Understanding WAF anomaly scoring
Information
Summary:
How can an administrator tell how the rules included with WAF are scored and blocked?
Environment:
Product: LoadMaster
Version: Any
Platform: Any
Application: HTTP/HTTPS
Question/Problem Description:
WAF is enabled on a service, but the administrator needs to know how the rules are scored.
Resolution:
For each request, every triggered detection raises the anomaly score, with most rules having a score of 5. If the cumulative anomaly score per request hits the configured limit, the request will be blocked. The default value is 100 and the allowable range is 1 to 10000.
The logs won't show the anomaly score of each rule, but they do show the associated severity, which can be translated using the following chart:
This link also lists all rules included with WAF and clearly states the severity level and paranoia level of each rule.
Key points within WAF log entries:
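As an added example (not part of the original article and not LoadMaster code), the Python script below sums per-request anomaly scores from logged severities and compares them with the configured limit. It assumes the OWASP Core Rule Set default severity scores (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2) and ModSecurity-style log fields; the sample log lines, `score_requests` and the other names are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: OWASP CRS default severity scores, not values taken from the article.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
# ModSecurity can log the severity as a number instead of a name.
NUMERIC_SEVERITY = {"2": "CRITICAL", "3": "ERROR", "4": "WARNING", "5": "NOTICE"}

# Matches bracketed fields such as [severity "CRITICAL"].
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')

# Constructed sample entries in ModSecurity-style format (not from a real device).
SAMPLE_LOG = """\
ModSecurity: Warning. SQLi detected [id "942100"] [severity "CRITICAL"] [unique_id "req-A"]
ModSecurity: Warning. XSS detected [id "941100"] [severity "2"] [unique_id "req-A"]
ModSecurity: Warning. Numeric Host header [id "920350"] [severity "WARNING"] [unique_id "req-A"]
ModSecurity: Warning. Missing Accept header [id "920300"] [severity "NOTICE"] [unique_id "req-B"]
ModSecurity: Warning. Constructed entry [id "999999"] [severity "BOGUS"] [unique_id "req-B"]
"""

def score_requests(log_text, limit=100):
    """Return {unique_id: (cumulative_score, would_block, [(rule_id, score), ...])}."""
    if not 1 <= limit <= 10000:  # allowable range stated in the article
        raise ValueError("anomaly limit must be between 1 and 10000")
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "unique_id" not in fields or "severity" not in fields:
            continue  # not a rule-match entry
        sev = fields["severity"].upper()
        sev = NUMERIC_SEVERITY.get(sev, sev)
        # Unknown severities add 0 rather than a guessed score.
        score = SEVERITY_SCORE.get(sev, 0)
        hits[fields["unique_id"]].append((fields.get("id", "?"), score))
    result = {}
    for uid, rules in hits.items():
        total = sum(score for _, score in rules)
        # The request is blocked once the cumulative score reaches the limit.
        result[uid] = (total, total >= limit, rules)
    return result

if __name__ == "__main__":
    for uid, (total, blocked, rules) in score_requests(SAMPLE_LOG, limit=10).items():
        print(uid, total, "BLOCK" if blocked else "pass", rules)
```

With the default limit of 100, neither constructed request would be blocked; the demo lowers the limit to 10 to show a request crossing it.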
Notes: False Positive Handling on LoadMaster