I see that the AWS Managed Core Rule Set for Amazon Web Service (AWS) Web Application Firewall (WAF) was recently updated by AWS.
Now many rules have 2 variants, one plain and the other ending with "_COUNT"
For example:
RestrictedExtensions_URIPATH_COUNT
RestrictedExtensions_URIPATH
This is the page where the rules are documented but it seems the documentation is not updated yet: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
The names suggest that one of them actually filters and the other one counts but both of them are enabled and in WAF logs I only see COUNT actions, no BLOCKS. Does anybody know how these two variants work? How do they affect each other? What will be the effect of setting "Override rules action" for each?
COUNT by definition doesn't take any action (used just for logging purpose), so my guess is that they are doing some kind of testing of the rules.