AWS WAFv2 Rule
{
"Name": "AdminRequestFromLoggedInUser",
"Priority": 8,
"Action": {
"Allow": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "AdminRequestFromLoggedInUser"
},
"Statement": {
"AndStatement": {
"Statements": [
{
"ByteMatchStatement": {
"FieldToMatch": {
"UriPath": {}
},
"PositionalConstraint": "CONTAINS",
"SearchString": "/wp-admin/",
"TextTransformations": [
{
"Type": "NONE",
"Priority": 0
}
]
}
},
{
"ByteMatchStatement": {
"FieldToMatch": {
"SingleHeader": {
"Name": "cookie"
}
},
"PositionalConstraint": "CONTAINS",
"SearchString": "wordpress_logged_in_",
"TextTransformations": [
{
"Type": "NONE",
"Priority": 0
}
]
}
}
]
}
}
}
{
"Name": "DownloadWPConfig",
"Priority": 3,
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "DownloadWPConfig"
},
"Statement": {
"AndStatement": {
"Statements": [
{
"ByteMatchStatement": {
"FieldToMatch": {
"QueryString": {}
},
"PositionalConstraint": "CONTAINS",
"SearchString": "file",
"TextTransformations": [
{
"Type": "LOWERCASE",
"Priority": 0
}
]
}
},
{
"ByteMatchStatement": {
"FieldToMatch": {
"QueryString": {}
},
"PositionalConstraint": "CONTAINS",
"SearchString": "wp-config.php",
"TextTransformations": [
{
"Type": "LOWERCASE",
"Priority": 0
}
]
}
}
]
}
}
}
{
"Name": "BruteForce",
"Priority": 4,
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "BruteForce"
},
"Statement": {
"RateBasedStatement": {
"Limit": 100,
"AggregateKeyType": "IP",
"ScopeDownStatement": {
"OrStatement": {
"Statements": [
{
"ByteMatchStatement": {
"FieldToMatch": {
"UriPath": {}
},
"PositionalConstraint": "CONTAINS",
"SearchString": "/wp-login.php",
"TextTransformations": [
{
"Type": "NONE",
"Priority": 0
}
]
}
},
{
"ByteMatchStatement": {
"FieldToMatch": {
"UriPath": {}
},
"PositionalConstraint": "CONTAINS",
"SearchString": "/xmlrpc.php",
"TextTransformations": [
{
"Type": "NONE",
"Priority": 0
}
]
}
}
]
}
}
}
}
}
{
"Name": "RESTAPIRequestFromLoggedInUser",
"Priority": 8,
"Action": {
"Allow": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "RESTAPIRequestFromLoggedInUser"
},
"Statement": {
"AndStatement": {
"Statements": [
{
"ByteMatchStatement": {
"FieldToMatch": {
"UriPath": {}
},
"PositionalConstraint": "CONTAINS",
"SearchString": "/wp-json/wp/v2/",
"TextTransformations": [
{
"Type": "NONE",
"Priority": 0
}
]
}
},
{
"ByteMatchStatement": {
"FieldToMatch": {
"SingleHeader": {
"Name": "cookie"
}
},
"PositionalConstraint": "CONTAINS",
"SearchString": "wordpress_logged_in_",
"TextTransformations": [
{
"Type": "NONE",
"Priority": 0
}
]
}
}
]
}
}
}