Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

How to disable or remove a Specific WAF Rule

This guide outlines the available methods to remove specific WAF Rules. This can be achieved by disabling the entire rule or by creating a more specific custom rule. 

Removing a WAF Rules using the GUI:

Navigate to Virtual Service's > View/Modify Services. Select Modify on the WAF enabled VS. Expand the WAF options. Select the collection of rules, where your specific rule is located. In this example we have selected scanner-detection, which expands to reveal all the rules available. We have unchecked the rule ID 913100 and clicked apply. This rule is now disabled.

disabling_a_waf_rule.png

 

Alternative method of removing a specific Rule by ID:

A WAF rule can be disabled or “whitelisted” by creating a Custom Rule and assigning that rule to the appropriate WAF enabled Virtual Service.

To disable a rule, we need to know the rule ID and the associated rule file. This information will be found in the WAF Audit Logs under System Configuration > Logging Options > Extended Log Files. The WAF Audit Log snippet below indicates that a rule has been triggered. The parts of the log message we are concerned with for the purpose of this article have been highlighted.

2021-04-09T14:48:05+00:00 lb100 wafd: [client 10.35.56.24] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 15 at TX:anomaly_score. [file "/tmp/waf/2/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 19)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.35.56.31"] [uri "/drupal/index.php/contextual/render"] [unique_id "3de20800-e006-4d5c-856c-15279227f84b"]

 

Access denied with code 403 – indicates the action taken by the LoadMaster.

iis_attacks.conf – the rule file corresponding to the entry in the Assigned Rules under WAF Options.

949110 – the rule ID.

Rule Format: 

SecRuleRemoveById ID ID RANGE

 We can break the rule down into the explanation below.

  1. ID specifies the specific rule that will be disabled.
  2. ID RANGE specifies a range of rules that will be disabled, for example “9000-9010”.

The steps below illustrate the rule creation and implementation using the rule ID of 949110 and the iis_attacks rule file for example purposes:

  1. Create a file in your text editor, for example z_rule(s).conf, and add the line SecRuleRemoveById 949110 to it.
  2. Import this file z_rule(s).conf to the LoadMaster as a Custom Rule.
  3. The z_rule(s).conf file is now available for selection under WAF > Managed Rules > Custom Rules in the Virtual Service settings.
  4. Check the box for the z_rules rule and select Apply.

The SecRuleRemoveById rule is now installed, and the corresponding rule ID removed from the WAF rules processing engine.

The WAF engine will no longer trigger for this rule id.


Comments