WAF Rules Allowing Unexpected Requests

Hello,

I am getting some unexpected and unwanted requests (trying to find exploits) that are handled by one of the WAF Rules:

Here's the WAF Rule that is being hit with this traffic:

Here's how it looks in the Event Viewer:

How can I change the WAF rule (or through another rule) so if the traffic doesn't match the published paths (below), it gets dropped (instead of returning an HTTP 403)?

Thanks!

Added TAGs
[edited by: Raphael Alganes at 5:40 AM (GMT -7) on 19 Mar 2024]
  • I don't think this is possible. Although the Sophos GUI allows you to configure both in the same place (WAF and Packet Filter), they are distinct entities. A packet should have already traversed the packet filter (where packet dropping occurs) before reaching the WAF module. An HTTP 403 Forbidden response is essentially the packet filter's REJECT action equivalent. For true packet dropping based on WAF actions, Sophos would need to implement a system that can control the packet filter based on WAF outcomes, similar to how Fail2Ban operates.
    If this functionality is essential, one potential workaround could be analyzing the WAF logs and dynamically generating firewall rules through the API. This would of course involve some external systems to automate the process. Of course this means that the first (few) requests would have to hit the WAF anyway.
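A sketch of the log-driven workaround described in the answer above, added here as an example that is not from the original thread or from Sophos: it parses a constructed, simplified WAF log format (an assumption, not the appliance's real log format), counts WAF 403 responses to paths outside an assumed published-path allowlist per source IP inside a sliding time window, and returns the IPs that cross a Fail2Ban-style threshold. Turning those IPs into firewall block rules through the appliance API is left to the caller, since that API is not shown on the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed, simplified WAF log format (assumption, not Sophos' real format):
# <ISO timestamp> srcip=<ip> method=<m> url="<path>" status=<code>
LOG_RE = re.compile(r'^(?P<ts>\S+) srcip=(?P<ip>\S+) method=\S+ '
                    r'url="(?P<path>[^"]*)" status=(?P<status>\d+)')

# Hypothetical published paths; anything else counts as an unexpected request.
PUBLISHED_PATHS = ("/app/", "/api/v1/")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["ip"], m["path"], int(m["status"])

def is_published(path):
    return any(path.startswith(p) for p in PUBLISHED_PATHS)

def find_offenders(lines, threshold=3, window=timedelta(minutes=10)):
    """IPs with >= threshold WAF 403s on unpublished paths inside `window`.
    The caller would hand each IP to the appliance API for a block rule."""
    hits = defaultdict(deque)   # ip -> timestamps of recent offending hits
    offenders = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, path, status = rec
        if status != 403 or is_published(path):
            continue            # only WAF blocks on unexpected paths count
        q = hits[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()         # expire hits older than the window
        if len(q) >= threshold and ip not in offenders:
            offenders.append(ip)
    return offenders
# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2024-03-19T12:40:01Z srcip=203.0.113.7 method=GET url="/.env" status=403
2024-03-19T12:40:02Z srcip=203.0.113.7 method=GET url="/wp-login.php" status=403
2024-03-19T12:40:05Z srcip=198.51.100.4 method=GET url="/app/index.html" status=200
2024-03-19T12:40:09Z srcip=203.0.113.7 method=POST url="/cgi-bin/test" status=403
2024-03-19T12:41:00Z srcip=198.51.100.4 method=GET url="/api/v1/status" status=403
2024-03-19T13:30:00Z srcip=192.0.2.9 method=GET url="/phpmyadmin/" status=403
""".splitlines()
```

Running `find_offenders(SAMPLE_LOG)` on the constructed log returns only the address that hit three unpublished paths within ten minutes; the single 403 on a published path is ignored on purpose, because the question is about traffic outside the published paths.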