**Introducing a new console experience for Amazon WAF**
You can now use the updated experience to access Amazon WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.amazonaws.cn/waf/latest/developerguide/working-with-console.html).
# Using match rule statements in Amazon WAF
This section explains what a match statement is and how it works.
Match statements compare the web request or its origin against criteria that you provide. For many statements of this type, Amazon WAF compares a specific component of the request for matching content.
Match statements are nestable. You can nest any of these statements inside logical rule statements and you can use them in scope-down statements. For information about logical rule statements, see [Using logical rule statements in Amazon WAF](waf-rule-statements-logical.md). For information about scope-down statements, see [Using scope-down statements in Amazon WAF](waf-rule-scope-down-statements.md).
This table describes the regular match statements that you can add to a rule and provides some guidelines for calculating protection pack (web ACL) capacity units (WCU) usage for each. For information about WCUs, see [Web ACL capacity units (WCUs) in Amazon WAF](aws-waf-capacity-units.md).
| Match Statement | Description | WCUs |
| --- | --- | --- |
| [Geographic match](waf-rule-statement-type-geo-match.md) | Inspects the request's country of origin and applies labels for the country and region of origin. | 1 |
| [ASN match](waf-rule-statement-type-asn-match.md) | Inspects the request against an ASN associated with IP addresses and address ranges. | 1 |
| [IP set match](waf-rule-statement-type-ipset-match.md) | Inspects the request against a set of IP addresses and address ranges. | 1 for most cases. If you configure the statement to use a header with forwarded IP addresses and specify a position in the header of Any, then increase the WCUs by 4. |
| [Label match rule statement](waf-rule-statement-type-label-match.md) | Inspects the request for labels that have been added by other rules in the same protection pack (web ACL). | 1 |
| [Regex match rule statement](waf-rule-statement-type-regex-match.md) | Compares a regex pattern against a specified request component. | 3, as a base cost.
If you use the request component **All query parameters**, add 10 WCUs. If you use the request component **JSON body**, double the base cost WCUs. For each **Text transformation** that you apply, add 10 WCUs. |
| [Regex pattern set](waf-rule-statement-type-regex-pattern-set-match.md) | Compares regex patterns against a specified request component. | 25 per pattern set, as a base cost.
If you use the request component **All query parameters**, add 10 WCUs. If you use the request component **JSON body**, double the base cost WCUs. For each **Text transformation** that you apply, add 10 WCUs. |
| [Size constraint](waf-rule-statement-type-size-constraint-match.md) | Checks size constraints against a specified request component. | 1, as a base cost.
If you use the request component **All query parameters**, add 10 WCUs. If you use the request component **JSON body**, double the base cost WCUs. For each **Text transformation** that you apply, add 10 WCUs. |
| [SQLi attack](waf-rule-statement-type-sqli-match.md) | Inspects for malicious SQL code in a specified request component. | 20, as a base cost.
If you use the request component **All query parameters**, add 10 WCUs. If you use the request component **JSON body**, double the base cost WCUs. For each **Text transformation** that you apply, add 10 WCUs. |
| [String match](waf-rule-statement-type-string-match.md) | Compares a string to a specified request component. | The base cost depends on the type of string match and is between 1 and 10.
If you use the request component **All query parameters**, add 10 WCUs. If you use the request component **JSON body**, double the base cost WCUs. For each **Text transformation** that you apply, add 10 WCUs. |
| [XSS scripting attack](waf-rule-statement-type-xss-match.md) | Inspects for cross-site scripting attacks in a specified request component. | 40, as a base cost.
If you use the request component **All query parameters**, add 10 WCUs. If you use the request component **JSON body**, double the base cost WCUs. For each **Text transformation** that you apply, add 10 WCUs. |