Default OWASP ruleset

Hello

I am looking at my OWASP ruleset, and there is so much in there. I was wondering if the default settings out of the box for Cloudflare Pro accounts are already set to the recommended settings?

Going through them all I have noticed many are set to disabled and not blocking anything. While attempting to look up each one via the ID, for example:

WP0015 Wordpress - XSS - CVE:CVE-2015-3440 Cloudflare WordPress Disable (this option is disabled). I have searched for it on Cloudflare and it brings me to a very confusing page. One of them in my chain of searches is

2020-04-27 · Cloudflare Web Application Firewall (WAF) docs

So, what I am trying to do is search each number, e.g. WP0015, to try and learn about each one, what it does, and if I should turn it on. However, many do say deprecated (is this because a new rule now supersedes it?)

There are quite a few turned off (disabled); some seem obvious to keep off. But many give me no or conflicting information in the Cloudflare help pages.

Where can I go on Cloudflare to look up each one correctly?

Another example. This one by default is actually turned off (disabled): Wordpress - DoS - XMLRPC

I'm pretty sure I have seen in many other places that an attack can happen on this. So I am thinking this should be turned on. However, I'm a little confused why this is turned off by default.


Hi!

It depends on whether you are on the old WAF version or not (https://support.cloudflare.com/hc/en-us/articles/5995821690637-Migrating-from-WAF-managed-rules-to-WAF-Managed-Rulesets).

If you already have the new version of the WAF, I can recommend that you follow the following developer documentation:

Take Care!

A WAF rule not being set to Block by default can be due to a few reasons:

  1. A newer version of WAF rule supersedes an old version of the rule.
  2. The particular WAF rule has a high number of false positives.
  3. Some WAF rules, if turned on, might affect normal business operations - for example some websites might use XMLRPC for legitimate use instead of launching an attack, thus it's not a good idea to apply a default action of Block for all customers.

So, it's up to the customers to assess and evaluate the risk of enabling WAF rules that are disabled by default. You may set it to Simulate (log) mode first and watch for firewall events; if you notice legitimate traffic is triggered and shows up in the firewall analytics, then you know that the WAF rule is not suitable for your website.

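One way to do the log-mode review the reply above describes, as an added example that is not from this thread or from Cloudflare: a small Python triage script over constructed firewall events that summarizes, per rule, who triggered it and on which paths, so you can judge whether moving the rule to Block would hit legitimate visitors. The event field names, the placeholder XML-RPC rule id and the 0.8 concentration threshold are assumptions; WP0015 is the id the question cites.

```python
from collections import Counter, defaultdict

# Constructed sample of firewall events, standing in for what a rule switched
# to Simulate/Log would produce. Field names (ruleId, action, clientIP,
# clientRequestPath) are assumed to follow Cloudflare's firewall event fields;
# the XML-RPC rule id is a placeholder, WP0015 is the id the question cites.
SAMPLE_EVENTS = (
    [{"ruleId": "WP_XMLRPC_DOS_PLACEHOLDER", "action": "log",
      "clientIP": "203.0.113.10", "clientRequestPath": "/xmlrpc.php"}] * 8
    + [{"ruleId": "WP_XMLRPC_DOS_PLACEHOLDER", "action": "log",
        "clientIP": "198.51.100.7", "clientRequestPath": "/xmlrpc.php"}]
    + [{"ruleId": "WP0015", "action": "log", "clientIP": ip,
        "clientRequestPath": path}
       for ip, path in [("192.0.2.1", "/?s=shoes"), ("192.0.2.2", "/blog/"),
                        ("192.0.2.3", "/?s=shoes"), ("192.0.2.4", "/contact/")]]
    # An event from a rule already in Block is not part of the log-mode review.
    + [{"ruleId": "OTHER_RULE", "action": "block",
        "clientIP": "192.0.2.9", "clientRequestPath": "/wp-login.php"}]
)


def summarize(events):
    """Group log-mode events by rule: total hits, distinct client IPs, which
    paths fired the rule, and the share of hits from the single busiest IP."""
    per_rule = defaultdict(list)
    for ev in events:
        if ev["action"] == "log":
            per_rule[ev["ruleId"]].append(ev)
    report = {}
    for rule_id, evs in per_rule.items():
        ips = Counter(ev["clientIP"] for ev in evs)
        paths = Counter(ev["clientRequestPath"] for ev in evs)
        report[rule_id] = {
            "hits": len(evs),
            "distinct_ips": len(ips),
            "paths": dict(paths),
            "top_ip_share": ips.most_common(1)[0][1] / len(evs),
        }
    return report


def verdict(stats, concentration=0.8):
    """Heuristic only: hits dominated by one source look like the attack the
    rule exists for; hits spread over many clients and ordinary paths are the
    legitimate traffic that argues against moving the rule to Block."""
    if stats["top_ip_share"] >= concentration:
        return "concentrated on one client: Block is unlikely to hurt real users"
    return "spread across clients: check these paths for legitimate use before Block"


if __name__ == "__main__":
    for rule_id, stats in summarize(SAMPLE_EVENTS).items():
        print(rule_id, stats, "->", verdict(stats))
```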
