Edgio

Managed Rule Groups

Edgio Managed Rules

Edgio recommends utilizing this rule group for all WAF use cases.

| Rule Name | Description | Log Name |
| --- | --- | --- |
| Cross-site scripting (XSS) Body | Inspects the value of the request body and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in Edgio WAF. Example patterns include scripts such as `<script>alert("hello")</script>`. CAUTION: This rule only inspects the first 8 KB of the request body. | cssBody |
| Cross-site scripting (XSS) Cookie | Inspects the value of cookie headers and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in Edgio WAF. Example patterns include scripts such as `<script>alert("hello")</script>`. | cssCookie |
| Cross-site scripting (XSS) Query | Inspects the value of query arguments and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in Edgio WAF. Example patterns include scripts such as `<script>alert("hello")</script>`. | cssArgs |
| Cross-site scripting (XSS) URI Path | Inspects the URI path and blocks requests that attempt to exploit RFI (Remote File Inclusion) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns such as `http://`, `https://`, `ftp://`, `ftps://`, and `file://`, with an IPv4 host header in the exploit attempt. | cssPath |
| EC2 Body | Inspects for attempts to exfiltrate Amazon EC2 metadata from the request body. CAUTION: This rule only inspects the first 8 KB of the request body. | metaBody |
| EC2 Cookie | Inspects for attempts to exfiltrate Amazon EC2 metadata from the request cookie. | metaCookie |
| EC2 Query | Inspects for attempts to exfiltrate Amazon EC2 metadata from the request query arguments. | metaArgs |
| EC2 URI Path | Inspects for attempts to exfiltrate Amazon EC2 metadata from the request URI path. | metaPath |
| General LFI Body | Inspects for the presence of Local File Inclusion (LFI) exploits in the request body. Examples include path traversal attempts using techniques such as `../../`. CAUTION: This rule only inspects the first 8 KB of the request body. | fileBody |
| General LFI Query | Inspects for the presence of Local File Inclusion (LFI) exploits in the query arguments. Examples include path traversal attempts using techniques such as `../../`. | fileArgs |
| General LFI URI Path | Inspects for the presence of Local File Inclusion (LFI) exploits in the URI path. Examples include path traversal attempts using techniques such as `../../`. | filePath |
| General RFI Body | Inspects for the presence of Local File Inclusion (LFI) exploits in the request body. Examples include path traversal attempts using techniques such as `../../`. CAUTION: This rule only inspects the first 8 KB of the request body. | remoteBody |
| General RFI Query | Inspects the values of all query parameters and blocks requests that attempt to exploit RFI (Remote File Inclusion) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns such as `http://`, `https://`, `ftp://`, `ftps://`, and `file://`, with an IPv4 host header in the exploit attempt. | remoteArgs |
| General RFI URI Path | Inspects the URI path and blocks requests that attempt to exploit RFI (Remote File Inclusion) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns such as `http://`, `https://`, `ftp://`, `ftps://`, and `file://`, with an IPv4 host header in the exploit attempt. | remotePath |
| Invalid Argument | Inspects requests whose query arguments are system file extensions that the clients shouldn’t read or run. Example patterns include extensions such as `.log` and `.ini`. | invalidArgs |
| Invalid URI Path | Inspects requests whose URI path includes system file extensions that the clients shouldn’t read or run. Example patterns include extensions such as `.log` and `.ini`. | invalidPath |
| Missing User Agent | Blocks requests with no HTTP User-Agent header. | missingAgent |
| Size - Body | Verifies that the request body size is at most 8 KB (8,192 bytes). | sizeBody |
| Size - Cookie | Verifies that the cookie header length is at most 10,240 bytes. | sizeCookie |
| Size - URI Path | Verifies that the URI path length is at most 1,024 bytes. | sizePath |
| Size - URI Query Size | Verifies that the URI query string length is at most 2,048 bytes. | sizeArgs |

Admin Page Protection Rule

| Rule Name | Description | Log Name |
| --- | --- | --- |
| Protected URI Path | Inspects requests for URI paths that are generally reserved for administration of a webserver or application. Example patterns include `sqlmanager`. | protectedPath |

Bad Input Rules

Edgio recommends enabling the ‘Bad Input - Log4J’ rule on all WAF applications.

| Rule Name | Description | Log Name |
| --- | --- | --- |
| Bad Input - Bad host | Inspects the host header in the request for patterns indicating localhost. Example patterns include `localhost`. | badHost |
| Bad Input - Bad path | Inspects the URI path for attempts to access exploitable web application paths. Example patterns include paths such as `web-inf`. | badPath |
| Bad Input - Log4js | Inspects the request for the presence of the Log4j vulnerability CVE-2021-44228 and protects against Remote Code Execution (RCE) attempts. Example patterns include `${jndi:ldap://example.com/}`. CAUTION: This rule only inspects the first 8 KB of the request body. | 3 |
| Bad Input - Propfind | Inspects the HTTP method in the request for `PROPFIND`, which is a method similar to `HEAD`, but with the extra intention to exfiltrate XML objects. | badProperty |

PHP Application Rules

| Rule Name | Description | Log Name |
| --- | --- | --- |
| PHP - Body | Inspects the values of the request body for PHP script code injection attempts. Example patterns include functions such as `fsockopen` and the `$_GET` superglobal variable. | phpBody |
| PHP - Query | Inspects the values of all query parameters for PHP script code injection attempts. Example patterns include functions such as `fsockopen` and the `$_GET` superglobal variable. | phpArgs |

SQL Database Rules

| Rule Name | Description | Log Name |
| --- | --- | --- |
| SQL - Body | Uses the built-in Edgio WAF SQL injection match statement to inspect the request body for patterns that match malicious SQL code. CAUTION: This rule only inspects the first 8 KB of the request body. | sqlBody |
| SQL - Cookie | Uses the built-in Edgio WAF SQL injection match statement to inspect the request cookie header for patterns that match malicious SQL code. | sqlCookie |
| SQL - Query | Uses the built-in Edgio WAF SQL injection match statement to inspect the request query parameters for patterns that match malicious SQL code. | sqlArgs |
| SQL - Query Extended | Inspects the values of all query parameters for patterns that match malicious SQL code. The patterns this rule inspects for aren’t covered by the built-in Edgio WAF SQL injection match statement. | sqlArgsExtra |
| SQL - URI path | Uses the built-in Edgio WAF injection match statement to inspect the request URI path for patterns that match malicious SQL code. | sqlPath |

Bot Control Rules

| Rule Name | Inspects for | Log Name |
| --- | --- | --- |
| BOT - Advertising | Bots that are used for advertising purposes. | botAds |
| BOT - Archiver | Bots that are used for archiving purposes. | botArchiver |
| BOT - Browser | Indications of an automated web browser. | botBrowser |
| BOT - Content | Bots that are fetching content on behalf of an end user. | botFetcher |
| BOT - Data center | Data centers that are typically used by bots. | botProvider |
| BOT - HTTP Library | HTTP libraries that are often used by bots. | botLib |
| BOT - Link checker | Bots that check for broken links. | botLinkChecker |
| BOT - Miscellaneous | Miscellaneous bots. | botOther |
| BOT - Monitoring | Bots that are used for monitoring purposes. | botPing |
| BOT - Scraping | Web scraping frameworks. | botScraper |
| BOT - Search Engine | Search engine bots. Verified search engines are not blocked. | botSearch |
| BOT - Security | Security-related bots. | botSecurity |
| BOT - SEO | Bots that are used for search engine optimization. | botSeo |
| BOT - Social Media | Bots that are used by social media platforms to provide content summaries. Verified social media bots are not blocked. | botSocial |
| BOT - User agent | User agent strings that don’t seem to be from a web browser. | botUserAgent |