated with the username. The owner column of virtual patches provided by Unit-42 researchers will have the value system.
    Alternatively, you can click
    Add rule
    to author a new custom rule in place.
  6. Select one or more rules.
  7. Click
    Apply
    .
    The minimum supported Defender version appears when you add the custom rule to a policy.
  8. Configure the effect for each custom rule.
    By default, the effect is set to
    Alert
    .
  9. Click
    Save
    .
