WAF Rule based on Threat Score

Looking for clarification on current Threat Score thresholds and rule creation.

Is it possible that the cf.threat_score attribute of the rule is being ignored because it’s no longer in bounds, and that setting it to 100 would actually be more lenient than the currently set 120?

I have a rule for a specific customer:

If (http.host eq "sub.domain.com" and http.request.uri.path eq "/Content/SaveAttachments" and cf.threat_score le 120)
Then bypass WAF Managed Rules.

I have logs indicating that traffic is being blocked thusly:

Rule ID: OWASP Block (981176)
Rule message: Inbound Anomaly Score Exceeded (Total Score: 28, SQLi=0, XSS=20)

I try to change the rule thusly:

(http.host eq "sub.domain.com" and http.request.uri.path eq "/Content/SaveAttachments" and cf.threat_score le 240)

And get “Score must be 0 through 100”, which makes sense given the information here.

Perhaps the rule was created before the threshold was in place, or perhaps it’s shoddy input validation. Either way, I have no choice but to go apparently stricter with it…
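Added illustration, not part of the original post and not Cloudflare's own code: a small Python evaluator for the flat subset of the rule language used in the post (three fields, the six comparison operators, a single "and" chain, straight double quotes). It lints cf.threat_score literals against the 0 through 100 bound the editor enforces, and then compares the "le 120" rule with its "le 100" replacement over every score the field can actually take. Because cf.threat_score never exceeds 100, the two rules make identical decisions, so lowering the literal to 100 is not stricter in practice. Note that the anomaly score in the log excerpt (Total Score: 28) is the managed ruleset's own score, a different quantity from cf.threat_score. The Request dataclass and the parser are assumptions made for this example.

```python
import operator
import re
from dataclasses import dataclass

# Cloudflare rejects literals outside this range for cf.threat_score ("Score must be 0 through 100").
THREAT_SCORE_MIN, THREAT_SCORE_MAX = 0, 100


@dataclass
class Request:
    """Constructed stand-in for the request fields the rule reads; not real traffic."""
    host: str
    path: str
    threat_score: int  # cf.threat_score as Cloudflare presents it: always within 0..100


# Only the three fields and six comparison operators needed for the rule above (a deliberate subset).
FIELDS = {
    "http.host": lambda r: r.host,
    "http.request.uri.path": lambda r: r.path,
    "cf.threat_score": lambda r: r.threat_score,
}
OPS = {"eq": operator.eq, "ne": operator.ne, "lt": operator.lt,
       "le": operator.le, "gt": operator.gt, "ge": operator.ge}

_COND = re.compile(r'^\s*(?P<field>[a-z_.]+)\s+(?P<op>eq|ne|lt|le|gt|ge)\s+(?P<val>"[^"]*"|\d+)\s*$')


def parse_rule(expr):
    """Parse '(f1 eq "x" and f2 le 5)' into [(field, op, value), ...].

    Simplification (assumption): only a flat conjunction joined by 'and', with
    straight double quotes around string literals, is accepted.
    """
    body = expr.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    conds = []
    for part in body.split(" and "):
        m = _COND.match(part)
        if not m:
            raise ValueError(f"unparseable condition: {part!r}")
        field, op, raw = m.group("field", "op", "val")
        if field not in FIELDS:
            raise ValueError(f"unknown field: {field}")
        value = raw[1:-1] if raw.startswith('"') else int(raw)
        conds.append((field, op, value))
    return conds


def lint_threat_score(conds):
    """Return warnings for cf.threat_score literals the Cloudflare editor would reject."""
    return [f"cf.threat_score {op} {v}: literal outside {THREAT_SCORE_MIN}..{THREAT_SCORE_MAX}"
            for field, op, v in conds
            if field == "cf.threat_score" and not THREAT_SCORE_MIN <= v <= THREAT_SCORE_MAX]


def matches(conds, req):
    """True when every condition holds for the request (the rule's action would fire)."""
    return all(OPS[op](FIELDS[field](req), value) for field, op, value in conds)


def same_decisions(rule_a, rule_b, host, path):
    """Compare two rules over every score the field can emit (0..100) for a fixed host and path."""
    a, b = parse_rule(rule_a), parse_rule(rule_b)
    return all(matches(a, Request(host, path, s)) == matches(b, Request(host, path, s))
               for s in range(THREAT_SCORE_MIN, THREAT_SCORE_MAX + 1))


if __name__ == "__main__":
    rule_120 = ('(http.host eq "sub.domain.com" and http.request.uri.path eq "/Content/SaveAttachments" '
                'and cf.threat_score le 120)')
    rule_100 = rule_120.replace("le 120", "le 100")
    for w in lint_threat_score(parse_rule(rule_120)):
        print("warning:", w)
    print("le 120 and le 100 decide identically:",
          same_decisions(rule_120, rule_100, "sub.domain.com", "/Content/SaveAttachments"))
```

Running the block prints one lint warning for the 120 literal and reports that the two rules decide identically; swapping in "le 50" for the second rule makes same_decisions return False, which is the case where a change really would be stricter.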
