resource "aws_wafregional_byte_match_set" "match_admin_url" { name = "${var.waf_prefix}-generic-match-admin-url" byte_match_tuples { text_transformation = "URL_DECODE" target_string = "/admin" positional_constraint = "STARTS_WITH" field_to_match { type = "URI" } } } resource "aws_wafregional_byte_match_set" "match_saml_url" { name = "${var.waf_prefix}-generic-match-saml-url" byte_match_tuples { text_transformation = "URL_DECODE" target_string = "/complete/saml" positional_constraint = "STARTS_WITH" field_to_match { type = "URI" } } } resource "aws_wafregional_byte_match_set" "match_admin_company_url" { name = "${var.waf_prefix}-generic-match-admin-company-url" byte_match_tuples { text_transformation = "URL_DECODE" target_string = "/admin/user_portal/company/" positional_constraint = "STARTS_WITH" field_to_match { type = "URI" } } } resource "aws_wafregional_byte_match_set" "match_api_url" { name = "${var.waf_prefix}-generic-match-api-url" byte_match_tuples { text_transformation = "URL_DECODE" target_string = "/api/" positional_constraint = "STARTS_WITH" field_to_match { type = "URI" } } } resource "aws_wafregional_byte_match_set" "match_login_url" { name = "${var.waf_prefix}-generic-match-login-url" byte_match_tuples { text_transformation = "URL_DECODE" target_string = "/login" positional_constraint = "STARTS_WITH" field_to_match { type = "URI" } } } resource "aws_wafregional_byte_match_set" "match_auth_tokens" { name = "${var.waf_prefix}-generic-match-auth-tokens" byte_match_tuples { text_transformation = "URL_DECODE" target_string = ".TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" positional_constraint = "ENDS_WITH" field_to_match { type = "HEADER" data = "authorization" } } byte_match_tuples { text_transformation = "URL_DECODE" target_string = "example-session-id" positional_constraint = "CONTAINS" field_to_match { type = "HEADER" data = "cookie" } } } resource "aws_wafregional_byte_match_set" "match_csrf_method" { name = "${var.waf_prefix}-generic-match-csrf-method" byte_match_tuples { text_transformation = "LOWERCASE" target_string = "post" positional_constraint = "EXACTLY" field_to_match { type = "METHOD" } } } resource "aws_wafregional_byte_match_set" "match_php_insecure_uri" { name = "${var.waf_prefix}-generic-match-php-insecure-uri" byte_match_tuples { text_transformation = "URL_DECODE" target_string = "php" positional_constraint = "ENDS_WITH" field_to_match { type = "URI" } } byte_match_tuples { text_transformation = "URL_DECODE" target_string = "/" positional_constraint = "ENDS_WITH" field_to_match { type = "URI" } } } resource "aws_wafregional_byte_match_set" "match_php_insecure_var_refs" { name = "${var.waf_prefix}-generic-match-php-insecure-var-refs" byte_match_tuples { text_transformation = "URL_DECODE" target_string = "_ENV[" positional_constraint = "CONTAINS" field_to_match { type = "QUERY_STRING" } } byte_match_tuples { text_transformation = "URL_DECODE" target_string = "auto_append_file=" positional_constraint = "CONTAINS" field_to_match { type = "QUERY_STRING" } } byte_match_tuples { text_transformation = "URL_DECODE" target_string = "disable_functions=" positional_constraint = "CONTAINS" field_to_match { type = "QUERY_STRING" } } byte_match_tuples { text_transformation = "URL_DECODE" target_string = "auto_prepend_file=" positional_constraint = "CONTAINS" field_to_match { type = "QUERY_STRING" } } byte_match_tuples { text_transformation = "URL_DECODE" target_string = "safe_mode=" positional_constraint = "CONTAINS" field_to_match { type = "QUERY_STRING" } } byte_match_tuples { text_transformation = "URL_DECODE" target_string = "_SERVER[" positional_constraint = "CONTAINS" field_to_match { type = "QUERY_STRING" } } byte_match_tuples { text_transformation = "URL_DECODE" target_string = "allow_url_include=" positional_constraint = "CONTAINS" field_to_match { type = "QUERY_STRING" } } byte_match_tuples { text_transformation = "URL_DECODE" target_string = "open_basedir=" positional_constraint = "CONTAINS" field_to_match { type = "QUERY_STRING" } } } resource "aws_wafregional_byte_match_set" "match_rfi_lfi_traversal" { name = "${var.waf_prefix}-generic-match-rfi-lfi-traversal" byte_match_tuples { text_transformation = "HTML_ENTITY_DECODE" target_string = "://" positional_constraint = "CONTAINS" field_to_match { type = "QUERY_STRING" } } byte_match_tuples { text_transformation = "HTML_ENTITY_DECODE" target_string = "../" positional_constraint = "CONTAINS" field_to_match { type = "QUERY_STRING" } } byte_match_tuples { text_transformation = "URL_DECODE" target_string = "://" positional_constraint = "CONTAINS" field_to_match { type = "QUERY_STRING" } } byte_match_tuples { text_transformation = "URL_DECODE" target_string = "../" positional_constraint = "CONTAINS" field_to_match { type = "QUERY_STRING" } } byte_match_tuples { text_transformation = "HTML_ENTITY_DECODE" target_string = "://" positional_constraint = "CONTAINS" field_to_match { type = "URI" } } byte_match_tuples { text_transformation = "HTML_ENTITY_DECODE" target_string = "../" positional_constraint = "CONTAINS" field_to_match { type = "URI" } } byte_match_tuples { text_transformation = "URL_DECODE" target_string = "://" positional_constraint = "CONTAINS" field_to_match { type = "URI" } } byte_match_tuples { text_transformation = "URL_DECODE" target_string = "../" positional_constraint = "CONTAINS" field_to_match { type = "URI" } } } resource "aws_wafregional_byte_match_set" "match_ssi" { name = "${var.waf_prefix}-generic-match-ssi" byte_match_tuples { text_transformation = "LOWERCASE" target_string = ".cfg" positional_constraint = "ENDS_WITH" field_to_match { type = "URI" } } byte_match_tuples { text_transformation = "LOWERCASE" target_string = ".backup" positional_constraint = "ENDS_WITH" field_to_match { type = "URI" } } byte_match_tuples { text_transformation = "LOWERCASE" target_string = ".ini" positional_constraint = "ENDS_WITH" field_to_match { type = "URI" } } byte_match_tuples { text_transformation = "LOWERCASE" target_string = ".conf" positional_constraint = "ENDS_WITH" field_to_match { type = "URI" } } byte_match_tuples { text_transformation = "LOWERCASE" target_string = ".log" positional_constraint = "ENDS_WITH" field_to_match { type = "URI" } } byte_match_tuples { text_transformation = "LOWERCASE" target_string = ".bak" positional_constraint = "ENDS_WITH" field_to_match { type = "URI" } } byte_match_tuples { text_transformation = "LOWERCASE" target_string = ".config" positional_constraint = "ENDS_WITH" field_to_match { type = "URI" } } byte_match_tuples { text_transformation = "URL_DECODE" target_string = "/includes" positional_constraint = "STARTS_WITH" field_to_match { type = "URI" } } }