Where can I find the WAF common threat filter rule ID?

Hello,

I use the WAF common threat filter and am trying to get the rule IDs to skip specific rules, as described in this KB: https://community.sophos.com/kb/en-us/122833

The example in this KB:

[Tue Nov 03 17:53:46.196698 2015] [security2:error] [pid 4807:tid 4128242496] [client 192.168.55.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960010-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-TX:0. [file "/content/waf/2.7.3/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=, XSS=): Last Matched Message: Request content type is not allowed by policy"] [data "Last Matched Data: text/plain"] [hostname "test.xyz"] [uri "/jsonrpc"] [unique_id "Vdd0qn8AAAEAABFHBRoAAAAy"]

But my log entry on my 17.0.3 MR3 XG Firewall for WAF shows this log entry:

messageid="17071" log_type="WAF" log_component="Web Application Firewall" user="-" server="..." src_ip="..." local_ip="..." protocol="HTTP/1.1" url="/..." query_string="" cookie="nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; ocp7wejoggqt=...; oc_sessionPassphrase=...; HASH_ocp7wejoggqt=...; HASH_oc_sessionPassphrase=...; HASH_nc_sameSiteCookielax=...; HASH_nc_sameSiteCookiestrict=..." referer="-" method="PUT" response_code="403" reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=, XSS=): Last Matched Message: Request content type is not allowed by policy" content_type="text/html" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" host="..." response_time="24521" bytes_sent="549" bytes_received="1401" fw_rule_id="3"

Where can I find the rule ID?

Thanks!
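
Added example, not part of the original post: a small Python parser run over shortened copies of the two log lines quoted above, showing which rule identifiers each format actually carries. The function and field names are hypothetical, and reading the number in the TX variable name as a rule ID is an assumption about that naming.

```python
import re

# Constructed samples, shortened from the two log lines quoted in the post.
MODSEC_LINE = (
    '[Tue Nov 03 17:53:46.196698 2015] [security2:error] [pid 4807:tid 4128242496] '
    '[client 192.168.55.1] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "(.*)" at TX:960010-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-TX:0. '
    '[file "/content/waf/2.7.3/modsecurity_crs_inbound_blocking.conf"] [line "26"] '
    '[id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=, XSS=): '
    'Last Matched Message: Request content type is not allowed by policy"] '
    '[hostname "test.xyz"] [uri "/jsonrpc"]'
)
XG_LINE = (
    'messageid="17071" log_type="WAF" method="PUT" response_code="403" '
    'reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 8, '
    'SQLi=, XSS=): Last Matched Message: Request content type is not allowed by policy" '
    'content_type="text/html" fw_rule_id="3"'
)

TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] metadata tags
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')        # key="value" pairs
TX_RE = re.compile(r'\bTX:(\d+)-')                       # number embedded in the matched TX variable


def parse_waf_line(line):
    """Return the fields of a WAF log line plus any ModSecurity rule IDs it carries."""
    if "ModSecurity:" in line:
        fields = dict(TAG_RE.findall(line))
        tx = TX_RE.search(line)
        return {
            "format": "modsecurity",
            "fields": fields,
            "logging_rule_id": fields.get("id"),             # rule that wrote the entry
            "matched_rule_id": tx.group(1) if tx else None,  # assumed: rule named in the TX variable
        }
    fields = dict(KV_RE.findall(line))
    return {
        "format": "key-value",
        "fields": fields,
        "logging_rule_id": fields.get("id"),   # fw_rule_id is a separate key and is not used here
        "matched_rule_id": None,
    }


if __name__ == "__main__":
    for sample in (MODSEC_LINE, XG_LINE):
        result = parse_waf_line(sample)
        print(result["format"], result["logging_rule_id"], result["matched_rule_id"])
```

On these samples the ModSecurity-style line yields both an `id` tag and a number in the TX variable name, while the key-value line yields neither, only the summary text in `extra`.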
