I see that the AWS Managed Core Rule Set for Amazon Web Services (AWS) Web Application Firewall (WAF) was recently updated by AWS.
Now many rules have 2 variants, one plain and the other ending with "_COUNT". For example: RestrictedExtensions_URIPATH_COUNT and RestrictedExtensions_URIPATH.
This is the page where the rules are documented but it seems the documentation is not updated yet: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
The names suggest that one of them actually filters and the other one counts, but both of them are enabled, and in WAF logs I only see COUNT actions, no BLOCKS. Does anybody know how these two variants work? How do they affect each other? What will be the effect of setting "Override rules action" for each?
COUNT by definition doesn't take any action (used just for logging purposes), so my guess is that they are doing some kind of testing of the rules.
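One way to check from the logs which variant of each rule matched and with which action, as an added example that is not part of the original posts: it reads the ruleGroupList section of AWS WAF log records and tallies actions per plain/_COUNT pair. The sample records are constructed and reduced to the fields used, and `rule_hits` and `tally_variants` are names chosen here.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records (not real traffic), one JSON object per line,
# reduced to the AWS WAF log fields that the functions below read.
SAMPLE_LOG = """\
{"action":"ALLOW","terminatingRuleId":"Default_Action","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"RestrictedExtensions_URIPATH_COUNT","action":"COUNT"}],"excludedRules":null}]}
{"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"RestrictedExtensions_URIPATH","action":"BLOCK"},"nonTerminatingMatchingRules":[],"excludedRules":null}]}
{"action":"ALLOW","terminatingRuleId":"Default_Action","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[],"excludedRules":[{"exclusionType":"EXCLUDED_AS_COUNT","ruleId":"RestrictedExtensions_URIPATH"}]}]}
"""


def rule_hits(record):
    """Yield (rule_id, action) for every rule inside a rule group that matched."""
    for group in record.get("ruleGroupList") or []:
        term = group.get("terminatingRule")
        if term:  # the rule that ended evaluation (e.g. BLOCK)
            yield term["ruleId"], term["action"]
        for rule in group.get("nonTerminatingMatchingRules") or []:
            yield rule["ruleId"], rule["action"]  # matched, evaluation continued
        for rule in group.get("excludedRules") or []:
            # rule matched but its action was overridden in the web ACL
            yield rule["ruleId"], rule["exclusionType"]


def tally_variants(lines, suffix="_COUNT"):
    """Map base rule name -> {"plain": Counter, "count": Counter} of actions."""
    table = defaultdict(lambda: {"plain": Counter(), "count": Counter()})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        for rule_id, action in rule_hits(json.loads(line)):
            if rule_id.endswith(suffix):
                table[rule_id[: -len(suffix)]]["count"][action] += 1
            else:
                table[rule_id]["plain"][action] += 1
    return table


if __name__ == "__main__":
    for base, variants in tally_variants(SAMPLE_LOG.splitlines()).items():
        print(base, "plain:", dict(variants["plain"]), "count:", dict(variants["count"]))
```

Run over real log lines, a pair whose plain variant never shows a BLOCK, or shows only EXCLUDED_AS_COUNT, points at an override in the web ACL rather than at the rule itself.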