docs
Edgecast Console

Custom Rules

Use custom rules to tailor how Security identifies malicious traffic. This provides added flexibility for threat identification that allows you to target malicious traffic with minimal impact to legitimate traffic. Custom threat identification combined with rapid testing and deployment enables you to quickly address long-term and zero-day vulnerabilities.
The Custom rules capability requires Edgecast Enterprise, Edgecast Premier, Security Premier, or Security Business. Contact your account manager or our sales department at 1 (866) 200 - 5463 to upgrade your account.

Custom Rule Sets

A custom rule set defines how threats will be identified through rules. Each custom rule set may contain up to 10 rules. Each rule contains:
  • Up to 6 conditions that define threat identification criteria.
  • A rule ID and message that will be associated with threats identified by this rule. A rule ID must be a number between 66,000,000 and 66,999,999.
    Assigning a unique ID and message to each rule makes it easy to identify threats detected as a result of a specific rule.

Threat Identification

Edgecast identifies a threat when a request satisfies at least one rule in a custom rule set. A rule is satisfied when a match is found for each of its conditions. A condition defines what will be matched (i.e., variable), how it will be matched (i.e., operator), and a match value.
A variable identifies the request element (e.g., request header, query string, or request body) that Edgecast will analyze.
Example #1:
This example assumes that your custom rule set contains the following two rules:
RuleDescription
1This rule contains a single condition with a single variable.
2This rule contains the following conditions:
  1. The first condition contains a single variable.
  2. The second condition contains two variables.
Assuming the above configuration, Security identifies a threat under either of the following circumstances:
  • A match is found for the variable defined in the first rule’s condition.
  • A match is found for the variable defined in the second rule’s first condition.
    AND
    A match is found for either of the variables defined in the second rule’s second condition.
Certain variables match on key-value pairs. If you match on multiple keys within a single variable, Edgecast will only need to find one of those matches to satisfy that variable. For example, if you set up a request header variable to match for Authorization and Content-Type, then requests that contain either or both of those headers will satisfy that variable.

Conditions

A condition determines how requests will be identified through variables, operators, match values, transformations, and negative matching.
Variables
A variable identifies the request element that Edgecast will analyze.
Key information:
  • All variables support the ability to match on the number of times that a request element is found within the request. Set up a variable to match on the number of instances instead of inspecting the element for a specific value or regular expression pattern by marking the Count option.
  • You may define zero or more keys when setting up variables that match on key-value pairs. Edgecast must find at least one of the specified keys in the request before that variable will be satisfied.
    For example, if you set up a request header variable to match for Authorization and Content-Type, then requests that contain either or both of those headers will satisfy that variable.
  • We support the following request elements:
ASN
Identifies requests by the Autonomous System Number (ASN) associated with the client’s IP address.
Specify a regular expression to match for multiple ASNs.
Example:
Use the following pattern to match for requests from 15133 and 14153: 15133|14153
Country
Identifies requests by the country from which the request originated. Specify the desired country using a country code.
Specify a regular expression to match for multiple country codes.
Example:
Use the following pattern to match for requests from the United States, Canada, and Mexico: US|CA|MX
Country Subdivision (ISO3166-2)
Identifies requests by a country’s subdivision (e.g., state or province). Specify each desired subdivision using an ISO-3166-2 code.
Syntax:
<Country Code>-<Subdivision Code>
Example:
The following value identifies requests from California: US-CA
IP Address
Identify requests by the requester’s IP address.
Key information:
  • Specify a comma-delimited list of the desired IP address(es) using standard IPv4/IPv6 and CIDR notation.
  • Specify a subnet by appending a slash (/) and the desired bit-length of the prefix (e.g., 11.22.33.0/22).
  • Do not specify more than 1,000 IP addresses or IP blocks.
  • Identifying requests by IP address is only supported when a condition contains a single variable.
  • Example: 192.0.2.20,203.0.113.0/24,2001:DB8::/32
Request Body Parsed
Match against all or specific key-value pair(s) in the request body for a URL-encoded or JSON POST request:
  • All: Do not specify a key within this variable and specify the desired value or pattern within the Match value option.
  • Specific Key-Value Pair: Define the name of the desired key within this variable and specify the desired value or pattern within the Match value option.
    Setting up a request body parsed variable also allows you to define whether Edgecast uses a regular expression, a negative match, or both when comparing the value assigned to the variable against key names. Use a negative match to find requests whose payload does not contain the specified key.
Use the Request body raw variable to match against the URL-encoded request body for any type of request (e.g., XML).
Edgecast only inspects the first 8 KB of the request body. You may restrict the request body for valid requests to 8 KB (8,192 bytes) through an access rule.
Example:
Match against the following request body by setting the the Match value option to blue. Require that this value be assigned to the sky key by also setting the request body parsed variable to sky.
1{
2    "id": "srZf45oP34p",
3    "sky": "blue"
4}
Request Body Raw
Match against a URL-encoded request body for any type of request (e.g., XML).
Edgecast only inspects the first 8 KB of the request body. You may restrict the request body for valid requests to 8 KB (8,192 bytes) through an access rule.
Request Cookies
Match against all or specific cookies.
  • All: Match against all cookies by not specifying a cookie name within this variable. Specify the desired cookie value or pattern within the Match value option.
  • Specific Cookies: Define the name of the desired cookie within this variable and specify the desired cookie value or pattern within the Match value option.
    Setting up a cookie variable also allows you to define whether Edgecast uses a regular expression, a negative match, or both when comparing the value assigned to the variable against cookies. Use a negative match to find requests that do not contain the specified cookie.
Request Header
Match against all or specific request headers.
  • All: Match against all request headers by not specifying a request header name within this variable. Specify the desired header value or pattern within the Match value option.
  • Specific Request Headers: Define the name of the desired request header within this variable and specify the desired header value or pattern within the Match value option.
    Setting up a request header variable also allows you to define whether Edgecast uses a regular expression, a negative match, or both when comparing the value assigned to the variable against request headers. Use a negative match to find requests that do not contain the specified request header.
Request Method
Match against request method (e.g., GET and POST).
Request Query
Match against the request’s query string. Specify the desired value or pattern within the Match value option.
Request URI
Match against the request’s URL path and query string. Define a URL path that starts directly after the hostname. Exclude the protocol and hostname when defining this property.
Sample values: /marketing?id=123456 and /resources/images
Request URL Path
Match against the request’s URL path. Define a URL path that starts directly after the hostname. Exclude the protocol, hostname, and query string when defining this property.
Sample values: /marketing and /resources/images
Operators
An operator determines how Edgecast will compare a match value against the request element identified by a variable.
  • Begins with: A match is found when the request element starts with the specified match value.
  • Contains: A match is found when the request element contains the specified match value.
  • Ends with:  A match is found when the request element ends with the specified match value.
  • Exact match:  A match is found when the request element is an exact match to the specified match value.
    Avoid enabling the Negative match option with the Exact match operator. This configuration will not yield the expected set of matches.
  • Regex: A match is found when the request element satisfies the regular expression defined in the match value.
  • Value match: A match is found when the request element occurs the exact number of times defined in the match value.
    The Value match operator should only be used when the Count option has been enabled.
Match Value
Edgecast uses a match value to identify threats.
  • Default: By default, Edgecast compares a match value against the request element identified by a variable (e.g., URL path or a request header’s value).
  • Count: Enable the Count option on a variable to compare this value against the number of times that the request element identified by a variable (e.g., a specific cookie or request header) occurs within the request.
    Example:
    This example assumes the following configuration:
    1Variable: Request header = Authentication
    2Match value: 1
    We will now examine how the Count option affects comparisons for this configuration.
    • Disabled: If the Count option has been disabled on the variable, then Edgecast will compare the value of the Authentication request header to 1.
    • Enabled: If the Count option has been enabled on the variable, then Edgecast will compare the number of times that the Authentication request header occurred in the request to 1.
    The type of comparison that will be performed is determined by the Operator option.
Match Transformations
Edgecast can transform the source value before it inspects it. Select one or more of the following transformations to allow Edgecast to compare the match value against the result of each selected transformation:
  • Lowercase: Converts all uppercase characters to lowercase characters.
  • None: The source value will not be modified.
  • Remove nulls: Removes all null values from the source value.
  • URL decode: Applies URL decoding to the source value. This transformation is useful when the source value has been URL encoded twice.

Custom Rule Administration

You may create, modify, and delete custom rule sets.
Key information:
  • Administer custom rule sets from the Custom Rules page.
  • Apply a custom rule set to production traffic by adding it to a Security Application configuration and then determining how it will be enforced. Multiple Security Application configurations may use the same custom rule set. Leverage this capability to tailor security screening by application or traffic profile.
  • It may take up to 2 minutes for an updated custom rule set to be applied across our entire network.
To create a custom rule set
  1. Navigate to the Custom Rules page.
    1. From the Edgecast Console, select the desired organization.
    2. From the Security section, click Custom Rules.
  2. Click + New Custom Ruleset.
  3. In the Name option, type the unique name by which this custom rule set will be identified. This name should be sufficiently descriptive to identify it when setting up a Security Application configuration.
  4. By default, a blank rule is associated with each new custom rule. Find the rule’s Rule message option and set it to a brief description that identifies the purpose of this rule.
  5. In the Rule ID option, specify a number between 66,000,000 and 66,999,999.
  6. The default rule contains a default condition. Modify this condition to determine how Edgecast will identify threats.
    Default condition
    1. From the condition’s Variable option, select the request element through which Edgecast will identify threats.
    2. Certain variables (e.g., request cookies and request header) match on name and value. If you have selected this type of variable, then perform the following steps:
      1. Optional. Mark the Count option to match by the number of instances that a match is found instead of by inspecting that request element.
      2. Click + Add Match.
      3. From the Name option, type the desired name.
        For example, match for requests that contain an Authorization header by setting this option to Authorization.
      4. Optional. Mark the Negative Match option to match for requests that do not contain a matching value for the name defined in the previous step.
      5. If you specified a regular expression in the Name option, then you should mark the Regex Match option.
      6. Optional. Add another match through which this variable can be satisfied by repeating steps 6.ii.a - 6.ii.e.
    3. From the Operator option, select an operator that determines how Edgecast will compare the match value to the request element identified by the above variable.
    4. In the Match value option, type either of the following values:
      • Count Option - Disabled: Type the value that will be compared against the value associated with the request element identified by the variable selected above.
      • Count Option - Enabled: Type the number of instances that a match must be found within a single request.
        For example, if you are counting the Set-Cookie header, then this numerical value determines the number of times that the Set-Cookie header must be found within a request.
    5. From the Match transformations option, select each transformation that will be applied to the source value.
    6. Optional. Mark the Negative Match option to match for requests that do not contain a matching value for the value defined in step 6.iv.
  7. Optional. Click + Add Condition to add another condition that must be met before a request can be flagged as a threat. Repeat step 6 for this new condition.
  8. Optional. Click + Add Rule to add another rule through which Edgecast may identify threats. Repeat steps 6 and 7.
  9. Click Save.
To modify a custom rule set
  1. Navigate to the Custom Rules page.
    1. From the Edgecast Console, select the desired organization.
    2. From the Security section, click Custom Rules.
  2. Click on the desired custom rule set.
  3. Make the desired changes.
    Key tasks:
    • Delete a variable by clicking
      Delete icon
      Delete Variable.
    • Delete a match within a variable by clicking the
      Delete icon
      icon.
    • Delete a condition by clicking
      Delete icon
      Delete Condition.
      A rule must have at least one condition.
    • Delete a rule by clicking the
      Delete icon
      icon that appears to the right of the Name option and then clicking Confirm.
  4. Click Save.
To delete a custom rule set
You cannot delete a custom rule that is associated with a Security Application configuration. Please either modify the Security Application configuration to point to a different custom rule or delete that Security Application configuration.
  1. Check your Security Application configurations to verify that the desired custom rule is not in use.
  2. Navigate to the Custom Rules page.
    1. From the Edgecast Console, select the desired organization.
    2. From the Security section, click Custom Rules.
  3. Click on the desired custom rule set.
  4. Click Delete.
  5. Click Confirm.

Version Control

Version control allows you to:
  • View a previous version of a configuration.
  • Reactivate a previous version of a configuration.
  • Compare a previous version of a configuration to the current version.
Edgecast Security Premier and Business support a rolling window of up to 200 versions, while Edgecast Security Essentials and Insights is restricted to a rolling window of up to 100 versions.
An advantage of using version control is that it allows you to quickly roll back to a previously vetted configuration. For example, if you notice that a new configuration has resulted in more false positives, then you can roll back to the previous version before analyzing the data.
To view, compare, and reactivate a previous configuration
  1. Load the desired security configuration (e.g., access rule, rate rule, or custom rule).
  2. Click Versions.
    Versions button
  3. Click on the desired version to view it.
    Version selection
  4. Optional. Compare the version selected in the previous step to the current version by clicking Diff. Differences between those two versions are highlighted in green (new or updated lines) and red (modified or deleted lines).
  5. Optional. Reactivate the version selected in step 3 by clicking Reactivate. Click Reactivate this version to confirm that it will be reactivated.