
How to get all Cloudflare Specials managed rules using Cloudflare API endpoint


How to get all Cloudflare Specials managed rules using a Cloudflare API endpoint, e.g. Anomaly:Header:User-Agent - Missing, DoS - IE6 Binary POST, Anomaly:Header:User-Agent, Anomaly:Header:Referer - Missing or empty, DoS - Query String Cache Busting - 6 or more Numbers, DotNetNuke - File Inclusion - CVE:CVE-2018-9126, CVE:CVE-2011-1892, CVE:CVE-2022-31474

It has more than 460 rules; I just need the configuration of these rules.

I am using this API endpoint but getting the error below:

https://api.cloudflare.com/client/v4/zones/xyz/waf_migration/config?phase_two=1

{
    "result": null,
    "success": false,
    "errors": [
        {
            "message": "this zone uses waf uri overrides - please contact your csm for migration"
        }
    ],
    "messages": null
}

Thanks


Solution

  • Get the ruleset id first,

    % curl -sX GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets" \
         -H "X-Auth-Email: $EMAIL" \
         -H "X-Auth-Key: $APIKEY" \
         -H "Content-Type: application/json" | jq -r '.result[] | select (.name == "Cloudflare Managed Ruleset")'
    
    {
      "id": "efb7b8c949ac4650a09736fc376e9aee",
      "name": "Cloudflare Managed Ruleset",
      "description": "Created by the Cloudflare security team, this ruleset is designed to provide fast and effective protection for all your applications. It is frequently updated to cover new vulnerabilities and reduce false positives.",
      "source": "firewall_managed",
      "kind": "managed",
      "version": "194",
      "last_updated": "2024-04-22T20:47:31.939647Z",
      "phase": "http_request_firewall_managed"
    }
    

    Then you can get all rules in the ruleset with the ruleset id:

    % curl -sX GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/efb7b8c949ac4650a09736fc376e9aee" \
         -H "X-Auth-Email: $EMAIL" \
         -H "X-Auth-Key: $APIKEY" \
         -H "Content-Type: application/json" | jq -r '.result.rules[]'
    
    {
      "id": "5de7edfa648c4d6891dc3e7f84534ffa",
      "version": "194",
      "action": "block",
      "categories": [
        "cve-2014-5265",
        "cve-2014-5266",
        "cve-2014-5267",
        "dos",
        "drupal",
        "wordpress"
      ],
      "description": "Drupal, Wordpress - DoS - XMLRPC - CVE:CVE-2014-5265, CVE:CVE-2014-5266, CVE:CVE-2014-5267",
      "last_updated": "2024-04-22T20:47:31.939647Z",
      "ref": "b569ea728adc47b3ba6dee1b5d3b2849",
      "enabled": false
    }
    {
      "id": "e3a567afc347477d9702d9047e97d760",
      "version": "191",
      "action": "block",
      "categories": [
        "cve-2020-12720",
        "sqli",
        "vbulletin",
        "beta"
      ],
      "description": "vBulletin - SQLi - CVE:CVE-2020-12720 - beta",
      "last_updated": "2024-04-22T20:47:31.939647Z",
      "ref": "8db020ccd4d0be9f46b817a4865a1b482",
      "enabled": false
    }
    {
      "id": "980c5b4fa30f4214b836ebd8521e1eff",
      "version": "163",
      "action": "block",
      "categories": [
        "broken-access-control",
        "wordpress"
      ],
      "description": "Wordpress - Broken Access Control",
      "last_updated": "2024-04-22T20:47:31.939647Z",
      "ref": "e75cd6ec7756048bf35e7f3f514a13f8",
      "enabled": true
    }
    ...
    {
      "id": "c11d57f6f6204c338b0cab291a3e21e4",
      "version": "1",
      "action": "block",
      "categories": [
        "remote-code-execution",
        "beta",
        "new"
      ],
      "description": "Remote Code Execution - Generic Payloads",
      "last_updated": "2024-04-22T20:47:31.939647Z",
      "ref": "846e12c8ca535ed20e1ac6e9359f80dc",
      "enabled": false
    }
    {
      "id": "048dc8c7995f44b5871eed98554f9705",
      "version": "1",
      "action": "log",
      "categories": [
        "beta"
      ],
      "description": "Vulnerability scanner activity Beta",
      "last_updated": "2024-04-22T20:47:31.939647Z",
      "ref": "95ed449897b26e1b65fa899bcf5eeb6a",
      "enabled": true
    }
    

    @Sudhir Your overriding config should be found at the entrypoint:

    % curl -sX GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
         -H "X-Auth-Email: $EMAIL" \
         -H "X-Auth-Key: $APIKEY" \
         -H "Content-Type: application/json" | jq -r
    {
      "result": {
        "id": "83b2ceeff7d5426d9775ad88cfb7c928",
        "name": "zone",
        "description": "",
        "source": "firewall_managed",
        "kind": "zone",
        "version": "121",
        "rules": [
          {
            "id": "e55a2858d1054b75919de77c8200a34e",
            "version": "2",
            "action": "skip",
            "expression": "(ip.src eq x.x.x.x)",
            "description": "Skip all from my home",
            "last_updated": "2023-07-10T06:25:15.866337Z",
            "ref": "e55a2858d1054b75919de77c8200a34e",
            "enabled": true,
            "logging": {
              "enabled": true
            },
            "action_parameters": {
              "ruleset": "current"
            }
          },
          ...
          {
            "id": "79baee871d7e4bb59946e7ee494be39e",
            "version": "5",
            "action": "execute",
            "expression": "true",
            "last_updated": "2023-07-10T06:25:15.866337Z",
            "ref": "79baee871d7e4bb59946e7ee494be39e",
            "enabled": true,
            "action_parameters": {
              "id": "c2e184081120413c86c3ab7e14069605",
              "version": "latest"
            }
          },
        ],
        "last_updated": "2023-09-13T02:05:32.971174Z",
        "phase": "http_request_firewall_managed"
      },
      "success": true,
      "errors": [],
      "messages": []
    }
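
To see what the zone actually enforces, the managed ruleset's defaults have to be combined with the overrides carried by the entrypoint's `execute` rule. The following is an added example, not part of the original answer or Cloudflare's own code: the sample data is constructed from the output above, and the `overrides` object (with `categories` and `rules` lists) and the precedence ruleset < category < rule are assumptions, since the page does not show an entrypoint with overrides.

```python
# Constructed sample data: rule ids, actions and descriptions are copied from the
# output above; the "overrides" object is an assumed shape not shown on the page.
MANAGED_RULESET_ID = "efb7b8c949ac4650a09736fc376e9aee"
MANAGED_RULES = [
    {"id": "e3a567afc347477d9702d9047e97d760", "action": "block", "enabled": False,
     "categories": ["cve-2020-12720", "sqli", "vbulletin", "beta"],
     "description": "vBulletin - SQLi - CVE:CVE-2020-12720 - beta"},
    {"id": "980c5b4fa30f4214b836ebd8521e1eff", "action": "block", "enabled": True,
     "categories": ["broken-access-control", "wordpress"],
     "description": "Wordpress - Broken Access Control"},
    {"id": "048dc8c7995f44b5871eed98554f9705", "action": "log", "enabled": True,
     "categories": ["beta"], "description": "Vulnerability scanner activity Beta"},
]
ENTRYPOINT_RULES = [
    {"action": "skip", "expression": "(ip.src eq x.x.x.x)", "enabled": True},
    {"action": "execute", "expression": "true", "enabled": True,
     "action_parameters": {"id": MANAGED_RULESET_ID, "version": "latest", "overrides": {
         "categories": [{"category": "wordpress", "action": "log"}],
         "rules": [{"id": "e3a567afc347477d9702d9047e97d760", "enabled": True},
                   {"id": "980c5b4fa30f4214b836ebd8521e1eff", "action": "managed_challenge"}]}}},
]

def effective_rules(managed_rules, entrypoint_rules, ruleset_id):
    """Apply the zone's overrides to the managed rules; [] if the ruleset is not executed."""
    execute = next((r for r in entrypoint_rules
                    if r.get("action") == "execute" and r.get("enabled")
                    and r.get("action_parameters", {}).get("id") == ruleset_id), None)
    if execute is None:
        return []  # no enabled execute rule deploys this ruleset on the zone
    overrides = execute["action_parameters"].get("overrides", {})
    by_category = {o["category"]: o for o in overrides.get("categories", [])}
    by_rule = {o["id"]: o for o in overrides.get("rules", [])}
    result = []
    for rule in managed_rules:
        # Least specific layer first, so ruleset < category < rule overrides (assumed order).
        layers = [overrides]
        layers += [by_category[c] for c in rule.get("categories", []) if c in by_category]
        layers.append(by_rule.get(rule["id"], {}))
        eff = dict(rule)
        for layer in layers:
            eff.update({k: layer[k] for k in ("action", "enabled") if k in layer})
        eff["overridden"] = (eff["action"], eff["enabled"]) != (rule["action"], rule["enabled"])
        result.append(eff)
    return result

if __name__ == "__main__":
    for r in effective_rules(MANAGED_RULES, ENTRYPOINT_RULES, MANAGED_RULESET_ID):
        flag = "*" if r["overridden"] else " "
        print(f'{flag} {r["action"]:<17} enabled={r["enabled"]!s:<5} {r["description"]}')
```

In practice, feed it `.result.rules` from the ruleset call and `.result.rules` from the entrypoint call instead of the constructed lists.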