
Q&A: WAF Policy False Positives: Definition, Examples, What to Do

Question

What is a False Positive?

An overly aggressive WAF policy can generate a lot of false positives.

False positives are violations triggered by legitimate traffic. An essential part of tuning a WAF policy is driving the false-positive count as low as possible, so that the violations that remain can be trusted to stem from malicious requests or from real weaknesses in the application.

Examples of False Positives

Example Violation:  Attack Signature

200012012 - DOS "Range Header DoS Attempt" (Headers) (2)
- buffer: Range: bytes=220160-224767, 228352-229375, 229376-232959, 238080-242687, 246272-250879, 254976-259583, 262656-267263, 270848-27

Example Silverline Response:

This signature fires when the Range header requests many byte ranges in a single request. Overlapping or excessive ranges can force the server to do far more work than the size of the response justifies, which is a denial-of-service technique. However, download managers and media players legitimately issue multi-range requests like the one above (ascending, non-overlapping ranges), so check the client and the range pattern before treating the alert as an attack.

 

Example Violation: Illegal Status Code

alerted: 100.36.xxx.xx - Code: 500

- buffer: 500 response code

Example Silverline Response:

Often, 4xx and 5xx responses leak server or application details in their bodies (stack traces, framework versions, file paths). If the application has proper error handling configured, so that its error pages carry no such details, the 4xx/5xx response codes it legitimately returns can be allowed in the WAF policy.

 

Example Violation(s): Illegal Method

alerted: 1.xx.xxx.xxx -Method: CONNECT

alerted: 111.xxx.xxx.xxx - Method: PROPFIND

alerted: 163.xxx.xx.xx - Method: Options

Example Silverline Response:

By default, the WAF policy allows only the GET, POST and HEAD methods. Please let us know if any other HTTP method should be allowed. Note that OPTIONS is commonly needed for CORS preflight requests, whereas PROPFIND is a WebDAV method and CONNECT is used for proxy tunnelling; allow those only if the application actually uses them, since unsolicited requests with them usually come from scanners.

 

Example Violation: HTTP protocol compliance failed

alerted: 103.xxx.xxx.xxx - HTTP protocol compliance failed:Host header contains IP address - Code: 302

 - buffer: Host header with IP value: 107.xxx.xxx.xxx

Example Silverline Response:

This violation fires because the Host header contains an IP address rather than a fully qualified domain name (FQDN). RFC 2616 (and its successor RFC 7230) does permit an IP literal in the Host header, so this is a policy check rather than a protocol violation; browsers visiting a named site always send the FQDN, so requests carrying a bare IP usually come from scanners or direct-to-IP probes. Do you want to continue alerting on and eventually block these violations, or allow the request(s)?
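As an added illustration (this is not Silverline's own detection logic or code), the following Python script reproduces the reasoning behind the four violation types shown above and runs it over constructed alert records modelled on the examples. The allowed-status set, the MAX_RANGES threshold and the alert dictionary layout are assumptions made for this example.

```python
"""Triage helper for the four WAF violation types discussed above.
Added example, not Silverline code: it reproduces the logic behind each
check so you can see why a request did or did not deserve the alert."""
import ipaddress
import re

# ALLOWED_METHODS is the policy default from the article; ALLOWED_STATUS and
# MAX_RANGES are assumptions for this example, not Silverline settings.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
ALLOWED_STATUS = {200, 204, 301, 302, 304, 404}
MAX_RANGES = 10


def parse_byte_ranges(range_header):
    """Parse 'bytes=a-b, c-d, ...' into [(a, b), ...], None for an open end.
    Returns None when the header is not a byte-range set."""
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+)", range_header)
    if not m:
        return None
    ranges = []
    for spec in m.group(1).split(","):
        lo, sep, hi = spec.strip().partition("-")
        lo, hi = lo.strip(), hi.strip()
        if not sep or not (lo.isdigit() or hi.isdigit()):
            return None  # malformed range-spec
        ranges.append((int(lo) if lo else None, int(hi) if hi else None))
    return ranges


def classify_range(range_header):
    """Separate a download-manager style multi-range request (ascending,
    non-overlapping) from the overlapping or excessive ranges used to
    exhaust server resources."""
    ranges = parse_byte_ranges(range_header)
    if ranges is None:
        return "malformed"
    if len(ranges) > MAX_RANGES:
        return "attack: too many ranges"
    prev_end = -1
    for lo, hi in ranges:
        if lo is None:  # suffix range such as "-500" cannot be ordered
            return "benign" if len(ranges) == 1 else "suspicious: suffix range in multi-range set"
        if hi is not None and hi < lo:
            return "malformed"
        if lo <= prev_end:
            return "attack: overlapping or non-ascending ranges"
        prev_end = hi if hi is not None else float("inf")
    return "benign"


def host_is_ip(host_header):
    """True when the Host header carries an IP literal rather than a name."""
    host = host_header.strip()
    if host.startswith("["):  # [IPv6]:port form
        end = host.find("]")
        if end < 0:
            return False
        host = host[1:end]
    elif host.count(":") == 1:  # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(alert):
    """alert: dict with 'type' plus the field the check needs; returns a verdict."""
    t = alert["type"]
    if t == "Range Header DoS Attempt":
        verdict = classify_range(alert["range"])
        return "false positive (multi-range client)" if verdict == "benign" else verdict
    if t == "Illegal Status Code":
        code = alert["code"]
        return "expected by app" if code in ALLOWED_STATUS else f"review: {code} may leak error details"
    if t == "Illegal Method":
        method = alert["method"].upper()
        return "allowed" if method in ALLOWED_METHODS else f"ask app owner whether {method} is needed"
    if t == "HTTP protocol compliance failed":
        if host_is_ip(alert["host"]):
            return "host is IP literal: likely scanner or direct-to-IP probe"
        return "host is FQDN: compliance check should not fire"
    return "unknown violation type"


# Constructed sample alerts modelled on the article's examples (not real logs).
SAMPLE_ALERTS = [
    {"type": "Range Header DoS Attempt",
     "range": "bytes=220160-224767, 228352-229375, 229376-232959, 238080-242687"},
    {"type": "Range Header DoS Attempt", "range": "bytes=0-, 1-, 2-, 3-"},
    {"type": "Illegal Status Code", "code": 500},
    {"type": "Illegal Method", "method": "PROPFIND"},
    {"type": "HTTP protocol compliance failed", "host": "107.0.2.1"},
]


def run():
    return [triage(a) for a in SAMPLE_ALERTS]


if __name__ == "__main__":
    for alert, verdict in zip(SAMPLE_ALERTS, run()):
        print(f"{alert['type']:32} -> {verdict}")
```

The first Range sample (ascending, non-overlapping, four ranges) comes back as a false positive, while the second (every range starting inside the previous open-ended one) is flagged as an attack; the remaining three verdicts match the questions the SOC responses above ask the application owner.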

 

Environment

  • Silverline WAF

 

Answer

What to do when you find False Positives?

First, check for common causes on the customer side:

  • Check if the application was recently updated.
  • Ask if any of your admins requested any other changes to the WAF policy.

Then, alert the SOC:

  • Open a support ticket with the following information:
    • any recent changes in the application,
    • Client IP address or Support ID of Violation,
    • timestamp of the blocked activity
  • Or, send a WAF Assessment to the SOC via the Portal.
