Firewall event with unknown rule_id 960015

Using the API, I see a firewall event that matches the following rule:

{
  "rule_id": "960015",
  "source": "waf",
  "action": "log",
  "metadata": {
    "group": "owasp_protocol_anomalies"
  }
}
  1. The rule_id 960015 doesn’t exist in the “OWASP Protocol Anomalies” group. Where can I find more information about this rule?
  2. The action is set to “log.” However, I’m not on the enterprise plan and I set all OWASP events to “block.” Is this due to some internal Cloudflare testing?


I’m drawing a big blank on that one as well. Even from Advanced Mode that lists all rules.

DDG (I wish the Duck people used a shorter name) search turns up: “Request Missing an Accept Header”

It’s sure strange that it triggers a rule that’s not listed. Maybe Support can explain this.

Log in to Cloudflare and then contact Cloudflare Support by clicking on the Get More Help button.

Hi, engineer on the WAF team here.

  1. @sdayman is correct, that rule checks if the request is Missing an Accept Header. It should be appearing in the dashboard, I’ve opened a ticket to address that.
  2. For OWASP, you can enable/disable individual rules or groups and then set the action that should be taken if the chosen threshold is reached. The rule being in log means it matched and added to the total score.
1 Like
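
A small model of the score-then-threshold behaviour described in the WAF engineer's reply, added here as an illustration and not Cloudflare's code. Only rule 960015 and the event fields come from the thread; the scores, the threshold of 5, and the two EXAMPLE-* rules are constructed assumptions.

```python
# Illustrative anomaly-scoring model. Scores, threshold and the EXAMPLE-*
# rules are constructed for this sketch; they are not Cloudflare's values.
RULES = [
    # (rule_id, description, score, predicate over lower-cased headers)
    ("960015", "Request Missing an Accept Header", 2,
     lambda h: "accept" not in h),
    ("EXAMPLE-1", "placeholder: missing User-Agent header", 2,
     lambda h: "user-agent" not in h),
    ("EXAMPLE-2", "placeholder: empty or missing Host header", 3,
     lambda h: not h.get("host")),
]


def evaluate(headers, threshold=5, threshold_action="block"):
    """Score one request. Each matching rule emits a 'log' event and adds
    to the total; the configured action applies only at the threshold."""
    h = {k.lower(): v for k, v in headers.items()}
    events, total = [], 0
    for rule_id, _desc, score, matches in RULES:
        if matches(h):
            total += score
            events.append({
                "rule_id": rule_id,
                "source": "waf",
                "action": "log",  # individual rules only log and score
                "metadata": {"group": "owasp_protocol_anomalies"},
            })
    decision = threshold_action if total >= threshold else "allow"
    return {"score": total, "decision": decision, "events": events}


# Constructed sample requests.
ONLY_ACCEPT_MISSING = {"Host": "example.com", "User-Agent": "curl/8.0"}
SEVERAL_ANOMALIES = {"Host": ""}

if __name__ == "__main__":
    for name, req in [("only Accept missing", ONLY_ACCEPT_MISSING),
                      ("several anomalies", SEVERAL_ANOMALIES)]:
        r = evaluate(req)
        ids = [e["rule_id"] for e in r["events"]]
        print(f"{name}: score={r['score']} decision={r['decision']} rules={ids}")
```

A request that trips only 960015 produces the "log" event from the question while staying under the threshold; the configured "block" applies only once the summed score reaches it.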
