WAF Rules Allowing Unexpected Requests

cm00001 1 month ago

Hello,

I am getting some unexpected and unwanted requests (trying to find exploits) that are handled by one of the WAF Rules:

Here's the WAF Rule that is being it with this traffic:

Here's how it looks in the Event Viewer:

How can I change the WAF rule (or through another rule) so if the traffic doesn't match the published paths (below), it gets dropped (instead of returning an HTTP 403)?

Thanks!

Added TAGs
[edited by: Raphael Alganes at 5:40 AM (GMT -7) on 19 Mar 2024]

Top Replies

dtconnect 1 month ago +2 verified

I don't think this is possible. Although the Sophos GUI allows you to configure both in the same place (WAF and Packet Filter), they are distinct entities. A packet should have already traversed the packet…

+1 dtconnect 1 month ago

I don't think this is possible. Although the Sophos GUI allows you to configure both in the same place (WAF and Packet Filter), they are distinct entities. A packet should have already traversed the packet filter (where packet dropping occurs) before reaching the WAF module. An HTTP 403 Forbidden response is essentially the packet filter's REJECT action equivalent. For true packet dropping based on WAF actions, Sophos would need to implement a system that can control the packet filter based on WAF outcomes, similar to how Fail2Ban operates.

If this functionality is essential, one potential workaround could be analyzing the WAF logs and dynamically generating firewall rules through the API. This would of course involve some external systems to automate the process. Of course this means, that the first (few) requests would have to hit the WAF anyway.
Cancel
Vote Up +2 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 cm00001 1 month ago

Thanks Raphael. I understand.

If I enable country blocking on this rule, will the traffic coming from a blocked country be rejected or dropped?

Is there anything else (from the security standpoint) that I could put in place to better handle this (outside any complex automation as you described)?

Just want to have peace of mind that I am locking this down as much as I possibly can.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 cm00001 1 month ago in reply to cm00001

Bumping this up..

Is there anything else (from the security standpoint) that I could put in place to better handle this (outside any complex automation as you described)? Just want to have peace of mind that I am locking this down as much as I possibly can.

Thanks!
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LuCar Toni 1 month ago in reply to cm00001

Essentially no - You could add GEO IP blocking, if you think, this will increase something, but nowadays attacks are not based on IP geo locations.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 dtconnect 1 month ago in reply to cm00001

I'm afraid, there isn't much more you can do without increasing complexity. If you got some $$$ then another / additional vendor product might help - but in the end, this will increase complexity as well...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 cm00001 1 month ago in reply to cm00001

Thank you all. I think I'll still enable the Geo-Blocking. It bothers me to see requests from many parts of the world being answered as HTTP 403. All of these are not legitimate attempts (in the last 5 days):
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 dtconnect 1 month ago in reply to cm00001

Just one more thing: If you activate Country Blocking in the WAF rule, you'll still receive a 403 response. If your aim is to genuinely block or drop traffic from specific countries, then consider using BlackHole NAT—a NAT rule that directs to a non-existent host. For more details, you might want to check this link:

https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/FirewallRules/FirewallRulesBlackHoleDNATRuleCreate/index.html

As a potential target, I suggest selecting a host within the 192.0.2.0/24 range, as outlined in RFC 5735. It's worth noting, though, that the NAT rule is not connected to your WAF Rule and, as such, cannot be employed to filter by country exclusively for certain domains or URLs. Instead, it will apply the country filter to all traffic that matches the NAT rule's criteria.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel