Triggers are tools that allow you to receive notifications and set how WAF should react to some events that it doesn't respond to by default (e.g., behavior attacks).
Each trigger consists of three components:
Let's say, for example, that you want to receive alerts about XSS attacks (if there are more than 2,000 per hour) via e-mail. In this case, you should create a trigger with the following components:
This is what a tab looks like with two triggers that add IP addresses that meet the conditions to the denylist:
Go to the Triggers tab and click Create trigger.
A new window opens.
Click the appropriate condition from the list to the right.
There are ten conditions available for triggers:
1. Brute force. Brute force attacks include brute-forcing passwords, session IDs, and account data spoofing. Signs of brute forcing include sending many requests to the same endpoint during the defined time interval.
2. Forced browsing. Forced browsing is a behavioral attack in which an attacker tries to find directories and files with information about an application's configuration and components. Signs of forced browsing include sending many requests to different endpoints, to which the application responds with a 404 code.
3. BOLA. BOLA (Broken Object Level Authorization) is a behavioral attack in which an attacker can retrieve or modify an application component by identity through an API, thus bypassing authorization. This attack exploits a vulnerability related to the lack of or insufficient verification of access rights.
4. By default, WAF doesn't protect applications from brute-force attacks, forced browsing, or BOLA, so with condition 1, 2, or 3 triggers, you would point WAF to the attack signs and then configure how the firewall should react to them.
Number of malicious payloads. A malicious payload is the part of a request which contains instructions about what actions should be performed in an attacked application. With a trigger, you can specify how many requests with payloads WAF should react to.
5–7. Number of attacks, hits, incidents. With conditions 5–7, you'll set the number of attacks, hits, or incidents about which the WAF should send you an e-mail notification.
8. Denylisted IP. This will allow you to specify blocked IPs to WAF.
9. Hits from the same IP. Using a condition, you can specify the threshold from which hits sent from the same IP should be grouped into a single attack in the Events section.
10. User added. Using a condition, you'll command WAF to send an e-mail notification when the user is added to the WAF account.
Filters detail the chosen condition. The set of available filters depends on the selected condition. In the example below, there are available filters for the 'Number of attacks' condition to the right.
Click the needed filters from the list to add them to the condition. After that, the filter will display on the left, and you can specify its values.
For example, we added the 'Type' filter and selected 'xss', 'sqli', and 'rce' types to determine only those types of attack we want to be notified about.
To add other filters, click the one you need on the right.
We list all available filters below.
The reaction determines what WAF should do if a request fits the condition and filters (if they were set). The set of available reactions also depends on the selected condition.
The example below shows two available reactions for the 'Brute force' (requests from the same IP) condition to the right.
Click Add a reaction to add the suitable response and set it up if necessary.
We list all available reactions below.
Check the trigger components, then enter a name and description if necessary. If no name or description is specified, the trigger will be created with a default name in the format.
New trigger by
<creation_date>, and an empty description.
Go to the Triggers tab, click the three dots next to the trigger you want to disable or delete, select the needed option, and confirm the action.
Was this article helpful?
Discover the all-in-one Web security solution by Gcore