Understanding the WAF CRS Flow
Okay! I'll make a more detailed version of the CRS WAF + ModSecurity flow diagram, as ASCII text so it is easy to read in a terminal or a plain-text document. This diagram focuses on paranoia level → scoring → threshold blocking, with the paranoia level and score per category:
              +-----------------------+
              | Incoming HTTP Request |
              +-----------------------+
                          |
                          v
           +-----------------------------+
           | ModSecurity Core Processing |
           +-----------------------------+
                          |
            +-------------+-------------+
            |                           |
            v                           v
+-----------------------+   +-----------------------+
| Protocol Checks       |   | Header Checks         |
| - HTTP method         |   | - User-Agent          |
| - URI length          |   | - Cookies             |
| - HTTP version        |   | - Referrer            |
| Paranoia Level: 1-2   |   | Paranoia Level: 1-3   |
| Score per rule: 5     |   | Score per rule: 5-8   |
+-----------------------+   +-----------------------+
            |                           |
            v                           v
+-----------------------+   +-----------------------+
| Argument Checks       |   | File Upload Checks    |
| - Num of args         |   | - Extension whitelist |
|   (tx.max_num_args)   |   | - Max file size       |
| - Arg length          |   |                       |
|   (tx.arg_length)     |   |                       |
| Paranoia Level: 2-3   |   | Paranoia Level: 2-4   |
| Score per rule: 7-10  |   | Score per rule: 10-15 |
+-----------------------+   +-----------------------+
            |                           |
            +-------------+-------------+
                          |
                          v
            +---------------------------+
            | Apply CRS Rules          |
            | (Request/Response)       |
            | - REQUEST-901 → INIT     |
            | - REQUEST-920 → Protocol |
            | - REQUEST-932 → RCE      |
            | - RESPONSE-950 → Data    |
            | Paranoia Level: 1-4      |
            | Score per rule: 5-20     |
            +---------------------------+
                          |
                          v
            +---------------------------+
            | Calculate Anomaly Score  |
            | (per matched rule)       |
            +---------------------------+
                          |
                          v
            +---------------------------+
            | Check Paranoia Level     |
            | tx.paranoia_level        |
            | tx.inbound_anomaly_score |
            | tx.outbound_anomaly_score |
            +---------------------------+
                          |
                          v
            +---------------------------+
            | Compare Score Threshold  |
            | - inbound: 5/10/15/20    |
            | - outbound: 4/8/12/16    |
            | (varies per paranoia lvl) |
            +---------------------------+
                          |
            +-------------+-------------+
            |                           |
            v                           v
+-----------------------+   +-----------------------+
| Score < Threshold     |   | Score >= Threshold    |
| → Allow Request       |   | → Block Request       |
+-----------------------+   +-----------------------+
Explanation:
- Paranoia Level (tx.paranoia_level, PL 1-4) determines which rules are run:
  - PL1: base rules, minimal false positives
  - PL2: additional rules for common attacks
  - PL3: aggressive rules (RCE, SQLi, LFI)
  - PL4: all rules, including the most aggressive ones
  - Low level → only the minimal rules; high level → all rules
- Anomaly Scoring:
  - Every matching rule adds to the score (tx.inbound_anomaly_score).
  - The request is blocked only if the total score ≥ the threshold (tx.inbound_anomaly_score_threshold).
  - Thresholds for PL1-4 are usually: 5 / 10 / 15 / 20.
- Rule Layering (Request vs Response Rules):
  - Protocol → Header → Argument → File Upload → CRS rules → Anomaly scoring
  - Request → filters user input
  - Response → filters the web server's output (e.g. data leaks)
- CRS Layers:
  - REQUEST-901: Initialization
  - REQUEST-920: Protocol enforcement
  - REQUEST-932: RCE detection
  - RESPONSE-950: Data leakage
- Outbound Rules: similar to the process above, but they inspect the response for data or sensitive info.
If you want, I can make a version of the "paranoia level → rule sets → score → block" diagram as a table + complete flow, so it is easy to use in WAF documentation.
Do you want me to make that table + flow version too?