Content Filter Rules

Signatures of threats and other potential issues


Last updated 1 month ago


Overview

A traditional WAF evaluates incoming requests according to a list of threat signatures, and flags the request if any matches are found.

Within Link11 WAAP, Content Filter Rules provide the equivalent of these signatures, although they are more powerful and flexible than those within a traditional WAF.

When a request undergoes the content filtering process, its content is compared to the Rules administered here. When a request matches a Rule, various tags will be attached to it. Those tags can be evaluated, and can cause actions to be taken on the request.

Usage within applications and APIs

Content Filter Rules are defined globally within the system, and are available to all Content Filter Profiles.

The usage of Content Filter Profiles within applications and APIs is explained here.

Administration

The main page lists all current Content Filter Rules.

The administration (addition/deletion/editing/versioning) of Rules follows the conventions described here.

Out of the box, L11WAAP includes a wide variety of well-tested Content Filter Rules. Usually, there will be no need to edit their Match criteria (which can be quite complicated). Before deleting or editing a default Rule, admins should consider the implications of doing so.

For most of the included Rules, their categories and subcategories should make their functions clear. If you have any questions about the purpose of a specific Rule, feel free to contact Support.

If edits are made, and later it becomes desirable to restore an edited Rule to its original form, an admin can revert it using the Versioning capabilities at the bottom of the page.

Alternatively, the original Rule can be duplicated to preserve it, and marked with an appropriate tag (e.g., inactive) which could then be added to the appropriate Ignore lists.

Components

A Content Filter Rule consists of the following:

  • The signature for this Rule. Usually, this represents the characteristics that make a request hostile. (Match)

  • Organizational parameters for the Rule (Category, Subcategory, Risk level)

  • Tags to apply to requests that match this Rule

  • Log message for requests that match this Rule (this field is not currently used, but will be in a pending release)

  • General parameters for administration (Name, Description)

Parameters

Name

A name for this Rule, to be used within the interface. A system tag (shown below the Tags field) will include it as well.

For the default Rules included with L11WAAP, the Names are numeric identifiers. (A production deployment will include a large number of Rules; therefore, they are usually organized/administered by their categories and subcategories.)

Description

Information about this Rule, for use within the interface.

Category

A general category for this Rule. It will be the basis for a system tag.

Subcategory

A subcategory for this Rule, within the general Category. It will be the basis for a system tag.

Risk level

A number ranging from 1 (lowest threat) to 5 (highest threat). It will be the basis for a system tag.

Tags

A list of one or more tags, separated by spaces. Whenever this Content Filter Rule's Match condition matches a request, these tags will be attached.

In addition to these admin-defined tags, the system also shows some system tags that will be attached as well.

The tags are the basis for the decisions made when the applicable Content Filter Profile is evaluated for a request. They will also appear in the traffic logs.

Log Message

(This field is not currently used, but will be in a pending release.) A message that will appear in the traffic logs when a request matches the Match condition.

Match

The criteria against which incoming requests will be compared. For Content Filter rules only, regexps are of the Hyperscan flavor (syntax).
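Because Match patterns use the Hyperscan flavor, PCRE constructs that Hyperscan's documentation lists as unsupported (lookarounds, backreferences, atomic groups, possessive quantifiers, and similar) cannot be used in a custom Rule. The following pre-check is an added example, not part of Link11 WAAP or its API; `lint_hyperscan` is a hypothetical helper name, and the check is a heuristic scan rather than a full regex parser.

```python
import re

# Hyperscan-unsupported constructs, searched after escapes and classes are masked.
STRUCTURAL = [
    ("lookaround assertion", re.compile(r"\(\?<?[=!]")),
    ("atomic group", re.compile(r"\(\?>")),
    ("conditional pattern", re.compile(r"\(\?\(")),
    ("recursion or subroutine call", re.compile(r"\(\?(?:R|[+-]?\d+|&\w+|P>\w+)\)")),
    ("backreference", re.compile(r"\(\?P=")),
    ("backtracking control verb", re.compile(r"\(\*[A-Z]")),
    ("possessive quantifier", re.compile(r"(?<!\()(?:[*+?]|\{\d+(?:,\d*)?\})\+")),
]

def lint_hyperscan(pattern):
    """Return sorted labels of constructs Hyperscan documents as unsupported."""
    found, masked, in_class = set(), [], False
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:          # escape sequence: consume two chars
            nxt = pattern[i + 1]
            if not in_class:                  # inside a class, \1 is an octal escape
                if nxt in "123456789kg":
                    found.add("backreference")
                elif nxt in "RKC":
                    found.add("\\" + nxt + " escape")
                masked.append("aa")
            i += 2
        elif in_class:                        # skip class body up to the closing ]
            if c == "]":
                in_class = False
                masked.append("a")
            i += 1
        elif c == "[":                        # open class; ^ and a leading ] are literal
            in_class = True
            i += 1
            if i < n and pattern[i] == "^":
                i += 1
            if i < n and pattern[i] == "]":
                i += 1
        else:
            masked.append(c)
            i += 1
    text = "".join(masked)
    found.update(label for label, rx in STRUCTURAL if rx.search(text))
    return sorted(found)

if __name__ == "__main__":  # constructed sample pattern, not a shipped Rule
    print(lint_hyperscan(r"(?<!\w)union\s+select"))
```

An empty result means none of the listed constructs were found; whether the product accepts the pattern is still decided when the Rule is saved.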