How to intercept?

What is the name of the domain?

www.ex.com

What is the issue you’re encountering?

Malicious ranking manipulation

What steps have you taken to resolve the issue?

How to intercept this:
66.249.79.33 - - [16/Jul/2024:18:16:06 +0800] "GET /?s=%E6%B7%B1%E5%9C%B3%E7%A6%8F%E7%94%B0%E5%8C%BA%E5%A4%A7%E5%AD%A6%E7%94%9F%E9%99%AA%E6%B8%B8+%E5%BE%AE%F0%9D%9F%92%F0%9D%9F%92%F0%9D%9F%91%F0%9D%9F%93%F0%9D%9F%91%F0%9D%9F%92%F0%9D%9F%94%F0%9D%9F%96%F0%9D%9F%95+%E7%94%B5V%E5%90%8C%E6%AD%A5%F0%9D%9F%8F%F0%9D%9F%91%F0%9D%9F%8E-%F0%9D%9F%93%F0%9D%9F%93%F0%9D%9F%97%F0%9D%9F%95-%F0%9D%9F%92%F0%9D%9F%8E%F0%9D%9F%90%F0%9D%9F%93%E9%AB%98%E7%BA%A7%E8%B5%84%E6%BA%90-%E5%BF%AB%E9%80%9F%E5%AE%89%E6%8E%92V HTTP/2.0" 403 146 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

What are the steps to reproduce the issue?

Keywords cannot be intercepted!
And this was done using the IP address of the Google spider.
Why can’t the WAF intercept it?

Screenshot of the error

The Cloudflare WAF didn’t work?!

What is the actual domain name?
Can you share a copy of the rule you created?

Thank you for your reply!
The domain name is not important; for example, Facebook.com also has malicious ranking manipulation.
I have tried all the rules, but none of them have taken effect. URL keyword blocking and IP blocking also do not take effect. May I ask if the WAF does not take effect?
Or is there a good way to intercept GET requests?

It is, but only if you want me to be able to easily take a look at the rule & settings to help troubleshoot.

The rule like this:
(http.request.uri.path contains "/wp-login.php" and http.request.uri.path contains "/wp-admin/" and http.request.uri.path contains "/xmlrpc.php" and http.request.uri.query contains "%E4%B8%8A%E9%97%A8" and http.request.uri.query contains "%E5%90%8C%E6%AD%A5" and http.request.uri.path contains "上门")

But it didn’t work!

It won’t work: AND/OR logic

Path cannot contain “/wp-login.php” AND “/wp-admin/” AND “/xmlrpc.php” all at the same time

Replace the AND with OR

3 Likes
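
The AND/OR point above, as an added example that is not part of the original thread: a small Python evaluator for the subset of rule syntax the posts use, run on constructed requests. It assumes `contains` is a case-sensitive substring test on the raw path and query string and that `and` binds tighter than `or`; `evaluate`, `verdicts` and the sample requests are hypothetical names.

```python
import re

# Subset of the thread's rule syntax: field contains "literal", and, or, parentheses.
def tokenize(expr):
    expr = expr.replace("\u201c", '"').replace("\u201d", '"')  # pasted curly quotes
    return re.findall(r'\(|\)|"[^"]*"|[^\s()"]+', expr) + [None] * 3  # padded end

def evaluate(expr, request):
    """True if request (dict: field name -> raw string) matches expr."""
    tokens, i = tokenize(expr), 0
    def take():
        nonlocal i
        i += 1
        return tokens[i - 1]
    def atom():
        if tokens[i] == "(":
            _, value, closing = take(), any_of(), take()
            if closing != ")":
                raise ValueError("missing closing parenthesis")
            return value
        field, op, literal = take(), take(), take()
        if field not in request or op != "contains" or not str(literal).startswith('"'):
            raise ValueError(f"cannot parse comparison near {field!r}")
        return literal[1:-1] in request[field]  # case-sensitive substring match
    def chain(keyword, operand, combine):
        values = [operand()]
        while tokens[i] == keyword:
            take()
            values.append(operand())  # every operand is parsed, then combined
        return combine(values)
    def all_of():  # `and` binds tighter than `or` (assumed)
        return chain("and", atom, all)
    def any_of():
        return chain("or", all_of, any)
    result = any_of()
    if tokens[i] is not None:
        raise ValueError(f"unexpected token {tokens[i]!r}")
    return result

# Shortened form of the thread's first rule, then the same rule with `or`.
P, Q = "http.request.uri.path", "http.request.uri.query"
AND_RULE = (f'({P} contains "/wp-login.php" and {P} contains "/xmlrpc.php" '
            f'and {Q} contains "%E5%90%8C%E6%AD%A5")')
OR_RULE = AND_RULE.replace(" and ", " or ")
# Constructed sample requests (not taken from the page's log).
SAMPLES = [{P: "/wp-login.php", Q: ""}, {P: "/", Q: "s=%E5%90%8C%E6%AD%A5"}, {P: "/", Q: "s=hello"}]

def verdicts(rule):
    return [evaluate(rule, request) for request in SAMPLES]
```

`verdicts(AND_RULE)` matches none of the three sample requests, while `verdicts(OR_RULE)` matches the login path and the encoded keyword and leaves the ordinary search alone.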

Yeah! That’s right!
Thank you very much!

2 Likes


It has been changed to OR.

It seems that it cannot be completely intercepted.


It’s crazy!

Please post your updated rule’s expression again.

1 Like


Updated rules:
(http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/") or (http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.query contains "%E4%B8%8A%E9%97%A8") or (http.request.uri.query contains "%E5%90%8C%E6%AD%A5") or (http.request.uri.query contains "%E5%A4%96%E5%9B%B4") or (http.request.uri.query contains "%E7%94%B5V") or (http.request.uri.query contains "%E7%94%B5v") or (http.request.uri.query contains "%E7%BA%A6%E7%82%AE") or (http.request.uri.query contains "%E6%8E%92%E5%90%8D") or (http.request.uri.query contains "%E7%97%95%E8%BF%B9") or (http.request.uri.query contains "%E3%80%8E%E5%9B%B4%E3%80%8F") or (http.request.uri.query contains "%E7%94%B5%E6%8A%A5") or (http.request.uri.query contains "%E7%94%B5%E5%BE%AE") or (http.request.uri.query contains "%E5%BF%AB%E9%80%9F%E5%AE%89%E6%8E%92")
But it may still occur; some requests are intercepted, but not all.

Excluding the first three items, the rest cannot be intercepted at all.
Do you have any suggestions?