1. Overview

WAAS custom rules offer an additional mechanism to protect your running web apps. Custom rules are expressions that give you a precise way to describe and detect discrete conditions in requests and responses. WAAS intercepts layer 7 traffic, passes it to Prisma Cloud for evaluation. Expressions let you inspect various facets of requests and responses in a programmatic way, then take action when they evaluate to true. Custom rules can be used in container, host, and app-embedded WAAS policies.

Besides your own custom rules, Prisma Labs ships and maintains rules for newly discovered threats. These systems rules are distributed via the Intelligence Stream. By default, they are shipped in a disabled state. You can review, and optionally activate them at any time. System rules cannot be modified. However, you can clone and customize them to fit your own specific needs.

2. Expression grammar

Expressions let you examine the contents of requests and responses. The grammar lets you inspect various properties in an event. For example, you could write an expression that determines if an IP address fall inside a specific CIDR block.

Expressions support the following types:

  • String.

  • String array.

  • String map.

  • Integer.

  • IP address (e.g. "192.168.0.1")

  • CIDR block (e.g. "192.168.0.0/16")

Expressions have the following grammar:

term (op term | in | )*

term

integer | string | keyword | event | '(' expression ')' | unaryOp

op

and | or | > | < | >= | ⇐ | = | !=

in

'(' integer | string (',' integer | string)*)?

Can also be used to determine if an IP address is in a CIDR block: For example:

req.ip in "192.168.0.0/16"

unaryOp

not

keyword (similar to wildcards)

startswith | contains

contains can be used for:

  • Equality. For example: req.header_names contains "X-Forwarded-For"

  • Regular expression match for string arrays. For example: req.header_names contains /^X-Forwarded.*/

  • Regular expression match for strings. For example: req.body contains /^some-regex-text.*/

string

Strings must be enclosed in double quotes.

integer

int

event

req | resp

[ ]

Selector operator. Selects a specific value by key from a map. Headers, cookies, body params, and query params are maps. The selection operation template is as following:

req.<map>["<key>"]

For example:

req.headers["Content-Type"] contains "text/html"

2.1. Request events

Expressions can examine the following attributes of a request.

Attribute Type

req.headers

Map of String

req.header_names

String Array

req.header_values

String Array

req.cookies

Map of String

req.cookie_names

String Array

req.cookie_values

String Array

req.query_params

Map of String

req.query_param_names

String Array

req.query_param_values

String Array

req.body_param_values

String Array

req.http_method

String

req.file_extension

String

req.path

String

req.ip

IP (written as string, parsed as IP if IP is valid)

req.country_code

String

req.body

String

2.2. Response events

Expressions can examine the following attributes of a response.

Attribute Type

resp.status_code

Integer

2.3. Example expressions

The following examples show how to use the expression grammar:

Special expression to determine if an IP address falls within a CIDR block:

req.ip in "192.168.0.0/16"

Example of using a regular expression:

req.header_names contains /^X-Forwarded.*/

Determine if the request method matches a method in the array. Currently, you can only create custom arrays as part of the in operator.

req.http_method in ("POST", "PUT")

Example of using contains:

req.header_values contains "text/html"

Example using a selector:

req.cookies["yummy-cookie"] contains "flour"

Example of an expression with three conditions. All conditions must evaluate to true for there to be a match.

req.http_method = "POST" and resp.status_code >= 400 and resp.status_code ⇐ 599

3. Write a WAAS custom rule

Expression syntax is validated when you save a custom rule.

  1. Open Console, and go to Defend > Custom configs > WAAS.

  2. Click Add rule.

  3. Enter a name for the rule.

  4. In Message, enter a audit message to be emitted when an event matches the condition logic in this custom rule.

  5. Select the rule type.

    You can write expressions for requests or responses. What you select here scopes the vocabulary available for your expression.

  6. Enter your expression logic.

    Press OPTION + SPACE to get a list of valid terms, expressions, operators, etc, for the given position.

    Use the example expressions here as a starting point for your own expression.

  7. Click Save.

    Your expression logic is validate before it’s save to Console’s database.

4. Activate WAAS custom rules

A custom rule is made up of one or more conditions. Attach a custom rule to a WAAS policy rule to activate it.

Custom rules are defined in Defend > Custom configs > WAAS. WAAS policy rules are defined in Defend > WAAS > {Container | Host | App-Embedded}.

When attaching a custom rule to a WAAS policy rule, you specify the action to take when the expression evaluates to true (i.e. the expression matches). Supported actions are disable, alert, prevent, and ban.

Custom rules have priority over all other enabled WAAS protections. WAAS evaluates all custom rules that are attached, so you can get more than one audit if more than one custom rule matches.

Prerequisites: You have already set up WAAS to protect an app, and there’s a rule for it under Defend > WAAS > {Container | Host | App-Embedded}. For more information about setting up an app, see Deploy WAAS.

  1. Open Console, and go to Defend > WAAS > {Container | Host | App-Embedded}.

  2. In the table, expand a rule.

  3. Under App list, click Actions > Edit for an app in the table.

  4. In the edit rule dialog, click the Custom rules tab.

  5. Click Select rules.

    You’re presented with a list of WAAS custom rules that have already been written.

    Alternatively, you can click Add rule to author a new custom rule in place.

  6. Select one or more rules.

  7. Click Apply.

  8. Configure the effect for each custom rule.

    By default, the effect is set to Alert.

  9. Click Save.