How to set oversize handling WAF

0

I got an email from AWS to configure WAF for oversize before October 1, 2022. I want to inspect the first 8 KB and ignore the remaining bytes of the body. I understand the option 'Continue' will be the best choice in this case, but I still cannot figure out which I should choose, 'Allow' or 'Block', in Action. Also, I want to know whether there is a difference between Classic and V2 in defining the rules.

asked 3 months ago, 52 views
1 Answer
2
Accepted Answer

AWS WAF can only inspect the first 8 KB (8,192 bytes) of the body of a request. Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits.

Since you want to inspect only the first 8 KB and ignore the remaining bytes of the body, the best option would be to “continue” the requests, where AWS WAF will inspect only those request component contents that are within the size limitations, i.e., 8 KB.

Below is an example to get a better understanding of the 3 Options in oversize handling:

Continue: AWS WAF inspects bytes 1 through 8,192 of the body content for an SQLi attack. The remaining content, bytes 8,193 through 9,000, isn't inspected.
Match: AWS WAF marks this request as containing an SQLi attack and takes the rule action (either ALLOW or BLOCK).
Not match: AWS WAF marks this request as not containing an SQLi attack regardless of the request body content.

Now, the rule action might be set to “allow” or “block” depending upon your use case. For example, if you are inspecting the body for SQLi attacks and want to block all the requests, you would choose the action “BLOCK”.

If the rule's logic is to ALLOW requests, then setting the oversize handling to CONTINUE means the body would be inspected only up to 8192 bytes and even if anything suspicious is found, it would be allowed.

If the rule's logic is to BLOCK requests that have a body payload greater than 8192, then setting the oversize handling to CONTINUE means the body would be inspected only up to 8192 bytes and if anything suspicious is found, then it would be blocked.

In WAF Classic, you can work with size constraint conditions to manage how requests that exceed 8192 bytes are handled. Please refer to the documentation below. https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-size-conditions.html

SUPPORT ENGINEER
answered 3 months ago
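
The three oversize handling options and the rule action from the answer above, modelled as an added example that is not part of the original answer and is not AWS code. The marker check, the function names, the single-rule web ACL and the constructed 9,000-byte bodies are assumptions made for illustration.

```python
# Added illustration, not AWS code: a simplified model of how oversize handling
# and the rule action combine for a rule that inspects the request body.
BODY_LIMIT = 8192                      # inspectable body bytes, per the answer
MARKER = b"<constructed-sqli-marker>"  # stand-in for content the rule detects
OPTIONS = ("CONTINUE", "MATCH", "NO_MATCH")


def rule_matches(body: bytes, oversize_handling: str) -> bool:
    """Return True when the body-inspecting rule matches the request."""
    if oversize_handling not in OPTIONS:
        raise ValueError(f"unknown oversize handling: {oversize_handling}")
    if len(body) > BODY_LIMIT:
        if oversize_handling == "MATCH":
            return True    # treated as matching, body not evaluated
        if oversize_handling == "NO_MATCH":
            return False   # treated as not matching, body not evaluated
    # CONTINUE, or a body within the limit: only the first 8,192 bytes are seen.
    return MARKER in body[:BODY_LIMIT]


def evaluate(body, oversize_handling, rule_action, default_action):
    """Outcome for a web ACL holding this single rule (assumed setup)."""
    if rule_matches(body, oversize_handling):
        return rule_action
    return default_action  # no rule matched, so the web ACL default applies


# Constructed 9,000-byte bodies: marker past the limit, and marker at the start.
TAIL = (b"a" * 8500 + MARKER).ljust(9000, b"a")
HEAD = MARKER.ljust(9000, b"a")


def demo():
    """Outcomes for a BLOCK rule in a web ACL whose default action is ALLOW."""
    return {
        (name, opt): evaluate(body, opt, "BLOCK", "ALLOW")
        for name, body in (("tail", TAIL), ("head", HEAD))
        for opt in OPTIONS
    }


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, outcome)
```

Under CONTINUE the "tail" body does not match and reaches the web ACL default action, so what happens to oversize requests depends on the oversize handling option and the default action together, not on the rule action alone.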
