
WAF "Inbound Anomaly Score Exceeded (Total Score: 5)" without an ID in reverseproxy.log

Hi there,
We have a support portal protected with the WAF (v18.5.1); however, we get this error message:

"Inbound Anomaly Score Exceeded (Total Score: 5)"

However, we do not find any ID in "reverseproxy.log" to make an exclusion.
What can be done here (bypass WAF rules)?

regards
Stefan



  • Hello Stefan,

    Thank you for contacting the Sophos Community.

    Yes, you would need to bypass the ID.

    Most likely the Protection Policy is running in Reject mode; change this to Monitor. (You can go to Web server > Protection Policies > Mode.)

    Then the ID should show in the log.

    Example of the log:

    [Fri Oct 01 05:23:10.487047 2020] [security2:error] [pid 20338:tid 140188537747200] [client XXX.XXX.XXX.XXX:58840] [client XXX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/apache/conf/waf/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag] [tag] [tag] [tag] [hostname "mail.mymailserver.com"] [uri "/Microsoft-Server-ActiveSync"] [unique_id "X6VOPn8AAAEAAE9y7RAAAABL"]

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
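The entry Emmanuel quotes is a standard ModSecurity error-log line, and rule 949110 is the OWASP CRS blocking-evaluation rule: it only reports that the summed anomaly score reached the threshold. The rules that actually scored the request are written as separate entries that share the same unique_id, which is why an exclusion for 949110 itself is the wrong fix (it would switch off anomaly blocking for the site). The script below is an added example, not code from the thread or from Sophos: it parses log lines of the shape shown above, groups them per unique_id, and lists the rule IDs that are candidates for an exclusion, flagging the case from the question where only the 949110 total was logged. The two sample logs are constructed; the hostname, client address, URI and the contributing rule (942100) are assumptions for illustration.

```python
import re
from collections import defaultdict

# Bracketed key/value fields in a ModSecurity error-log entry:
# [id "942100"], [msg "..."], [uri "..."], [unique_id "..."]
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# OWASP CRS rule that compares the inbound anomaly score with the threshold
# and blocks. It only reports the *total*; the rules that produced the score
# are separate entries sharing the same unique_id. Excluding 949110 itself
# would switch off anomaly blocking for the whole site.
BLOCKING_EVALUATION_ID = "949110"

# Constructed sample input (not from the original post). Reject mode: only the
# blocking-evaluation entry reaches the log, with no contributing rule ID.
REJECT_MODE_LOG = (
    '[Fri Oct 01 05:23:10.487047 2020] [security2:error] [pid 20338:tid 140188537747200] '
    '[client 203.0.113.7:58840] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). '
    'Operator GE matched 5 at TX:anomaly_score. '
    '[file "/usr/apache/conf/waf/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] '
    '[hostname "support.example.com"] [uri "/portal/search"] [unique_id "X6VOPn8AAAEAAE9y7RAAAABL"]\n'
)

# Constructed sample input: the same kind of request with the policy in Monitor
# mode. The rule that actually scored the request (assumed here to be CRS
# 942100) is logged as a Warning before the evaluation entry.
MONITOR_MODE_LOG = (
    '[Fri Oct 01 05:31:02.101210 2020] [security2:error] [pid 20338:tid 140188537747200] '
    '[client 203.0.113.7:58902] [client 203.0.113.7] ModSecurity: Warning. detected SQLi using libinjection '
    '[file "/usr/apache/conf/waf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] '
    '[msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] '
    '[hostname "support.example.com"] [uri "/portal/search"] [unique_id "Y7bQ1n8AAAEAAE9y9RAAAACd"]\n'
    '[Fri Oct 01 05:31:02.102004 2020] [security2:error] [pid 20338:tid 140188537747200] '
    '[client 203.0.113.7:58902] [client 203.0.113.7] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. '
    '[file "/usr/apache/conf/waf/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] '
    '[hostname "support.example.com"] [uri "/portal/search"] [unique_id "Y7bQ1n8AAAEAAE9y9RAAAACd"]\n'
)


def parse_entries(log_text):
    """One dict per line carrying an [id "..."] field, plus whether it blocked."""
    entries = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "id" in fields:
            fields["denied"] = "Access denied" in line
            entries.append(fields)
    return entries


def exclusion_report(log_text):
    """Group entries per transaction (unique_id) and work out which rule IDs
    are candidates for an exclusion. Returns {unique_id: {...}}."""
    by_txn = defaultdict(list)
    for entry in parse_entries(log_text):
        by_txn[entry.get("unique_id", "?")].append(entry)
    report = {}
    for txn, entries in by_txn.items():
        scoring = [e for e in entries if e["id"] != BLOCKING_EVALUATION_ID]
        score_exceeded = any(e["id"] == BLOCKING_EVALUATION_ID for e in entries)
        report[txn] = {
            "uri": entries[0].get("uri"),
            "denied": any(e["denied"] for e in entries),
            "score_exceeded": score_exceeded,
            # IDs to consider for a rule exclusion; never 949110.
            "exclude_candidates": sorted({e["id"] for e in scoring}),
            # The symptom from the thread: only the total was logged.
            "needs_monitor_mode": score_exceeded and not scoring,
        }
    return report


if __name__ == "__main__":
    for label, log in (("reject", REJECT_MODE_LOG), ("monitor", MONITOR_MODE_LOG)):
        for txn, info in exclusion_report(log).items():
            print(label, txn, info)
```

Run it against a copy of reverseproxy.log instead of the embedded samples to get, per blocked transaction, the list of IDs that actually raised the score. When needs_monitor_mode is set for a transaction, the log carries nothing to exclude yet, which is exactly the situation the question describes.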
  • Hi Emmanuel,

    I think this wouldn't work.

    I have protected a Server instance, where I send a complex URL (sometimes) ... anomaly is high ... but no hint why and no ID. No success with exceptions.

    But I may try it again and send the result ... if someone is interested and tries to help ...


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
