Understanding WAF anomaly scoring
How can an administrator tell how the rules included with WAF are scored and blocked?
WAF is enabled on a service, and the administrator needs to know how the rules are scored.
Steps to Reproduce:
For each request, every triggered detection raises the anomaly score; most rules have a score of 5. If the cumulative anomaly score for a request reaches the configured limit, the request is blocked. The default limit is 100 and the allowable range is 1 to 10000.
The logs won't show the anomaly score of each rule, but they will show the associated severity, which can be translated using the following chart:
This link also lists all rules included with WAF and clearly states the severity level and paranoia level of each.
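To see how per-request scores accumulate against the limit, the following added example (not part of the original article or the product) sums severity-based scores per request from constructed log entries. The entry layout, the rule and request ids, and the severity-to-score values (taken from the OWASP CRS defaults) are assumptions.

```python
import re
from collections import defaultdict

# Assumption: severity-to-score values are the OWASP CRS defaults; the
# article itself only states that most rules score 5.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
DEFAULT_LIMIT = 100        # default blocking limit stated in the article
LIMIT_RANGE = (1, 10000)   # allowable range stated in the article

# Constructed sample entries: the bracketed-tag layout, rule ids and
# request ids are hypothetical, not copied from a real WAF log.
SAMPLE_LOG = """\
[id "EXAMPLE-1"] [severity "CRITICAL"] [unique_id "req-A"]
[id "EXAMPLE-2"] [severity "CRITICAL"] [unique_id "req-A"]
[id "EXAMPLE-3"] [severity "WARNING"] [unique_id "req-A"]
[id "EXAMPLE-4"] [severity "NOTICE"] [unique_id "req-B"]
[id "EXAMPLE-1"] [severity "CRITICAL"] [unique_id "req-C"]
[id "EXAMPLE-5"] [severity "ERROR"] [unique_id "req-C"]
"""

TAG = re.compile(r'\[(\w+) "([^"]*)"\]')


def score_requests(log_text):
    """Return {request id: cumulative anomaly score} for the log entries."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        tags = dict(TAG.findall(line))
        if "unique_id" not in tags or "severity" not in tags:
            continue  # not a rule-match entry
        severity = tags["severity"].upper()
        if severity not in SEVERITY_SCORE:
            # Fail loudly rather than silently under-count a request.
            raise ValueError(f"no score mapped for severity {severity!r}")
        totals[tags["unique_id"]] += SEVERITY_SCORE[severity]
    return dict(totals)


def blocked_requests(log_text, limit=DEFAULT_LIMIT):
    """Return ids of requests whose score reaches the configured limit."""
    low, high = LIMIT_RANGE
    if not low <= limit <= high:
        raise ValueError(f"limit must be between {low} and {high}")
    scores = score_requests(log_text)
    return sorted(rid for rid, total in scores.items() if total >= limit)


if __name__ == "__main__":
    print(score_requests(SAMPLE_LOG))
    print(blocked_requests(SAMPLE_LOG, limit=10))
```

With the default limit of 100, none of these sample requests would be blocked; lowering the limit to 10 blocks only req-A.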
Key points within WAF log entries:
Notes: False Positive Handling on LoadMaster