Kemp Support, how can we help?


Understanding WAF anomaly scoring

Information

Summary:

How can an administrator tell how the rules included with WAF are scored and blocked?

Environment:

Product: LoadMaster

Version: Any

Platform: Any

Application: HTTP/HTTPs

Question/Problem Description:

WAF is enabled on a service, but the administrator needs to know how the rules are scored and when a request is blocked.

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause:  
Resolution:

For each request, every triggered detection adds its rule's anomaly score to a running total for that request; most rules have a score of 5. If the cumulative anomaly score for a request reaches the configured limit, the request is blocked. The default limit is 100, and the allowable range is 1 to 10000.

 

The logs won't show the anomaly score of each rule, but they do show the severity associated with the rule, which can be translated to a score using the following chart:

Severity Level    Default Anomaly Score
CRITICAL          5
ERROR             4
WARNING           3
NOTICE            2

For instance, a WAF event log entry may contain [severity "WARNING"], which means that the anomaly score for that rule is 3. The anomaly histogram shown in the LoadMaster is simply the sum of the triggered rules' anomaly scores for the request (the request's anomaly level), not the individual score of each rule.

This link also lists all rules included with WAF and states each rule's severity level and paranoia level in a very clear manner.
Key points within WAF log entries:

  • id "932105" indicates which rule was triggered. In this case, this is "Remote Command Execution: Unix Command Injection".
  • client x.x.x.x indicates the IP address that made the request to the service that triggered the rule.
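The following script is an added example (not Kemp's code and not part of this article) that applies the scoring rule and the severity chart above to WAF log entries. It reads the bracketed fields the article describes (id "...", [severity "..."], client x.x.x.x), maps each severity to its default anomaly score, sums the scores per request and compares the total with the configured limit (default 100). The log lines are constructed samples in a ModSecurity-style layout; the [unique_id "..."] field used to group entries into requests and the rule ids 999001/999002 are assumptions for illustration (only 932105 comes from the article). Rule id 932105 is shown with severity CRITICAL.

```python
import re
from collections import defaultdict

# Default anomaly score per severity level, from the article's chart.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

# Default anomaly limit on LoadMaster; the allowable range is 1 to 10000.
DEFAULT_THRESHOLD = 100

# Bracketed, quoted fields such as [id "932105"] or [severity "WARNING"].
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# The client field is unquoted: [client 203.0.113.5]
CLIENT_RE = re.compile(r'\[client ([0-9a-fA-F.:]+)\]')

# Constructed sample log lines (not real LoadMaster output). Two entries
# belong to the same request (req-1); one belongs to another (req-2).
SAMPLE_LOG = [
    '[client 203.0.113.5] ModSecurity: Warning. Pattern match. '
    '[id "932105"] [msg "Remote Command Execution: Unix Command Injection"] '
    '[severity "CRITICAL"] [unique_id "req-1"]',
    '[client 203.0.113.5] ModSecurity: Warning. Pattern match. '
    '[id "999001"] [msg "Constructed sample rule"] '
    '[severity "WARNING"] [unique_id "req-1"]',
    '[client 198.51.100.7] ModSecurity: Warning. Pattern match. '
    '[id "999002"] [severity "NOTICE"] [unique_id "req-2"]',
    'unrelated log line with no rule fields',
]


def parse_entry(line):
    """Extract client, rule id, severity, message and request id from one
    log line. Returns None when the line carries no rule id or severity."""
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields or "severity" not in fields:
        return None
    client = CLIENT_RE.search(line)
    return {
        "client": client.group(1) if client else None,
        "rule_id": fields["id"],
        "severity": fields["severity"].upper(),
        "msg": fields.get("msg"),
        # unique_id is an assumed field; fall back to the client address.
        "request": fields.get("unique_id") or (client.group(1) if client else "unknown"),
    }


def score_requests(lines, threshold=DEFAULT_THRESHOLD):
    """Sum the default anomaly score of every triggered rule per request
    and flag requests whose total reaches the configured limit."""
    per_request = defaultdict(lambda: {"client": None, "rules": [], "score": 0})
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        req = per_request[entry["request"]]
        req["client"] = entry["client"]
        req["rules"].append((entry["rule_id"], entry["severity"]))
        # Unknown severities contribute 0 rather than raising.
        req["score"] += SEVERITY_SCORE.get(entry["severity"], 0)
    for req in per_request.values():
        req["blocked"] = req["score"] >= threshold
    return dict(per_request)


if __name__ == "__main__":
    for limit in (DEFAULT_THRESHOLD, 5):
        print(f"anomaly limit = {limit}")
        for rid, req in score_requests(SAMPLE_LOG, threshold=limit).items():
            state = "BLOCKED" if req["blocked"] else "allowed"
            print(f"  {rid}: client={req['client']} score={req['score']} "
                  f"rules={req['rules']} -> {state}")
```

With the default limit of 100, req-1 scores 5 + 3 = 8 and is allowed, which is why a single CRITICAL hit rarely blocks a request on its own; lowering the limit to 5 in the second pass shows the same request being blocked while req-2 (score 2) still passes. Summing the rules' scores this way reproduces the per-request anomaly level that the LoadMaster histogram reports.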
Workaround:  
Notes: False Positive Handling on LoadMaster
