How do I detect false positives caused by AWS Managed Rules, and then add the rules to a safe list?


Legitimate requests to my application are blocked by an AWS Managed Rules rule group in AWS WAF. I want to understand how these rules cause false positives, and then add the rules to a safe list.

Resolution

Detect false positive errors from managed rule groups

To detect false positive errors from managed rule groups, complete the following steps:

  1. Under terminatingRuleId in the AWS WAF log, find the rule in your managed rule group that blocks the legitimate request. For more details, see the terminatingRuleMatchDetails section of Log fields.

  2. Verify the part of the request parameter that's causing the false positive error. Use one of the following methods:
    curl
    Run a curl command on your endpoint:

    $ curl -ikv http://example-domain-name/example-false-positive

    Note: Replace example-domain-name with your domain name and example-false-positive with your false positive vector.
    Check whether you receive a 403 Forbidden error when you send the false positive vector.
    Web browser
    Enter your domain and the false positive vector in your web browser to check whether you receive a 403 Forbidden error. For example: http://example-domain-name/example-false-positive
    Postman
    Use the Postman tool to send a request to your endpoint. Use the rule and parameter that returns the false positive error.

  3. Determine the vector that's causing the false positive error. Then, create a custom condition rule that allows you to pass legitimate requests.

    For example, an internal team is making webpage changes. The requests contain scripts for the changes that cause the requests to be blocked by the ManagedRulesCommonRuleSet rule. You can use the parameters that uniquely identify the internal requests so that the managed rule doesn't inspect those requests. If the legitimate requests are sourced from specific IP addresses, then you must create an IP set to exclude the IP addresses from inspection.
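Step 1 reads terminatingRuleId and the rule match details out of the AWS WAF log. The following script, added here as an example and not part of this article or of any AWS tooling, parses JSON Lines log records into one finding per request that a managed rule group blocked, then ranks (rule, URI, client IP) triples so that a trusted source repeatedly blocked on the same path stands out for re-testing with curl. The sample records, IPs, URIs and labels are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample AWS WAF log records (JSON Lines). The field names follow the AWS WAF
# log format; the IPs, URIs, rule names and labels are made up for this example.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"action": "BLOCK", "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
     "terminatingRuleType": "MANAGED_RULE_GROUP",
     "httpRequest": {"clientIp": "203.0.113.10", "uri": "/admin/page-editor"},
     "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                        "terminatingRule": {"ruleId": "CrossSiteScripting_BODY", "action": "BLOCK",
                                            "ruleMatchDetails": [{"conditionType": "XSS", "location": "BODY",
                                                                  "matchedData": ["<script>"]}]}}],
     "labels": [{"name": "awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body"}]},
    {"action": "ALLOW", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
     "httpRequest": {"clientIp": "198.51.100.7", "uri": "/"}, "ruleGroupList": [], "labels": []},
])

def blocked_by_managed_rules(log_text):
    """One finding per request that a managed rule group blocked: the rule and what it matched."""
    findings = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec.get("action") != "BLOCK" or rec.get("terminatingRuleType") != "MANAGED_RULE_GROUP":
            continue
        # terminatingRuleId names the rule group as referenced in the web ACL; the individual
        # rule and its match details live under ruleGroupList[].terminatingRule.
        for grp in rec.get("ruleGroupList", []):
            rule = grp.get("terminatingRule") or {}
            if rule.get("action") != "BLOCK":
                continue
            req = rec.get("httpRequest", {})
            findings.append({
                "rule_group": grp.get("ruleGroupId"),
                "rule_id": rule.get("ruleId"),
                "client_ip": req.get("clientIp"),
                "uri": req.get("uri"),
                "matched": [(m.get("location"), m.get("matchedData", []))
                            for m in rule.get("ruleMatchDetails", [])],
                "labels": [lbl["name"] for lbl in rec.get("labels", [])],
            })
    return findings

def false_positive_candidates(findings):
    """Rank (rule, URI, client IP) by block count: one trusted source repeatedly blocked on
    the same path is what to re-test with curl and, if legitimate, add to the safe list."""
    counts = Counter((f["rule_id"], f["uri"], f["client_ip"]) for f in findings)
    return counts.most_common()
```

The "labels" value of each finding is the string you enter in Statement 1 of the label-based rule later in this article.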

Add false positives to your safe list

Configure the web access control list (web ACL) so that it doesn't inspect the legitimate requests against the rule group that's causing the false positive. You can then bypass the rule that blocked the request. To modify the managed rule group, add labels or use scope-down statements.

Note: A scope-down statement stops the rule group from inspecting out-of-scope requests against all of its rules. For a fine-grained exception to one explicit rule, it's a best practice to use labels.

Labels

Use labels added by AWS Managed Rules to prevent false positives. When you create custom rules that match requests with labels, you can change the default action of rules inside a managed rule group.

To use labels to prevent false positives, complete the following steps:

  1. Open the AWS WAF console, and then choose the correct AWS Region.
  2. In the navigation pane, choose IP sets.
  3. Create an IP set that contains legitimate IP addresses to exclude from an inspection by a rule group.
  4. Choose Web ACLs, and then choose your web ACL.
  5. Choose the Rules tab.
  6. Choose the rule group that contains the rule that causes the false positive error, and then choose Edit.
  7. Choose the rule that's causing the false positive error, and then set it to Count.
  8. Choose Save rule.
  9. Choose Add rule, and then choose Add my own rules and rule groups.
  10. Choose Rule Builder for the rule type.
  11. Enter a rule name, and then choose Regular rule as the type.
  12. Set the If a request drop-down to matches all the statements (AND).
  13. Select the following parameters for Statement 1:
    Set Inspect to Has a label.
    Set Match scope to Label.
    Enter the string that contains the label name for the rule that's causing the false positive error.
  14. Select the following parameters for Statement 2:
    Turn on the Negate statement results option.
    Set Inspect to Originates from an IP address in.
    Set IP set to the IP set that contains the legitimate IP addresses.
    Set IP address to use as the originating address to Source IP address.
  15. Set the Action to Block.
  16. Under Set rule priority, set the rule's priority so that the rule is evaluated after the managed rule group that adds the label.
  17. Choose Save.

Scope-down statement

Use a scope-down statement to narrow the scope of the requests that the rule or rule group evaluates. When you add a scope-down statement to a managed rule group, the rule group inspects only the requests that match the statement. Requests from the legitimate IP addresses that the statement excludes skip the rule group entirely.

To use a scope-down statement to prevent false positives, complete the following steps:

  1. Open the AWS WAF console, and then choose the correct Region.
  2. Choose IP sets.
  3. Create an IP set that contains legitimate IP addresses to exclude from inspections by a managed rule group.
  4. Choose Web ACLs, and then choose your web ACL.
  5. Choose the Rules tab.
  6. Choose the AWS Managed Rules entry that you want to add a scope-down statement to, and then choose Edit.
  7. Create the scope-down statement that excludes the IP set that you created. The following example shows what the statement might look like:
    If a request: doesn't match the statements (NOT)
    Inspect: originates from an IP address in
    IP set: example-IP-set
    IP addresses to use as the originating address: Source IP address
  8. Choose Save rule.
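The console steps in the Labels section and the Scope-down statement section correspond to AWS WAF (wafv2) rule JSON that you can also pass to aws wafv2 update-web-acl. The following Python, added here as an example and not AWS's code or part of this article, builds both forms: the label-matching custom rule that blocks labelled requests unless they come from the trusted IP set, and the managed rule group reference with a scope-down statement (and optionally one rule overridden to Count). It also checks the priority ordering, because AWS WAF evaluates rules from the lowest priority number up and a label exists only after the rule group that adds it has run. The IP set ARN and the label key are placeholders.

```python
import json

# Placeholder values: replace with your IP set's ARN and the label that the blocking managed
# rule adds (it appears under "labels" in the AWS WAF log record for the blocked request).
IP_SET_ARN = "arn:aws:wafv2:REGION:ACCOUNT_ID:regional/ipset/example-IP-set/IP_SET_ID"
FALSE_POSITIVE_LABEL = "awswaf:managed:aws:core-rule-set:EXAMPLE_RULE_LABEL"

def visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}

def not_from_ip_set(ip_set_arn):
    """NOT (originates from an IP address in <ip set>), judged on the source IP address."""
    return {"NotStatement": {"Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}}}}

def label_exception_rule(name, label, ip_set_arn, priority):
    """Labels section, steps 9-15: block requests that carry the managed rule's label unless
    they come from the trusted IP set. The managed rule itself is set to Count separately."""
    return {"Name": name, "Priority": priority,
            "Statement": {"AndStatement": {"Statements": [
                {"LabelMatchStatement": {"Scope": "LABEL", "Key": label}},
                not_from_ip_set(ip_set_arn)]}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility(name)}

def managed_rule_group_rule(name, vendor, group, priority, ip_set_arn=None, rule_to_count=None):
    """Managed rule group reference. ip_set_arn adds the scope-down statement (Scope-down
    section, step 7); rule_to_count overrides one rule to Count (Labels section, step 7)."""
    stmt = {"VendorName": vendor, "Name": group}
    if rule_to_count:
        stmt["RuleActionOverrides"] = [{"Name": rule_to_count, "ActionToUse": {"Count": {}}}]
    if ip_set_arn:
        stmt["ScopeDownStatement"] = not_from_ip_set(ip_set_arn)
    return {"Name": name, "Priority": priority, "Statement": {"ManagedRuleGroupStatement": stmt},
            "OverrideAction": {"None": {}}, "VisibilityConfig": visibility(name)}

def label_rules_run_after_groups(rules):
    """AWS WAF evaluates rules from the lowest Priority number up, and a label only exists
    after the rule group that adds it has run: every label-matching rule must therefore
    carry a higher Priority number than every managed rule group reference."""
    groups = [r["Priority"] for r in rules if "ManagedRuleGroupStatement" in r["Statement"]]
    label_rules = [r["Priority"] for r in rules
                   if "LabelMatchStatement" in json.dumps(r["Statement"])]
    return all(lp > gp for lp in label_rules for gp in groups)
```

Serialise the list of rules with json.dumps for the --rules argument of aws wafv2 update-web-acl, which replaces the web ACL's whole rule list, so include every existing rule.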
AWS OFFICIAL, updated 16 days ago