Help Center

  1. StackPath Help
  2. WAF
  3. WAF Features
  4. Advanced Rules

Advanced Rules - Source Field Objects

Avatar
Joelle Lanke
Updated:

Overview 

The table below contains a table of all of the available source field objects you can use in your expressions along with their respective attributes and types. For more information, please see Advanced Rules.

 

Object Attribute Type Description

Compiled source Field

request

headers

dict

request headers

  

ip

string

NOTE: every string value should warp with ' sign and NOT" sign.

client ip

request.ip

request.ip == '117.20.32.5' || request.ip == '117.20.32.4'

uri

Domain's URI (URL path + arguments)

request.uri

('/prehistoric/monotony/monotony.phtml' or '/amfphp/services') in request.uri

path

domain’s URL path

request.path

request.path in ['/process_neopet_desc.phtml', '/modify_neomessages.phtml']

method

HTTP method (uppercase)

request.method

request.method == 'OPTION'

origin_ip

Web application server IP

request.origin_ip

request.origin_ip == '120.36.54.1'

ja3

TLS fingerprint

request.ja3

request.ja3 == 'e2925c27149b0d0dc34373d55040dde1' or request.ja3 == '3e9b20610098b6c9bff953856e58016a' or request.ja3 == '7d671906ed4a1edac3262a54676dacfa'

http_version

represents http version 

request.http_version

request.http_version in ['1.1']

is_api()

function

returns true if the request is api

request.is_api()

is_ajax()

returns true if the request is ajax

request.is_ajax()

is_static()

returns true if the request is static

request.is_static()

ip_in_range

returns true if client ip is within the specified range

request.ip_in_range(<string>, <string>)

request.ip_in_range('72.21.217.0', '72.21.217.255') 
or request.ip_in_range('2409:4072:6c8c:e228:ecaf:ce2c:fd7d:0000', '2409:4072:6c8c:e228:ecaf:ce2c:fd7d:4780')

rate_limit - more info can be found

Returns true if the rate limit exceeded for the given parameters (scope is 'ip'/'cluster')

  • ip: list of ip addresses that the rule applies to (if there are no IPs in the list, counting will be done for all IPs)

  • URL: regex pattern to match requests' URI(URL + query_parms) against

  • interval: the time limit in seconds, within which we are only allowingn number of requests' to URI matching the pattern

  • requests: the maximum number of requests accepted within the given time period before an action is taken

  • method: list of methods type the request aggregation will be applicated on

  • status_code: list of status codes the request aggregation will be applicate on

  • content_type: regex pattern to match request content_type’s against

  • scope: (If the granularity will not be set to IP the default aggregation will set to cluster)

    • Granularity: 'cluster' - counts all the traffic of a pop, NOTE:

      • Interval counting will be made on each pop separately, this can cause unsynchronized counting

      • IPs counting can be counted separately on different pops (each requests individually, not overlapped)

      • Pops could be related to certain locations, meaning that some clients may never be addressed to certain pops

    • Granularity: 'ip' - counts the traffic per given IP

 
rate_limit(
[ip <string>, ...], 
url <string>, 
interval <int>, 
requests <int>, 
[method <string>,...], 
[status_code <int>,...], 
content_type <string>, 
scope <string>
)

example:

request.rate_limit([], '/', 5, 200, ['GET', 'HEAD'], [], 'text/html; charset=', 'ip')

whois

country

string

NOTE: every string value should warp with ' sign and NOT" sign.

two-letter country code (uppercase)

whois.country

whois.country in ['BR', 'VN', 'ID']

org

organization name from the whois db

whois.org

whois.org in ['Google Inc', 'Google Inc.', 'Google LLC', 'Google Incorporated']

owner_type

owner type of the range

whois.owner_type

whois.owner_type != 'hosting services'

session

request_counter

int

sequential number of the request within the session

session.session_request_counter

session.request_counter > 1000

profiling_status

string

NOTE: every string value should warp with ' sign and NOT" sign.

Client’s fingerprint profiling status, Possible values follow:

  • initiated: JavaScript execution was initiated (sent to the client as an injection into the response).

  • executed once: JavaScript was executed and preliminary results were received by WAF

  • profiling error: An error occurred during profiling.

  • profiling completed: Profiling complete without error.

  • idle: All JavaScript tests and finger printing process completed.

session.profiling_status

session.profiling_status == 'idle'

response

status

int

HTTP status code

response.status

headers

dict

response headers

 
response.headers['Access-Control-Allow-Credentials'] == 'true'

tags

exists(tag <string>)

function

returns true if the tag exists

tags.exists(<string>)

tags.any([<string>, <string>…., <string>]) up to 10 tags

tags.all([<string>, <string>…., <string>]) up to 10 tags

tags.any(['proxynetwork','hostingservices']) 
and tags.exists('penalty')

any([tag <string>, ...])

returns true if any of the tags exists

all([tag <string>, ...])

returns true if all of the tags exist

user_agent

engine

string

NOTE: every string value should warp with ' sign and NOT" sign.

ua_parsed: A table containing user agent information collected by WAF from the source of the logged request:

  • engine: The client engine. An example of engine is “Gecko”.

  • client_version: The client engine's version.

  • client_type: The type of client. Optional values:

    • Major Browser, NA, Lib, Crawler, Custom Browser, mobile app, Headless Browser, Bot, Application, mail client, Site Monitoring, RSS Reader, Game Console, Text Browser, Network Diagnostics, certificate authority, paying service

  • client: The name of the client. An example of client name is "Firefox".

  • client_version_float: A possibly truncated version of the client browser engine's version.

  • os: The client computer's operating system. An example of os is "Mac OS X 10.14".

  • cpu: The client computer's CPU. An example of CPU is "Intel".

  • device: Information about the client device. An example of device is "mac".

  • device_type: Additional information about the client device. Optional values:

    • |Web Search Engine Bots |
      |mobile |
      |NA |
      |SEO, Analytics or Marketing Bots |
      |Preview Bot |
      |Media or Entertainment Search Bots |
      |Social Media or Blog Bots |
      |RSS Feed Reader Bots |
      |Site Monitoring and Web Development Bots|
      |Web Archiver Bots |
      |console |
      |Job Search Engine Bots |
      |Online Advertising Bots |
      |News Aggregator Bots |
      |Academic or Research Bots |
      |Desktop |
      |Business Intelligence Bots |
      |Automated Shopping Cart and Sniper Bots |
      |Enterprise Data Aggregator Bots |
      |Media Player |

user_agent.engine

client

user_agent.client

client_type

user_agent.client_type

'major browser' in user_agent.client_type

client_version

user_agent.client_version

client_version_float

user_agent.client_version_float

os

user_agent.os

cpu

user_agent.cpu

device

user_agent.device

device_type

user_agent.device_type

user_agent.device_type == 'na'

client_data

fingerprint['hash']

dict

A table containing fingerprint information about the request (fingerprint information is collected by WAF with injected JavaScript):

fp__hash of the client

fp__js of the client

fp__flash of the client

fp__header of the client

client_data.fingerprint == 'kvd8oxizrdl-41-37zpvwqrr-5tzoaavgfr7-v2osmr4iefe-noieo-90.3095389639745667'

client_data.fingerprint['hash']

client_data.fingerprint['hash'] == '9be394dca715eca8e42783397a507d2e'

fingerprint['js']

client_data.fingerprint['js']

fingerprint['flash']

client_data.fingerprint['flash']

fingerprint['header']

client_data.fingerprint['header']
Was this article helpful?

Related articles

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Contact Us