Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 1 reply
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 1613 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF Anomaly Score 15

xRron

Hi to all,

We have configured WAF for WEB Protection Rule but when a operator try to upload news content on web upload the Sophos XG Denies to upload news content to published, see the denied log.

/Media/InsertContent/11224
WAF Anomaly
Inbound Anomaly Score Exceeded (Total Score: 15)

messageid="17071" log_type="WAF" log_component="Web Application Firewall" user="-" server="kostt.com" src_ip="84.XX.X7.XXlocal_ip="XX.238.XX.XX3" protocol="HTTP/1.1" url="/Media/InsertContent/11224" query_string="" cookie="_ga=GA1.2.1533364674.1556618133; ASP.NET_SessionId=2uaby5ejic05n4nf5vh20qqm; HASH_ASP.NET_SessionId=0ca2d605036b39283da4eed64c81490f11e2d848; __RequestVerificationToken=ZHJmODTgt4u15-MIpGUDqlMMPuz67WwoD7m26KQI5zy9Zb76rp3ypzqCODltNGSl9CrrQZ0gIGRd_lLI1; HASH___RequestVerificationToken=2f49cc74b046f3699f36bea4608d30c051af09cd; _gid=GA1.2.331972070.1653376698" referer="">kostt.com/.../11224" method="POST" response_code="403"
reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 15)" content_type="text/html" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36" response_time="38787" bytes_sent="429" bytes_received="8545" fw_rule_id="19""



This thread was automatically locked due to age.
Parents
  • 0

    Hi : Thank you for reaching out to the Sophos community team. Around this Anomaly detection time, before these lines, you should be able to see the Rule ID in reverseproxy.log which has triggered this detection for that specific URL or data of the webserver. You may add those IDs in the exception. Please ensure that you are not adding infrastructure rules ids in the exception.

Reply
  • 0

    Hi : Thank you for reaching out to the Sophos community team. Around this Anomaly detection time, before these lines, you should be able to see the Rule ID in reverseproxy.log which has triggered this detection for that specific URL or data of the webserver. You may add those IDs in the exception. Please ensure that you are not adding infrastructure rules ids in the exception.

Children
No Data