![]() "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet", "webaclId": "arn:aws:wafv2:ap-northeast-1:XXXXXXXXXXXX:regional/webacl/XXXXXXXXXXXX/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", ![]() In this case, we can read from the WAF log that "NoUserAgent_HEADER" was detected. ![]() The detected rule name is listed in "terminatingrule." Step 1: Identify the rule name from the WAF log. We will check the detection history, assuming that the WAF logs are being output to S3. Next, let's follow the steps to identify the detected rule names and set them to COUNT mode. Now, we assumed that the bellow accesses is blocked by AWS WAF.Ĥ03 forbidden Configuring Exceptions for Rule Groups Please turn the managed rule and the rule to be BLOCK mode. We pickuped the rule "NoUserAgent_HEADER" to demonstrate changing the mode. This time, we will use AWS-ManagedRulesCommonRuleSet as a sample, which is the ruleset published by AWS. Here’s an illustration of how that works: It is possible to change the specific rules to COUNT mode in a rule group where false positives have occurred.īy changing only the relevant rules to COUNT, we can minimize the defense capability loss rather than make the rule group to COUNT mode. Handling False Positives Using the Rule Group Exception Feature ![]() New feature: "Rule Group Exceptions" released to control individual rules in AWS WAF managed rules. When a false positive occurs, you can exclude a specific rule from the rule group.Įxcluding a specific rule does not mean deleting the rule, but changing the action of the rule to COUNT mode. In this article, we will show you how to set exceptions for individual rules from a rule group.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |