WAF "Inbound Anomaly Score Exceeded (Total Score: 5)" without an ID in reverseproxy.log

Hi there,
We have a support portal protected with the WAF (v18.5.1), however, we get this error message.

"Inbound Anomaly Score Exceeded (Total Score: 5)"

However, we do not find any ID in "reverseproxy.log" to make an exclusion.
What can be done here (bypass WAF rules)?

regards
Stefan



  • Hello Stefan,

    Thank you for contacting the Sophos Community.

    Yes, you would need to bypass the ID.

    Most likely the Protection Policy is running in Reject mode; change this to Monitor. (You can go to Web server > Protection Policies > Mode.)

    Then the ID should show in the log.

    Example of the log:

    [Fri Oct 01 05:23:10.487047 2020] [security2:error] [pid 20338:tid 140188537747200] [client XXX.XXX.XXX.XXX:58840] [client XXX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/apache/conf/waf/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag] [tag] [tag] [tag] [hostname "mail.mymailserver.com"] [uri "/Microsoft-Server-ActiveSync"] [unique_id "X6VOPn8AAAEAAE9y7RAAAABL"]

    Regards,

  • Hi Emmanuel,

    I think this wouldn't work.

    I have protected a server instance where I send a complex URL (sometimes) ... anomaly is high ... but no hint why and no ID. No success with exceptions.

    But I may try it again and send the result ... if someone is interested and tries to help ...
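
Added example (not part of the original thread and not Sophos code): rule 949110 in the log entry quoted above only evaluates the accumulated anomaly score, so the IDs to look at for an exception are those of other ModSecurity entries that share the blocked request's unique_id. The Python script below groups entries by unique_id and lists those IDs; the sample lines, host name and client address are constructed, and it assumes contributing rules are logged as separate entries in the same format.

```python
import re
from collections import defaultdict

# Rules that only evaluate the accumulated score; they say nothing about the cause.
EVALUATION_IDS = {"949110"}

# Pull the bracketed key "value" fields we need; tolerate escaped quotes in values.
FIELD_RE = re.compile(r'\[(id|msg|uri|unique_id) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample in the format of the log entry quoted in the thread.
SAMPLE_LOG = """\
[Thu Oct 01 05:23:10.48 2020] [security2:error] [client 192.0.2.10] ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/apache/conf/waf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "66"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "support.example.com"] [uri "/portal/search"] [unique_id "CONSTRUCTED-REQ-A"]
[Thu Oct 01 05:23:10.49 2020] [security2:error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/apache/conf/waf/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "support.example.com"] [uri "/portal/search"] [unique_id "CONSTRUCTED-REQ-A"]
[Thu Oct 01 05:24:02.10 2020] [security2:error] [client 192.0.2.11] ModSecurity: Warning. Pattern match at REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [hostname "198.51.100.7"] [uri "/"] [unique_id "CONSTRUCTED-REQ-B"]
[Thu Oct 01 05:25:40.77 2020] [security2:error] [client 192.0.2.12] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "support.example.com"] [uri "/portal/ticket"] [unique_id "CONSTRUCTED-REQ-C"]
"""


def contributing_rules(log_text):
    """Return {unique_id: {"uri", "blocked", "rules"}} for blocked requests only.

    "rules" holds (id, msg) for every entry of that request except the
    score-evaluation rule. An empty list means the contributing entries
    are absent from this log (the situation described in the thread).
    """
    requests = defaultdict(lambda: {"uri": None, "blocked": False, "rules": []})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        uid, rule_id = fields.get("unique_id"), fields.get("id")
        if not uid or not rule_id:
            continue
        req = requests[uid]
        req["uri"] = fields.get("uri", req["uri"])
        if rule_id in EVALUATION_IDS:
            req["blocked"] = True
        else:
            req["rules"].append((rule_id, fields.get("msg", "")))
    return {uid: req for uid, req in requests.items() if req["blocked"]}


if __name__ == "__main__":
    for uid, req in contributing_rules(SAMPLE_LOG).items():
        print(uid, req["uri"], req["rules"] or "no contributing entries logged")
```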
