How to disable or remove a Specific WAF Rule
This guide outlines the available methods to remove specific WAF Rules, either via the Web user interface or by creating a Custom WAF Rule.
Removing a specific WAF rule using the GUI:
Remove the rule according to its Rule ID.
An alternative method of removing a specific rule by ID:
A WAF rule can be disabled or “whitelisted” by creating a custom rule and assigning that rule to the appropriate WAF-enabled Virtual Service.
To disable a rule, we need to know the rule ID and the associated rule file. This information can be found in the WAF Audit Logs under System Configuration > Logging Options > Extended Log Files. The WAF Audit Log snippet below indicates that a rule has been triggered. The parts of the log message relevant to this article are listed after the snippet.
2021-04-09T14:48:05+00:00 lb100 wafd: [client 10.35.56.24] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 15 at TX:anomaly_score. [file "/tmp/waf/2/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 19)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.35.56.31"] [uri "/drupal/index.php/contextual/render"] [unique_id "3de20800-e006-4d5c-856c-15279227f84b"]
Access denied with code 403 – indicates the action taken by the LoadMaster.
iis_attacks.conf – the rule file corresponding to the entry in the Assigned Rules under WAF Options.
949110 – the rule ID.
The custom rule uses the SecRuleRemoveById directive, which has the following syntax:
SecRuleRemoveById ID ID RANGE
The parts have the following meanings:
- ID specifies the rule that will be disabled.
- ID RANGE specifies a range of rules that will be disabled, for example “9000-9010”.
The steps below illustrate the rule creation and implementation using the rule ID of 949110 and the iis_attacks rule file for example purposes:
- Create a file in your text editor, for example z_rule(s).conf, and add the line SecRuleRemoveById 949110 to it.
- Import this file z_rule(s).conf to the LoadMaster as a Custom Rule.
- The z_rule(s).conf file is now available for selection under WAF Options > Available Rules in the Virtual Service settings.
- Select the iis_attacks file, move it back to the Available Rules section, and click Assign Rules.
- Select the z_rules rule, move it to the Assigned Rules section, and click Assign Rules.
- Select the iis_attacks configuration file, move it to the Assigned Rules section, and click Assign Rules.
The SecRuleRemoveById rule is now installed, and the corresponding rule ID is removed from the WAF rules processing engine.
The WAF engine will no longer trigger for this rule ID.
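The lookup and file-creation steps above can be scripted. The following Python sketch is an added example, not LoadMaster or vendor code: it pulls the action, rule file and rule ID out of an audit log entry and builds the SecRuleRemoveById line for the custom rule file, refusing anything that is not a numeric ID or ID range. The function names parse_entry and removal_directive are hypothetical.

```python
import re

# The audit log entry from the article (some tag/ver fields omitted for brevity).
SAMPLE = (
    '2021-04-09T14:48:05+00:00 lb100 wafd: [client 10.35.56.24] ModSecurity: '
    'Access denied with code 403 (phase 2). Operator GE matched 15 at '
    'TX:anomaly_score. [file "/tmp/waf/2/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 19)"] '
    '[severity "CRITICAL"] [tag "application-multi"] [tag "attack-generic"] '
    '[hostname "10.35.56.31"] [uri "/drupal/index.php/contextual/render"]'
)

ACTION = re.compile(r'ModSecurity: ([^.\[]+)')          # text up to the first full stop
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')    # [key "value"] pairs
ID_OR_RANGE = re.compile(r'(\d+)(?:-(\d+))?')           # 949110 or 9000-9010


def parse_entry(line):
    """Return the fields of one ModSecurity log entry, or None if it is not one."""
    action = ACTION.search(line)
    if action is None:
        return None
    entry = {"action": action.group(1).strip(), "tags": []}
    for key, value in FIELD.findall(line):
        if key == "tag":
            entry["tags"].append(value)      # tag repeats, keep every value
        else:
            entry.setdefault(key, value)     # first occurrence wins
    # Rule file name as listed under WAF Options, without the temporary path.
    entry["rule_file"] = entry.get("file", "").rsplit("/", 1)[-1]
    return entry


def removal_directive(*targets):
    """Build the SecRuleRemoveById line, accepting only rule IDs and ID ranges."""
    if not targets:
        raise ValueError("at least one rule ID is required")
    for target in targets:
        match = ID_OR_RANGE.fullmatch(target)
        if match is None:
            raise ValueError(f"not a rule ID or range: {target!r}")
        if match.group(2) and int(match.group(1)) > int(match.group(2)):
            raise ValueError(f"reversed range: {target!r}")
    return "SecRuleRemoveById " + " ".join(targets)


if __name__ == "__main__":
    entry = parse_entry(SAMPLE)
    print(entry["action"], entry["rule_file"], entry["id"], sep=" | ")
    print(removal_directive(entry["id"]))
```

The entry on this page matched on TX:anomaly_score, so its ID names the rule that enforces the total anomaly score rather than a single detection; check which rule an ID refers to before adding it to the custom rule file.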