Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF Anomalies

Hello Community.

Im hosting some assets on Synology box. one of it is Synology Drive. Its accessible from WAN - mainly it works as "One Drive".
I have been create a discussion asking for help  https://community.sophos.com/sophos-xg-firewall/f/discussions/131202/waf-inspection

Now when all is setup im seeing thones of false positive warrings in logs. I did tail -f /log/reverseproxy.log it shows:


[Sun Nov 14 21:14:58.253577 2021] [security2:error] [pid 28228:tid 139994878416640] [client SomeIP:64535] [client SomeIP] ModSecurity: Warning. Pattern match "(?i:[\\"'`]\\\\s*?(?:(?:n(?:and|ot)|(?:x?x)?or|between|\\\\|\\\\||and|div|&&)\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?having\\\\s+|like(?:\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?having\\\\s+|\\\\W*?[\\"'`\\\\d])|[^?\\\\w\\\\s=.,;)(]++\\\\s*?[(@\\"'`]*?\\\\s*?\\\\w+\\\\W+\\\\w|\\\\*\\\\s*?\\\\w+\\\\W+[\\"'`])|(?:unio ..." at ARGS:__cIpHeRtExT. [file "/usr/apache/conf/waf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "803"] [id "942260"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \\x22:\\x22cpK5zMwJbAprUmqMxSW9ZgYXsD3CALcCg1XaDKItG6jXPkubN91qQwnmRN6fpp8nANKEXr/i found within ARGS:__cIpHeRtExT: {\\x22rsa\\x22:\\x22cpK5zMwJbAprUmqMxSW9ZgYXsD3CALcCg1XaDKItG6jXPkubN91qQwnmRN6fpp8nANKEXr/iaCDX5DLJy76aOiWBJEXlG5m/3AGwGLeJQi3dLeGEWv PmgJjeReelZ86XrZeNGBopPrYoqZgYR5QaAqGTqEQaFOeEXPjXkS5nktMFZgTbe1 0DsBoi1226Bjd/e5gaZDx7YitGyBy8jXhnDSeNPeIbTuHIZx8d6VaXyq1kwmpqR6fqPVrvqWdKQsU1nEY41pfUeZcUC6mQnybuha2am9TRuWRpebObnukonwlLHYa7djc6vcHDO4NK961ymdaDkwYl5bC7AGEjHAu65kLz2etBZ8pHORJ2kAci6t..."] [severity "CRITICAL"] [ver "OWAS [hostname "FQDN_Name.synology.me"] [uri "/webman/login.cgi"] [unique_id "YZFuQpZ5F@glMrouUzA4UQAAAD8"], referer: FQDN_Name.synology.me:7001/


[Sun Nov 14 21:14:58.254527 2021] [security2:error] [pid 28228:tid 139994878416640] [client SomeIP:64535] [client SomeIP] ModSecurity: Warning. Pattern match "(?i:(?:[\\"'`](?:\\\\s*?(?:is\\\\s*?(?:[\\\\d.]+\\\\s*?\\\\W.*?[\\"'`]|\\\\d.+[\\"'`]?\\\\w)|\\\\d\\\\s*?(?:--|#))|(?:\\\\W+[\\\\w+-]+\\\\s*?=\\\\s*?\\\\d\\\\W+|\\\\|?[\\\\w-]{3,}[^\\\\w\\\\s.,]+)[\\"'`]|[\\\\%&<>^=]+\\\\d\\\\s*?(?:between|like|x?or|and|div|=))|(?i:n?and|x?x?or|div|like|between|not| ..." at ARGS:__cIpHeRtExT. [file "/usr/apache/conf/waf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "941"] [id "942340"] [msg "Detects basic SQL authentication bypass attempts 3/3"] [data "Matched Data: \\x22rsa\\x22:\\x22 found within ARGS:__cIpHeRtExT: {\\x22rsa\\x22:\\x22cpK5zMwJbAprUmqMxSW9ZgYXsD3CALcCg1XaDKItG6jXPkubN91qQwnmRN6fpp8nANKEXr/iaCDX5DLJy76aOiWBJEXlG5m/3AGwGLeJQi3dLeGEWv PmgJjeReelZ86XrZeNGBopPrYoqZgYR5QaAqGTqEQaFOeEXPjXkS5nktMFZgTbe1 0DsBoi1226Bjd/e5gaZDx7YitGyBy8jXhnDSeNPeIbTuHIZx8d6VaXyq1kwmpqR6fqPVrvqWdKQsU1nEY41pfUeZcUC6mQnybuha2am9TRuWRpebObnukonwlLHYa7djc6vcHDO4NK961ymdaDkwYl5bC7AGEjHAu65kLz2etBZ8pHORJ2kAci6tKbqvR1VWu2MMrJJc2MAyTCj shpmMuGVkfrV1U9/5IBGFMe/sJ8IlKlbjNTY2XMSu..."] [severity "CRITICAL"] [ver "OWAS [hostname "FQDN_Name.synology.me"] [uri "/webman/login.cgi"] [unique_id "YZFuQpZ5F@glMrouUzA4UQAAAD8"], referer: FQDN_Name.synology.me:7001/

[Sun Nov 14 21:14:58.255105 2021] [security2:error] [pid 28228:tid 139994878416640] [client SomeIP:64535] [client SomeIP] ModSecurity: Warning. Pattern match "((?:[~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>][^~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>]*?){12})" at ARGS:__cIpHeRtExT. [file "/usr/apache/conf/waf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1255"] [id "942430"] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)"] [data "Matched Data: {\\x22rsa\\x22:\\x22cpK5zMwJbAprUmqMxSW9ZgYXsD3CALcCg1XaDKItG6jXPkubN91qQwnmRN6fpp8nANKEXr/iaCDX5DLJy76aOiWBJEXlG5m/3AGwGLeJQi3dLeGEWv PmgJjeReelZ86XrZeNGBopPrYoqZgYR5QaAqGTqEQaFOeEXPjXkS5nktMFZgTbe1 0DsBoi1226Bjd/e5gaZDx7YitGyBy8jXhnDSeNPeIbTuHIZx8d6VaXyq1kwmpqR6fqPVrvqWdKQsU1nEY41pfUeZcUC6mQnybuha2am9TRuWRpebObnukonwlLHYa7djc6vcHDO4NK961ymdaDkwYl5bC7AGEjHAu65kLz2etBZ8pHORJ2kAci6tKbqvR1VWu2MMrJJc2MAyTCj shpmMuGVkfrV1U9/5IBGFMe/sJ8IlKlbjNTY2XMSueDmHmSNsrzw4Jk5WwLY4XW1uXUjDRI778a56hgGDPFFlNbPjc..."] [severity "WARNING"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi [hostname "FQDN_Name.synology.me"] [uri "/webman/login.cgi"] [unique_id "YZFuQpZ5F@glMrouUzA4UQAAAD8"], referer: FQDN_Name.synology.me:7001/


[Sun Nov 14 21:14:58.255594 2021] [security2:error] [pid 28228:tid 139994878416640] [client SomeIP:64535] [client SomeIP] ModSecurity: Warning. Pattern match "((?:[~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>][^~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>]*?){6})" at ARGS:__cIpHeRtExT. [file "/usr/apache/conf/waf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1526"] [id "942431"] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)"] [data "Matched Data: {\\x22rsa\\x22:\\x22cpK5zMwJbAprUmqMxSW9ZgYXsD3CALcCg1XaDKItG6jXPkubN91qQwnmRN6fpp8nANKEXr/iaCDX5DLJy76aOiWBJEXlG5m/3AGwGLeJQi3dLeGEWv PmgJjeReelZ86XrZeNGBopPrYoqZgYR5QaAqGTqEQaFOeEXPjXkS5nktMFZgTbe1 0DsBoi1226Bjd/e5gaZDx7YitGyBy8jXhnDSeNPeIbTuHIZx8d6VaXyq1kwmpqR6fqPVrvqWdKQsU1nEY41pfUeZcUC6mQnybuha2am9TRuWRpebObnukonwlLHYa7djc6vcHDO4NK961ymdaDkwYl5bC7AGEjHAu65kLz2etBZ8pHORJ2kAci6tKbqvR1VWu2MMrJJc2MAyTCj shpmMuGVkfrV1U9/5IBGFMe/sJ8IlKlbjNTY2XMSueDmHmSNsrzw4Jk5WwLY4XW1uXUjDRI778a56hgGDPFFlNbPjc..."] [severity "WARNING"] [ver "OWASP_CRS/3.2.0"] [tag] [hostname "FQDN_Name.synology.me"] [uri "/webman/login.cgi"] [unique_id "YZFuQpZ5F@glMrouUzA4UQAAAD8"], referer: FQDN_Name.synology.me:7001/


[Sun Nov 14 21:14:58.255666 2021] [security2:error] [pid 28228:tid 139994878416640] [client SomeIP:64535] [client SomeIP] ModSecurity: Warning. Pattern match "\\\\W{4}" at ARGS:__cIpHeRtExT. [file "/usr/apache/conf/waf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1559"] [id "942460"] [msg "Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters"] [data "Matched Data: =\\x22,\\x22 found within ARGS:__cIpHeRtExT: {\\x22rsa\\x22:\\x22cpK5zMwJbAprUmqMxSW9ZgYXsD3CALcCg1XaDKItG6jXPkubN91qQwnmRN6fpp8nANKEXr/iaCDX5DLJy76aOiWBJEXlG5m/3AGwGLeJQi3dLeGEWv PmgJjeReelZ86XrZeNGBopPrYoqZgYR5QaAqGTqEQaFOeEXPjXkS5nktMFZgTbe1 0DsBoi1226Bjd/e5gaZDx7YitGyBy8jXhnDSeNPeIbTuHIZx8d6VaXyq1kwmpqR6fqPVrvqWdKQsU1nEY41pfUeZcUC6mQnybuha2am9TRuWRpebObnukonwlLHYa7djc6vcHDO4NK961ymdaDkwYl5bC7AGEjHAu65kLz2etBZ8pHORJ2kAci6tKbqvR1VWu2MMrJJc2MAyTCj shpmMuGVkfrV1U9/5IBGFMe/sJ8IlKlbjNTY2XMSueDmHmS..."] [severity "WARNING"] [ver "OWASP_CRS/3.2.0"] [tag] [tag] [tag] [tag] [tag] [tag] [tag] [tag] [tag "OWASP_AppSe [hostname "FQDN_Name.synology.me"] [uri "/webman/login.cgi"] [unique_id "YZFuQpZ5F@glMrouUzA4UQAAAD8"], referer: FQDN_Name.synology.me:7001/


[Sun Nov 14 21:14:58.256559 2021] [security2:error] [pid 28228:tid 139994878416640] [client SomeIP:64535] [client SomeIP] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/apache/conf/waf/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 24)"] [severity "CRITICAL"] [tag] [tag] [tag] [tag] [hostname "FQDN_Name.synology.me"] [uri "/webman/login.cgi"] [unique_id "YZFuQpZ5F@glMrouUzA4UQAAAD8"], referer: FQDN_Name.synology.me:7001/

[Sun Nov 14 21:14:58.256718 2021] [security2:error] [pid 28228:tid 139994878416640] [client SomeIP:64535] [client SomeIP] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 24 - SQLI=19,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 13, 6, 0"] [tag] [hostname "FQDN_Name.synology.me"] [uri "/webman/login.cgi"] [unique_id "YZFuQpZ5F@glMrouUzA4UQAAAD8"], referer: FQDN_Name.synology.me:7001/

[Sun Nov 14 21:14:58.246184 2021] timestamp="1636920898" srcip="SomeIP" localip="SomeIP" user="-" method="POST" statuscode="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 24)" exceptions="-" duration="10579" url="/webman/login.cgi" server="FQDN_Name.synology.me:7001" referer="">FQDN_Name.synology.me:7001/" cookie="stay_login=0" set-cookie="-" recvbytes="1797" sentbytes="429" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0" querystring="?enable_syno_token=yes" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="32"

I have pulled IDs (no information what they are meaning)
[id "942460"]
[id "942340"]
[id "942430"]
[id "942431"]
[id "942460"]
[id "949110"]  - acording to sophos its not reccomended to add ths as exception
[id "980130"]  - acording to sophos its not reccomended to add ths as exception.

i thought, ive got two options - add these IDs to exceptions or URL path mentioned below. Im not sure which is more secure or less.

url="/boaform/admin/formLogin"
uri "/webman/login.cgi"
OR
url="/webapi/*"
uri "/webman/*"

screen from configuration:

There maight be a few more. 

What are your thoughts.

Thank you in advanced



This thread was automatically locked due to age.
Parents Reply Children
No Data