How Blacklists, Whitelists, and Graylists Are Processed
When creating or modifying a ruleset, you’ll find various attributes that allow you to specify a blacklist, a whitelist, or a graylist. In order to achieve the desired behavior, you need to understand how vWAFprocesses these lists.
If there’s only a blacklist
If there’s only a blacklist but no whitelist and no graylist, a vWAF function only looks at the blacklist. If the value that’s to be checked matches a pattern on the blacklist, the function returns FALSE, else it returns TRUE.
If there’s only a whitelist
If there’s only a whitelist but no blacklist and no graylist, a vWAF function only looks at the whitelist. If the value that’s to be checked matches a pattern on the whitelist, the function returns TRUE, else it returns FALSE.
If there’s a blacklist, a whitelist, and a graylist
-
First, vWAF looks at the blacklist. If the value that’s to be checked matches a pattern on the blacklist, the function returns FALSE and exits. In this case, vWAF doesn’t take any further look at the graylist and at the whiltelist.
-
If there has been no match with the blacklist, vWAF next looks at the whitelist. If the value that’s to be checked matches a pattern on the whitelist, the function returns TRUE and exits. In this case vWAF doesn’t take any further look at the graylist..
-
If there has been no match with the blacklist and no match with the whitelist, vWAF next also looks at the graylist. If the value that’s to be checked matches a pattern on the graylist, the function returns FALSE, else it returns TRUE.
It then depends on the specific handler or selector, how it interprets the function’s result “TRUE” or “FALSE.” See Handlers and Preconditions (Selectors).