Custom Rules -  DETECT operator

The DETECT operator for custom rules lets you detect incoming traffic based on QIDs.

For example, you can use the DETECT operator to detect false positives.

request.path DETECT “qid/150011” with action Allow

The above rule will look for a path that potentially exposes sensitive files (QID 150011 -  Local File Inclusion), but allows this request even if it’s usually blocked, as it’s a false positive.

Similarly, if you create a DETECT rule with action Block, WAF blocks the request and applies a virtual patch for it.

Once you select the DETECT operator for a key, enter qid/ followed by the QID number (all in quotes)

request.path DETECT “qid/150011”

The DETECT operator is available for the following keys:

• request.body.charset
• request.body.parameter
• request.body.parameter.name
• request.body.parameter.value
• request.header
• request.header.content-type
• request.header.cookie
• request.header.cookie.name
• request.header.cookie.value
• request.header.name
• request.header.value
• request.path
• request.query-string.parameter
• request.query-string.parameter.name
• request.query-string.parameter.value
• request.url
• response.header
• response.header.content-type
• response.header.cookie
• response.header.cookie.name
• response.header.cookie.value
• response.header.name
• response.header.value