How can I detect false positives caused by AWS Managed Rules and add them to a safe list?

Last updated: 2020-06-11

Legitimate requests to my application are blocked by AWS Managed Rules (AMRs) in AWS WAF. How can I detect false positives caused by AMRs and add them to a safe list?

Resolution

Detect false positives caused by AMRs

  • Use curl. Be sure to replace [false positive] with your false positive. The response is a "403 Forbidden" error.
    $ curl -ikv http://example.com/[false positive]
  • Use your web browser. For example, if you're checking for a false positive of "style==xxx" on your "example.com" domain, enter "example.com/style==xxx" in your web browser. The response is a "403 Forbidden" error.
  • View your sampled requests in AWS WAF. Or, use the get-sampled-requests command to receive a list of sampled requests. Check for your false positive in the list of sampled requests. Be sure that the Action is Block.
  • Check your AWS WAF logs to confirm the "terminatingRuleId". For more details, check the "terminatingRuleMatchDetails" section of the log.
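The log check above can be scripted. The following is an added example (not part of this article) that reads AWS WAF log records, keeps only requests blocked by a managed rule group, and reports the rule group, the rule inside it that fired, and the "terminatingRuleMatchDetails" tokens. The log lines are constructed samples, and the rule and group names in them are assumptions for illustration.

```python
import json
from collections import Counter

# Constructed sample AWS WAF log records (not real traffic): one block by a managed
# rule group, one block by a custom rule, one allowed request. Field names follow
# the AWS WAF log format; rule and group names are assumed for illustration.
SAMPLE_LOG_LINES = [
    json.dumps({"action": "BLOCK", "terminatingRuleType": "MANAGED_RULE_GROUP",
                "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
                "terminatingRuleMatchDetails": [{"conditionType": "XSS",
                    "location": "QUERY_STRING", "matchedData": ["style", "=="]}],
                "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                    "terminatingRule": {"ruleId": "CrossSiteScripting_QUERYARGUMENTS", "action": "BLOCK"}}],
                "httpRequest": {"clientIp": "198.51.100.7", "uri": "/search",
                                "args": "style==xxx"}}),
    json.dumps({"action": "BLOCK", "terminatingRuleType": "REGULAR",
                "terminatingRuleId": "block-bad-agents", "ruleGroupList": [],
                "httpRequest": {"clientIp": "203.0.113.9", "uri": "/", "args": ""}}),
    json.dumps({"action": "ALLOW", "terminatingRuleType": "REGULAR",
                "terminatingRuleId": "Default_Action", "ruleGroupList": [],
                "httpRequest": {"clientIp": "192.0.2.4", "uri": "/search", "args": "q=shoes"}}),
]

def managed_rule_blocks(lines):
    """Summarise requests blocked by a managed rule group (AMR). terminatingRuleId is
    the group as named in the web ACL; ruleGroupList[].terminatingRule.ruleId is the
    rule inside it that fired, i.e. the name to override or write an exclusion for."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("action") != "BLOCK" or rec.get("terminatingRuleType") != "MANAGED_RULE_GROUP":
            continue
        fired = [g["terminatingRule"]["ruleId"] for g in rec.get("ruleGroupList", [])
                 if (g.get("terminatingRule") or {}).get("action") == "BLOCK"]
        req = rec.get("httpRequest", {})
        hits.append({
            "client_ip": req.get("clientIp"),
            "request": req.get("uri", "") + ("?" + req["args"] if req.get("args") else ""),
            "rule_group": rec.get("terminatingRuleId"),
            "rule": fired[0] if fired else None,
            # matchedData lists the tokens that tripped the SQLi/XSS detector
            "matches": [(m.get("conditionType"), m.get("location"), m.get("matchedData"))
                        for m in rec.get("terminatingRuleMatchDetails", [])],
        })
    return hits

def blocks_per_rule(lines):
    """Count AMR blocks by (rule group, rule): the candidates to review as false positives."""
    return Counter((h["rule_group"], h["rule"]) for h in managed_rule_blocks(lines))
```

Run blocks_per_rule over a day of logs to see which AMR rule blocks your legitimate traffic most often before you override it.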

Add false positives caused by AMRs to your safe list

You can use either of two methods to add false positives to your safe list:

  • Use Override rules action
  • Create another, higher priority rule

To use the "Override rules action" to allow legitimate traffic requests, follow these steps:

  1. Open the AWS WAF console.
  2. Select your web access control list (web ACL).
  3. Choose the Rules tab.
  4. Select the AMR rule group that's preventing your legitimate requests.
  5. Choose Edit.
  6. In the list of rules in the AMR rule group, find the rule that you've identified as your false positive. Then, choose Override rules action.
  7. Choose Save rule.

To create another rule (known as an "exclusion rule") with a higher priority than the AMR that's triggering the false positive, follow these steps:

  1. Open the AWS WAF console.
  2. Select your web access control list (web ACL).
  3. Choose the Rules tab.
  4. Choose Add rules, and then choose Add my own rules and rule groups.
  5. Create a rule to allow your false positive by populating the appropriate fields.
  6. Choose Save rule.
  7. Set the rule priority so that the new rule is a higher priority than the AMR that's triggering the false positive. Then, choose Save.

The traffic request is now allowed by your new exclusion rule. You can confirm this by checking your sampled requests or your AWS WAF logs. For steps on how to check these requests, see steps 3 and 4 in "Detect false positives caused by AMRs."

Note: It's a best practice to test your exclusion rules in your Dev environment to be sure that they're working as expected before you implement them in your production environment.
