Forum Discussion
If you export the AWS WAF logs to a log group you can get detailed information about what happened. Look for the terminating rule ID; you can then disable the rule within the rule group. On the question of not impacting security, the rules are created off known good (reliable) signatures, so by disabling a rule to allow traffic that matches a known good signature you will also allow bad actors that are attempting to use that signature. You will need to ensure that your application and supporting infrastructure are appropriately hardened to mitigate the risk of allowing the traffic.
{ "ruleGroupId": "AWS#AWSManagedRulesKnownBadInputsRuleSet", "terminatingRule": { "ruleId": "JavaDeserializationRCE_HEADER", "action": "BLOCK", "ruleMatchDetails": null }, "nonTerminatingMatchingRules": [ { "ruleId": "JavaDeserializationRCE_HEADER_RC_COUNT", "action": "COUNT", "ruleMatchDetails": [] } ] }
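The triage the reply describes, as an added example that is not code from the thread or from AWS or F5: parse an exported AWS WAF log record, walk `ruleGroupList` to find the rule group whose rule terminated evaluation, list the rules that only counted, pull out the `httpRequest` fields you would inspect before deciding anything, and build the `RuleActionOverrides` entry (wafv2 API shape, `Name` plus `ActionToUse: {Count: {}}`) that turns that one rule from BLOCK to COUNT inside the managed rule group rather than removing it. The log record is constructed for the example; its `ruleGroupList` mirrors the structure pasted above, and the request fields, ARN and client IP are invented.

```python
import json

# Constructed sample record in the AWS WAF log format (not taken from the thread).
# ruleGroupList follows the shape the poster pasted; everything else is invented.
SAMPLE_LOG_LINE = json.dumps({
    "timestamp": 1661500000000,
    "formatVersion": 1,
    "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example/0000",
    "action": "BLOCK",
    "terminatingRuleId": "AWS-AWSManagedRulesKnownBadInputsRuleSet",
    "terminatingRuleType": "MANAGED_RULE_GROUP",
    "ruleGroupList": [
        {"ruleGroupId": "AWS#AWSManagedRulesBotControlRuleSet",
         "terminatingRule": None, "nonTerminatingMatchingRules": []},
        {"ruleGroupId": "AWS#AWSManagedRulesKnownBadInputsRuleSet",
         "terminatingRule": {"ruleId": "JavaDeserializationRCE_HEADER",
                             "action": "BLOCK", "ruleMatchDetails": None},
         "nonTerminatingMatchingRules": [
             {"ruleId": "JavaDeserializationRCE_HEADER_RC_COUNT",
              "action": "COUNT", "ruleMatchDetails": []}]},
    ],
    "httpRequest": {
        "clientIp": "203.0.113.10",
        "httpMethod": "POST",
        "uri": "/api/export",
        "args": "",
        "headers": [
            {"name": "Host", "value": "app.example.com"},
            {"name": "Content-Type", "value": "application/x-java-serialized-object"},
        ],
    },
})


def terminating_rule(record):
    """Return (ruleGroupId, ruleId, action) for the rule group entry whose
    rule terminated evaluation, or None if no group terminated the request."""
    for group in record.get("ruleGroupList") or []:
        rule = group.get("terminatingRule")
        if rule:
            return group["ruleGroupId"], rule["ruleId"], rule["action"]
    return None


def counted_rules(record):
    """Rules that matched but only counted; useful to see what would fire next."""
    return [(group["ruleGroupId"], rule["ruleId"])
            for group in record.get("ruleGroupList") or []
            for rule in group.get("nonTerminatingMatchingRules") or []]


def request_summary(record):
    """The request fields worth looking at before deciding whether the match is a
    false positive or a real probe of the signature."""
    req = record.get("httpRequest") or {}
    return {
        "clientIp": req.get("clientIp"),
        "method": req.get("httpMethod"),
        "uri": req.get("uri"),
        "args": req.get("args"),
        "headers": {h["name"]: h["value"] for h in req.get("headers") or []},
    }


def count_override(rule_id):
    """RuleActionOverrides entry for a managed rule group statement: the rule
    keeps evaluating and logging, but its BLOCK becomes COUNT."""
    return {"Name": rule_id, "ActionToUse": {"Count": {}}}


def triage(log_line):
    """Parse one WAF log line and report what blocked it plus the override that
    would let it through while keeping the rule visible in the logs."""
    record = json.loads(log_line)
    hit = terminating_rule(record)
    result = {
        "action": record.get("action"),
        "terminating": hit,
        "counted": counted_rules(record),
        "request": request_summary(record),
    }
    if hit and hit[2] == "BLOCK":
        result["override"] = count_override(hit[1])
    return result


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG_LINE), indent=2))
```

Overriding to COUNT rather than excluding the rule keeps every match in the log, so you can still alert on the signature while the traffic is admitted; the caveat in the reply above still applies, since anyone sending the same signature is admitted too, and the application behind the WAF has to be hardened against it.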
- a-vg-ops, Aug 26, 2022 (Nimbostratus)
Thank you very much for the answer. Log output:
[ { "ruleGroupId": "AWS#AWSManagedRulesBotControlRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "ruleActionOverrides": null }, { "ruleGroupId": "AWS#AWSManagedRulesKnownBadInputsRuleSet", "terminatingRule": null, "nonTerminatingMatchingRules": [], "excludedRules": null, "ruleActionOverrides": null }, { "ruleGroupId": "F5#OWASP_Managed", "terminatingRule": { "ruleId": "rule_SSRF_attempt_AllQueryArguments_Body", "action": "BLOCK", "ruleMatchDetails": null }, "nonTerminatingMatchingRules": [], "excludedRules": null, "ruleActionOverrides": null } ]
We cannot disable the rule, as this will affect the security of the system. What do we need to do to set up traffic flow?
We can provide the details of the http request.