WAF anormaly

Question

Hello everyone. 
 I have enabled a WAF protection policy on my website. 
 And now I have some WAF anomaly. 
 Problem is I can't find the reason of the anomaly. 
 Here is the log that I have in the log viewer : 
 2022-06-18 12:00:41Web server protectionmessageid="17071" log_type="WAF" log_component="Web Application Firewall" user="-" server="xxxxxxxx.xx" src_ip="XX.XX.XX.XX" local_ip="XX.XX.XX.XX" protocol="HTTP/1.1" url="/Account/Login" query_string="" cookie=".AspNetCore.Antiforgery.5C72YkdQ8=CfDJ8H6OqtRk5mFNgR29thUJp93cVi1QP3HZq3pGUzYVcpGakMlIQ; HASH_.AspNetCore.Antiforgery.C72YkdQ8=33980a352d756b691cb3465e67119; expires=Thu, 01 Jan 1970 00:00:00 GMT" referer=" ">https://xxxxxxxxxxxx.xx/xxx" method="POST" response_code="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 5)" content_type="text/html" user_agent="Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36" response_time="7297" bytes_sent="582" bytes_received="3680" fw_rule_id="26" 
 
 How can I determine the origin of the issue ? 
 King regards

Vishal_R · Answer

Hi Service Informatique2 : WAF anomaly may get triggered if any of the data or packets OR the header content gets matched with any of the conditions set in the OWASP core rule sets. This could be a false positive or false negative as well however the exact details can be validated by referring to reverseproxy.log and checking the log lines around this anomaly detection. Generally, if the triggered rules are non-infrastructure rules then sometimes bypassing them in the protection policy fixes the issue for the end-user however if you wanted to confirm is it safe to bypass that rule or not and want to double-check then you may consult the internal Web Server team with those logs who has developed the web app server which is hosted behind the WAF - so they can validate more on the detection part and confirm is it due to any coding side issue or header level things due to which anomaly triggered or just completely false positive which is safe to add an exception. www.netnea.com/.../

njabi · Answer

you see [id "920370] You may have to skip this pattern in the linked protection rule for the web server!

WAF anormaly

Top Replies