
WAF false positives

Hello fellow forum users

I had problems with false positives in the WAF that made connecting to my Microstrategy DEV server impossible.
I found a link https://community.sophos.com/kb/en-us/123406 which made a suggestion to skip the following filter options:

  • 951173
  • 960010
  • 960015
  • 960018
  • 960032
  • 970901
  • 981176
  • 981200
  • 981203
  • 981204
  • 981205

Afterwards, I had no more problems and my website was working splendidly. What worries me though is:

  • How safe is skipping these filter options?

Any input/suggestion is highly appreciated



  • I have found that all my WAF sites require skipping some rules, and that getting a complete list from clean-traffic testing is difficult.

    If you enable the rule and test again, the WAF log files have details about why each rule fires.   Often it is a suspicious character sequence, so I think the risk is necessary, and minimal, because your site handles it as legitimate traffic.

    Not that the log files are easy to read.  You are looking for [id 999999], where 999999 represents the rule number.


  • Thanks Douglas,

    In the end I have scoured through the WAF logs; every time a false positive was detected I added it to the skipped rules, and now my list looks something like:

    • 981173
    • 981172
    • 981245
    • 981246
    • 950901
    • 981243
    • 960017
    • 981242
    • 973302
    • 960024
    • 981001
    • 981200
    • 981205
    • 981247
    • 973338
    • 981204
    • 950109
    • 973304
    • 981176
    • 970901
    • 970003
    • 981257
    • 973347

    Now everything is working correctly.
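As an added example (not part of this thread, and not Sophos's own tooling): a small Python script that pulls the `[id "..."]`, `[msg "..."]` and `[uri "..."]` tags out of ModSecurity-style WAF log lines, as Douglas describes, tallies which rules fire on which URIs, and compares a proposed skip list such as the ones above against what the log actually shows. The sample log lines are constructed to mimic the Sophos UTM reverse-proxy log; the exact wording on a given UTM version is an assumption, so the parser relies only on the bracketed tags.

```python
import re
from collections import defaultdict

# Constructed sample lines in ModSecurity's error-log style (as used by the Sophos UTM
# reverse proxy log); not real entries from the thread, and the exact layout may differ.
SAMPLE_LOG = """\
2016:02:01-09:12:03 utm reverseproxy: [client 10.0.0.5] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [uri "/MicroStrategy/servlet/mstrWeb"]
2016:02:01-09:12:03 utm reverseproxy: [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "ERROR"] [uri "/MicroStrategy/servlet/mstrWeb"]
2016:02:01-09:12:41 utm reverseproxy: [client 10.0.0.5] ModSecurity: Warning. Pattern match at ARGS:evt. [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [uri "/MicroStrategy/servlet/mstrWeb"]
2016:02:01-09:13:07 utm reverseproxy: [client 10.0.0.5] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [uri "/MicroStrategy/images/logo.png"]
"""

# Quotes are optional so the unquoted "[id 999999]" form mentioned in the thread also parses.
TAG_RE = re.compile(r'\[(id|msg|severity|uri) "?([^"\]]*)"?\]')

def parse_line(line):
    """Return the ModSecurity tag fields of one log line as a dict (empty if none)."""
    return {key: value for key, value in TAG_RE.findall(line)}

def summarize(log_text):
    """Tally how often each rule id fired, with its message and the URIs it matched on."""
    summary = defaultdict(lambda: {"count": 0, "msg": "", "uris": set()})
    for line in log_text.splitlines():
        fields = parse_line(line)
        if "id" not in fields:
            continue
        entry = summary[fields["id"]]
        entry["count"] += 1
        entry["msg"] = fields.get("msg", entry["msg"])
        if "uri" in fields:
            entry["uris"].add(fields["uri"])
    return dict(summary)

def review_skip_list(summary, skip_ids):
    """Split a proposed skip list into rules that fired (check those URIs are legitimate traffic
    before skipping), rules that never fired (no evidence they are needed), and rules still active."""
    fired = {rid: summary[rid] for rid in skip_ids if rid in summary}
    unseen = sorted(rid for rid in skip_ids if rid not in summary)
    still_active = sorted(rid for rid in summary if rid not in skip_ids)
    return fired, unseen, still_active

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    fired, unseen, still_active = review_skip_list(stats, ["960015", "981176", "981200"])
    for rid, entry in sorted(fired.items()):
        print(f"{rid} fired {entry['count']}x: {entry['msg']} on {sorted(entry['uris'])}")
    print("in skip list but never fired:", unseen)
    print("fired but not skipped:", still_active)
```

Run it against a copy of the real reverse-proxy log instead of SAMPLE_LOG to see, per rule, which requests each skipped id would have blocked.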