AkamaiWAF UserGuide
ColdFusion
injection attacks. Formerly, in CRS version 1.6.1, this group also included
SQL and XSS attacks. Those are now in their own respective groups.
SQL Injection Attacks    This group is new to the 2.x CRS and specifically covers SQL Injection attacks.
XSS Attacks              This group is new to the 2.x CRS and specifically covers Cross-Site Scripting attacks.
Tight Security           Provides rules that screen user-supplied inputs for malicious content or characters that leverage insufficient validation at origin.
Trojans                  Detection of attempts to access Trojans already installed on the system.
Outbound (Leakage)       Prevents application error messages and code snippets from being sent to the user. This makes attacking the server much harder and is also a last line of defense if an attack passes through.
ModSecurity Core Rule Set Group Definitions
118 Web Application Firewall User Guide. Akamai Confidential.
Appendix B. Network Layer IP Controls Behaviors
If your Firewall Policy includes Network Layer Controls, it is important to know how entries in the BLOCKED IPS and ALLOWED IPS lists on Luna Control Center's Network Layer Controls page (see Figure 2-17 on page 27) behave in relation to one another and to your Firewall Policy as a whole.
The following table summarizes behaviors given different entry combinations:
BLOCKED IPS Entry    ALLOWED IPS Entry    Result
No entry             192.168.0.1          Only 192.168.0.1 is allowed. All other IP addresses are blocked. This is called a strict whitelist.
192.168.0.1          No entry             All IP addresses are allowed except 192.168.0.1.
192.168.0.0/24       192.168.0.1          All IP addresses are allowed except those contained in the 192.168.0.0/24 CIDR block. Within the block, IP 192.168.0.1 is allowed. Adding an IP address to the ALLOWED IPS list that is not within the CIDR block is superfluous, as that address would have been allowed anyway.
192.168.0.1          192.168.0.1          All IP addresses are allowed. The presence of address 192.168.0.1 in the ALLOWED IPS list overrides its presence in the BLOCKED IPS list.
192.168.0.1          192.168.0.2          All IP addresses are allowed except 192.168.0.1. The presence of address 192.168.0.2 in the ALLOWED IPS list is superfluous, as it would have been allowed anyway.
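The precedence the table describes can be written as a small evaluator and list check. This is an added example, not Akamai's implementation: the function names are hypothetical, the rule is inferred from the five table rows, and allowing everything when both lists are empty is an assumption.

```python
import ipaddress


def _nets(entries):
    # Accept single addresses and CIDR blocks alike.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def network_layer_decision(client_ip, blocked, allowed):
    """Return "allow" or "block" for client_ip under the two lists."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in n for n in _nets(allowed)):
        return "allow"  # an ALLOWED IPS entry overrides BLOCKED IPS
    if blocked:
        return "block" if any(ip in n for n in _nets(blocked)) else "allow"
    # No BLOCKED entries: a non-empty ALLOWED list is a strict whitelist.
    # Two empty lists allowing everything is an assumption (no such table row).
    return "block" if allowed else "allow"


def superfluous_allowed(blocked, allowed):
    """ALLOWED entries that change nothing because no BLOCKED entry covers them."""
    if not blocked:
        return []  # here every ALLOWED entry defines the whitelist
    blocked_nets = _nets(blocked)
    return [a for a, net in zip(allowed, _nets(allowed))
            if not any(net.overlaps(b) for b in blocked_nets)]


# One probe per behaviour in the table: (blocked, allowed, client IP, expected).
# The probe address 203.0.113.9 is constructed for this example.
TABLE_CASES = [
    ([], ["192.168.0.1"], "192.168.0.1", "allow"),
    ([], ["192.168.0.1"], "203.0.113.9", "block"),
    (["192.168.0.1"], [], "192.168.0.1", "block"),
    (["192.168.0.1"], [], "203.0.113.9", "allow"),
    (["192.168.0.0/24"], ["192.168.0.1"], "192.168.0.1", "allow"),
    (["192.168.0.0/24"], ["192.168.0.1"], "192.168.0.77", "block"),
    (["192.168.0.0/24"], ["192.168.0.1"], "203.0.113.9", "allow"),
    (["192.168.0.1"], ["192.168.0.1"], "192.168.0.1", "allow"),
    (["192.168.0.1"], ["192.168.0.2"], "192.168.0.1", "block"),
    (["192.168.0.1"], ["192.168.0.2"], "192.168.0.2", "allow"),
]
```

Running `superfluous_allowed` over a proposed pair of lists before saving them flags ALLOWED entries that have no effect, which usually means the matching BLOCKED entry is missing or mistyped.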
Appendix C. Real-Time Reporting POST Schema
The Real-Time Reporting (RTR) POST schema is as follows:
• Each line contains a space-separated list of fields
• The first field is always a letter that describes the type of line
• Empty fields are denoted by a hyphen ( - )
• Fields are URL-encoded so as to not include characters that would make the parsing of logs ambiguous
Lines and Fields
Currently, two types of lines are supported:
• v: version number
  The first line of each payload is always a v line.
• W: firewall policy data
  A W line is reported for each request that triggers at least one firewall policy rule, even if the rule does not cause the request to be denied (i.e., the rule only generated an alert).
Line Fields
Line  Field                                      Notes
v     v
      1.0                                        Updated each time the W line format changes.
W     Epoch time for the end of the request
      Application ID                             The WAF policy ID you configured in Luna Control Center.
      Client IP                                  Ignore the X-Forwarded-For header unless security:firewall.debug.honor-xff is enabled in metadata.
      Method
      ARL
      HTTP status code returned to the client
      Request ID
      Number of triggered rules (1 or more)      Each rule adds six fields to the line.
      ID for rule #1
      Deny flag for rule #1                      0 or 1
      Tag for rule #1
      Message for rule #1
      User data for rule #1
      Selector for rule #1
      ID for rule #2 ...
An example of RTR reporting values follows, assuming a policy ID of lb01_736.
v 1.0
W 1236205695.625 lb01_736 127.0.0.1 GET /L/1/16399/10s/www.example.com/index.html 400 15 1 950012 1 HTTP%20Request%20Smuggling%20Attack. WEB_ATTACK/REQUEST_SMUGGLING - REQUEST_HEADERS:Content-Length
W 1236205695.629 lb01_736 127.0.0.1 GET /L/1/16399/10s/www.example.com/index.html 400 16 1 960016 1 Content-Length%20HTTP%20header%20is%20not%20numeric PROTOCOL_VIOLATION/INVALID_HREQ - REQUEST_HEADERS:Content-Length
W 1236205695.635 lb01_736 127.0.0.1 GET /L/1/16399/10s/www.example.com/index.html?test_arg=coalesce 200 17 1 950908 0
W 1236205696.749 lb01_736 127.0.0.1 GET /L/1/16399/10s//www.example.com/index.html 400 23 1 960016 1 Content-Length%20HTTP%20header%20is%20not%20numeric PROTOCOL_VIOLATION/INVALID_HREQ - REQUEST_HEADERS:Content-Length
W 1236205696.753 lb01_736 127.0.0.1 GET /L/1/16399/10s//www.example.com/index.html?test_arg=coalesce 200 24 1 950908 0 SQL%20Injection%20Attack WEB_ATTACK/SQL_INJECTION coalesce ARGS:test_arg
Fields Added by WAF to W3C and Combined LDS Formats
When WAF logging is enabled in Akamai's LDS (Log Delivery Service), a new field is appended to either the W3C or Combined lines. The exact format of the Web Application Firewall Information field is:
<application_id> "|" ((<alert_rule_id> ":" ) * <alert_rule_id>) ? "|" <deny_rule_id>
Where:
• <application_id> is the firewall policy ID assigned by you and Akamai in Luna Control Center.
• The rules listed between the | symbols and separated by a colon ( : ), a delimiter, are rules that matched in alert mode.
• The rule after the second | symbol matched in deny mode.
For example, the following field shows a Firewall Policy with several matches of rules in alert mode, followed by a deny rule.
fw01_1234 | 960006:960015 | 960021
Here, the Firewall Policy identified as fw01_1234 triggered rule 960006, then rule 960015 (both in an alert action) and ended enforcement with rule 960021 triggering a deny action.
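A parser for the RTR payload schema and for the LDS Web Application Firewall Information field described above, as an added example that is not Akamai's code; all function and class names are hypothetical. Assumption: the per-rule order message, tag follows the sample W lines on this page, which differs from the Tag, Message order in the field table.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

@dataclass
class RuleHit:
    rule_id: str
    deny: bool
    message: Optional[str]  # message-before-tag order follows the page's sample lines
    tag: Optional[str]
    user_data: Optional[str]
    selector: Optional[str]

@dataclass
class WafEvent:
    epoch: float
    policy_id: str
    client_ip: str
    method: str
    arl: str
    status: int
    request_id: str
    rules: List[RuleHit]

def _field(raw):
    """A lone hyphen marks an empty field; every other field is URL-encoded."""
    return None if raw == "-" else unquote(raw)

def parse_rtr_payload(text):
    """Return (schema version, parsed W events, rejected raw lines)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = lines[0].split(" ") if lines else []
    if len(head) != 2 or head[0] != "v":
        raise ValueError("payload must start with a 'v <version>' line")
    events, rejected = [], []
    for ln in lines[1:]:
        f = ln.split(" ")
        try:
            if f[0] != "W" or len(f) < 9:
                raise ValueError("not a complete W line")
            count, rule_fields = int(f[8]), f[9:]
            # Each triggered rule contributes exactly six fields.
            if count < 1 or len(rule_fields) != 6 * count:
                raise ValueError("rule count does not match field count")
            rules = []
            for i in range(0, len(rule_fields), 6):
                rid, deny, msg, tag, data, sel = rule_fields[i:i + 6]
                if deny not in ("0", "1"):
                    raise ValueError("deny flag must be 0 or 1")
                rules.append(RuleHit(rid, deny == "1", _field(msg), _field(tag),
                                     _field(data), _field(sel)))
            events.append(WafEvent(float(f[1]), unquote(f[2]), unquote(f[3]), f[4],
                                   unquote(f[5]), int(f[6]), f[7], rules))
        except ValueError:
            rejected.append(ln)  # keep malformed lines for review, never guess fields
    return head[1], events, rejected

def parse_lds_waf_field(value):
    """Split '<application_id>|<alert ids joined by :>|<deny id>' into its parts."""
    parts = [p.strip() for p in value.split("|")]
    if len(parts) != 3 or not parts[0]:
        raise ValueError("expected three |-separated parts")
    app_id, alerts, deny = parts
    alert_ids = alerts.split(":") if alerts else []
    if not all(r.isdigit() for r in alert_ids + ([deny] if deny else [])):
        raise ValueError("rule IDs must be numeric")
    # Treating an empty third part as "no deny rule" is an assumption.
    return {"application_id": app_id, "alert_rules": alert_ids, "deny_rule": deny or None}

# Lines copied from the sample on this page; the second W line is cut short there.
SAMPLE_PAYLOAD = "\n".join([
    "v 1.0",
    "W 1236205695.625 lb01_736 127.0.0.1 GET /L/1/16399/10s/www.example.com/index.html 400 15 1 950012 1 HTTP%20Request%20Smuggling%20Attack. WEB_ATTACK/REQUEST_SMUGGLING - REQUEST_HEADERS:Content-Length",
    "W 1236205695.635 lb01_736 127.0.0.1 GET /L/1/16399/10s/www.example.com/index.html?test_arg=coalesce 200 17 1 950908 0",
    "W 1236205696.753 lb01_736 127.0.0.1 GET /L/1/16399/10s//www.example.com/index.html?test_arg=coalesce 200 24 1 950908 0 SQL%20Injection%20Attack WEB_ATTACK/SQL_INJECTION coalesce ARGS:test_arg",
])
```

Checking the field count against the declared rule count before assigning names matters because fields are positional: a short line would otherwise shift a selector or user-data value into the wrong column.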
Appendix D. Rule Profiles Comparison
Risk Scoring Comparison
Risk Group Action Standard Intermediate Strict Recommended
SQL Injection Deny 19 14 14 14
Cross Site Scripting (XSS) Deny 9 9 9 9
Command Injection Deny 4 4 4 4
Invalid HTTP Deny 7 7
Remote File Inclusion Deny 4 4 4 4
PHP Injection Deny 4 4 4 4
Trojan Deny 4 4 4
Total Request Score (Inbound) Deny 30 25 20 30
Total Response Score (Outbound) Deny 2 2 2 2
Individual Rule Actions per Profile
*Indicates the setting is not a part of the default Rule Profile. Rather, it is applied as a result of providing a particular answer to a particular question in the Profile's Advanced Options.
Risk Group Title Standard Intermediate Strict Recommended
950000 Session Fixation Deny Deny
950001 SQL Injection Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
950002 System Command Access Risk Scoring Risk Scoring Risk Scoring Risk Scoring
950003 Session Fixation Deny Deny
950005 Remote File Access Attempt Deny Deny Deny Deny
950006 System Command Injection Risk Scoring Risk Scoring Risk Scoring Risk Scoring
950007 Blind SQL Injection Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
950008 Injection of Undocumented ColdFusion Tags Deny* Deny* Disabled
950009 Session Fixation Deny Deny
950010 LDAP Injection Attack Deny* Deny* Disabled
950011 SSI Injection Attack Risk Scoring Risk Scoring
950018 UPDF/XSS Injection Attack Risk Scoring Risk Scoring
950019 Email Injection Attack Deny Deny
950103 Path Traversal Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
950107 URL Encoding Abuse Attack Attempt Risk Scoring* Risk Scoring
950108 URL Encoding Abuse Attack Attempt Deny* Risk Scoring* Risk Scoring
950109 Multiple URL Encoding Detected Risk Scoring* Risk Scoring
950110 Backdoor Access Risk Scoring Risk Scoring Risk Scoring Risk Scoring
950116 Unicode Full/Half Width Abuse Attack Attempt Risk Scoring Risk Scoring
950117 Remote File Inclusion Attack (Remote URL with IP Address) Risk Scoring Risk Scoring Risk Scoring Risk Scoring
950118 Remote File Inclusion Attack (Common PHP RFI Attacks) Risk Scoring Risk Scoring Risk Scoring Risk Scoring
950119 Remote File Inclusion Attack (Remote URL Ending with ?) Risk Scoring Risk Scoring Risk Scoring Risk Scoring
950120 Remote File Inclusion Attack (Remote URL Detected) Risk Scoring Risk Scoring Risk Scoring
950901 SQL Injection Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
950907 System Command Injection
950908 SQL Injection Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
950910 HTTP Response Splitting Attack (Header Injection) Deny Deny Deny
950911 HTTP Response Splitting Attack (Response Injection) Deny Deny Deny
950921 Backdoor Access Risk Scoring Risk Scoring Risk Scoring Risk Scoring
950922 Backdoor Access Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958000 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958001 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958002 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958003 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958004 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958005 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958006 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958007 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958008 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958009 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958010 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958011 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958012 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958013 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958016 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958017 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958018 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958019 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958020 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958022 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958023 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958024 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958025 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958026 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958027 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958028 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958030 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958031 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958032 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958033 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958034 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958036 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958037 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958038 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958039 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958040 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958041 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958045 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958046 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958047 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958049 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958051 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958052 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958054 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958056 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958057 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958059 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958230 Range: Invalid Last Byte Value Deny Deny
958231 Range: Too Many Fields Deny Deny
958291 Range: Field Exists and Begins With 0 Risk Scoring* Risk Scoring
958295 Multiple/Conflicting Connection Header Data Found Risk Scoring* Risk Scoring
958404 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958405 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958406 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958407 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958408 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958409 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958410 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958411 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958412 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958413 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958414 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958415 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958416 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958417 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958418 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958419 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958420 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958421 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958422 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958423 Cross-Site Scripting (XSS) Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958976 PHP Injection Attack (Common Functions) Risk Scoring Risk Scoring Risk Scoring Risk Scoring
958977 PHP Injection Attack (Configuration Override) Risk Scoring Risk Scoring Risk Scoring Risk Scoring
959070 SQL Injection Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
959071 SQL Injection Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
959072 SQL Injection Attack Risk Scoring Risk Scoring Risk Scoring Risk Scoring
959073 SQL Injection Attack Risk Scoring Risk Scoring
959151 PHP Injection Attack (Opening Tag) Risk Scoring Risk Scoring Risk Scoring Risk Scoring
960012 POST Request Missing Content-Length Header Risk Scoring* Risk Scoring
960016 Content-Length HTTP header is not numeric Deny Deny Deny Deny
960020 Pragma Header Requires Cache-Control Header for HTTP/1.1 Requests Risk Scoring* Risk Scoring
960022 Expect Header Not Allowed for HTTP 1.0 Risk Scoring* Risk Scoring
960034 HTTP Protocol Version Is Not Allowed By Policy Risk Scoring* Risk Scoring
960035 URL file extension is restricted by policy Risk Scoring Deny Deny Different
960901 Invalid character in request Risk Scoring Risk Scoring
960902 Invalid Use of Identity Encoding Risk Scoring* Risk Scoring
960904 Request Containing Content, but Missing Content-Type Header Risk Scoring* Risk Scoring
960912 Failed to parse request body Risk Scoring Risk Scoring Risk Scoring Risk Scoring
970003 SQL Information Leakage Risk Scoring* Risk Scoring* Risk Scoring* Disabled
970004 IIS Information Leakage Risk Scoring* Risk Scoring* Risk Scoring* Disabled
970007 Zope Corporation Zope Information Leakage Risk Scoring* Risk Scoring* Risk Scoring* Disabled
970008 Cold Fusion Information Leakage Risk Scoring* Risk Scoring* Risk Scoring* Disabled
970009 PHP Information Leakage Risk Scoring* Risk Scoring* Risk Scoring* Disabled
970010 Microsoft information Disclosure Risk Scoring* Risk Scoring* Risk Scoring* Disabled
970118 Application Is Not Available (Server-Side Exceptions) Risk Scoring* Risk Scoring* Risk Scoring* Disabled
970901 The Application Is Not Available (HTTP 5XX) Risk Scoring* Risk Scoring* Risk Scoring* Disabled
970902 PHP Source Code Leakage Risk Scoring* Risk Scoring* Disabled
970903 ASP/JSP Source Code Leakage Risk Scoring* Disabled
970904 IIS Information Leakage Risk Scoring* Risk Scoring* Risk Scoring* Disabled
973300 Possible XSS Attack Detected - HTML Tag Handler Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973301 XSS Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973302 XSS Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973303 XSS Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973304 XSS Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973305 XSS Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973306 XSS Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973307 XSS Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973308 XSS Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973309 XSS Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973310 XSS Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973311 XSS Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973312 XSS Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973313 XSS Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973314 XSS Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973315 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973316 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973317 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973318 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973319 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973320 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973321 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973322 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973323 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973324 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973325 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973326 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973327 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973328 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973329 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973330 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973331 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973332 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973333 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973334 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973335 IE XSS Filters - Attack Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
973336 XSS Filter - Category 1: Script Tag Vector Risk Scoring Risk Scoring Risk Scoring
973337 XSS Filter - Category 2: Event Handler Vector Risk Scoring Risk Scoring Risk Scoring
981000 Potentially Malicious iFrame Tag Detected in Output Risk Scoring* Disabled
981001 Potentially Malicious iFrame Tag Detected in Output Risk Scoring* Disabled
981003 Malicious iFrame+JavaScript Tag in Output Risk Scoring* Disabled
981004 Potentially Obfuscated JavaScript in Output (fromCharCode) Risk Scoring* Disabled
981005 Potentially Obfuscated JavaScript in Output - eval() and unescape() Risk Scoring* Disabled
981006 Potentially Obfuscated JavaScript in Output - unescape() Risk Scoring* Disabled
981007 Potentially Obfuscated JavaScript in Output - Heap Spray Risk Scoring* Disabled
981173 Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981241 Conditional SQL Injection Attempts Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981242 Classic SQL Injection Probes 1/2 Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981243 Classic SQL Injection Probes 2/2 Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981244 Basic SQL Authentication Bypass Attempts 1/3 Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981245 Basic SQL Authentication Bypass Attempts 2/3 Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981246 Basic SQL Authentication Bypass Attempts 3/3 Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981247 Concatenated Basic SQL Injection and SQLLFI Attempts Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981248 Chained SQL Injection Attempts 1/2 Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981249 Chained SQL Injection Attempts 2/2 Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981250 SQL Benchmark and sleep() Injection Attempts Including Conditional Queries Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981251 MySQL UDF Injection and Other Data/Structure Manipulation Attempts Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981252 MySQL Charset Switch and MSSQL DoS Attempts Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981253 MySQL and PostgreSQL Stored Procedure/Function Injections Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981254 Postgres pg_sleep() Injection, WAITFOR DELAY Attacks and Database Shutdown Attempts Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981255 MSSQL Code Execution and Information Gathering Attempts Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981256 MATCH AGAINST, MERGE, EXECUTE IMMEDIATE, and HAVING Injections Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981260 SQL Hex Encoding Identified Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981270 Basic MongoDB SQL Injection Attempts Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981272 Blind SQLI Tests Using sleep() or benchmark() Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981276 Basic SQL Injection - Common Attack Payloads Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981277 Integer Overflow Attacks (Taken from Skipfish) Risk Scoring Risk Scoring
981300 SQL SELECT Statement Anomaly Detection Alert Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981318 SQL Injection Attack: Common Injection Testing Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981319 SQL Injection Attack: SQL Operator Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
981320 SQL Injection Attack: Common DB Names Detected Risk Scoring Risk Scoring Risk Scoring Risk Scoring
990002 Request Indicates a Security Scanner Scanned the Site Deny Deny Deny Deny
990012 Rogue Web Site Crawler Deny Deny Deny
990901 Request Indicates a Security Scanner Scanned the Site Deny Deny Deny Deny
990902 Request Indicates a Security Scanner Scanned the Site Deny Deny Deny Deny
3000000 SQL Injection Bypass/Probing Risk Scoring Risk Scoring Risk Scoring Risk Scoring
3000001 HTTP Response Splitting (Header Injection Attempt) Deny Deny Deny Deny
3000002 Local System File Access Attempt Risk Scoring Risk Scoring Risk Scoring Risk Scoring
3000003 PHP Code Injection Risk Scoring Risk Scoring Risk Scoring Risk Scoring
3000004 PHP Remote File Include Risk Scoring Risk Scoring Risk Scoring Deny
3000005 System Command Injection (The Open Group's UNIX operating system) Risk Scoring Risk Scoring Risk Scoring Risk Scoring
3000006 SQL Injection (String Termination and Comment Sequence) Risk Scoring Risk Scoring Deny Deny
3000007 System Command Injection (UNIX File Leakage) Risk Scoring Risk Scoring Risk Scoring Risk Scoring
3000008 Pandora / Dirt Jumper DDoS Detection - HTTP GET Attacks Deny* Deny* Deny
3000009 Ruby on Rails Pingback API Deny* Deny* Disabled
3000022 SQL Injection (DROP Statement) Risk Scoring Risk Scoring Risk Scoring Risk Scoring