
WAF "Inbound Anomaly Score Exceeded (Total Score: 5)" without a ID in reverseproxy.log

Hi there,
We have a support portal protected with the WAF (v18.5.1), however, we get this error message.

"Inbound Anomaly Score Exceeded (Total Score: 5)"

However, we do not find any ID in "reverseproxy.log" to make an exclusion.
What can be done here (bypass WAF rules)?

regards
Stefan



  • Hello Stefan,

    Thank you for contacting the Sophos Community.

    Yes, you would need to bypass the ID.

    Most likely the Protection Policy is running in Reject mode, change this to Monitor. (Can you go to Web server > Protection Policies > Mode)

    Then the ID should show in the log.

    Example of the log:

    [Fri Oct 01 05:23:10.487047 2020] [security2:error] [pid 20338:tid 140188537747200] [client XXX.XXX.XXX.XXX:58840] [client XXX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/apache/conf/waf/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag] [tag] [tag] [tag] [hostname "mail.mymailserver.com"] [uri "/Microsoft-Server-ActiveSync"] [unique_id "X6VOPn8AAAEAAE9y7RAAAABL"]

    Regards,

  • Hi Emmanuel,

    I think this wouldn't work.

    I have protected a server instance, where I send a complex URL (sometimes) ... anomaly is high ... but no hint why and no ID. No success with exceptions.

    But I may try it again and send the result ... if someone is interested and tries to help ...

  • I found this page and thought I had struck gold, only to find out once I get into my reverseproxy.log file, all of the IDs show as [id="-"]. It's in Monitor mode. What more do I need to do to get the ID to add to my skip filter rules list? 

  • Possible there is no ID / Rule trigger the drop.

    Please post the "cleaned" log-lines.

  • [Thu Jan 06 12:18:12.205276 2022] [security2:error] [pid 7887:tid 140231210559232] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3cc8e50 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "89"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/something/asdf/store/p/48/"] [unique_id "asdf-asdf-asdf"], referer: https://test.domain.com/something/asdf/store/
    [Thu Jan 06 12:18:12.248649 2022] [security2:error] [pid 7887:tid 140231210559232] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3d22d90 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "417"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/something/asdf/store/p/48/"] [unique_id "asdf-asdf-asdf"], referer: https://test.domain.com/something/asdf/store/
    [Thu Jan 06 12:18:56.273761 2022] [security2:error] [pid 5916:tid 140231151810304] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3cc8e50 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "89"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/"] [unique_id "asdfasdf"], referer: https://test.domain.com/something/somecompany/?something
    [Thu Jan 06 12:18:56.284070 2022] [security2:error] [pid 5916:tid 140231151810304] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3cf6850 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "266"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/"] [unique_id "asdfasdf"], referer: https://test.domain.com/something/somecompany/?something
    [Thu Jan 06 12:18:56.286554 2022] [security2:error] [pid 5916:tid 140231151810304] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3d04fd0 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "317"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/"] [unique_id "asdfasdf"], referer: https://test.domain.com/something/somecompany/?something
    [Thu Jan 06 12:18:56.295260 2022] [security2:error] [pid 5916:tid 140231151810304] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3d0beb8 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "342"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/"] [unique_id "asdfasdf"], referer: https://test.domain.com/something/somecompany/?something
    [Thu Jan 06 12:18:56.299170 2022] [security2:error] [pid 5916:tid 140231151810304] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3d12ad0 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "367"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/"] [unique_id "asdfasdf"], referer: https://test.domain.com/something/somecompany/?something
    [Thu Jan 06 12:18:56.301731 2022] [security2:error] [pid 5916:tid 140231151810304] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3d1c148 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "392"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/"] [unique_id "asdfasdf"], referer: https://test.domain.com/something/somecompany/?something
    [Thu Jan 06 12:18:56.303599 2022] [security2:error] [pid 5916:tid 140231151810304] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3d22d90 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "417"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/"] [unique_id "asdfasdf"], referer: https://test.domain.com/something/somecompany/?something
    [Thu Jan 06 12:18:56.305354 2022] [security2:error] [pid 5916:tid 140231151810304] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3d31cd0 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "442"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/"] [unique_id "asdfasdf"], referer: https://test.domain.com/something/somecompany/?something
    [Thu Jan 06 12:19:00.750095 2022] [security2:error] [pid 7887:tid 140231135024896] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3cc8e50 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "89"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/"] [unique_id "fdsafdsa"], referer: https://test.domain.com/something/account/?source=landing
    [Thu Jan 06 12:19:00.759527 2022] [security2:error] [pid 7887:tid 140231135024896] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3cf6850 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "266"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/"] [unique_id "fdsafdsa"], referer: https://test.domain.com/something/account/?source=landing
    [Thu Jan 06 12:19:00.762055 2022] [security2:error] [pid 7887:tid 140231135024896] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3d04fd0 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "317"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/"] [unique_id "fdsafdsa"], referer: https://test.domain.com/something/account/?source=landing
    [Thu Jan 06 12:19:00.770467 2022] [security2:error] [pid 7887:tid 140231135024896] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3d0beb8 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "342"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/"] [unique_id "fdsafdsa"], referer: https://test.domain.com/something/account/?source=landing
    [Thu Jan 06 12:19:00.774486 2022] [security2:error] [pid 7887:tid 140231135024896] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3d12ad0 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "367"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/"] [unique_id "fdsafdsa"], referer: https://test.domain.com/something/account/?source=landing
    [Thu Jan 06 12:19:00.777047 2022] [security2:error] [pid 7887:tid 140231135024896] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3d1c148 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "392"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/"] [unique_id "fdsafdsa"], referer: https://test.domain.com/something/account/?source=landing
    [Thu Jan 06 12:19:00.778902 2022] [security2:error] [pid 7887:tid 140231135024896] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3d22d90 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "417"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/"] [unique_id "fdsafdsa"], referer: https://test.domain.com/something/account/?source=landing
    [Thu Jan 06 12:19:00.780662 2022] [security2:error] [pid 7887:tid 140231135024896] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3d31cd0 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "442"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/"] [unique_id "fdsafdsa"], referer: https://test.domain.com/something/account/?source=landing

  • If you don't use SQL at the backend, you may disable the SQL security.

    Otherwise try these Rule IDs:   "ModSecurity: Rule 3cc8e50 [id "-"][file"

  • Only numeric values are allowed. Trust me, I've tried a lot of things. Hoping coming to the source (Sophos) helps.
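The thread ends without a resolution, so here is an added triage script (my own example, not Sophos code and not something any poster provided) that sorts reverseproxy.log lines the way the replies above do by hand: it separates the blocking-evaluation line (rule 949110, which only reports the total score), the "Execution error - PCRE limits exceeded" lines (which carry `[id "-"]` and therefore cannot go into a skip filter, as the last reply notes), and the rules that actually contributed to the score for the same `unique_id`. The input embeds two lines quoted from the thread plus one constructed line for rule 942100 (a real OWASP CRS libinjection rule; its line number, fingerprint text and the fact that it shares the blocked request's `unique_id` are assumptions made for the demonstration). The assumption that contributing rules log under the same `unique_id` as the 949110 line is standard ModSecurity/CRS behaviour, not something stated on this page.

```python
import re
from collections import defaultdict

# [key "value"] fields of a ModSecurity (security2) log line; unquoted fields
# such as [client 1.2.3.4] or [pid ...] and empty [tag] entries are ignored.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# CRS "summary" rules report the total anomaly score, they do not add to it.
# Excluding them would switch off blocking rather than fix a false positive.
# 949110 appears in the thread; 980130 is its correlation counterpart in CRS.
SUMMARY_RULES = {"949110", "980130"}

# Sample input: lines 1 and 3 are quoted from the thread (already masked by
# the posters); line 2 is CONSTRUCTED to show a contributing rule hit.
SAMPLE_LOG = """\
[Fri Oct 01 05:23:10.486000 2020] [security2:error] [pid 20338:tid 140188537747200] [client XXX.XXX.XXX.XXX:58840] [client XXX.XXX.XXX.XXX] ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/apache/conf/waf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "mail.mymailserver.com"] [uri "/Microsoft-Server-ActiveSync"] [unique_id "X6VOPn8AAAEAAE9y7RAAAABL"]
[Fri Oct 01 05:23:10.487047 2020] [security2:error] [pid 20338:tid 140188537747200] [client XXX.XXX.XXX.XXX:58840] [client XXX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/apache/conf/waf/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag] [tag] [tag] [tag] [hostname "mail.mymailserver.com"] [uri "/Microsoft-Server-ActiveSync"] [unique_id "X6VOPn8AAAEAAE9y7RAAAABL"]
[Thu Jan 06 12:18:12.205276 2022] [security2:error] [pid 7887:tid 140231210559232] [client 1.2.3.4:12345] [client 1.2.3.4] ModSecurity: Rule 3cc8e50 [id "-"][file "/usr/apache/conf/waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "89"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "test.domain.com"] [uri "/something/asdf/store/p/48/"] [unique_id "asdf-asdf-asdf"], referer: https://test.domain.com/something/asdf/store/
"""


def parse_line(line):
    """Return the quoted fields of one ModSecurity line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["execution_error"] = "Execution error" in line
    return fields


def classify(fields):
    """Say what kind of evidence a parsed line is for building a skip filter."""
    rule_id = fields.get("id", "-")
    if fields["execution_error"] or rule_id == "-":
        return "no_rule_id"    # engine/regex failure: no numeric ID exists
    if rule_id in SUMMARY_RULES:
        return "summary"       # reports the score, not its cause
    return "contributing"      # a rule that actually added to the score


def analyze(log_text):
    """Group lines per request and return skip-filter candidates and error hits."""
    result = {"skip_candidates": set(), "execution_errors": [], "blocked": {}}
    hits_per_request = defaultdict(list)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        kind = classify(fields)
        uid = fields.get("unique_id", "?")
        if kind == "no_rule_id":
            # Nothing to exclude by ID; record file/line/uri for the rule file review.
            result["execution_errors"].append(
                (fields.get("file"), fields.get("line"), fields.get("uri")))
        elif kind == "summary":
            result["blocked"][uid] = fields.get("msg")
        else:
            hits_per_request[uid].append(fields["id"])
    # Only rules that fired in a request that was actually blocked are candidates.
    for uid in result["blocked"]:
        result["skip_candidates"].update(hits_per_request.get(uid, []))
    result["skip_candidates"] = sorted(result["skip_candidates"])
    return result


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("blocked requests:", report["blocked"])
    print("numeric rule IDs you could add to a skip filter:", report["skip_candidates"])
    print("hits with no rule ID (cannot be skipped by ID):", report["execution_errors"])
```

Run it against a real reverseproxy.log by replacing `SAMPLE_LOG` with the file contents. An empty `skip_candidates` list for a blocked request means the contributing rule lines are not in the log at all (the situation Emmanuel's Monitor-mode advice is meant to fix), while a non-empty `execution_errors` list points at a rule file and line that failed to evaluate rather than at a rule you can exclude.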