WAF Error - Outbound Anomaly

Goldy 13 days ago

Hi.

Lately I see the following in my WAF log:

2023:05:24-11:12:03 momgate-2 httpd: id="0299" srcip="199.64.207.44" localip="80.180.251.220" size="429" user="-" host="199.64.207.44" method="POST" statuscode="403" reason="waf" extra="Outbound Anomaly Score Exceeded (score 4): Last Matched Message: The application is not available" exceptions="-" time="603501" url="/Microsoft-Server-ActiveSync" server="momail.mom.com" port="443" query="?Cmd=Ping&User=goolen%40dab.com&DeviceId=SEC1EAC070D70C3C&DeviceType=SamsungDevice" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZG3G00GgjmbgwiTAxSfiVwAAALc" =iPhone&Cmd=FolderSync" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZG3IAUGgjmbgwiTAxSfinwAAALg"

I have disabled the "Protocol anomalies" in the WAF, but I still get this message.

Any Idea or help will be appreciate.

Thanks,
Goldy.

1
[edited by: Goldy at 12:04 PM (GMT -7) on 24 May 2023]

Parents

0 Raphael Alganes 13 days ago

Hello Goldy,

Good day and thanks for reaching out to Sophos Community

You may refer to this KBA - Sophos UTM: Troubleshoot Web Application Firewall-related issues: https://support.sophos.com/support/s/article/KB-000036283?language=en_US

Additionally, WAF anomaly might be triggered if any of the data, packets or the header content gets matched with any of the conditions set in the OWASP core rule sets. This could be a false positive or false negative as well. However, the exact details can be validated by referring to reverseproxy.log and checking the log lines around this anomaly detection. Generally, if the triggered rules are non infrastructure rules then sometimes bypassing them in the protection policy: https://support.sophos.com/support/s/article/KB-000035267?language=en_US which in general cases fixes the issue.

Nonetheless, if you wanted to confirm if it's safe to bypass that rule or not you may validate with your team with those logs who has developed the web app server which is hosted behind the WAF - so they can validate more on the detection part and confirm is it due to any coding side issue or header level things due to which anomaly triggered or just completely false positive which is safe to add an exception.

UTM WAF is based on Mod Security Corerule set which you can always refer here: https://www.netnea.com/cms/core-rule-set-inventory/

Hope this helps. Many thanks for your time and patience and thank you for choosing Sophos

Cheers,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Goldy 13 days ago in reply to Raphael Alganes

Thanks.
This issue happened only with Activesync, which is the way my internal mail server works with cellphone, and only with a few cellphones. Out of it - all is well
Investigating the WAF log I have found the above error with those phones.
Now I disabled the "Protocol anomalies" in the WAF configuration, but I still see this error on the log.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Goldy 13 days ago in reply to Raphael Alganes

Thanks.
This issue happened only with Activesync, which is the way my internal mail server works with cellphone, and only with a few cellphones. Out of it - all is well
Investigating the WAF log I have found the above error with those phones.
Now I disabled the "Protocol anomalies" in the WAF configuration, but I still see this error on the log.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data