OWASP Inbound Anomaly Score Exceeded

Hello,

We have a file upload page. Which triggers some false positives when uploading excel files eventually getting blocked. Until we fix it within our code I tried to create a page rule with below settings but still having the error.

Can you guys help ?

Below is the event Json

{
  "action": "block",
  "clientASNDescription": "ASTURKNET",
  "clientAsn": "12735",
  "clientCountryName": "TR",
  "clientIP": "x",
  "clientRequestHTTPHost": "portal.example.com",
  "clientRequestHTTPMethodName": "POST",
  "clientRequestHTTPProtocol": "HTTP/3",
  "clientRequestPath": "/UploadFile/ExcelImport",
  "clientRequestQuery": "?type=1",
  "datetime": "2023-05-10T16:57:43Z",
  "rayName": "7c53b90d8c3192d7",
  "ruleId": "6179ae15870a4bb7b2d480d4843b323c",
  "rulesetId": "4814384a9e5d4991b9815dcfc25d2f1f",
  "source": "firewallManaged",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.35",
  "matchIndex": 0,
  "metadata": [
    {
      "key": "ruleset_version",
      "value": "83"
    },
    {
      "key": "version",
      "value": "82"
    },
    {
      "key": "type",
      "value": "customer"
    },
    {
      "key": "score_total",
      "value": "60"
    },
    {
      "key": "score_rules",
      "value": "[\"3500d96add324dcbbc0a93b2bd22c723\",\"a882bfdf91b3440b83020de61d8cf992\",\"753c98e3a15f4a389ea0b196c91b7247\",\"d57dfc4bce7349179de0c65e354c65f9\",\"9ceb9ca06e344c4e9a2c0e9158cc3667\",\"c4926d96b87647329947ec2ccbc01671\",\"a2e88d6e0e604f05b9e660567fbedd30\",\"f2db062052cf453fbe9e93f058ecf7e7\",\"6afe6795ee6a48d6a1dfe59255395a78\",\"293e73c033b34a2290481c4718a93bb2\",\"5a6f5a57cde8428ab0668ce17cdec0c8\",\"d12ad6d1bc0c42b3affe0cee682bb405\"]"
    }
  ],
  "sampleInterval": 1
}

Hello!

For OWASP Inbound Anomaly Score Exceeded you may want to use an Exception instead.

Hello,
I was able to create an exception from managed rules within WAF and it works as intended.
Thanks

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.