Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

WAF is not blocking web based attacks

 

Information

 

Summary:

WAF is enabled in a Virtual Service and some http attacks are not blocked by the WAF rules.

Environment:

Product: LoadMaster

Version: Any 

Platform: Any

Application: Any

Question/Problem Description:

WAF is enabled in a Virtual Service and some http attack are not blocked by the WAF rules. The rules are being triggered but the WAF engine is allowing the requests to flow as normal.

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause: Requests are not hitting the anomaly score threshold.
Resolution:
  • For each request, every triggered detection raises the anomaly score, most rules having a score of 5. If the cumulative anomaly score per request hits the configured limit, the request will be blocked. The default value is 100 and allowable range is 1 to 10000.
  • If requests are not being blocked, the anomaly score is not being exceeded. 
  • By default the score is 100. For instance, if a request triggers 20 critical rules (each rule with a score of 5), then it should be blocked since it would reach the threshold.
  • You could lower the threshold if you want to see the requests blocked but in doing so, you could put the WAF in a very sensitive state and end up blocking legitimate traffic.
Workaround:  
Notes:

https://support.kemptechnologies.com/hc/en-us/articles/203128369-Web-Application-Firewall-WAF-

https://www.netnea.com/cms/core-rule-set-inventory/ 

https://kemptechnologies.com/blog/false-positive-handling-loadbalancer/ 


Comments