Need a bit of help digging into a problem:
I got some POST methods that were blocked due to XSS, HTML Injection (rule id 100173), and I was wondering whether there is any possibility (and if so, where) to find out what triggered that (more info), maybe some raw logs, because it seems that it could have been a false positive. At the moment I believe it could have been because of the EdgeResponseBytes size: whenever the size was 4999-5000, the WAF was dropping the request, while other traffic with a lower byte size is going through. Though, traffic with that big an EdgeResponseBytes size reached its destination a month ago. The traffic I'm talking about comes only from one entity (a few different IPs).
At the moment there's a WAF rule with an exception to allow traffic from those IPs, but it's bugging me not knowing why the rule fired in the first place…
Thanks in advance
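One way to test the "size triggers the block" hypothesis against an exported log, as an added example that is not part of the original post or of any Cloudflare tooling: group blocked events by rule ID and response-size bucket, then compare how many allowed events fall in the same size range. The NDJSON layout and the field names (ClientIP, Method, RequestURI, EdgeResponseBytes, RuleID, Action) are assumptions modelled on a generic request/firewall log export, and the sample records are constructed; adapt the keys to whatever your own export contains. One caveat the comparison makes visible: for a blocked request, the edge response is the block response rather than the origin's reply, so a constant EdgeResponseBytes on blocked events can be an effect of the block rather than its cause, which is why allowed events in the same range are counted too.

```python
"""Check a WAF false-positive hypothesis against exported log records.

Added example, not part of the original post or any vendor tooling.
Field names (ClientIP, Method, RequestURI, EdgeResponseBytes, RuleID, Action)
are ASSUMPTIONS modelled on a generic request/firewall log export.
"""
import json
from collections import Counter, defaultdict

# Constructed sample records (NDJSON, one event per line). All values are made up.
SAMPLE_LOG = """
{"ClientIP":"203.0.113.10","Method":"POST","RequestURI":"/api/submit","EdgeResponseBytes":4999,"RuleID":"100173","Action":"block"}
{"ClientIP":"203.0.113.11","Method":"POST","RequestURI":"/api/submit","EdgeResponseBytes":5000,"RuleID":"100173","Action":"block"}
{"ClientIP":"203.0.113.10","Method":"POST","RequestURI":"/api/submit","EdgeResponseBytes":1200,"RuleID":"","Action":"allow"}
{"ClientIP":"198.51.100.7","Method":"POST","RequestURI":"/api/submit","EdgeResponseBytes":4999,"RuleID":"","Action":"allow"}
{"ClientIP":"203.0.113.12","Method":"POST","RequestURI":"/api/submit","EdgeResponseBytes":5000,"RuleID":"100173","Action":"block"}
{"ClientIP":"203.0.113.10","Method":"GET","RequestURI":"/health","EdgeResponseBytes":64,"RuleID":"","Action":"allow"}
"""


def parse_events(ndjson: str) -> list[dict]:
    """Parse NDJSON into dicts, skipping blank or malformed lines."""
    events = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated export line should not abort the analysis
    return events


def size_bucket(n: int, width: int = 1000) -> str:
    """Label the fixed-width byte bucket that n falls into, e.g. '4000-4999'."""
    lo = (n // width) * width
    return f"{lo}-{lo + width - 1}"


def blocks_by_rule_and_size(events: list[dict], width: int = 1000) -> dict:
    """Count blocked events per RuleID and per EdgeResponseBytes bucket."""
    table = defaultdict(Counter)
    for e in events:
        if e.get("Action") != "block":
            continue
        bucket = size_bucket(int(e.get("EdgeResponseBytes", 0)), width)
        table[e.get("RuleID", "")][bucket] += 1
    return {rule: dict(counts) for rule, counts in table.items()}


def hypothesis_ratio(events: list[dict], rule_id: str, lo: int, hi: int) -> dict:
    """Fraction of rule_id's blocks with EdgeResponseBytes in [lo, hi], plus the
    number of *allowed* events in the same range. A ratio near 1.0 alongside
    allowed events in range suggests the size is a symptom of the block
    (the block response has a fixed size), not the trigger."""
    blocked = [e for e in events
               if e.get("Action") == "block" and e.get("RuleID") == rule_id]
    blocked_in_range = [e for e in blocked
                        if lo <= int(e.get("EdgeResponseBytes", 0)) <= hi]
    allowed_in_range = [e for e in events if e.get("Action") == "allow"
                        and lo <= int(e.get("EdgeResponseBytes", 0)) <= hi]
    ratio = len(blocked_in_range) / len(blocked) if blocked else 0.0
    return {
        "blocked": len(blocked),
        "blocked_in_range": len(blocked_in_range),
        "ratio": ratio,
        "allowed_in_range": len(allowed_in_range),
        "blocked_ips": sorted({e["ClientIP"] for e in blocked}),
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(json.dumps(blocks_by_rule_and_size(evs), indent=2))
    print(json.dumps(hypothesis_ratio(evs, "100173", 4999, 5000), indent=2))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; the per-IP list in the result is what you would compare against the IPs currently covered by the allow exception.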