hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for REQUEST-949-BLOCKING-EVALUATION Rule Group within the Web Application Firewall Policy Validation #28163

Closed da-access-group closed 16 hours ago

da-access-group commented 16 hours ago

Description

I am currently encountering an error when trying to disable a rule within the REQUEST-949-BLOCKING-EVALUATION Rule Group for Azure Web Application Firewall. I believe this is due to the rule not being located within the validation file: https://github.com/hashicorp/terraform-provider-azurerm/blob/main/internal/services/network/validate/web_application_firewall_policy.go

Error encountered:

Error: expected managed_rules.0.managed_rule_set.0.rule_group_override.2.rule_group_name to be one of ["BadBots" "crs_20_protocol_violations" "crs_21_protocol_anomalies" "crs_23_request_limits" "crs_30_http_policy" "crs_35_bad_robots" "crs_40_generic_attacks" "crs_41_sql_injection_attacks" "crs_41_xss_attacks" "crs_42_tight_security" "crs_45_trojans" "crs_49_inbound_blocking" "General" "GoodBots" "KnownBadBots" "Known-CVEs" "REQUEST-911-METHOD-ENFORCEMENT" "REQUEST-913-SCANNER-DETECTION" "REQUEST-920-PROTOCOL-ENFORCEMENT" "REQUEST-921-PROTOCOL-ATTACK" "REQUEST-930-APPLICATION-ATTACK-LFI" "REQUEST-931-APPLICATION-ATTACK-RFI" "REQUEST-932-APPLICATION-ATTACK-RCE" "REQUEST-933-APPLICATION-ATTACK-PHP" "REQUEST-941-APPLICATION-ATTACK-XSS" "REQUEST-942-APPLICATION-ATTACK-SQLI" "REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" "REQUEST-944-APPLICATION-ATTACK-JAVA" "UnknownBots" "METHOD-ENFORCEMENT" "PROTOCOL-ENFORCEMENT" "PROTOCOL-ATTACK" "LFI" "RFI" "RCE" "PHP" "NODEJS" "XSS" "SQLI" "FIX" "JAVA" "MS-ThreatIntel-WebShells" "MS-ThreatIntel-AppSec" "MS-ThreatIntel-SQLI" "MS-ThreatIntel-CVEs"], got REQUEST-949-BLOCKING-EVALUATION

New or Affected Resource(s)/Data Source(s)

azurerm_web_application_firewall_policy

Potential Terraform Configuration

resource "azurerm_web_application_firewall_policy" "example" {
  name                = "example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
      rule_group_override {
        rule_group_name = "REQUEST-949-BLOCKING-EVALUATION"
        rule {
          id      = "949110"
          enabled = true
          action  = "Log"
        }
      }
    }
  }
}

References

No response

da-access-group commented 16 hours ago

My mistake; upon further investigation, this appears to be related to the anomaly score and is not configurable within the ruleset. Details are included in the note here: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=drs21#drs99001-21

When reviewing your WAF's logs, you might see rule ID 949110. The description of the rule might include Inbound Anomaly Score Exceeded.

This rule indicates that the total anomaly score for the request exceeded the maximum allowable score. For more information, see Anomaly scoring.
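A simplified anomaly-scoring model, added here as an illustration of why 949110 cannot be overridden; this is not code from the provider or from Azure. The severity weights (5/4/3/2), the threshold of 5, the "AnomalyScoring" default action and the constructed rule IDs are assumptions; the point is that 949110 is computed from the other matches rather than read from the policy.

```go
package main

import "fmt"

// Severity weights and the blocking threshold are assumptions for this
// illustration, not values from the issue; the real ones are in the linked docs.
var severityScore = map[string]int{"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

const blockingThreshold = 5 // assumed

// RuleMatch is one managed rule that matched a request, with the action a
// rule_group_override assigns to it ("AnomalyScoring" is assumed to be the default).
type RuleMatch struct {
	ID, Severity, Action string // Action: "AnomalyScoring" or "Log"
	Enabled              bool
}

// Verdict is the outcome of the blocking evaluation, i.e. the 949110 log entry.
type Verdict struct {
	Score   int
	Blocked bool
	Log     []string
}

// EvaluateAnomalyScore sums the scores of enabled, still-scoring matches and
// synthesizes the 949110 entry when the total reaches the threshold. 949110 is
// never in the input: it is the verdict, which is why the provider rejects
// REQUEST-949-BLOCKING-EVALUATION as a rule_group_name.
func EvaluateAnomalyScore(matches []RuleMatch) Verdict {
	var v Verdict
	for _, m := range matches {
		if !m.Enabled {
			continue // a disabled rule neither logs nor scores
		}
		if m.Action == "Log" {
			v.Log = append(v.Log, fmt.Sprintf("rule %s matched (Log only, no score)", m.ID))
			continue
		}
		v.Score += severityScore[m.Severity]
		v.Log = append(v.Log, fmt.Sprintf("rule %s matched, score now %d", m.ID, v.Score))
	}
	if v.Score >= blockingThreshold {
		v.Blocked = true
		v.Log = append(v.Log, "rule 949110: Inbound Anomaly Score Exceeded")
	}
	return v
}
```

Overriding an individual rule to Log (as the configuration in the issue does) removes that rule's contribution under this model, but the 949110 evaluation itself still runs over whatever remains.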