
WAF Error - Outbound Anomaly

Hi.

Lately I see the following in my WAF log:

2023:05:24-11:12:03 momgate-2 httpd: id="0299" srcip="199.64.207.44" localip="80.180.251.220" size="429" user="-" host="199.64.207.44" method="POST" statuscode="403" reason="waf" extra="Outbound Anomaly Score Exceeded (score 4): Last Matched Message: The application is not available" exceptions="-" time="603501" url="/Microsoft-Server-ActiveSync" server="momail.mom.com" port="443" query="?Cmd=Ping&User=goolen%40dab.com&DeviceId=SEC1EAC070D70C3C&DeviceType=SamsungDevice" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZG3G00GgjmbgwiTAxSfiVwAAALc"
=iPhone&Cmd=FolderSync" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZG3IAUGgjmbgwiTAxSfinwAAALg"

I have disabled the "Protocol anomalies" in the WAF, but I still get this message.

Any idea or help will be appreciated.

Thanks,
Goldy.



  • Hello Goldy, 

    Good day and thanks for reaching out to Sophos Community

    You may refer to this KBA - Sophos UTM: Troubleshoot Web Application Firewall-related issues: https://support.sophos.com/support/s/article/KB-000036283?language=en_US

    Additionally, a WAF anomaly might be triggered if any of the data, packets or header content matches any of the conditions set in the OWASP core rule set. This could be a false positive or a false negative as well. However, the exact details can be validated by referring to reverseproxy.log and checking the log lines around this anomaly detection. Generally, if the triggered rules are non-infrastructure rules, sometimes bypassing them in the protection policy (https://support.sophos.com/support/s/article/KB-000035267?language=en_US) fixes the issue in general cases.

    Nonetheless, if you want to confirm whether it's safe to bypass that rule or not, you may validate those logs with the team that developed the web app server hosted behind the WAF, so they can look more closely at the detection and confirm whether the anomaly was triggered by a coding-side issue or header-level things, or whether it is just a complete false positive that is safe to add an exception for.

    UTM WAF is based on the ModSecurity Core Rule Set, which you can always refer to here: https://www.netnea.com/cms/core-rule-set-inventory/

    Hope this helps. Many thanks for your time and patience, and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
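To make the "check the log lines around this anomaly detection" step concrete, here is an added triage script (not from the thread and not Sophos code). It parses reverseproxy.log lines in the key="value" layout shown in the question, separates inbound from outbound anomaly blocks, groups them by URL and last-matched message, and pulls the ActiveSync DeviceId out of the query string of each blocked request so the handful of affected phones can be identified. The sample log lines are constructed; the field names follow the line posted above, and the "Inbound Anomaly Score Exceeded (Total Score: N)" wording of the second sample is an assumption about how the inbound variant is logged.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Constructed sample reverseproxy.log lines (RFC 5737 addresses, example.com hosts).
# Field names mirror the UTM WAF line from the question; values are made up.
SAMPLE_LOG = '''\
2023:05:24-11:12:03 gw-2 httpd: id="0299" srcip="198.51.100.10" localip="203.0.113.5" size="429" user="-" host="198.51.100.10" method="POST" statuscode="403" reason="waf" extra="Outbound Anomaly Score Exceeded (score 4): Last Matched Message: The application is not available" exceptions="-" time="603501" url="/Microsoft-Server-ActiveSync" server="mail.example.com" port="443" query="?Cmd=Ping&User=alice%40example.com&DeviceId=DEVICE1&DeviceType=SamsungDevice" referer="-" cookie="-" set-cookie="-" uid="u1"
2023:05:24-11:12:09 gw-2 httpd: id="0299" srcip="198.51.100.11" localip="203.0.113.5" size="300" user="-" host="198.51.100.11" method="GET" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 5): Last Matched Message: Request Missing an Accept Header" exceptions="-" time="1200" url="/owa/" server="mail.example.com" port="443" query="-" referer="-" cookie="-" set-cookie="-" uid="u2"
2023:05:24-11:12:15 gw-2 httpd: id="0299" srcip="198.51.100.12" localip="203.0.113.5" size="1024" user="-" host="198.51.100.12" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="50" url="/owa/" server="mail.example.com" port="443" query="-" referer="-" cookie="-" set-cookie="-" uid="u3"
'''

# One key="value" pair; keys such as set-cookie contain a hyphen.
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Anomaly text as seen in the question ("(score 4)") plus an assumed
# "(Total Score: N)" spelling for the inbound variant.
ANOMALY_RE = re.compile(
    r'(?P<direction>Inbound|Outbound) Anomaly Score Exceeded '
    r'\((?:Total Score: |score )(?P<score>\d+)\)'
    r'(?:: Last Matched Message: (?P<message>.*))?'
)


def parse_line(line):
    """Split one reverseproxy.log line into its timestamp plus key/value fields."""
    head, _, rest = line.partition(' httpd: ')
    fields = dict(KV_RE.findall(rest))
    fields['timestamp'] = head.split(' ', 1)[0]
    return fields


def classify_waf_block(fields):
    """Return (direction, score, last_matched_message) for a WAF block, else None.

    Outbound blocks are scored on the backend's response, so a message like
    "The application is not available" points at what the server sent back,
    not at the client request itself.
    """
    if fields.get('reason') != 'waf':
        return None
    m = ANOMALY_RE.search(fields.get('extra', ''))
    if not m:
        return ('unknown', None, fields.get('extra'))
    return (m['direction'].lower(), int(m['score']), m['message'])


def summarize(log_text):
    """Group WAF blocks by (direction, url, message) with counts, source IPs and scores."""
    summary = defaultdict(lambda: {'count': 0, 'srcips': set(), 'scores': []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        hit = classify_waf_block(fields)
        if hit is None:
            continue
        direction, score, message = hit
        entry = summary[(direction, fields.get('url', '-'), message)]
        entry['count'] += 1
        entry['srcips'].add(fields.get('srcip'))
        if score is not None:
            entry['scores'].append(score)
    return summary


def blocked_activesync_devices(log_text):
    """Count WAF blocks per ActiveSync DeviceId, taken from the request query string."""
    devices = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get('reason') != 'waf' or f.get('url') != '/Microsoft-Server-ActiveSync':
            continue
        params = parse_qs(f.get('query', '').lstrip('?'))
        for dev in params.get('DeviceId', []):
            devices[dev] += 1
    return devices


if __name__ == '__main__':
    for (direction, url, message), entry in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{direction:8} {url:32} x{entry['count']} scores={entry['scores']} "
              f"srcips={sorted(entry['srcips'])} msg={message!r}")
    print('blocked ActiveSync devices:', dict(blocked_activesync_devices(SAMPLE_LOG)))
```

Run it against a real export with `summarize(open('reverseproxy.log').read())`; the outbound group for /Microsoft-Server-ActiveSync shows which response-side message is actually scoring, which is the detail needed when deciding whether a protection-policy exception is justified or whether the backend is simply returning an error page for those devices.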

  • Thanks.
    This issue happened only with ActiveSync, which is the way my internal mail server works with cellphones, and only with a few cellphones. Other than that, all is well.
    Investigating the WAF log, I found the above error with those phones.
    Now I have disabled the "Protocol anomalies" in the WAF configuration, but I still see this error in the log.
