|
@@ -42,7 +42,7 @@ resource "aws_wafv2_ip_set" "allowed" {
|
|
|
resource "aws_wafv2_rule_group" "xdr_custom_rules" {
|
|
|
name = "${local.waf_name}_xdr_custom_rules_rev3" # update name when updating
|
|
|
scope = "REGIONAL"
|
|
|
- capacity = 50
|
|
|
+ capacity = 60
|
|
|
|
|
|
# Note, there is visibilty config for the group and for the rule
|
|
|
visibility_config {
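Review bot: `capacity` goes from 50 to 60 while `name` stays at `..._rev3`, even though the comment on that same line says to update the name when updating. As far as I know, `capacity` cannot be changed in place on an `aws_wafv2_rule_group`, so Terraform will plan a replacement; with an unchanged name and a web ACL presumably still referencing the group, the apply can fail or leave a window with the custom rules detached. Bump the suffix in the same change, e.g. `name = "${local.waf_name}_xdr_custom_rules_rev4" # update name when updating`, and check the plan output before applying. The resource body continues outside this hunk.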
|
|
@@ -110,7 +110,7 @@ resource "aws_wafv2_rule_group" "xdr_custom_rules" {
|
|
|
name = "user-agent"
|
|
|
}
|
|
|
}
|
|
|
- positional_constraint = "CONTAINS"
|
|
|
+ positional_constraint = "STARTS_WITH"
|
|
|
search_string = "$${jndi:" # ldap://"
|
|
|
|
|
|
text_transformation {
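Review bot: Changing `positional_constraint` to `"STARTS_WITH"` on the `user-agent` match narrows detection, because the rule now fires only when the transformed header value begins with the search string; a marker that follows an ordinary browser prefix is no longer matched. Unless this fixes a measured false positive, keep `positional_constraint = "CONTAINS"` here, and if the narrower match is intended, add a comment recording why. A single literal-string match is also a thin control for this class of request, so it is worth confirming that the web ACL also attaches the AWS managed known-bad-inputs rule group. The enclosing statement starts and ends outside the hunk.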
|
|
@@ -118,10 +118,10 @@ resource "aws_wafv2_rule_group" "xdr_custom_rules" {
|
|
|
type = "BASE64_DECODE"
|
|
|
}
|
|
|
|
|
|
- text_transformation {
|
|
|
- priority = 3
|
|
|
- type = "HEX_DECODE"
|
|
|
- }
|
|
|
+ #text_transformation {
|
|
|
+ # priority = 3
|
|
|
+ # type = "HEX_DECODE"
|
|
|
+ #}
|
|
|
|
|
|
text_transformation {
|
|
|
priority = 5
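Review bot: The `HEX_DECODE` transformation is disabled by commenting it out rather than deleting it, and nothing records why; the same pattern recurs in the hunk at -193 and inside the commented-out statements at -130. Either delete the block and let version control hold the history, or put one line above it such as `# HEX_DECODE disabled: <reason / ticket placeholder>`. Removing a decode step changes what the byte match sees, so re-run the rule against constructed plain and hex-encoded test requests to confirm the remaining BASE64_DECODE and LOWERCASE chain still matches as intended. The byte_match_statement begins outside the hunk.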
|
|
@@ -130,55 +130,55 @@ resource "aws_wafv2_rule_group" "xdr_custom_rules" {
|
|
|
}
|
|
|
}
|
|
|
|
|
|
- statement {
|
|
|
- byte_match_statement {
|
|
|
- field_to_match {
|
|
|
- method {}
|
|
|
- }
|
|
|
- positional_constraint = "CONTAINS"
|
|
|
- search_string = "$${jndi:" # ldap://"
|
|
|
-
|
|
|
- text_transformation {
|
|
|
- priority = 1
|
|
|
- type = "BASE64_DECODE"
|
|
|
- }
|
|
|
-
|
|
|
- text_transformation {
|
|
|
- priority = 3
|
|
|
- type = "HEX_DECODE"
|
|
|
- }
|
|
|
-
|
|
|
- text_transformation {
|
|
|
- priority = 5
|
|
|
- type = "LOWERCASE"
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
-
|
|
|
- statement {
|
|
|
- byte_match_statement {
|
|
|
- field_to_match {
|
|
|
- query_string {}
|
|
|
- }
|
|
|
- positional_constraint = "CONTAINS"
|
|
|
- search_string = "$${jndi:" # ldap://"
|
|
|
-
|
|
|
- text_transformation {
|
|
|
- priority = 1
|
|
|
- type = "BASE64_DECODE"
|
|
|
- }
|
|
|
-
|
|
|
- text_transformation {
|
|
|
- priority = 3
|
|
|
- type = "HEX_DECODE"
|
|
|
- }
|
|
|
-
|
|
|
- text_transformation {
|
|
|
- priority = 5
|
|
|
- type = "LOWERCASE"
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
+# statement {
|
|
|
+# byte_match_statement {
|
|
|
+# field_to_match {
|
|
|
+# method {}
|
|
|
+# }
|
|
|
+# positional_constraint = "STARTS_WITH"
|
|
|
+# search_string = "$${jndi:" # ldap://"
|
|
|
+#
|
|
|
+# text_transformation {
|
|
|
+# priority = 1
|
|
|
+# type = "BASE64_DECODE"
|
|
|
+# }
|
|
|
+#
|
|
|
+# text_transformation {
|
|
|
+# priority = 3
|
|
|
+# type = "HEX_DECODE"
|
|
|
+# }
|
|
|
+#
|
|
|
+# text_transformation {
|
|
|
+# priority = 5
|
|
|
+# type = "LOWERCASE"
|
|
|
+# }
|
|
|
+# }
|
|
|
+# }
|
|
|
+#
|
|
|
+# statement {
|
|
|
+# byte_match_statement {
|
|
|
+# field_to_match {
|
|
|
+# query_string {}
|
|
|
+# }
|
|
|
+# positional_constraint = "CONTAINS"
|
|
|
+# search_string = "$${jndi:" # ldap://"
|
|
|
+#
|
|
|
+# text_transformation {
|
|
|
+# priority = 1
|
|
|
+# type = "BASE64_DECODE"
|
|
|
+# }
|
|
|
+#
|
|
|
+# #text_transformation {
|
|
|
+# # priority = 3
|
|
|
+# # type = "HEX_DECODE"
|
|
|
+# #}
|
|
|
+#
|
|
|
+# text_transformation {
|
|
|
+# priority = 5
|
|
|
+# type = "LOWERCASE"
|
|
|
+# }
|
|
|
+# }
|
|
|
+# }
|
|
|
|
|
|
statement {
|
|
|
byte_match_statement {
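Review bot: Commenting out the `query_string {}` statement removes inspection of the query string for the `$${jndi:` marker, and the `method {}` matcher goes with it, so coverage shrinks to the fields matched elsewhere in the rule (only the `user-agent` header is visible from here). The commented copies are also not the code that was removed: the `method` copy now reads `"STARTS_WITH"` and the `query_string` copy carries a nested commented `HEX_DECODE`, so un-commenting them later will not restore the previous behaviour. If the query-string match was dropped for false positives or capacity, say so in a comment; otherwise keep that statement live with `positional_constraint = "CONTAINS"`. Delete the dead blocks rather than leaving about fifty commented lines in the rule. The statement that opens at the end of this hunk continues outside it.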
|
|
@@ -193,10 +193,10 @@ resource "aws_wafv2_rule_group" "xdr_custom_rules" {
|
|
|
type = "BASE64_DECODE"
|
|
|
}
|
|
|
|
|
|
- text_transformation {
|
|
|
- priority = 3
|
|
|
- type = "HEX_DECODE"
|
|
|
- }
|
|
|
+ #text_transformation {
|
|
|
+ # priority = 3
|
|
|
+ # type = "HEX_DECODE"
|
|
|
+ #}
|
|
|
|
|
|
text_transformation {
|
|
|
priority = 5
|