My question is about the best handling of the false positive for the OWASP ModSecurity Core Rule Set:
Rule ID: OWASP Block (981176)
Rule message: Inbound Anomaly Score Exceeded
Rule group: OWASP Inbound Blocking
OWASP Score: 25
Action taken: Block
We have WAF enabled and we have Package: OWASP ModSecurity Core Rule Set On with High to Block.
We also have a firewall for the third-party partners, currently set to Allow.
Some of their requests trigger a false positive on the OWASP Block (981176).
I have looked at:
- https://support.cloudflare.com/hc/en-us/articles/200172016-Understanding-the-Cloudflare-Web-Application-Firewall-WAF-#B6O9QKf2vhGcHZZoaaJP3
- OWASP Block (981176)
From that I think my plan B would be to set the Firewall Rule to BYPASS, but …
My Plan C would be to lower the sensitivity of the OWASP ModSecurity Core Rule Set.
Plan A: It would be great if I could lower the sensitivity of the OWASP ModSecurity Core Rule Set for any requests that match the Firewall Rule. This way, for partners I still have OWASP on a lower level, and I have OWASP for the rest of the requests on the same level.
Does anyone know if it is possible?
Second part of the question: does anyone have a better suggestion on the desirability of plans A, B and C above? Perhaps I am misjudging the desirability of the approaches listed in OWASP Block (981176).