Q&A: WAF Policy False Positives: Definition, Examples, What to Do

Example Violation:  Attack Signature

200012012 - DOS "Range Header DoS Attempt" (Headers) (2)
- buffer: Range: bytes=220160-224767, 228352-229375, 229376-232959, 238080-242687, 246272-250879, 254976-259583, 262656-267263, 270848-27

Example Silverline Response:

This violation occurs when there are multiple bytes selected for the range HTTP header. This can be an attempt to DoS the application by potentially attempting to consume more resources. 

Example Violation: Illegal Status Code

alerted: 100.36.xxx.xx - Code: 500

- buffer: 500 response code

Example Silverline Response:

Often times, 4xx and 5xx response code errors can potentially leak server/code information. However, if proper error handling is configured, we can allow 4xx/5xx response code(s) into the WAF policy. 

Example Violation(s): Illegal Method

alerted: 1.xx.xxx.xxx -Method: CONNECT

alerted: 111.xxx.xxx.xxx - Method: PROPFIND

alerted: 163.xxx.xx.xx - Method: Options

Example Silverline Response:

By default, the WAF policy is configured to allow GET/POST/HEAD methods. Please let us know if any other HTTP methods should be allowed.

Example Violation: HTTP protocol compliance failed

alerted: 103.xxx.xxx.xxx - HTTP protocol compliance failed:Host header contains IP address - Code: 302

 - buffer: Host header with IP value: 107.xxx.xxx.xxx

Example Silverline Response:

This violation is due to the fact that the Host header contains an IP address rather than a FQDN (Domain name) as specified in RFC 2616 for HTTP. Do you want to continue alerting and eventually block these violations or allow the request(s)?