I have a single domain on the $20/month plan.
With 1 WAF custom rule to block non-us spammers (which works REALLY well).
I have 3 Managed Rules enabled - my issue is with Cloudflare OWASP Core Ruleset.
Today I changed ISP on my home internet (had been on Verizon, never saw this issue; changed to Spectrum).
Upon going to my domain, I get a message “You are blocked”.
When I checked security events, I see my IP is blocked because of a high score in this ruleset.
I was just going to my domain - no query string.
Yet it found 10 things that looked odd enough to raise my score enough to block.
I don’t get it - where is all this stuff coming from if I’m on Chrome and only typed in the domain name?
I’ve got to start registration for an event in a few weeks and I can’t have people getting blocked just going to the public facing front page on a WordPress site? Geez!
- 920274: Invalid character in request headers (outside of very strict set); …7f4d7e64; Cloudflare OWASP Core Ruleset Score (+5)
- 942200: Detects MySQL comment-/space-obfuscated injections and backtick termination; …58ecf7e7; Cloudflare OWASP Core Ruleset Score (+5)
- 942260: Detects basic SQL authentication bypass attempts 2/3; …55395a78; Cloudflare OWASP Core Ruleset Score (+5)
- 942330: Detects classic SQL injection probings 1/3; …18a93bb2; Cloudflare OWASP Core Ruleset Score (+5)
- 942340: Detects basic SQL authentication bypass attempts 3/3; …feb8fadb; Cloudflare OWASP Core Ruleset Score (+5)
- 942370: Detects classic SQL injection probings 2/3; …7cdec0c8; Cloudflare OWASP Core Ruleset Score (+5)
- 942440: SQL Comment Sequence Detected; …682bb405; Cloudflare OWASP Core Ruleset Score (+5)
- 942490: Detects classic SQL injection probings 3/3; …3eb29c4e; Cloudflare OWASP Core Ruleset Score (+5)
- 942420: Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8); …4b629ea8; Cloudflare OWASP Core Ruleset Score (+3)
- 942421: Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3); …b00a383d; Cloudflare OWASP Core Ruleset Score (+3)
```json
{
  "action": "block",
  "clientASNDescription": "xxx-33363",
  "clientAsn": "xxx",
  "clientCountryName": "US",
  "clientIP": "xxx.209.23",
  "clientRequestHTTPHost": "xxx com",
  "clientRequestHTTPMethodName": "GET",
  "clientRequestHTTPProtocol": "HTTP/2",
  "clientRequestPath": "/",
  "clientRequestQuery": "",
  "datetime": "2023-04-22T16:48:36Z",
  "rayName": "7bbf5af49825334f",
  "ruleId": "6179ae15870a4bb7b2d480d4843b323c",
  "rulesetId": "4814384a9e5d4991b9815dcfc25d2f1f",
  "source": "firewallManaged",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
  "matchIndex": 0,
  "metadata": [
    {
      "key": "ruleset_version",
      "value": "83"
    },
    {
      "key": "version",
      "value": "82"
    },
    {
      "key": "type",
      "value": "customer"
    },
    {
      "key": "score_total",
      "value": "46"
    },
    {
      "key": "score_rules",
      "value": "[\"ac090cd641d742b3adba4ece7f4d7e64\",\"f2db062052cf453fbe9e93f058ecf7e7\",\"6afe6795ee6a48d6a1dfe59255395a78\",\"293e73c033b34a2290481c4718a93bb2\",\"f394c2277cba4406b408c9d1feb8fadb\",\"5a6f5a57cde8428ab0668ce17cdec0c8\",\"d12ad6d1bc0c42b3affe0cee682bb405\",\"2380cd409b604c2a9273042f3eb29c4e\",\"02a11d6fc5c74dbc911455294b629ea8\",\"04c20a9fe50742bbac9e480fb00a383d\"]"
    }
  ],
  "sampleInterval": 1
}
```
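Added example, not part of the original post and not Cloudflare code: a short Python triage script that joins the event's `score_rules` IDs to the rule list above and checks that the per-rule scores account for `score_total`. The names `LISTED`, `RULE_IDS`, `EVENT` and `explain_score` are assumptions made for this example; the IDs and scores are copied from the post.

```python
import json

# From the post's rule list: displayed ID suffix -> (CRS rule number, score).
LISTED = {
    "7f4d7e64": ("920274", 5), "58ecf7e7": ("942200", 5),
    "55395a78": ("942260", 5), "18a93bb2": ("942330", 5),
    "feb8fadb": ("942340", 5), "7cdec0c8": ("942370", 5),
    "682bb405": ("942440", 5), "3eb29c4e": ("942490", 5),
    "4b629ea8": ("942420", 3), "b00a383d": ("942421", 3),
}

# "score_rules" IDs and "score_total" copied from the event metadata in the post.
RULE_IDS = [
    "ac090cd641d742b3adba4ece7f4d7e64", "f2db062052cf453fbe9e93f058ecf7e7",
    "6afe6795ee6a48d6a1dfe59255395a78", "293e73c033b34a2290481c4718a93bb2",
    "f394c2277cba4406b408c9d1feb8fadb", "5a6f5a57cde8428ab0668ce17cdec0c8",
    "d12ad6d1bc0c42b3affe0cee682bb405", "2380cd409b604c2a9273042f3eb29c4e",
    "02a11d6fc5c74dbc911455294b629ea8", "04c20a9fe50742bbac9e480fb00a383d",
]
EVENT = json.dumps({"metadata": [
    {"key": "score_total", "value": "46"},
    {"key": "score_rules", "value": json.dumps(RULE_IDS)},
]})


def explain_score(event_json, listed):
    """Join the event's contributing rule IDs to the listed rules and total the score."""
    meta = {m["key"]: m["value"] for m in json.loads(event_json)["metadata"]}
    rule_ids = json.loads(meta["score_rules"])  # JSON array stored as a string
    families, unmatched, total = {}, [], 0
    for rid in rule_ids:
        hit = listed.get(rid[-8:])  # the list shows only the last 8 hex characters
        if hit is None:
            unmatched.append(rid)
            continue
        crs_rule, score = hit
        total += score
        # CRS numbering: 920xxx = protocol enforcement, 942xxx = SQL injection.
        families[crs_rule[:3]] = families.get(crs_rule[:3], 0) + score
    return {"reported": int(meta["score_total"]), "summed": total,
            "by_family": families, "unmatched": unmatched}


if __name__ == "__main__":
    print(explain_score(EVENT, LISTED))
```

On this event the ten listed rules account for the full score of 46, and 41 of those points come from 942xxx rules, two of which name cookies as the matched location.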