Legitimate requests to my application are blocked by an AWS Managed Rules rule group in AWS WAF. I want to understand how these rules cause false positives. I also want to keep the managed rules in effect and allow legitimate traffic to pass through.
Resolution
First, identify the false positives caused by AWS Managed Rules. Then, use labels or a scope-down statement to add those false positives to your allow list.
Detect false positive errors from managed rule groups
Complete the following steps:
- Under terminatingRuleId in your AWS WAF logs, find the managed rule group that blocks the legitimate request. The following is an excerpt of an AWS WAF log record:
    "timestamp": 1712236911743,
    "formatVersion": 1,
    "webaclId": "arn:aws:wafv2:us-west-2:***:regional/webacl/WAFtester/3c372***-***",
    "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
    "terminatingRuleType": "MANAGED_RULE_GROUP",
    "action": "BLOCK",
    "terminatingRuleMatchDetails": [],
    "ruleGroupList": [{
        "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
        "terminatingRule": {
            "ruleId": "SizeRestrictions_BODY",
            "action": "BLOCK",
            "overriddenAction": "BLOCK",
            "ruleMatchDetails": null
        },
        "nonTerminatingMatchingRules": [],
        "excludedRules": null,
        "customerConfig": null
    }],
- Under terminatingRule, find ruleId to identify the rule that blocks the legitimate request. In the preceding example, the ruleId is "SizeRestrictions_BODY".
- Identify the attribute or criteria that causes the false positive. For example, if a database admin runs stored procedures remotely, then their requests might carry a large request body. The AWSManagedRulesCommonRuleSet rule group blocks these requests because of the SizeRestrictions_BODY rule.
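The triage in the preceding steps is easy to script once the logs are in hand. The following is an added example, not code from the original article or from AWS: it reads AWS WAF log records (constructed sample lines in the format shown above, with only the fields the script needs populated), and lists every managed rule that either blocked a request or matched in Count mode, together with the client IP and URI, so the rule behind a false positive and the clients it affects stand out.

```python
"""Triage AWS WAF logs for matches from managed rule groups.

Added example, not part of the original article. SAMPLE_LOG_LINES are
constructed records in the AWS WAF log format (partial fields only).
"""
import json
from collections import Counter

# Constructed sample records: a managed-rule BLOCK, a custom-rule BLOCK, and
# an ALLOW where the same managed rule has been overridden to Count.
SAMPLE_LOG_LINES = [
    json.dumps({
        "timestamp": 1712236911743,
        "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
        "terminatingRuleType": "MANAGED_RULE_GROUP",
        "action": "BLOCK",
        "ruleGroupList": [{
            "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
            "terminatingRule": {"ruleId": "SizeRestrictions_BODY", "action": "BLOCK"},
            "nonTerminatingMatchingRules": [],
        }],
        "httpRequest": {"clientIp": "203.0.113.10", "uri": "/admin/run-procedure"},
    }),
    json.dumps({
        "timestamp": 1712236912000,
        "terminatingRuleId": "block-bad-bots",
        "terminatingRuleType": "REGULAR",
        "action": "BLOCK",
        "ruleGroupList": [],
        "httpRequest": {"clientIp": "198.51.100.7", "uri": "/"},
    }),
    json.dumps({
        "timestamp": 1712236913000,
        "terminatingRuleId": "Default_Action",
        "terminatingRuleType": "REGULAR",
        "action": "ALLOW",
        "ruleGroupList": [{
            "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
            "terminatingRule": None,
            "nonTerminatingMatchingRules": [
                {"ruleId": "SizeRestrictions_BODY", "action": "COUNT"}
            ],
        }],
        "httpRequest": {"clientIp": "203.0.113.10", "uri": "/admin/run-procedure"},
    }),
]


def managed_rule_hits(log_lines):
    """Return (rule_group_id, rule_id, action, client_ip, uri) per managed-rule match.

    A record counts when a rule inside a rule group terminated the request
    (terminatingRule) or matched without terminating it (Count mode).
    """
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        req = rec.get("httpRequest", {})
        ip, uri = req.get("clientIp"), req.get("uri")
        for group in rec.get("ruleGroupList", []):
            gid = group.get("ruleGroupId")
            term = group.get("terminatingRule")
            if term:
                hits.append((gid, term["ruleId"], term["action"], ip, uri))
            for m in group.get("nonTerminatingMatchingRules") or []:
                hits.append((gid, m["ruleId"], m["action"], ip, uri))
    return hits


def summarize(log_lines):
    """Count hits per (rule group, rule, action) so the noisiest rule stands out."""
    return Counter((g, r, a) for g, r, a, _, _ in managed_rule_hits(log_lines))


if __name__ == "__main__":
    for (group, rule, action), n in summarize(SAMPLE_LOG_LINES).most_common():
        print(f"{n:4d}  {action:6s} {group} / {rule}")
    for group, rule, action, ip, uri in managed_rule_hits(SAMPLE_LOG_LINES):
        print(f"{action:6s} {rule:24s} {ip:15s} {uri}")
```

Feed it the lines of a real log file (one JSON record per line) instead of SAMPLE_LOG_LINES. The Count-mode rows are the useful ones after you apply the label approach below: they show that the rule still matches and labels the request without blocking it.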
Add false positives to your allow list
Configure the web access control list (web ACL) to allow the legitimate requests through the managed rule group that causes the false positive. To modify the managed rule group, use labels or use scope-down statements.
Note: It's a best practice to use labels for fine-grained explicit rules. A scope-down statement excludes out-of-scope requests from every rule in the rule group, so none of the group's other protections apply to those requests.
Labels
Use the labels that AWS Managed Rules add to matching requests to prevent false positives. Override the action of the rule that causes the false positive to Count so that the rule still adds its label without blocking. Then, create a custom rule that blocks requests that carry the label unless they originate from your allow-listed IP set.
Complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, choose AWS WAF.
- Choose Resources & protection packs.
- Under Protection packs, select the dropdown Managed sets and groups and choose Manage IP sets.
- In the right pane, choose Create new IP set.
- Enter IP set name.
If you use this IP set in CloudFront, then under Scope choose CloudFront.
(Optional) Enter a Description.
Choose your IP version.
Enter the IP address.
- Choose Save.
- Find your protection pack and choose View and edit next to Rules.
- In the right pane, select the AWS Managed Rules rule group that's blocking your requests.
- Under Rule overrides, change the action to Count for the rule that is blocking the request.
- Choose Save rule.
- In the right pane, choose Add rules.
Choose Custom rule and select Next.
Choose Custom rule again and select Next.
- Set the Rule Action to BLOCK.
- Enter your Rule name.
- For If a request, expand the dropdown and choose matches all the statements (AND).
- On Statement 1, complete the following:
For Inspect, choose Has a label.
For Statement, choose Label.
For Match key, select the label for the AWS Managed Rules rule group's rule that's blocking your requests.
- On Statement 2, complete the following:
For Inspect, choose Originates from IP address in.
Under Statement, for IP address list, select your IP set.
Expand Rule configuration, under Negate statement (NOT), choose Negate statement results.
For IP address to use as the originating address, choose Source IP address.
- Choose Create Rule.
- To set rule priority, select Edit Rule Order in the right pane and drag the rule below the AWS Managed Rule Group.
Note: Rules are applied in the order they appear.
- Choose Save Rule Order.
Scope-down statement
Use a scope-down statement to narrow the scope of the requests that the rule group evaluates. Only requests that match the scope-down statement are inspected by the rules in the rule group. With a negated IP set match, requests from the legitimate IP addresses in the set skip the rule group entirely.
Complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, choose AWS WAF.
- Choose Resources & protection packs.
- Under Protection packs, select the dropdown Managed sets and groups and choose Manage IP sets.
- In the right pane, choose Create new IP set.
- Enter IP set name.
If you use this IP set in CloudFront, then under Scope choose CloudFront.
(Optional) Enter a Description.
Choose your IP version.
Enter the IP address.
- Choose Save.
- Find your protection pack and choose View and edit next to Rules.
- In the right pane, select the AWS Managed Rules rule group that's blocking your requests.
- Under Inspection, select Match statement.
- For If a request, select doesn't match the statement (NOT).
- For Inspect, select Originates from IP address in.
- Under Statement, for IP address list, select your IP set.
- Expand Rule configuration and select Source IP address as origin.
- Choose Save rule.
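The two console procedures above (labels, and the scope-down statement) produce web ACL rules whose JSON you may want for infrastructure-as-code. The following is an added example, not code from the original article or from AWS: it writes out both configurations in the shape the wafv2 API uses, then runs constructed requests through a small local evaluator to show the difference the note above describes. The IP set ARN and metric name are placeholders, the IP set's contents are modelled as TRUSTED_CIDRS, the label keys are the ones the Core rule set attaches to SizeRestrictions_BODY and NoUserAgent_HEADER, and the evaluator models only those two rules; it is not AWS WAF itself.

```python
"""Label-based versus scope-down allow-listing for a managed rule false positive.

Added example, not part of the original article or of AWS's own code.
Placeholders: IP_SET_ARN, the MetricName, and TRUSTED_CIDRS (the IP set's
modelled contents). The evaluator covers only the statement types used here.
"""
import ipaddress

IP_SET_ARN = "arn:aws:wafv2:us-west-2:111122223333:regional/ipset/admins/PLACEHOLDER-ID"
TRUSTED_CIDRS = ["203.0.113.0/24"]  # constructed contents of that IP set
BODY_LABEL = "awswaf:managed:aws:core-rule-set:SizeRestrictions_Body"
UA_LABEL = "awswaf:managed:aws:core-rule-set:NoUserAgent_Header"
VIS = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
       "MetricName": "placeholder"}
CRS = {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}

# Option A (labels): override the rule to Count so it still adds its label,
# then block on "has the label AND is NOT from the trusted IP set".
LABEL_APPROACH = [
    {"Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 0,
     "OverrideAction": {"None": {}}, "VisibilityConfig": VIS,
     "Statement": {"ManagedRuleGroupStatement": {
         **CRS, "RuleActionOverrides": [
             {"Name": "SizeRestrictions_BODY", "ActionToUse": {"Count": {}}}]}}},
    {"Name": "block-large-body-except-admins", "Priority": 1,
     "Action": {"Block": {}}, "VisibilityConfig": VIS,
     "Statement": {"AndStatement": {"Statements": [
         {"LabelMatchStatement": {"Scope": "LABEL", "Key": BODY_LABEL}},
         {"NotStatement": {"Statement": {
             "IPSetReferenceStatement": {"ARN": IP_SET_ARN}}}}]}}},
]

# Option B (scope-down): the rule group only sees requests NOT from the IP set.
SCOPE_DOWN_APPROACH = [
    {"Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 0,
     "OverrideAction": {"None": {}}, "VisibilityConfig": VIS,
     "Statement": {"ManagedRuleGroupStatement": {
         **CRS, "ScopeDownStatement": {"NotStatement": {"Statement": {
             "IPSetReferenceStatement": {"ARN": IP_SET_ARN}}}}}}},
]

# Toy model of two Core rule set rules: name, match predicate, label it adds.
CRS_RULES = [
    ("SizeRestrictions_BODY", lambda r: len(r["body"]) > 8192, BODY_LABEL),
    ("NoUserAgent_HEADER", lambda r: not r["headers"].get("user-agent"), UA_LABEL),
]


def in_ip_set(ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in TRUSTED_CIDRS)


def matches(stmt, request, labels):
    """Evaluate the subset of wafv2 statement types used in the rules above."""
    if "AndStatement" in stmt:
        return all(matches(s, request, labels) for s in stmt["AndStatement"]["Statements"])
    if "NotStatement" in stmt:
        return not matches(stmt["NotStatement"]["Statement"], request, labels)
    if "IPSetReferenceStatement" in stmt:
        return in_ip_set(request["ip"])
    if "LabelMatchStatement" in stmt:
        return stmt["LabelMatchStatement"]["Key"] in labels
    raise ValueError(f"unsupported statement: {list(stmt)}")


def evaluate(web_acl, request):
    """Walk rules in priority order; return (action, terminating rule name)."""
    labels = set()
    for rule in sorted(web_acl, key=lambda r: r["Priority"]):
        stmt = rule["Statement"]
        if "ManagedRuleGroupStatement" in stmt:
            mrg = stmt["ManagedRuleGroupStatement"]
            scope = mrg.get("ScopeDownStatement")
            if scope and not matches(scope, request, labels):
                continue  # out of scope: no rule in the group inspects this request
            overrides = {o["Name"]: o["ActionToUse"] for o in mrg.get("RuleActionOverrides", [])}
            for name, pred, label in CRS_RULES:
                if pred(request):
                    labels.add(label)  # the label is added even when overridden to Count
                    if "Count" not in overrides.get(name, {}):
                        return "BLOCK", name
        elif matches(stmt, request, labels):
            return ("BLOCK" if "Block" in rule["Action"] else "ALLOW"), rule["Name"]
    return "ALLOW", "Default_Action"


# Constructed requests: a trusted admin with a large body, an outsider with a
# large body, and a trusted client that trips a different rule (no User-Agent).
ADMIN_BIG = {"ip": "203.0.113.10", "body": "x" * 10000, "headers": {"user-agent": "psql"}}
OUTSIDER_BIG = {"ip": "198.51.100.7", "body": "x" * 10000, "headers": {"user-agent": "curl"}}
ADMIN_NO_UA = {"ip": "203.0.113.10", "body": "", "headers": {}}

if __name__ == "__main__":
    for name, acl in (("labels", LABEL_APPROACH), ("scope-down", SCOPE_DOWN_APPROACH)):
        for req in (ADMIN_BIG, OUTSIDER_BIG, ADMIN_NO_UA):
            print(name, req["ip"], evaluate(acl, req))
```

Both approaches let the admin's large request through and still block the outsider's. They differ on the third request: under the label approach the trusted client is still caught by NoUserAgent_HEADER, because only SizeRestrictions_BODY was relaxed; under the scope-down approach the whole rule group is skipped for that client, which is the trade-off the note above warns about. The rule dictionaries are the shape you would pass as Rules in an UpdateWebACL call or equivalent infrastructure-as-code.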