Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 9 replies
  • Subscribers 1 subscriber
  • Views 10332 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF exception rules for false positives

BSavage
I'm trying to protect an IIS based web server called Precision BI. 

When SQL injection protection is enabled, a user cannot change their password. When using the XSS protection, and running a search function, we see a 403 error.When using cookie signing, the login page doesn't populate the server and database names field.


I see an option for exceptions for web clients coming from source networks, which is difficult if no impossible for me to use that option. The "Web requests matching this path" exception is interesting, but unsure how to apply it.

I also see Skip WAF rules option, but don't see the rule number in the log. How do you determine the rule that is causing a false positive?


Does anyone have a suggestion on how I can tune the WAF to protect a web server who's standard functionality appears to be blocked with false positives?

In the log I'm seeing:
] Dropping cookie '.ASPXAUTH' from request due to missing/invalid signature, referer: 

ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null).

method="POST" statuscode="403" reason="waf" extra="Anomaly Score Exceeded (score 200): XSS Attack Detected" time="121208"  


Thanks!
Brian


This thread was automatically locked due to age.
  • 0
    From the help
    "Skip WAF Rules: Add WAF rule numbers to this box which you want to skip for the current profile, for example because they return false positives. WAF rule numbers can be retrieved on the Logging & Reporting > Web Application Firewall > Details page, via the Top Rules filter."



    I don't see any stats on this details page, no top rules, top attackers or anything listed here. Shows all 0's
  • 0 in reply to BSavage
    What version of ASG are you using?  The WAF reporting was pretty broken in the 8.3xx releases... I think this is fixed in V9 though.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0
    Brian, I suspect you also should be able to see the rule number(s) in the log file.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    It's on 8.305. Thanks Bob. I'm guessing without the reporting, I can't refine any exception rules because I need a rule ID to disable?
  • 0
    You should be able to see the rule IDs in the log file - there's no issue with that.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    You might need to download the log file and not just use the live log viewer.

    Barry
  • 0 in reply to BarryG
    Hi.

    I have a quit similiar issue.

    We are also getting false positives and need to skip the appropiate waf rule.
    The problem is, that we can't find the rule number. Our log looks like this: 
    2012:08:23-14:38:11 fw01 reverseproxy: [Thu Aug 23 14:38:11 2012] [error] [client 193.169.48.48] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "bt.embex.de"] [uri "/PEX_RSMB/bug_update.php"] [unique_id"UDYkM6wQ-QEAAD6mB7kAAAAH"]


    I tried to insert the unique_id, but the webmin didn't accept it.

    kind rgds
    Luis
  • 0 in reply to LuisMompoHanden
    Luis:

    I'd start an official support case with Sophos (while some Sophos employees do sometimes ramble through this site, they don't consider it a place to start a real support case) -- it doesn't look like a rule was triggered, rather, the PCRE engine that evaluates the data apparently couldn't handle it.... that might be a bug.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0
    Hi.

    I opened a support case and was told to look up the appropriate rule number to add an exeption. 
    You can find die rule number by opening the waf reporting, changing to details and choosing top attackers. After choosing the corresponding IP the rule number is shown.

    cheers
    Luis
Unfiltered HTML