Web Application Firewall DRS and CRS rule groups and rules

  • Article
  • 03/28/2025

The Azure-managed Default Rule Set (DRS) in the Application Gateway web application firewall (WAF) actively protect web applications from common vulnerabilities and exploits. These rule sets, managed by Azure, receive updates as necessary to guard against new attack signatures. The default rule set also incorporates the Microsoft Threat Intelligence Collection rules. The Microsoft Intelligence team collaborates in writing these rules, ensuring enhanced coverage, specific vulnerability patches, and improved false positive reduction.

You also have the option of using rules that are defined based on the OWASP core rule set 3.2 (CRS 3.2).

You can disable rules individually, or set specific actions for each rule. This article lists the current rules and rule sets available. If a published rule set requires an update, we'll document it here.

Note

When you change a ruleset version in a WAF Policy, any existing customizations you made to your ruleset will be reset to the defaults for the new ruleset. See: Upgrading or changing ruleset version.

Default rule set 2.1

Default rule set (DRS) 2.1 is baselined off the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.2 and includes additional proprietary protections rules developed by Microsoft Threat Intelligence team and updates to signatures to reduce false positives. It also supports transformations beyond just URL decoding.

DRS 2.1 offers a new engine and new rule sets defending against Java injections, an initial set of file upload checks, and fewer false positives compared with CRS versions. You can also customize rules to suit your needs. Learn more about the new Azure WAF engine.

DRS 2.1 includes 17 rule groups, as shown in the following table. Each group contains multiple rules, and you can customize behavior for individual rules, rule groups, or entire rule set.

Threat Type Rule Group Name
General General
Lock-down methods (PUT, PATCH) METHOD-ENFORCEMENT
Protocol and encoding issues PROTOCOL-ENFORCEMENT
Header injection, request smuggling, and response splitting PROTOCOL-ATTACK
File and path attacks LFI
Remote file inclusion (RFI) attacks RFI
Remote code execution attacks RCE
PHP-injection attacks PHP
Node JS attacks NodeJS
Cross-site scripting attacks XSS
SQL-injection attacks SQLI
Session-fixation attacks SESSION-FIXATION
JAVA attacks SESSION-JAVA
Web shell attacks (MS) MS-ThreatIntel-WebShells
AppSec attacks (MS) MS-ThreatIntel-AppSec
SQL-injection attacks (MS) MS-ThreatIntel-SQLI
CVE attacks (MS) MS-ThreatIntel-CVEs

Fine-tuning guidance for DRS 2.1

Use the following guidance to tune WAF while you get started with DRS 2.1 on Application Gateway WAF:

Rule ID Rule Group Description Recommendation
942110 SQLI SQL Injection Attack: Common Injection Testing Detected Disable rule 942110, replaced by MSTIC rule 99031001
942150 SQLI SQL Injection Attack Disable rule 942150, replaced by MSTIC rule 99031003
942260 SQLI Detects basic SQL authentication bypass attempts 2/3 Disable rule 942260, replaced by MSTIC rule 99031004
942430 SQLI Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) Disable rule 942430, it triggers too many false positives
942440 SQLI SQL Comment Sequence Detected Disable rule 942440, replaced by MSTIC rule 99031002
99005006 MS-ThreatIntel-WebShells Spring4Shell Interaction Attempt Keep the rule enabled to prevent against SpringShell vulnerability
99001014 MS-ThreatIntel-CVEs Attempted Spring Cloud routing-expression injection CVE-2022-22963 Keep the rule enabled to prevent against SpringShell vulnerability
99001015 MS-ThreatIntel-WebShells Attempted Spring Framework unsafe class object exploitation CVE-2022-22965 Keep the rule enabled to prevent against SpringShell vulnerability
99001016 MS-ThreatIntel-WebShells Attempted Spring Cloud Gateway Actuator injection CVE-2022-22947 Keep the rule enabled to prevent against SpringShell vulnerability
99001017 MS-ThreatIntel-CVEs Attempted Apache Struts file upload exploitation CVE-2023-50164 Set action to Block to prevent against Apache Struts vulnerability. Anomaly Score not supported for this rule

Core rule set 3.2

The recommended managed rule set is the Default Rule Set 2.1, which is baselined off the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.2 and includes additional proprietary protections rules developed by Microsoft Threat Intelligence team and updates to signatures to reduce false positives. As an alternative to DRS 2.1, you can use CRS 3.2 which is based off OWASP CRS 3.2.0 version.

CRS 3.2 includes 14 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled.

Note

CRS 3.2 is only available on the WAF_v2 SKU. Because CRS 3.2 runs on the new Azure WAF engine, you can't downgrade to CRS 3.1 or earlier. If you need to downgrade, contact Azure Support.

Rule group name Threat Type
General General
New and known CVEs KNOWN-CVES
Lock-down methods (PUT, PATCH) REQUEST-911-METHOD-ENFORCEMENT
Port and environment scanners REQUEST-913-SCANNER-DETECTION
Protocol and encoding issues REQUEST-920-PROTOCOL-ENFORCEMENT
Header injection, request smuggling, and response splitting REQUEST-921-PROTOCOL-ATTACK
File and path attacks REQUEST-930-APPLICATION-ATTACK-LFI
Remote file inclusion (RFI) attacks REQUEST-931-APPLICATION-ATTACK-RFI
Remote code execution attacks REQUEST-932-APPLICATION-ATTACK-RCE
PHP-injection attacks REQUEST-933-APPLICATION-ATTACK-PHP
Cross-site scripting attacks REQUEST-941-APPLICATION-ATTACK-XSS
SQL-injection attacks REQUEST-942-APPLICATION-ATTACK-SQLI
Session-fixation attacks REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION
JAVA attacks REQUEST-944-APPLICATION-ATTACK-JAVA

Tuning of Managed rule sets

Both DRS and CRS are enabled by default in Detection mode in your WAF policies. You can disable or enable individual rules within the Managed Rule Set to meet your application requirements. You can also set specific actions per rule. The DRS/CRS supports block, log and anomaly score actions. The Bot Manager ruleset supports the allow, block, and log actions.

Sometimes you might need to omit certain request attributes from a WAF evaluation. A common example is Active Directory-inserted tokens that are used for authentication. You can configure exclusions to apply when specific WAF rules are evaluated, or to apply globally to the evaluation of all WAF rules. Exclusion rules apply to your whole web application. For more information, see Web Application Firewall (WAF) with Application Gateway exclusion lists.

By default, DRS version 2.1 / CRS version 3.2 and above uses anomaly scoring when a request matches a rule. CRS 3.1 and below blocks matching requests by default. Additionally, custom rules can be configured in the same WAF policy if you want to bypass any of the preconfigured rules in the Core Rule Set.

Custom rules are always applied before rules in the Core Rule Set are evaluated. If a request matches a custom rule, the corresponding rule action is applied. The request is either blocked or passed through to the back-end. No other custom rules or the rules in the Core Rule Set are processed.

Anomaly scoring

When you use CRS or DRS 2.1 and later, your WAF is configured to use anomaly scoring by default. Traffic that matches any rule isn't immediately blocked, even when your WAF is in prevention mode. Instead, the OWASP rule sets define a severity for each rule: Critical, Error, Warning, or Notice. The severity affects a numeric value for the request, which is called the anomaly score:

Rule severity Value contributed to anomaly score
Critical 5
Error 4
Warning 3
Notice 2

If the anomaly score is 5 or greater, and the WAF is in Prevention mode, the request is blocked. If the anomaly score is 5 or greater, and the WAF is in Detection mode, the request is logged but not blocked.

For example, a single Critical rule match is enough for the WAF to block a request when in Prevention mode, because the overall anomaly score is 5. However, one Warning rule match only increases the anomaly score by 3, which isn't enough by itself to block the traffic. When an anomaly rule is triggered, it shows a "Matched" action in the logs. If the anomaly score is 5 or greater, there's a separate rule triggered with either "Blocked" or "Detected" action depending on whether WAF policy is in Prevention or Detection mode. For more information, please see Anomaly Scoring mode.

Upgrading or changing ruleset version

If you're upgrading, or assigning a new ruleset version, and would like to preserve existing rule overrides and exclusions, it's recommended to use PowerShell, CLI, REST API, or a template to make ruleset version changes. A new version of a ruleset can have newer rules, additional rule groups, and may have updates to existing signatures to enforce better security and reduce false positives. It's recommended to validate changes in a test environment, fine tune if necessary, and then deploy in a production environment.

Note

If you're using the Azure portal to assign a new managed ruleset to a WAF policy, all the previous customizations from the existing managed ruleset such as rule state, rule actions, and rule level exclusions will be reset to the new managed ruleset's defaults. However, any custom rules, policy settings, and global exclusions will remain unaffected during the new ruleset assignment. You'll need to redefine rule overrides and validate changes before deploying in a production environment.

OWASP CRS 3.1

CRS 3.1 includes 14 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled. The ruleset is based off OWASP CRS 3.1.1 version.

Note

CRS 3.1 is only available on the WAF_v2 SKU.

Rule group name Description
General General group
KNOWN-CVES Help detect new and known CVEs
REQUEST-911-METHOD-ENFORCEMENT Lock-down methods (PUT, PATCH)
REQUEST-913-SCANNER-DETECTION Protect against port and environment scanners
REQUEST-920-PROTOCOL-ENFORCEMENT Protect against protocol and encoding issues
REQUEST-921-PROTOCOL-ATTACK Protect against header injection, request smuggling, and response splitting
REQUEST-930-APPLICATION-ATTACK-LFI Protect against file and path attacks
REQUEST-931-APPLICATION-ATTACK-RFI Protect against remote file inclusion (RFI) attacks
REQUEST-932-APPLICATION-ATTACK-RCE Protect again remote code execution attacks
REQUEST-933-APPLICATION-ATTACK-PHP Protect against PHP-injection attacks
REQUEST-941-APPLICATION-ATTACK-XSS Protect against cross-site scripting attacks
REQUEST-942-APPLICATION-ATTACK-SQLI Protect against SQL-injection attacks
REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION Protect against session-fixation attacks
REQUEST-944-APPLICATION-ATTACK-SESSION-JAVA Protect against JAVA attacks

Bot Manager 1.0

The Bot Manager 1.0 rule set provides protection against malicious bots and detection of good bots. The rules provide granular control over bots detected by WAF by categorizing bot traffic as Good, Bad, or Unknown bots.

Rule group Description
BadBots Protect against bad bots
GoodBots Identify good bots
UnknownBots Identify unknown bots

Bot Manager 1.1

The Bot Manager 1.1 rule set is an enhancement to Bot Manager 1.0 rule set. It provides enhanced protection against malicious bots, and increases good bot detection.

Rule group Description
BadBots Protect against bad bots
GoodBots Identify good bots
UnknownBots Identify unknown bots

The following rule groups and rules are available when using Web Application Firewall on Application Gateway.

1.0 rule sets

Bad bots

RuleId Description
Bot100100 Malicious bots detected by threat intelligence
Bot100200 Malicious bots that have falsified their identity

Bot100100 scans both client IP addresses and IPs in the X-Forwarded-For header.

Good bots

RuleId Description
Bot200100 Search engine crawlers
Bot200200 Unverified search engine crawlers

Unknown bots

RuleId Description
Bot300100 Unspecified identity
Bot300200 Tools and frameworks for web crawling and attacks
Bot300300 General-purpose HTTP clients and SDKs
Bot300400 Service agents
Bot300500 Site health monitoring services
Bot300600 Unknown bots detected by threat intelligence
Bot300700 Other bots

Bot300600 scans both client IP addresses and IPs in the X-Forwarded-For header.

The following rule groups and rules are no longer supported on Web Application Firewall on Application Gateway.

Note

CRS 3.0 and CRS 2.2.9 are no longer supported in Azure WAF. We recommend you upgrade to DRS 2.1 / CRS 3.2

3.0 rule sets

General

RuleId Description
200004 Possible Multipart Unmatched Boundary

KNOWN-CVES

RuleId Description
800100 Rule to help detect and mitigate log4j vulnerability CVE-2021-44228, CVE-2021-45046
800110 Spring4Shell Interaction Attempt
800111 Attempted Spring Cloud routing-expression injection - CVE-2022-22963
800112 Attempted Spring Framework unsafe class object exploitation - CVE-2022-22965
800113 Attempted Spring Cloud Gateway Actuator injection - CVE-2022-22947

REQUEST-911-METHOD-ENFORCEMENT

RuleId Description
911100 Method isn't allowed by policy

REQUEST-913-SCANNER-DETECTION

RuleId Description
913100 Found User-Agent associated with security scanner
913110 Found request header associated with security scanner
913120 Found request filename/argument associated with security scanner
913101 Found User-Agent associated with scripting/generic HTTP client
913102 Found User-Agent associated with web crawler/bot

REQUEST-920-PROTOCOL-ENFORCEMENT

RuleId Description
920100 Invalid HTTP Request Line
920130 Failed to parse request body
920140 Multipart request body failed strict validation
920160 Content-Length HTTP header isn't numeric
920170 GET or HEAD Request with Body Content
920180 POST request missing Content-Length Header
920190 Range = Invalid Last Byte Value
920210 Multiple/Conflicting Connection Header Data Found
920220 URL Encoding Abuse Attack Attempt
920240 URL Encoding Abuse Attack Attempt
920250 UTF8 Encoding Abuse Attack Attempt
920260 Unicode Full/Half Width Abuse Attack Attempt
920270 Invalid character in request (null character)
920280 Request Missing a Host Header
920290 Empty Host Header
920310 Request Has an Empty Accept Header
920311 Request Has an Empty Accept Header
920330 Empty User Agent Header
920340 Request Containing Content but Missing Content-Type header
920350 Host header is a numeric IP address
920380 Too many arguments in request
920360 Argument name too long
920370 Argument value too long
920390 Total arguments size exceeded
920400 Uploaded file size too large
920410 Total uploaded files size too large
920420 Request content type isn't allowed by policy
920430 HTTP protocol version isn't allowed by policy
920440 URL file extension is restricted by policy
920450 HTTP header is restricted by policy (%@{MATCHED_VAR})
920200 Range = Too many fields (6 or more)
920201 Range = Too many fields for pdf request (35 or more)
920230 Multiple URL Encoding Detected
920300 Request Missing an Accept Header
920271 Invalid character in request (non printable characters)
920320 Missing User Agent Header
920272 Invalid character in request (outside of printable chars below ascii 127)
920202 Range = Too many fields for pdf request (6 or more)
920273 Invalid character in request (outside of very strict set)
920274 Invalid character in request headers (outside of very strict set)
920460 Abnormal escape characters

REQUEST-921-PROTOCOL-ATTACK

RuleId Description
921100 HTTP Request Smuggling Attack
921110 HTTP Request Smuggling Attack
921120 HTTP Response Splitting Attack
921130 HTTP Response Splitting Attack
921140 HTTP Header Injection Attack via headers
921150 HTTP Header Injection Attack via payload (CR/LF detected)
921160 HTTP Header Injection Attack via payload (CR/LF and header-name detected)
921151 HTTP Header Injection Attack via payload (CR/LF detected)
921170 HTTP Parameter Pollution
921180 HTTP Parameter Pollution (%@{TX.1})

REQUEST-930-APPLICATION-ATTACK-LFI

RuleId Description
930100 Path Traversal Attack (/../)
930110 Path Traversal Attack (/../)
930120 OS File Access Attempt
930130 Restricted File Access Attempt

REQUEST-931-APPLICATION-ATTACK-RFI

RuleId Description
931100 Possible Remote File Inclusion (RFI) Attack = URL Parameter using IP Address
931110 Possible Remote File Inclusion (RFI) Attack = Common RFI Vulnerable Parameter Name used w/URL Payload
931120 Possible Remote File Inclusion (RFI) Attack = URL Payload Used w/Trailing Question Mark Character (?)
931130 Possible Remote File Inclusion (RFI) Attack = Off-Domain Reference/Link

REQUEST-932-APPLICATION-ATTACK-RCE

RuleId Description
932120 Remote Command Execution = Windows PowerShell Command Found
932130 Application Gateway WAF v2: Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) or Text4Shell (CVE-2022-42889) Found

Application Gateway WAF v1: Remote Command Execution: Unix Shell Expression
932140 Remote Command Execution = Windows FOR/IF Command Found
932160 Remote Command Execution = Unix Shell Code Found
932170 Remote Command Execution = Shellshock (CVE-2014-6271)
932171 Remote Command Execution = Shellshock (CVE-2014-6271)

REQUEST-933-APPLICATION-ATTACK-PHP

RuleId Description
933100 PHP Injection Attack = Opening/Closing Tag Found
933110 PHP Injection Attack = PHP Script File Upload Found
933120 PHP Injection Attack = Configuration Directive Found
933130 PHP Injection Attack = Variables Found
933150 PHP Injection Attack = High-Risk PHP Function Name Found
933160 PHP Injection Attack = High-Risk PHP Function Call Found
933180 PHP Injection Attack = Variable Function Call Found
933151 PHP Injection Attack = Medium-Risk PHP Function Name Found
933131 PHP Injection Attack = Variables Found
933161 PHP Injection Attack = Low-Value PHP Function Call Found
933111 PHP Injection Attack = PHP Script File Upload Found

REQUEST-941-APPLICATION-ATTACK-XSS

RuleId Description
941100 XSS Attack Detected via libinjection
941110 XSS Filter - Category 1 = Script Tag Vector
941130 XSS Filter - Category 3 = Attribute Vector
941140 XSS Filter - Category 4 = JavaScript URI Vector
941150 XSS Filter - Category 5 = Disallowed HTML Attributes
941180 Node-Validator Blocklist Keywords
941190 XSS using style sheets
941200 XSS using VML frames
941210 XSS using obfuscated JavaScript or Text4Shell (CVE-2022-42889)
941220 XSS using obfuscated VB Script
941230 XSS using 'embed' tag
941240 XSS using 'import' or 'implementation' attribute
941260 XSS using 'meta' tag
941270 XSS using 'link' href
941280 XSS using 'base' tag
941290 XSS using 'applet' tag
941300 XSS using 'object' tag
941310 US-ASCII Malformed Encoding XSS Filter - Attack Detected
941330 IE XSS Filters - Attack Detected
941340 IE XSS Filters - Attack Detected
941350 UTF-7 Encoding IE XSS - Attack Detected
941320 Possible XSS Attack Detected - HTML Tag Handler

REQUEST-942-APPLICATION-ATTACK-SQLI

RuleId Description
942100 SQL Injection Attack Detected via libinjection
942110 SQL Injection Attack: Common Injection Testing Detected
942130 SQL Injection Attack: SQL Tautology Detected
942140 SQL Injection Attack = Common DB Names Detected
942160 Detects blind sqli tests using sleep() or benchmark()
942170 Detects SQL benchmark and sleep injection attempts including conditional queries
942190 Detects MSSQL code execution and information gathering attempts
942200 Detects MySQL comment-/space-obfuscated injections and backtick termination
942230 Detects conditional SQL injection attempts
942260 Detects basic SQL authentication bypass attempts 2/3
942270 Looking for basic sql injection. Common attack string for mysql oracle and others
942290 Finds basic MongoDB SQL injection attempts
942300 Detects MySQL comments, conditions and ch(a)r injections
942310 Detects chained SQL injection attempts 2/2
942320 Detects MySQL and PostgreSQL stored procedure/function injections
942330 Detects classic SQL injection probings 1/2
942340 Detects basic SQL authentication bypass attempts 3/3
942350 Detects MySQL UDF injection and other data/structure manipulation attempts
942360 Detects concatenated basic SQL injection and SQLLFI attempts
942370 Detects classic SQL injection probings 2/2
942150 SQL Injection Attack
942410 SQL Injection Attack
942430 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942440 SQL Comment Sequence Detected
942450 SQL Hex Encoding Identified
942251 Detects HAVING injections
942460 Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters

REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION

RuleId Description
943100 Possible Session Fixation Attack = Setting Cookie Values in HTML
943110 Possible Session Fixation Attack = SessionID Parameter Name with Off-Domain Referrer
943120 Possible Session Fixation Attack = SessionID Parameter Name with No Referrer

Related content