Unknown rules triggered from Managed OWASP Ruleset

Today I enabled Managed Rules for one of our websites. I put all Ruleset actions to “log” because I first wanted to check if there are no false negatives, in which there are it seems.

In the Events log I see this entry a lot:
Ruleset: Cloudflare OWASP Core Ruleset
Rule: 949110: Inbound Anomaly Score Exceeded

So, I thought, let’s disable this rule. Strangely, I cannot find this specific rule within the OWASP Core Ruleset when I click on “Browse rules” within the ruleset. There is no rule to be found with id 949110.

Does anyone have any advice on how to solve this?

Hi there,

Rule: 949110 is the OWASP score itself, below that you will and extensive report of what rules where triggered and the score each one added to the overall threshold score.

Take care.

I’m not sure what you say here. If I search inside the “Cloudflare OWASP Core Ruleset” for rules on F.E.:

• Inbound Anomaly Score Exceeded
• Score Exceeded

I also cannot find this rule. It seems to me “949110” is the ID, since it matches the other rule id formats.

Are you able to find this specific rule when you browse in the Cloudflare OWASP Core Ruleset?

Hi there,

When you check the event, please click Additional Logs

There you’ll see the actual ID of each rule and the score that contributed to the event.

Your score threshold setting can be changed going in Security → WAF → Managed rules → Cloudflare OWASP Core Ruleset on OWASP Anomaly Score Threshold.
Each time a score is higher than the threshold set there, the OWASP Action will be executed.

Take care.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.