Serious issues with new WAF OWASP after migration

After migrating to Cloudflare's new WAF, we have had constant issues with the OWASP core rule set. The main problem is that skipped rules count toward the OWASP anomaly score.

I have opened a ticket with support, but after two weeks this issue is still ongoing. I have been offered two options:

  1. Add WAF Exception
    You can define WAF exceptions in the Cloudflare dashboard or using the Rulesets API.
  2. If the rule blocking is 949110 (new OWASP), it means it was blocked by the OWASP rules. You need then to decrease the OWASP Anomaly Score Threshold or lower the OWASP Paranoia Level.

Option one is exactly what we want and tried to do, but it seems that it does not work. We have also been offered to skip rule “949110: Inbound Anomaly Score Exceeded”, but if I understood correctly, that would disable anomaly score calculation altogether. This is not something we want. Our goal is to disable/skip certain OWASP rules that are triggered (false positives) to keep the OWASP score under our threshold.

Currently the only thing that is working is to bypass ALL OWASP rules, but that is not something we want to do for all requests.

This is a serious issue, but support is not understanding the problem (or I am missing something) or able to solve it. The last email from support was last Monday.

I really think there is an issue/bug with the WAF, as we already found one related to the migration:
“I can see the previous version of the managed rules are still being triggered even though you have updated to the newest version, so I recommend that you create a custom firewall rule where you skip managed rules (previous version) on hostname contains domain.com”
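To make the scoring problem described in this post concrete, here is a small added model of OWASP CRS anomaly scoring (constructed for illustration, not Cloudflare's or the CRS's actual code): each matched rule adds its severity score, and the request is blocked once the total reaches the threshold. The `skipped_still_count` flag, the sample rule matches and the threshold of 5 are assumptions chosen to show why a skip that is still counted leaves the request blocked while a real exclusion lets it through.

```python
# Simplified model of OWASP CRS anomaly scoring (constructed for this example;
# not Cloudflare's implementation). CRS assigns a score per rule severity.
CRS_SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

# Constructed sample: rules that matched on one request, with their severity.
# 942100 plays the role of the false positive the operator wants to exclude.
SAMPLE_MATCHES = [
    ("942100", "CRITICAL"),  # hypothetical false positive
    ("920270", "WARNING"),   # hypothetical genuine, low-severity match
]

# Assumed inbound anomaly threshold for this example.
THRESHOLD = 5


def anomaly_score(matches, excluded=frozenset(), skipped_still_count=False):
    """Sum the severity scores of matched rules.

    excluded: rule IDs covered by a WAF exception (should not be counted).
    skipped_still_count: models the reported bug where a skipped rule's
    score is still added to the total.
    """
    total = 0
    for rule_id, severity in matches:
        if rule_id in excluded and not skipped_still_count:
            continue  # a working exception removes the rule from the score
        total += CRS_SEVERITY_SCORE[severity]
    return total


def is_blocked(matches, threshold=THRESHOLD, excluded=frozenset(),
               skipped_still_count=False):
    """True when the request would trip rule 949110 (score >= threshold)."""
    return anomaly_score(matches, excluded, skipped_still_count) >= threshold


if __name__ == "__main__":
    fp = frozenset({"942100"})
    print("no exception   :", is_blocked(SAMPLE_MATCHES))
    print("working skip   :", is_blocked(SAMPLE_MATCHES, excluded=fp))
    print("skip still counted:",
          is_blocked(SAMPLE_MATCHES, excluded=fp, skipped_still_count=True))
```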

I finally got another person from support who understood the problem.

There indeed is some sort of bug/issue with the WAF migration, and OWASP rule skipping does not work.
