Commit 570fc00

committed May 28, 2019
add exclusion list paragraph and screenshot
1 parent 82adaad commit 570fc00

2 files changed

+10
-6
lines changed

‎articles/application-gateway/waf-tshoot.md

Lines changed: 10 additions & 6 deletions
@@ -4,7 +4,7 @@ description: This article provides troubleshooting information for web applicati
44
services: application-gateway
55
author: vhorne
66
ms.service: application-gateway
7-
ms.date: 5/22/2019
7+
ms.date: 5/29/2019
88
ms.author: ant
99
ms.topic: conceptual
1010
---
@@ -87,7 +87,7 @@ The final two log entries show the request was blocked because the anomaly score
8787
"requestUri": "\/",
8888
"ruleSetType": "",
8989
"ruleSetVersion": "",
90-
"ruleId": "949110",
90+
"ruleId": "0",
9191
"message": "Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 8)",
9292
"action": "Blocked",
9393
"site": "Global",
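Review bot: The `ruleId` change from "949110" to "0" on line 90 is not covered by the commit message, which mentions only the exclusion list paragraph and screenshot. Either record the sample-log correction in the commit message or split it into its own commit, so the reason for the new value is traceable later.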
@@ -112,7 +112,7 @@ The final two log entries show the request was blocked because the anomaly score
112112
"requestUri": "\/",
113113
"ruleSetType": "",
114114
"ruleSetVersion": "",
115-
"ruleId": "980130",
115+
"ruleId": "0",
116116
"message": "Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack: SQL Tautology Detected.",
117117
"action": "Blocked",
118118
"site": "Global",
@@ -143,7 +143,11 @@ To make an informed decision about handling a false positive, it’s important t
143143

144144
One benefit of using an exclusion list is that only a specific part of a request is being disabled. However, this means that a specific exclusion is applicable to all traffic passing through your WAF because it is a global setting. For example, this could lead to an issue if *1=1* is a valid request in the body for a certain app, but not for others. Another benefit is that you can choose between body, headers, and cookies to be excluded if a certain condition is met, as opposed to excluding the whole request.
145145

146-
In this example, you’ll want to exclude the *request attribute name* that equals **text1**. This is apparent because you can see the attribute name in the firewall logs: **data: Matched Data: 1=1 found within ARGS:text1: 1=1**. The *attribute* is **text1**. You can also find this attribute name a few other ways, see [Finding request attribute names](#finding-request-attribute-names).
146+
Occasionally, there are cases where specific parameters get passed into the WAF in a manner that may not be intuitive. For example, there is a token that gets passed when authenticating using Azure Active Directory. This token, *__RequestVerificationToken*, usually get passed in as a Request Cookie. However, in some cases where cookies are disabled, this token is also passed as a request attribute or "arg". If this happens, you need to ensure that *__RequestVerificationToken* is added to the exclusion list as a **Request attribute name** as well.
147+
148+
![Exclusions](media/waf-tshoot/exclusion-list.png)
149+
150+
In this example, you want to exclude the **Request attribute name** that equals *text1*. This is apparent because you can see the attribute name in the firewall logs: **data: Matched Data: 1=1 found within ARGS:text1: 1=1**. The attribute is **text1**. You can also find this attribute name a few other ways, see [Finding request attribute names](#finding-request-attribute-names).
147151

148152
![WAF exclusion lists](media/waf-tshoot/waf-config.png)
149153

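Review bot: The added paragraph at line 146 tells readers to add *__RequestVerificationToken* to the exclusion list but does not restate that, per the unchanged paragraph at line 144, an exclusion is a global setting that applies to all traffic passing through the WAF. Say so here, so readers understand the token name is exempted for every app behind the gateway and not only the one that needs it. Also change "usually get passed" to "usually gets passed", and make the emphasis on text1 consistent in the rewritten line 150, which uses *text1* in one sentence and **text1** in the next. The new screenshot's alt text "Exclusions" is close to the existing "WAF exclusion lists" a few lines below; a more specific alt text would distinguish the two.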
@@ -237,7 +241,7 @@ In this example, you can see that you have four rules with the same TransactionI
237241
- "requestUri": "\/",
238242
- "ruleSetType": "",
239243
- "ruleSetVersion": "",
240-
- "ruleId": "949110",
244+
- "ruleId": "0",
241245
- "message": "Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 8)",
242246
- "action": "Blocked",
243247
- "site": "Global",
@@ -262,7 +266,7 @@ In this example, you can see that you have four rules with the same TransactionI
262266
- "requestUri": "\/",
263267
- "ruleSetType": "",
264268
- "ruleSetVersion": "",
265-
- "ruleId": "980130",
269+
- "ruleId": "0",
266270
- "message": "Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack: SQL Tautology Detected.",
267271
- "action": "Blocked",
268272
- "site": "Global",
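Review bot: With `"ruleId": "0"` on line 269, two of the four entries in this walkthrough now carry the same ID and can only be told apart by their `message` text. Add a sentence to the surrounding prose stating that the "Mandatory rule. Cannot be disabled." entries are logged with ruleId 0, so readers correlating by TransactionId do not go looking for a rule 0 to tune or disable.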
