WAF Rules Aren't working

Hello, can someone please help me? I've made Cloudflare WAF rules but they aren't working/triggering. Does anyone have this? Here are my rules below:
(ssl and http.request.uri.path eq "/auth/login" and http.request.uri.path eq "/" and http.request.uri.path contains "/register" and http.request.full_uri eq "https://panel.lylanodes.com/auth/login" and http.request.full_uri eq "https://dash.lylanodes.com/servers" and http.request.full_uri contains "https://panel.lylanodes.com/" and http.request.full_uri contains "https://dash.lylanodes.com/" and cf.client.bot and http.request.method eq "GET" and http.request.version in {"HTTP/1.0" "HTTP/1.1" "HTTP/1.2" "HTTP/2" "HTTP/3" "SPDY/3.1"} and cf.waf.score.class eq "attack" and cf.waf.score.class eq "likely_attack" and cf.waf.score.class eq "likely_clean" and cf.waf.score.class eq "clean" and cf.threat_score gt 2 and http.cookie contains "TOKEN=11111111111111111111111") or (http.cookie contains "TOKEN=" and ip.geoip.continent in {"AF" "AN" "AS" "EU" "NA" "OC" "SA" "T1"} and ip.geoip.asnum eq 33575 and ip.geoip.asnum eq 13335 and http.request.uri.path contains "/:80" and http.request.uri.path contains "/:443" and http.request.uri.path contains "/:53" and http.request.uri.path contains "/:8443")
1 Reply
Chaika 3mo ago
Well, what is that expression? Those are two large blocks joined with only "ANDs" in both.

That first block is never going to be true because you check if the same field equals multiple things:

    and http.request.uri.path eq "/auth/login" and http.request.uri.path eq "/"
    and http.request.full_uri eq "https://panel.lylanodes.com/auth/login" and http.request.full_uri eq "https://dash.lylanodes.com/servers"
    and cf.waf.score.class eq "attack" and cf.waf.score.class eq "likely_attack" and cf.waf.score.class eq "likely_clean" and cf.waf.score.class eq "clean"

Not possible for it to be both "attack" and "clean", of course.

The second block isn't ever going to be true either because you're checking if the asnum is equal to two things:

    and ip.geoip.asnum eq 33575 and ip.geoip.asnum eq 13335

As for the rest, I'm not really sure the intent of that expression, but break it down into multiple rules/more nicely formatted and understand that when those are all joined by ANDs they all need to be true for that part of the expression to be true -- boolean logic. Seems like there is intended to be a lot more ORs in that expression.
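The check described in the reply above can be automated. This is an added example, not part of the original thread and not Cloudflare tooling: a small linter that flags AND-only groups requiring one field to `eq` two different values. The function names and the `SAMPLE`/`FIXED` expressions are hypothetical; `SAMPLE` is a constructed, abridged version of the posted rule.

```python
import re
from collections import defaultdict

EQ = re.compile(r'([a-z_][a-z0-9_.]*)\s+eq\s+("[^"]*"|\d+)')  # field eq "str" | field eq 123
GROUP = re.compile(r'\(([^()]*)\)')                           # un-nested (...) groups
QUOTED = re.compile(r'"[^"]*"')

def contradictions(expression):
    """One dict per (...) group: fields an AND-only group forces to equal
    two or more different values (such a group can never be true)."""
    report = []
    for body in GROUP.findall(expression) or [expression]:
        conflicts = {}
        # Only pure-AND groups are analysed; an `or` outside quotes is skipped.
        if not re.search(r'\bor\b', QUOTED.sub('""', body)):
            seen = defaultdict(set)
            for field, value in EQ.findall(body):
                seen[field].add(value.strip('"'))
            conflicts = {f: sorted(v) for f, v in seen.items() if len(v) > 1}
        report.append(conflicts)
    return report

def can_match(expression):
    """Groups are ORed together, so the rule can fire only if at least
    one group has no contradictory equality checks."""
    return any(not c for c in contradictions(expression))

# Constructed sample: abridged from the rule posted in the question.
SAMPLE = ('(http.request.uri.path eq "/auth/login" and http.request.uri.path eq "/" '
          'and cf.waf.score.class eq "attack" and cf.waf.score.class eq "clean") '
          'or (http.cookie contains "TOKEN=" and ip.geoip.asnum eq 33575 '
          'and ip.geoip.asnum eq 13335)')

# Constructed contrast: one value per field per group (shape only, not a recommended rule).
FIXED = '(http.request.uri.path eq "/auth/login") or (ip.geoip.asnum eq 33575)'

if __name__ == "__main__":
    for i, conflicts in enumerate(contradictions(SAMPLE), 1):
        for field, values in conflicts.items():
            print(f"group {i}: {field} cannot equal all of {values}")
    print("SAMPLE can match:", can_match(SAMPLE))
    print("FIXED can match:", can_match(FIXED))
```

The linter only looks at `eq` comparisons, so `contains` and `in {...}` checks are not analysed.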