Looking for clarification on current Threat Score thresholds and rule creation.
Is it possible that the cf.threat_score attribute of the rule is being ignored because it’s no longer in bounds, and that setting it to 100 would actually be more lenient than the currently set 120?
I have a rule for a specific customer:
If (http.host eq "sub.domain.com" and http.request.uri.path eq "/Content/SaveAttachments" and cf.threat_score le 120)
Then bypass WAF Managed Rules.
I have logs indicating that traffic is being blocked thusly:
Rule ID: OWASP Block (981176)
Rule message: Inbound Anomaly Score Exceeded (Total Score: 28, SQLi=0, XSS=20)
I try to change the rule thusly:
(http.host eq "sub.domain.com" and http.request.uri.path eq "/Content/SaveAttachments" and cf.threat_score le 240)
And get “Score must be 0 through 100”, which makes sense given the information here.
Perhaps the rule was created before the threshold was in place, or perhaps it’s shoddy input validation. Either way, I have no choice but to go apparently stricter with it…
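As an added example (my own code, not Cloudflare's rule engine or editor): a small parser and evaluator for the conjunction-only subset of rule expressions used in the post, with the 0 through 100 bound taken from the quoted editor error. It assumes observed cf.threat_score values stay within that bound, in which case the legacy "le 120" rule and a rewritten "le 100" rule bypass exactly the same set of requests.

```python
import re
from typing import Dict, List, Tuple, Union

# Bounds taken from the editor error quoted in the post ("Score must be 0 through 100").
THREAT_SCORE_MIN, THREAT_SCORE_MAX = 0, 100

# Assumed grammar: a parenthesised conjunction of "field op literal" clauses. This is a
# subset for illustration, not Cloudflare's full expression language.
COMPARISON_RE = re.compile(r'^([\w.]+)\s+(eq|ne|lt|le|gt|ge)\s+(?:"([^"]*)"|(\d+))$')
OPS = {
    "eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
    "lt": lambda a, b: a < b,  "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,  "ge": lambda a, b: a >= b,
}

# The rule from the post, and the same rule with the threshold capped at the editor's bound.
LEGACY_RULE = ('(http.host eq "sub.domain.com" and http.request.uri.path eq '
               '"/Content/SaveAttachments" and cf.threat_score le 120)')
CAPPED_RULE = LEGACY_RULE.replace("le 120", "le 100")

def parse_rule(expr: str) -> List[Tuple[str, str, Union[str, int]]]:
    """Split a conjunction into (field, op, literal) triples; rejects anything else."""
    body = expr.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    triples = []
    for clause in re.split(r'\s+and\s+', body.strip()):  # literals must not contain " and "
        m = COMPARISON_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        field, op, text, number = m.groups()
        triples.append((field, op, text if text is not None else int(number)))
    return triples

def validate_rule(expr: str) -> List[str]:
    """Return the problems an editor enforcing the 0..100 bound would flag (empty = accepted)."""
    problems = []
    for field, op, value in parse_rule(expr):
        if field == "cf.threat_score" and not (THREAT_SCORE_MIN <= value <= THREAT_SCORE_MAX):
            problems.append(f"{field} {op} {value}: score must be "
                            f"{THREAT_SCORE_MIN} through {THREAT_SCORE_MAX}")
    return problems

def rule_matches(expr: str, request: Dict[str, Union[str, int]]) -> bool:
    """Evaluate the rule against a request dict keyed by field name (constructed input)."""
    return all(OPS[op](request[field], value) for field, op, value in parse_rule(expr))

def matching_scores(expr: str) -> List[int]:
    """Threat scores within the bound for which a request to the post's host and path is bypassed."""
    base = {"http.host": "sub.domain.com", "http.request.uri.path": "/Content/SaveAttachments"}
    return [s for s in range(THREAT_SCORE_MIN, THREAT_SCORE_MAX + 1)
            if rule_matches(expr, {**base, "cf.threat_score": s})]
```

Comparing matching_scores(LEGACY_RULE) with matching_scores(CAPPED_RULE) shows the two thresholds select the same requests whenever scores stay within the bound; only validate_rule distinguishes them.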