英文:
Azure Front door WAF policy Microsoft_DefaultRuleSet-2.0-BLOCKING-EVALUATION-949110 block request with Inbound Anomaly Score Exceeded message
问题
我已经为我的一个Web应用程序配置了前端门和WAF。WAF目前处于检测模式。在审查日志时,我主要在所有阻止请求中看到以下详细信息:
规则名称:Microsoft_DefaultRuleSet-2.0-BLOCKING-EVALUATION-949110
操作:阻止
策略模式:检测
详细匹配项:[]
详细消息:入站异常分数超过限制
类型:Azure诊断
以上信息记录在具有.html、.js、.jpeg等的随机requestUri_s上。我已经按照trackingReference_s进行了跟踪,但在日志中没有找到与trackingReference相关的详细信息。
我只是想知道如何在这种情况下评估误报。如果这些请求在预防模式下被阻止,是否可以将策略模式更改为预防模式呢?
谢谢
Rajesh
英文:
I have front door and WAF configured for one of my web application. The WAF is currently in detection mode. While reviewing the logs, I majorly see below details in all the block requests
ruleName_s : Microsoft_DefaultRuleSet-2.0-BLOCKING-EVALUATION-949110
action_s : Block
policyMode_s : detection
details_matches_s : []
details_msg_s : Inbound Anomaly Score Exceeded
Type: AzureDiagnostics
The above is logged on random requestUri_s that have .html, .js, .jpeg etc. I did follow the trackingReference_s , but didnt get any derails with the trackingReference in the log.
I just want to see how can I evaluate false positive in this case. Is it ok to change the policy mode to prevention if these request are blocked in prevention mode.
Thanks
Rajesh
答案1
得分: 1
要评估这些是否为误报,您需要查看几个方面。
一个具有字段"ruleName_s"为"Microsoft_DefaultRuleSet-2.0-BLOCKING-EVALUATION-949110"和"action_s"为"Block"的Azure Front Door日志条目,后面跟随一个或多个具有"action_s"为"AnomalyScoring"的日志条目。您可以使用字段"trackingReference_s"查看阻止评估的所有相关条目。
查询文本:
AzureDiagnostics
| where trackingReference_s == '03VuQZAAAAABzkx+f3NXPRoWkytsHgm/vQVRBRURHRTEyMTYANTcxYzNhYmEtNjFlOC00NmZhLWJlNTktOTEyMjlkMTIyNzkz'
| project TimeGenerated, Category, ruleName_s, action_s, trackingReference_s
| order by TimeGenerated desc
在您知道触发了哪些规则之后(在示例图像中为Microsoft_DefaultRuleSet-2.0-XSS-941170和Microsoft_DefaultRuleSet-2.0-XSS-941130),您可以调查"details_matches_s"和"details_msg_s"列,以查看请求中的哪些数据与阻止规则匹配。
您还可以通过交叉引用Web应用程序防火墙核心规则集来确定这些规则的评估方式链接。例如,Azure Front Door日志中的规则"Microsoft_DefaultRuleSet-2.0-XSS-941170"是REQUEST-941-APPLICATION-ATTACK-XSS的命中,具体来说是规则941170,用于"NoScript XSS InjectionChecker: Attribute Injection"。
然后,您可以从OWASP网站下载规则定义,以查看用于评估规则的正则表达式。
英文:
To evaluate if these are false positives you'll need to look at several things.
An Azure Front Door log entry with the field "ruleName_s" of "Microsoft_DefaultRuleSet-2.0-BLOCKING-EVALUATION-949110" and an "action_s" of "Block" follows one or more log entries with an "action_s" of "AnomalyScoring". You can see all the relevant entries for a blocking evaluation by using the "trackingReference_s" field.
Text of the query:
AzureDiagnostics
| where trackingReference_s == '03VuQZAAAAABzkx+f3NXPRoWkytsHgm/vQVRBRURHRTEyMTYANTcxYzNhYmEtNjFlOC00NmZhLWJlNTktOTEyMjlkMTIyNzkz'
| project TimeGenerated, Category, ruleName_s, action_s, trackingReference_s
| order by TimeGenerated desc
After you know which rules triggered the block (in the example image, Microsoft_DefaultRuleSet-2.0-XSS-941170 and Microsoft_DefaultRuleSet-2.0-XSS-941130) you can investigate the "details_matches_s" and details_msg_s" columns to see what data from the request matched the blocking rule.
You can also determine how these rules evaluate by cross referencing the Web Application Firewall core rule sets here. For example, the rule in the Azure Front Door log for "Microsoft_DefaultRuleSet-2.0-XSS-941170" is a hit for the REQUEST-941-APPLICATION-ATTACK-XSS, specifically rule 941170 for "NoScript XSS InjectionChecker: Attribute Injection"
You can then download the rule definitions from the OWASP site to see the regex used to evaluate the rule.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论