Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 3 subscribers
  • Views 15523 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF mod_security XSS Prevents WordPress Posts

jobo2
I noticed that if the cross site scripting for WAF is enabled, it prevents users from being able to make posts on WordPress, saying that it's "forbidden".

I also see a lot of legitimate traffic from our corporate office to the site being blocked by the SQL Injection rule, for things like "wp-check-locked-posts".

I don't want to completely disable these rules, as I feel that the protection they provide is needed. However, I need the sites to function properly. I'm sure I could modify the rules manually, but would assume any updates to the UTM would revert those changes, and could have other negative impacts.

Does anyone know of a way to resolve this without disabling the rules or modifying them manually?


This thread was automatically locked due to age.
  • 0
    I just went thru the same exercise with our website and portals.  I ended up disabling over a dozen rules.  Also, the logs were getting huge with all the excessive logging from the false positives (200MB+ per day).  Besides the reduction in logging, we also saw a performance improvement.

    Dave
  • 0
    Using your example, SQL Injection Attacks isn't a rule itself, it is a category containing dozens of individual rules, some of which may generate false positions based on your specific environment.  What you will need to do is use the Webserver Protection Reporting (Top Rules report works well or a combination of Top Attackers and Top Rules by Attacker) to find the individual rules numbers (IDs) being triggered.  Use these IDs in your Skip Filter Rules list.

    Manual modification of rules from the backend is not supported and will not be persistent.
  • 0

    I added the following Filter IDs to the "Skip Filter Rules". No idea if better way to get a clone of the Basic Protection Profile to work with Wordpress, but the site is now working with these in place.  Also, I unchecked Signed Cookies.

    950901
    960024
    973300
    973306
    973316
    973332
    973338
    981172
    981173
    981176
    981200
    981203
    981204
    981245