
ID numbers from WAF log - Common threat filter - Skip filter rules

How can I find the rule ID (like [id "981176"]) in Sophos XG web server publishing, so that I can add it to the bypass under Web server - Protection policies?

When using Sophos SG it was in the logs.

For Sophos XG there is the article https://community.sophos.com/kb/en-us/122833 and the ID should be in the logs: [id "981176"] [msg "Inbound Anomaly Score Exceeded

 

When I open the Log viewer from the Sophos XG web console - Detailed view - module Web server protection,
the log looks like this (without the ID number):


messageid="17071" log_type="WAF" log_component="Web Application Firewall" user="-" server="MYURL" src_ip="mypublicIP" local_ip="my-XG-IP-address" protocol="HTTP/1.1" url="/RDWeb/Pages/en-US/login.aspx" query_string="" cookie="_ga=GA1.2.553296830.1454709251; _gcl_au=1.1.2086021688.1580460192" referer="myURL" method="POST" response_code="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 6, SQLi=1, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded" content_type="text/html" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0" host="mypublicIP" response_time="4656" bytes_sent="429" bytes_received="1055" fw_rule_id="76"

There is no ID like 981176.
I am using an XG230 (SFOS 17.5.9 MR-9)

 

Thanks

Martin



  • Martin,

    if the ID does not show up, put the WAF service in debug mode from the advanced shell.

    service WAF:debug -ds nosync

    Check the logs again from the log viewer or from /log/reverseproxy.log, and you should see more information in the log since the service is in debug mode.

    To disable the debug, please run the command again.

    More info here:

    community.sophos.com/.../124574

    Regards

  • Hi

     

    Thanks for fast reply.

    The command "service WAF:debug -ds nosync" returns 400 Bad Request:

    XG230_WP02_SFOS 17.5.9 MR-9# service WAF:debug -ds nosync
    400 Bad Request

     

    "service -S" shows: WAF                  RUNNING

    "service WAF:restart -ds nosync" is working.

    What I am doing wrong?

    Martin

  • Hi Martin,

     

    We don't show this information in the log viewer.

    You can find the full logfile of the WAF under /log/reverseproxy.log in the advanced shell.

     

    Regards,
    Sabine

  • Thanks, it is working.

    For other users: I had to SSH to the XG firewall and choose 5 - 3 Advanced shell, then run

    tail -n 5000 -f /log/reverseproxy.log | grep security2:error | grep mypublishedurl

    This command shows, from the last 5000 lines of the log file, only the lines containing the string security2:error and the string mypublishedurl.

    There I can find the ID numbers.
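    As an added example (not from this thread and not Sophos' own tooling), the helper below does what the last post does with tail and grep, but goes a step further: it counts how often each rule ID fired for one published host, and pairs each ID with its msg text so you can see what a rule does before adding it to the skip list. It assumes that reverseproxy.log lines use the Apache/ModSecurity error-log layout quoted from the KB article above ([id "..."] [msg "..."]) and carry a [hostname "..."] field; that field and the sample log lines are constructed for the example, not real XG output.

```sh
#!/bin/sh
# Added example, not code from the thread or from Sophos.
# Lists ModSecurity rule IDs that fired for one published host in a
# reverseproxy.log-style file, with hit counts and the rule's [msg ...] text.

# Constructed sample log in Apache/ModSecurity error-log layout (assumed
# layout; the [hostname "..."] field and all values are made up for the demo).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[Mon Feb 03 10:00:00.000001 2020] [security2:error] [pid 1234] [client 203.0.113.5] ModSecurity: Warning. Matched phrase found within ARGS:password. [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "rdweb.example.com"] [uri "/RDWeb/Pages/en-US/login.aspx"]
[Mon Feb 03 10:00:00.000002 2020] [security2:error] [pid 1234] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 6, SQLi=1, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "rdweb.example.com"] [uri "/RDWeb/Pages/en-US/login.aspx"]
[Mon Feb 03 10:05:12.000000 2020] [security2:error] [pid 1234] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 6, SQLi=1, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "rdweb.example.com"] [uri "/RDWeb/Pages/en-US/login.aspx"]
[Mon Feb 03 10:07:00.000000 2020] [security2:error] [pid 1234] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=1, XSS=)"] [hostname "other.example.com"] [uri "/search"]
[Mon Feb 03 10:08:00.000000 2020] [core:notice] [pid 1234] AH00094: Command line: '/usr/sbin/httpd'
EOF

# waf_rule_ids FILE HOST
# Prints "<rule id> <hit count>" for every rule that fired for HOST,
# most frequent first. Only security2 (ModSecurity) error lines are read.
waf_rule_ids() {
    grep 'security2:error' "$1" \
      | grep -F "[hostname \"$2\"]" \
      | grep -o '\[id "[0-9]*"\]' \
      | sed 's/\[id "\([0-9]*\)"\]/\1/' \
      | sort | uniq -c | sort -rn \
      | awk '{print $2, $1}'
}

# waf_rule_summary FILE HOST
# Prints "<rule id> <msg text>" once per distinct pair, so the meaning of a
# rule is visible before it is added to the skip list for that site.
waf_rule_summary() {
    grep 'security2:error' "$1" \
      | grep -F "[hostname \"$2\"]" \
      | sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' \
      | sort -u
}

# Stand-alone run against the constructed sample; on a real box point the
# functions at /log/reverseproxy.log and your published hostname instead.
waf_rule_ids "$SAMPLE_LOG" rdweb.example.com
waf_rule_summary "$SAMPLE_LOG" rdweb.example.com
```

    Rule 981176 is the anomaly-score summary rule; the rule that actually scored the request is the one named in its "Last Matched Message" (981173 in the constructed sample), which is why the summary output is worth reading before deciding which ID to skip.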