Skip to content

Creating WAF Custom Rules

This guide shows you how to create and manage custom Web Application Firewall (WAF) rules through the Peakhour dashboard to protect your applications against specific threats and vulnerabilities.

Before you begin: Understand WAF concepts and have admin access to your Peakhour dashboard.

Understanding WAF Custom Rules

WAF custom rules allow you to create targeted security policies that go beyond standard OWASP rule sets. These rules can detect application-specific attack patterns, implement custom logic, and provide granular control over threat detection.

Rule Components

Rule Structure:

  • Name: Descriptive identifier for the rule
  • Description: Detailed explanation of the rule's purpose
  • Conditions: Logic that determines when the rule triggers
  • Action: What happens when conditions are met (block, allow, log)
  • Severity: Impact level (CRITICAL, ERROR, WARNING, NOTICE)
  • Tags: Labels for categorization and filtering

Variable Types:

  • Request Variables: Headers, body, URI, method, cookies
  • Response Variables: Status codes, headers, content
  • Session Variables: User sessions, authentication state
  • Custom Variables: Application-specific data points

Access WAF Custom Rules

  1. Log into Peakhour Dashboard
  2. Select Your Domain from the domain list
  3. Go to SecurityWeb Application Firewall
  4. Click Custom Rules Tab in the WAF interface

Review Existing Rules

Before creating new rules, examine current custom rules:

  • Active Rules: Currently enforcing security policies
  • Disabled Rules: Created but not currently active
  • Rule Categories: Organized by attack type or application area
  • Performance Impact: CPU and memory usage metrics

Create Basic Custom Rules

Create SQL Injection Protection Rule

SQL Injection Protection Rule Configuration

Scenario: Protect against advanced SQL injection attempts in form submissions

  1. Click "Create Custom Rule"

  2. Configure Basic Information:

  3. Name: Advanced SQL Injection Detection

  4. Description: Detect sophisticated SQL injection patterns in form data

  5. Severity: CRITICAL

  6. Tags: sql-injection, forms, database

  7. Set Up Detection Logic: 

    Variable: REQUEST_BODY
Operator: CONTAINS_REGEX  
Value: (?i)(union\s+select|exec\s*\(|script>|javascript:|vbscript:)

  8. Configure Action:

  9. Action Type: BLOCK

  10. Block Message: Request blocked due to suspicious content

  11. Log Level: ERROR

  12. Set Conditions (Optional):

  13. Apply to paths: /contact, /login, /register

  14. Exclude IPs: Add trusted admin IPs if needed

Create XSS Protection Rule

XSS Protection Rule Configuration

Scenario: Block cross-site scripting attempts in user input

  1. Create New Rule:

  2. Name: XSS Attack Prevention

  3. Description: Block script injection attempts in user inputs

  4. Severity: CRITICAL

  5. Tags: xss, scripting, input-validation

  6. Configure Detection: 

    Variable: ARGS (All Arguments)
Operator: CONTAINS_REGEX
Value: <script[^>]*>.*?</script>|javascript:|vbscript:|onload=|onerror=

  1. Set Response Action:

  2. Action: BLOCK

  3. Custom Response Code: 403

  4. Response Body: Custom security warning page

Create Rate Limiting Rule

Rate Limiting Rule Configuration

Scenario: Prevent automated attacks through request frequency limits

  1. Configure Rule:

  2. Name: API Abuse Prevention

  3. Description: Limit API requests to prevent automated attacks

  4. Severity: WARNING

  5. Tags: rate-limiting, api, abuse

  6. Set Rate Conditions: 

    Variable: REQUEST_URI
Operator: STARTS_WITH
Value: /api/

Rate Limit: 100 requests per minute per IP
Burst Allowance: 20 requests

  7. Configure Actions:

  8. Threshold Action: RATE_LIMIT (return 429 status)

  9. Exceeded Action: BLOCK (temporary IP block)

  10. Duration: 5 minutes

Advanced Rule Configuration

Multi-Condition Rules

Complex Multi-Condition Rule Configuration

Scenario: Create complex rules with multiple conditions

  1. Create Combined Logic Rule:

  2. Name: Suspicious Admin Access

  3. Description: Detect unusual admin panel access patterns

  4. Set Multiple Conditions: 

    Condition 1:

- Variable: REQUEST_URI
- Operator: CONTAINS

- Value: /admin/

AND

Condition 2:  

- Variable: HTTP_USER_AGENT
- Operator: REGEX_MATCH

- Value: (bot|crawler|scanner)

AND

Condition 3:

- Variable: REMOTE_ADDR
- Operator: NOT_IN_LIST

- Value: trusted_admin_ips

  5. Configure Response:

  6. Action: CHALLENGE (CAPTCHA verification)

  7. Fallback Action: BLOCK if challenge fails

Custom Variable Rules

Scenario: Use application-specific variables for detection

  1. Create Application-Specific Rule:

  2. Name: Invalid Session Token Access

  3. Description: Detect attempts to use invalid or expired session tokens

  4. Configure Custom Variables: 

    Primary Condition:

- Variable: REQUEST_HEADERS:Authorization
- Operator: EXISTS

- Transformation: DECODE_BASE64

Secondary Condition:

- Variable: CUSTOM:session_valid
- Operator: EQUALS  

- Value: false

  5. Set Actions:

  6. Primary Action: LOG (record attempt)

  7. Secondary Action: REDIRECT to login page

Content Type Specific Rules

Scenario: Apply rules based on request content type

  1. Create File Upload Rule:

  2. Name: Malicious File Upload Prevention

  3. Description: Block uploads of potentially dangerous file types

  4. Configure Content Detection: 

    Condition 1:

- Variable: REQUEST_HEADERS:Content-Type
- Operator: STARTS_WITH

- Value: multipart/form-data

Condition 2:

- Variable: REQUEST_BODY
- Operator: CONTAINS_REGEX

- Value: filename=".*\.(exe|scr|bat|cmd|pif)

  5. Set Response:

  6. Action: BLOCK

  7. Custom Message: File type not allowed for security reasons

Rule Testing and Validation

Test Mode Configuration

Before deploying custom rules to production:

  1. Enable Test Mode:

  2. Toggle "Test Mode" for new rules

  3. Monitor for 24-48 hours to observe behavior

  4. Review logs for false positives

  5. Analyze Test Results:

  6. True Positives: Legitimate threats blocked

  7. False Positives: Valid requests incorrectly flagged

  8. Performance Impact: Response time changes

Rule Refinement

Based on test results:

  1. Adjust Sensitivity:

  2. Tighten conditions if too many false positives

  3. Broaden detection if missing threats

  4. Modify thresholds for rate limiting rules

  5. Whitelist Management:

  6. Add trusted IPs to bypass certain rules

  7. Create exception paths for legitimate use cases

  8. Configure user agent exclusions for known good bots

Staged Deployment

Deploy rules gradually:

  1. Development Environment → Test basic functionality
  2. Staging Environment → Validate with realistic traffic
  3. Production (Monitor Mode) → Log only, don't block
  4. Production (Active Mode) → Full enforcement

Rule Management and Monitoring

Performance Monitoring

Track rule effectiveness through the dashboard:

Security Metrics:

  • Threats Detected: Number of malicious requests identified
  • Attacks Blocked: Successfully prevented security incidents
  • False Positive Rate: Legitimate requests incorrectly flagged

Performance Metrics:

  • Rule Processing Time: Latency added by rule evaluation
  • Memory Usage: Resources consumed by rule engine
  • Cache Hit Rate: Efficiency of rule result caching

Rule Maintenance

Regular maintenance tasks:

Weekly Review:

  • Analyze rule effectiveness through security reports
  • Check for new attack patterns requiring rule updates
  • Review false positive reports from users

Monthly Updates:

  • Update regex patterns based on emerging threats
  • Optimize rule performance by refining conditions
  • Archive unused rules to reduce processing overhead

Quarterly Assessment:

  • Comprehensive security audit of all custom rules
  • Benchmark against industry standards and threat intelligence
  • Plan rule architecture improvements for next quarter

Incident Response Integration

Connect custom rules to incident response:

  1. Automated Alerting:

  2. Critical rule triggers → Immediate notification

  3. Pattern detection → Security team escalation

  4. Threshold breaches → Management alerts

  5. Response Actions:

  6. Automatic IP blocking for severe threats

  7. Traffic diversion to security checkpoint

  8. Evidence collection for forensic analysis

Advanced Use Cases

API Security Rules

Scenario: Protect REST APIs from abuse and attacks

Rule Name: API Authentication Bypass Detection
Conditions:

- URI starts with /api/v1/
- Missing Authorization header OR invalid JWT format
- NOT in trusted service IP range
Action: Block with 401 Unauthorized

E-commerce Protection

Scenario: Protect online store from fraud and abuse

Rule Name: Checkout Fraud Prevention  
Conditions:

- URI contains /checkout OR /payment
- More than 5 failed attempts in 10 minutes
- Credit card pattern in unexpected fields
Action: Challenge with additional verification

Content Management Security

Scenario: Protect CMS admin areas from attacks

Rule Name: CMS Admin Protection
Conditions:

- URI contains /wp-admin OR /admin OR /cms
- Failed login attempts > 3 in 5 minutes
- User agent contains automated tools signatures
Action: Temporary IP block (15 minutes)

Best Practices

Rule Design

  • Start broad, then narrow - Begin with general detection, refine based on results
  • Use descriptive names - Make rule purpose clear for team members
  • Document business logic - Explain why each rule exists
  • Version control - Track rule changes and rationale

Performance Optimization

  • Order rules by frequency - Most commonly triggered rules first
  • Use efficient operators - Prefer simple string matching over complex regex
  • Implement caching - Cache rule results for repeated patterns
  • Monitor resource usage - Ensure rules don't impact site performance

Security Considerations

  • Regular updates - Keep rules current with threat landscape
  • Least privilege - Only block what's necessary
  • Backup rules - Have alternative detection methods
  • Incident logging - Maintain detailed security event logs

This comprehensive approach to WAF custom rules provides robust protection while maintaining flexibility and performance for your web applications.