A WAF rule can be disabled or “whitelisted” by creating a custom rule and assigning that rule to the appropriate WAF-enabled Virtual Service.
To disable a rule, we need to know the rule ID and the associated rule file. This information can be found in the WAF Audit Logs under System Configuration > Logging Options > Extended Log Files. The WAF Audit Log snippet below indicates that a rule has been triggered. The parts of the log message we are concerned with for the purpose of this article are explained after the snippet.
[16/Jul/2015:08:09:57 --0700] [172.16.91.15/sid#6ace20][rid#14ac570][/Login.aspx] Access denied with connection close (phase 1). String match "GET" at REQUEST_METHOD. [file "/tmp/waf/6/modsecurity_slr_45_iis_attacks.conf"] [line "9"] [id "2100097"] [msg "SLR: Microsoft IIS ASP.net Auth Bypass / Canonicalization"] [data "GET"] [severity "CRITICAL"] [tag "http://www.cvedetails.com/cve/CVE-2004-0847/"]
Access denied with connection close – indicates the action taken by the LoadMaster.
iis_attacks.conf – the rule file corresponding to the entry in the Assigned Rules under WAF Options.
2100097 – the rule ID.
The directive used to disable a rule has the following syntax:
SecRuleRemoveById ID ID RANGE
The parts have the following meanings:
- ID specifies the single rule that will be disabled.
- ID RANGE specifies a range of rules that will be disabled, for example “9000-9010”.
The steps below illustrate the rule creation and implementation using the rule ID of 2100097 and the iis_attacks rule file for example purposes:
- Create a file in your text editor, for example z_rule(s).conf, and add the line SecRuleRemoveById 2100097 to it.
- Import this file z_rule(s).conf to the LoadMaster as a Custom Rule.
- The z_rule(s).conf file is now available for selection under WAF Options > Available Rules in the Virtual Service settings.
- Select the iis_attacks file and move it back to the Available Rules section and hit the Assign Rules button.
- Select the z_rules rule and move it to the Assigned Rules section and hit the Assign Rules button.
- Select the iis_attacks configuration file and move it to the Assigned Rules section and hit the Assign Rules button.
The SecRuleRemoveById rule is now installed and the corresponding rule ID has been removed from the WAF rules processing engine.
The WAF engine will no longer trigger for this rule ID.
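As an added example (not part of the original article or of the LoadMaster product), the Python script below extracts the rule file and rule ID from audit log entries in the format shown above and builds the contents of the custom rule file. The function names are hypothetical; the sample input is the log entry quoted in this article plus one constructed line that contains no rule.

```python
import re

# Bracketed key/value fields as they appear in an audit log entry, e.g. [id "2100097"].
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# Sample input: the entry quoted in this article, repeated once, and a
# constructed line without any rule fields.
SAMPLE_ENTRY = (
    '[16/Jul/2015:08:09:57 --0700] [172.16.91.15/sid#6ace20][rid#14ac570]'
    '[/Login.aspx] Access denied with connection close (phase 1). '
    'String match "GET" at REQUEST_METHOD. '
    '[file "/tmp/waf/6/modsecurity_slr_45_iis_attacks.conf"] [line "9"] '
    '[id "2100097"] [msg "SLR: Microsoft IIS ASP.net Auth Bypass / Canonicalization"] '
    '[data "GET"] [severity "CRITICAL"] '
    '[tag "http://www.cvedetails.com/cve/CVE-2004-0847/"]'
)
SAMPLE_LOG = [SAMPLE_ENTRY, "constructed line with no rule fields", SAMPLE_ENTRY]


def parse_entry(line):
    """Return rule file name, rule ID and message for one entry, or None."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)  # keep the first value if a key repeats
    rule_id = fields.get("id", "")
    if not rule_id.isdigit():  # never emit a directive for a malformed ID
        return None
    return {
        "id": rule_id,
        "file": fields.get("file", "").rsplit("/", 1)[-1],
        "msg": fields.get("msg", ""),
    }


def triggered_rules(lines):
    """Map each distinct rule ID seen in the log to its parsed entry."""
    rules = {}
    for line in lines:
        entry = parse_entry(line)
        if entry is not None:
            rules.setdefault(entry["id"], entry)
    return rules


def build_custom_rule(rules):
    """Return the custom rule file text: one SecRuleRemoveById line per rule ID."""
    return "".join(f"SecRuleRemoveById {rid}\n" for rid in sorted(rules, key=int))


if __name__ == "__main__":
    found = triggered_rules(SAMPLE_LOG)
    for rid, entry in found.items():
        print(f"{rid}  {entry['file']}  {entry['msg']}")  # review before disabling
    print(build_custom_rule(found), end="")
```

Review the printed rule file and message for each ID before importing the generated text as a Custom Rule, so that only rules confirmed as false positives are disabled.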