
WAF anomaly

Hello everyone.

I have enabled a WAF protection policy on my website.

And now I have some WAF anomaly.

The problem is that I can't find the reason for the anomaly.

Here is the log that I have in the log viewer:

2022-06-18 12:00:41 Web server protection messageid="17071" log_type="WAF" log_component="Web Application Firewall" user="-" server="xxxxxxxx.xx" src_ip="XX.XX.XX.XX" local_ip="XX.XX.XX.XX" protocol="HTTP/1.1" url="/Account/Login" query_string="" cookie=".AspNetCore.Antiforgery.5C72YkdQ8=CfDJ8H6OqtRk5mFNgR29thUJp93cVi1QP3HZq3pGUzYVcpGakMlIQ; HASH_.AspNetCore.Antiforgery.C72YkdQ8=33980a352d756b691cb3465e67119; expires=Thu, 01 Jan 1970 00:00:00 GMT" referer="https://xxxxxxxxxxxx.xx/xxx" method="POST" response_code="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 5)" content_type="text/html" user_agent="Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36" response_time="7297" bytes_sent="582" bytes_received="3680" fw_rule_id="26"

How can I determine the origin of the issue?

Kind regards

  • Hi: A WAF anomaly may get triggered if any of the data or packets, or the header content, matches any of the conditions set in the OWASP core rule sets. This could be a false positive or a false negative as well; however, the exact details can be validated by referring to reverseproxy.log and checking the log lines around this anomaly detection. Generally, if the triggered rules are non-infrastructure rules, then sometimes bypassing them in the protection policy fixes the issue for the end user. However, if you want to confirm whether it is safe to bypass that rule or not and want to double-check, then you may consult the internal web server team who developed the web app server hosted behind the WAF, sharing those logs with them, so they can validate more on the detection part and confirm whether the anomaly was triggered by a coding-side issue or header-level things, or is just a completely false positive which is safe to add as an exception.

    www.netnea.com/.../

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

  • Here is what I can see in reverseproxy that matches the URL of the false positive on the WAF:

    [Mon Jun 20 09:48:31.701223 2022] [form_hardening:error] [pid 17165:tid 139690019632896] [client xx.xx.xx.xx:35252] Form validation failed: Received unhardened form data, referer: https://mywebsite/

    and

    [Mon Jun 20 09:48:41.022792 2022] [security2:error] [pid 17061:tid 139689692317440] [client xx.xx.xx.xx:35246] [client xx.xx.xx.xx] ModSecurity: Warning. Operator GT matched 400 at ARGS:passwordKey. [file "/usr/apache/conf/waf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "777"] [id "920370"] [msg "Argument value too long"] [data "ARGS:passwordKey=xxx"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag] [tag] [tag] [tag] [tag] [tag] [hostname "website.something"] [uri "/Account/Login"] [unique_id "YrAmWX8AAAEAAEKlBL4AAACS"], referer: https://mywebsite2.something

  • You see [id "920370"]
    You may have to skip this pattern in the linked protection rule for the web server!
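The reverseproxy.log entries above can be read the same way the CRS blocking rule reads them: each matched rule adds its severity's score to the request's inbound anomaly total, and a total at or above the threshold produces the 403 "WAF Anomaly" seen in the log viewer. The following Python is an added example, not code from this thread or from Sophos; it assumes the stock CRS 3.2 severity scores (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2) and the default inbound threshold of 5, and the two log lines it parses are constructed, modelled on the 920370 entry posted above plus a second, lower-severity match on a different request.

```python
import re
from collections import defaultdict

# Assumption: stock CRS 3.2 per-severity scores and inbound threshold.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5

# One [key "value"] field of a ModSecurity error-log entry, and the client address.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
CLIENT_RE = re.compile(r'\[client ([0-9a-fA-F.:]+?)(?::\d+)?\]')

# Constructed sample lines modelled on the reverseproxy.log entry in this thread.
SAMPLE_LOG = """\
[Mon Jun 20 09:48:41.022792 2022] [security2:error] [pid 17061:tid 139689692317440] [client 203.0.113.10:35246] [client 203.0.113.10] ModSecurity: Warning. Operator GT matched 400 at ARGS:passwordKey. [file "/usr/apache/conf/waf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "777"] [id "920370"] [msg "Argument value too long"] [data "ARGS:passwordKey=xxx"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [hostname "website.example"] [uri "/Account/Login"] [unique_id "YrAmWX8AAAEAAEKlBL4AAACS"]
[Mon Jun 20 09:49:02.000001 2022] [security2:error] [pid 17061:tid 139689692317440] [client 203.0.113.11:35300] [client 203.0.113.11] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/apache/conf/waf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920320"] [msg "Missing User Agent Header"] [severity "NOTICE"] [ver "OWASP_CRS/3.2.0"] [hostname "website.example"] [uri "/"] [unique_id "CONSTRUCTED00000000000002"]
"""


def parse_modsec_line(line):
    """Return the [key "value"] fields of one ModSecurity rule-match line, or None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    m = CLIENT_RE.search(line)
    fields["client"] = m.group(1) if m else "-"
    return fields


def score_requests(log_text, threshold=INBOUND_THRESHOLD):
    """Group matches by unique_id and sum their scores as the CRS evaluation rule does."""
    per_request = defaultdict(lambda: {"score": 0, "rules": [], "uri": "", "client": ""})
    for line in log_text.splitlines():
        f = parse_modsec_line(line)
        if not f or "id" not in f:
            continue
        entry = per_request[f.get("unique_id", "?")]
        entry["score"] += SEVERITY_SCORE.get(f.get("severity", ""), 0)
        entry["rules"].append((f["id"], f.get("msg", ""), f.get("data", "")))
        entry["uri"] = f.get("uri", "")
        entry["client"] = f["client"]
    for entry in per_request.values():
        entry["blocked"] = entry["score"] >= threshold  # 403 "WAF Anomaly" when True
    return dict(per_request)


if __name__ == "__main__":
    for uid, s in score_requests(SAMPLE_LOG).items():
        verdict = "BLOCK (403 WAF Anomaly)" if s["blocked"] else "pass"
        print(f"{uid} {s['client']} {s['uri']} total={s['score']} -> {verdict}")
        for rid, msg, data in s["rules"]:
            print(f"    rule {rid}: {msg} {data}")
```

Run against a real reverseproxy.log, the per-request breakdown shows which rule ids made up the reported "Total Score", which is the list to review before skipping a pattern in the protection policy.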
