How can I detect false positives caused by AWS Managed Rules?

4 minute read

Legitimate requests to my application are blocked by an AWS Managed Rules rule group in AWS WAF. I want to understand how these rules cause false positives. I also want to keep the managed rules in effect and allow legitimate traffic to pass through.

Resolution

First, identify the false positives caused by AWS Managed Rules. Then, use labels or a scope-down statement to add those false positives to your allow list.

Detect false positive errors from managed rule groups

Complete the following steps:

Under terminatingRuleId in your AWS WAF logs, find the manager rule group that blocks the legitimate request. The following is an example of an AWS WAF log:

"timestamp": 1712236911743,
"formatVersion": 1,
"webaclId": "arn:aws:wafv2:us-west-2:***:regional/webacl/WAFtester/3c372***-***",
"terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
"terminatingRuleType": "MANAGED_RULE_GROUP",
"action": "BLOCK",
"terminatingRuleMatchDetails": [],
"ruleGroupList": [{
"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
"terminatingRule": {
"ruleId": "SizeRestrictions_BODY",
"action": "BLOCK",
"overriddenAction": "BLOCK",
"ruleMatchDetails": null
},
"nonTerminatingMatchingRules": [],
"excludedRules": null,
"customerConfig": null
}],

Under terminatingRule, find ruleId to identify the rule that blocks the legitimate request. For example: "SizeRestrictions_Body".
Identify the attribute or criteria that causes the false positive. For example, if a database admin runs stored procedures remotely, then their requests might contain a large volume of data. The ManagedRulesCommonRuleSet rule group blocks these requests due to the SizeRestrictions_Body rule.

Add false positives to your allow list

Configure the web access control list (web ACL) to allow the legitimate requests through the managed rule group that causes the false positive. To modify the managed rule group, use labels or use scope-down statements.

Note: It's a best practice to use labels for fine-grain explicit rules. The scope-down statement doesn't inspect requests that fall out of scope against all rules in a rule group.

Labels

Use labels added by AWS Managed Rules to prevent false positives. When you create custom rules that match requests with these labels, change the default action of the rules inside the managed rule group.

Complete the following steps:

Open the AWS WAF console, and then choose your AWS Region.
In the navigation pane, choose IP sets.
Create an IP set that contains the legitimate IP addresses to exclude from an inspection by a rule group.
Choose Web ACLs, and then choose your web ACL.
Under Rules, choose the rule group that causes the false positive error, and then choose Edit.
Choose the rule that causes the false positive error, and then set it to Count.
Choose Save rule.
Choose Add rule, and then choose Add my own rules and rule groups.
For Rule type, choose Rule Builder.
Enter a rule name.
For Type, choose Regular rule.
Set the If a request dropdown list to matches all the statements (AND).
Select the following parameters for Statement 1:
For Inspect, choose Has a label.
For Match scope, choose Label.
Enter the label name for the rule that causes the false positive.
Select the following parameters for Statement 2:
Turn on Negate statement results.
For Inspect, choose Originates from an IP address in.
For IP set, enter the IP set that contains the legitimate IP addresses.
For IP address to use as the originating address, choose Source IP address.
For Action, choose Block.
Under Set rule priority, set the rule's priority to a lower priority than the AWS Managed Rules rule groups.
Choose Save.

Scope-down statement

Use a scope-down statement to narrow the scope of the requests that the rule or rule group evaluates. When you add a scope-down statement to a rule group, the requests can be inspected. The statement skips legitimate IP addresses that are included in the statement.

Complete the following steps:

Open the AWS WAF console, and then choose your Region.
Choose IP sets.
Create an IP set that contains the legitimate IP addresses to exclude from an inspection by a rule group.
Choose Web ACLs, and then choose your web ACL.
Under Rules, choose the AWS Managed Rule that you want to add a scope-down statement to, and then choose Edit.
Create the scope-down statement that excludes the IP set that you created. For example:
For If a request, choose Doesn't match the statements (NOT)
For Inspect, choose Originates from an IP address in
For IP set, enter example-IP-set. Note: Replace example-IP-set with the IP address that you want to exclude
For IP addresses to use as the originating address, choose Source IP address. Note: Replace Source IP address with your IP address.
Choose Save rule.

Topics

Security, Identity, & Compliance

Relevant content

False positive from Inspector2
eugene
asked 2 years ago
False positive in ECR container image detected by AWS Inspector v2 related with com.fasterxml.jackson.core:jackson-databind?
AWS-User-7745669
asked 2 years ago
False positives with AWS DMS validations.
AWS-CPI
asked 2 years ago
CodeGuru Security handle false positives
fongie
asked 2 months ago
GuardDuty False Positive Rates
AWS-User-2792197
asked 2 years ago
How do I resolve drift detection errors in CloudFormation with my AWS managed rule "cloudformation-stack-drift-detection-check" for AWS Config?
AWS OFFICIALUpdated 3 years ago
How do I upload files that are blocked by AWS WAF?
AWS OFFICIALUpdated 5 months ago
How do I identify traffic patterns invoked by SQLi and XSS rules in AWS WAF?
AWS OFFICIALUpdated 9 days ago
How can I configure a custom response for AWS WAF managed rules?
AWS OFFICIALUpdated 10 months ago
List unspent transaction outputs by address on Bitcoin with Amazon Managed Blockchain Query
EXPERT
Forrest Colyer
published 21 days ago