This is AWS WAF Classic documentation. You should only use this version if you created AWS WAF resources, like rules and web ACLs, in AWS WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your resources, see Migrating your AWS WAF Classic resources to AWS WAF. For the latest version of AWS WAF, see AWS WAF.

If you want to allow or block web requests based on strings that appear in the requests, create one or more string match conditions. A string match condition identifies the string that you want to search for and the part of web requests, such as a specified header or the query string, that you want AWS WAF Classic to inspect for the string. Later in the process, when you create a web ACL, you specify whether to allow or block requests that contain the string.

Creating a string match condition

When you create string match conditions, you specify filters that identify the string that you want to search for and the part of web requests that you want AWS WAF Classic to inspect for that string, such as the URI or the query string. You can add more than one filter to a string match condition, or you can create a separate string match condition for each filter. Here's how each configuration affects AWS WAF Classic behavior:

When you add a string match condition to a rule, you can also configure AWS WAF Classic to allow or block web requests that do not match the values in the condition.

To create a string match condition

Values that you specify when you create or edit string match conditions

When you create or update a string match condition, you specify the following values:

Name
  Enter a name for the string match condition. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) or the following special characters: _-!"#`+*},./. You can't change the name of a condition after you create it.

Type
  Choose String match.

Part of the request to filter on
  Choose the part of each web request that you want AWS WAF Classic to inspect for the string that you specify in Value to match:

  Header
    A specified request header, for example, the User-Agent or Referer header. If you choose Header, specify the name of the header in the Header field.

  HTTP method
    The HTTP method, which indicates the type of operation that the request is asking the origin to perform. CloudFront supports the following methods: DELETE, GET, HEAD, OPTIONS, PATCH, POST, and PUT.

  Query string
    The part of a URL that appears after a ? character, if any.

  URI
    The URI path of the request, which identifies the resource, for example, /images/daily-ad.jpg. This doesn't include the query string or fragment components of the URI. For information, see Uniform Resource Identifier (URI): Generic Syntax. Unless a Transformation is specified, a URI is not normalized and is inspected just as AWS receives it from the client as part of the request. A Transformation will reformat the URI as specified.

  Body
    The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. If you choose Body for the value of Part of the request to filter on, AWS WAF Classic inspects only the first 8192 bytes (8 KB). To allow or block requests for which the body is longer than 8192 bytes, you can create a size constraint condition. (AWS WAF Classic gets the length of the body from the request headers.) For more information, see Working with size constraint conditions.

  Single query parameter (value only)
    Any parameter that you have defined as part of the query string. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle", you can add a filter to either the UserName or SalesRegion parameter. If duplicate parameters appear in the query string, the values are evaluated as an "OR." That is, either value will trigger a match. For example, in the URL "www.xyz.com?SalesRegion=boston&SalesRegion=seattle", either "boston" or "seattle" in Value to match will trigger a match.
    If you choose Single query parameter (value only), you will also specify a Query parameter name. This is the parameter in the query string that you will inspect, such as UserName or SalesRegion. The maximum length for Query parameter name is 30 characters. Query parameter name is not case sensitive. For example, if you specify UserName as the Query parameter name, this will match all variations of UserName, such as username and UsERName.

  All query parameters (values only)
    Similar to Single query parameter (value only), but rather than inspecting the value of a single parameter, AWS WAF Classic inspects the value of all parameters within the query string for the Value to match. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle" and you choose All query parameters (values only), AWS WAF Classic will trigger a match if the value of either UserName or SalesRegion is specified as the Value to match.

Header (Only When "Part of the request to filter on" is "Header")
  If you chose Header from the Part of the request to filter on list, choose a header from the list of common headers, or enter the name of a header that you want AWS WAF Classic to inspect.

Match type
  Within the part of the request that you want AWS WAF Classic to inspect, choose where the string in Value to match must appear to match this filter:

  Contains
    The string appears anywhere in the specified part of the request.

  Contains word
    The specified part of the web request must include Value to match, and Value to match must contain only alphanumeric characters or underscore (A-Z, a-z, 0-9, or _). In addition, Value to match must be a word, which means one of the following:

  Exactly matches
    The string and the value of the specified part of the request are identical.

  Starts with
    The string appears at the beginning of the specified part of the request.

  Ends with
    The string appears at the end of the specified part of the request.

Transformation
  A transformation reformats a web request before AWS WAF Classic inspects the request. This eliminates some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF Classic. You can only specify a single type of text transformation. Transformations can perform the following operations:

  None
    AWS WAF Classic doesn't perform any text transformations on the web request before inspecting it for the string in Value to match.

  Convert to lowercase
    AWS WAF Classic converts uppercase letters (A-Z) to lowercase (a-z).

  HTML decode
    AWS WAF Classic replaces HTML-encoded characters with unencoded characters:

  Compress white space
    AWS WAF Classic replaces the following characters with a space character (decimal 32):

    In addition, this option replaces multiple spaces with one space.

  Simplify command line
    When you're concerned that attackers are injecting an operating system command line command and using unusual formatting to disguise some or all of the command, use this option to perform the following transformations:

  URL decode
    Decode a URL-encoded request.

Value is base64 encoded
  If the value in Value to match is base64-encoded, select this check box. Use base64 encoding to specify non-printable characters, such as tabs and linefeeds, that attackers include in their requests.

Value to match
  Specify the value that you want AWS WAF Classic to search for in web requests. The maximum length is 50 bytes. If you're base64-encoding the value, the 50-byte maximum length applies to the value before you encode it.

Adding and deleting filters in a string match condition

You can add filters to a string match condition or delete filters. To change a filter, add a new one and delete the old one.

To add or delete filters in a string match condition
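To make the semantics above concrete, the following Python model evaluates one filter of a string match condition against a constructed request. It is written for this page and is not AWS code or the console's implementation; the part, match type and transformation names mirror the console labels above. The request and filter dictionary shapes, the whitespace set used by Compress white space, the word-boundary rule used for Contains word, and the treatment of "+" by URL decode are assumptions, and Simplify command line is not modelled because its individual steps are not listed on this page.

```python
"""Illustrative model of AWS WAF Classic string match filter evaluation.
Written for this page; not AWS code. Label names follow the console text,
several details (marked below) are assumptions."""
import base64
import re
import string
from html import unescape
from urllib.parse import unquote

MAX_VALUE_BYTES = 50    # limit on Value to match, measured before base64 encoding
MAX_BODY_BYTES = 8192   # only the first 8 KB of the body is inspected
MAX_PARAM_NAME = 30     # limit on Query parameter name

_LOWER = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)


def transform(text, name):
    """Apply the single transformation selected for the filter."""
    if name == "None":
        return text
    if name == "Convert to lowercase":
        return text.translate(_LOWER)            # only A-Z, as the page states
    if name == "HTML decode":
        return unescape(text)
    if name == "Compress white space":
        # assumption: these whitespace characters collapse to one space (decimal 32)
        return re.sub(r"[ \t\n\v\f\r\xa0]+", " ", text)
    if name == "URL decode":
        return unquote(text)                     # assumption: '+' is left untouched
    raise ValueError(f"unsupported transformation: {name}")


def _query_params(query):
    """Split the raw query string into (name, value) pairs without decoding."""
    pairs = []
    for chunk in (query.split("&") if query else []):
        name, _, value = chunk.partition("=")
        pairs.append((name, value))
    return pairs


def parts_to_inspect(request, part, data=None):
    """Return every string the filter inspects; several values are OR-ed."""
    if part == "Header":
        return [v for k, v in request["headers"].items() if k.lower() == data.lower()]
    if part == "HTTP method":
        return [request["method"]]
    if part == "URI":
        return [request["uri"]]                  # path only: no query, no fragment
    if part == "Query string":
        return [request["query"]]
    if part == "Body":
        return [request["body"].encode()[:MAX_BODY_BYTES].decode(errors="ignore")]
    if part == "Single query parameter (value only)":
        if len(data) > MAX_PARAM_NAME:
            raise ValueError("Query parameter name is limited to 30 characters")
        # name is not case sensitive; every duplicate parameter value is a candidate
        return [v for k, v in _query_params(request["query"]) if k.lower() == data.lower()]
    if part == "All query parameters (values only)":
        return [v for _, v in _query_params(request["query"])]
    raise ValueError(f"unsupported part: {part}")


def matches(field, value, match_type):
    """Positional test of Value to match against one inspected string."""
    if match_type == "Contains":
        return value in field
    if match_type == "Exactly matches":
        return field == value
    if match_type == "Starts with":
        return field.startswith(value)
    if match_type == "Ends with":
        return field.endswith(value)
    if match_type == "Contains word":
        if not re.fullmatch(r"[A-Za-z0-9_]+", value):
            raise ValueError("Contains word needs an alphanumeric/underscore value")
        # assumption: the value must be bounded by non-word characters or field edges
        pattern = r"(?<![A-Za-z0-9_])" + re.escape(value) + r"(?![A-Za-z0-9_])"
        return re.search(pattern, field) is not None
    raise ValueError(f"unsupported match type: {match_type}")


def evaluate(request, filt):
    """True when the request satisfies one filter of a string match condition."""
    value = filt["value"]
    if filt.get("value_is_base64"):              # 'Value is base64 encoded' check box
        value = base64.b64decode(value).decode()
    if len(value.encode()) > MAX_VALUE_BYTES:
        raise ValueError("Value to match is limited to 50 bytes before encoding")
    transformation = filt.get("transformation", "None")
    return any(
        matches(transform(candidate, transformation), value, filt["match_type"])
        for candidate in parts_to_inspect(request, filt["part"], filt.get("data"))
    )


# Constructed sample request for the checks below (not captured traffic).
SAMPLE_REQUEST = {
    "method": "GET",
    "uri": "/images/daily-ad.jpg",
    "query": "SalesRegion=boston&SalesRegion=seattle&UserName=abc",
    "headers": {"User-Agent": "BadBot/1.0", "X-Raw": "a&lt;b&gt;\tc"},
    "body": "field=" + "A" * 8200 + "TAIL",     # TAIL lies beyond the 8192-byte window
}

if __name__ == "__main__":
    region = {"part": "Single query parameter (value only)", "data": "salesregion",
              "match_type": "Exactly matches", "value": "seattle"}
    print(evaluate(SAMPLE_REQUEST, region))      # True: duplicate parameters are OR-ed
```

The sample request exercises the points the text makes that are easy to get wrong in practice: a lower-case Query parameter name still selects SalesRegion, the second SalesRegion value matches because duplicates are evaluated as OR, a transformation is applied to the inspected request part and never to Value to match, and a string sitting past the first 8192 bytes of the body is invisible to the filter, which is why the page points to a size constraint condition for oversized bodies.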
Deleting string match conditions

If you want to delete a string match condition, you need to first delete all filters in the condition and remove the condition from all the rules that are using it, as described in the following procedure.

To delete a string match condition