How can I detect false positives caused by AWS Managed Rules and then add them to a safe list?


Legitimate requests to my application are blocked by AWS Managed Rules in AWS WAF. How can I detect false positives caused by these rules and then add them to a safe list?

Resolution

Detect false positives caused by AWS Managed Rules

1.    Find the rule inside the managed rule-group that is blocking the legitimate request. The rule that blocked the request is recorded in the "terminatingRuleId" field of the AWS WAF logs. For more details about what matched, check the "terminatingRuleMatchDetails" section of the log.

2.    Verify the part of the request parameter that's causing the false positive using one of the methods below:

curl: Run curl against your endpoint and check whether you receive a "403 Forbidden" error when you send the request that triggers the false positive. For example:

$ curl -ikv http://<your-domain>.com/<false positive>

Note: In this example, replace <your-domain> with your domain and <false positive> with your false positive vector.

Web browser: Enter your domain and the false positive vector in your web browser to check whether you receive a "403 Forbidden" error. For example:

http://<your-domain>/<false positive>

In the previous example, replace <your-domain> with your domain and <false positive> with your false positive vector.

Postman: Use the Postman tool to send a request to an endpoint using the rule and parameter that's giving the false positive error.

3.    Determine the vector that's causing the false positive, and then create a custom rule condition that allows the legitimate requests to pass.

For example, an internal team is making webpage changes. The requests contain scripts for those changes that cause the requests to be blocked by the rule ManagedRulesCommonRuleSet. You can use the parameters that uniquely identify the internal requests to prevent the managed rule from inspecting those requests. For example, if the legitimate requests are sourced from specific IPs, then you can create the IP set condition to exclude the IPs from inspection.
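Step 1 above is the part that scales badly by hand: a busy Web ACL produces many blocked records, and you want them grouped by the managed rule that terminated them, with the request details needed to judge whether the block was a false positive. The following script is an added example (not code from the article or from AWS) that parses AWS WAF JSON log records and builds that grouping from the "terminatingRuleId", "ruleGroupList", "terminatingRuleMatchDetails", "httpRequest" and "labels" fields. The log lines are constructed for this example in the shape of AWS WAF logs, trimmed to the fields the script reads; the rule names and label strings in them are illustrative, and only the fields shown are assumed.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape of AWS WAF JSON logs (not real traffic).
# Only the fields this script reads are included.
SAMPLE_WAF_LOG = r"""
{"timestamp": 1700000000000, "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet", "terminatingRuleType": "MANAGED_RULE_GROUP", "action": "BLOCK", "terminatingRuleMatchDetails": [{"conditionType": "XSS", "location": "BODY", "matchedData": ["<", "script", ">"]}], "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet", "terminatingRule": {"ruleId": "CrossSiteScripting_BODY", "action": "BLOCK"}}], "httpRequest": {"clientIp": "203.0.113.10", "uri": "/admin/page-editor", "httpMethod": "POST"}, "labels": [{"name": "awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body"}]}
{"timestamp": 1700000001000, "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet", "terminatingRuleType": "MANAGED_RULE_GROUP", "action": "BLOCK", "terminatingRuleMatchDetails": [{"conditionType": "XSS", "location": "BODY", "matchedData": ["<", "script", ">"]}], "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet", "terminatingRule": {"ruleId": "CrossSiteScripting_BODY", "action": "BLOCK"}}], "httpRequest": {"clientIp": "203.0.113.11", "uri": "/admin/page-editor", "httpMethod": "POST"}, "labels": [{"name": "awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body"}]}
{"timestamp": 1700000002000, "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet", "terminatingRuleType": "MANAGED_RULE_GROUP", "action": "BLOCK", "terminatingRuleMatchDetails": [{"conditionType": "SQL_INJECTION", "location": "QUERY_STRING", "matchedData": ["select", "from"]}], "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet", "terminatingRule": {"ruleId": "SQLi_QUERYARGUMENTS", "action": "BLOCK"}}], "httpRequest": {"clientIp": "198.51.100.7", "uri": "/search", "httpMethod": "GET"}, "labels": [{"name": "awswaf:managed:aws:sql-database:SQLi_QueryArguments"}]}
{"timestamp": 1700000003000, "terminatingRuleId": "Default_Action", "terminatingRuleType": "DEFAULT", "action": "ALLOW", "terminatingRuleMatchDetails": [], "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet", "terminatingRule": null}], "httpRequest": {"clientIp": "203.0.113.12", "uri": "/", "httpMethod": "GET"}, "labels": []}
"""


def parse_waf_log(text):
    """Parse newline-delimited AWS WAF JSON log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def blocked_by_managed_rule(event):
    """Return (rule group id, rule id) for a request terminated by a managed rule
    group, or None when the request wasn't blocked by one.

    The top-level terminatingRuleId names the Web ACL entry (the managed group);
    the individual rule inside the group is under ruleGroupList[].terminatingRule."""
    if event.get("action") != "BLOCK" or event.get("terminatingRuleType") != "MANAGED_RULE_GROUP":
        return None
    for group in event.get("ruleGroupList", []):
        rule = group.get("terminatingRule") or {}   # null when the group didn't terminate
        if rule.get("action") == "BLOCK":
            return group.get("ruleGroupId"), rule.get("ruleId")
    return event.get("terminatingRuleId"), None


def false_positive_candidates(events):
    """Group blocked requests by the managed rule that blocked them, collecting the
    URIs, client IPs, labels and matched data a reviewer needs to judge them."""
    summary = defaultdict(lambda: {"count": 0, "uris": set(), "client_ips": set(),
                                   "labels": set(), "matches": []})
    for event in events:
        hit = blocked_by_managed_rule(event)
        if hit is None:
            continue
        req = event.get("httpRequest", {})
        entry = summary[hit]
        entry["count"] += 1
        entry["uris"].add(req.get("uri"))
        entry["client_ips"].add(req.get("clientIp"))
        entry["labels"].update(label["name"] for label in event.get("labels", []))
        for detail in event.get("terminatingRuleMatchDetails", []):
            entry["matches"].append((detail.get("conditionType"), detail.get("location"),
                                     "".join(detail.get("matchedData", []))))
    return dict(summary)


if __name__ == "__main__":
    for (group_id, rule_id), entry in false_positive_candidates(parse_waf_log(SAMPLE_WAF_LOG)).items():
        print(f"{group_id} / {rule_id}: {entry['count']} blocked")
        print(f"  uris={sorted(entry['uris'])} ips={sorted(entry['client_ips'])}")
        print(f"  labels={sorted(entry['labels'])} matches={entry['matches'][:3]}")
```

In the sample, the two blocks on /admin/page-editor from the 203.0.113.0/24 range by CrossSiteScripting_BODY are the pattern the article describes for an internal team editing pages, and the "labels" field gives you the exact label string to use in the labels approach; a production version would read the records from S3, Kinesis Data Firehose or CloudWatch Logs instead of an inline string.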

Add false positives caused by AWS Managed Rules to your safe list

After detecting the false positive, configure the Web ACL so that the legitimate requests aren't inspected against the AWS Managed Rules rule-group that's causing the false positive. You can then bypass the rule that's blocking the request. You have two ways to modify AWS Managed Rules:

Labels

You can use labels added by AWS Managed Rules to prevent false positives. A label is metadata that a rule can add to matching web requests, regardless of the action associated with the rule. The latest version of AWS Managed Rules supports labels. By creating custom rules that match requests that have labels, you can change the default action of rules inside a managed rule-group.

1.    Open the AWS WAF console, choose the correct Region, then choose IP sets.

2.    Create an IP set containing legitimate IPs that you want excluded from inspection by a rule-group.

3.    Choose Web ACLs from the navigation pane on the AWS WAF console, and then choose your Web ACL.

4.    Choose the Rules tab.

5.    Choose the rule-group that contains the rule causing the false positive error, and then choose Edit.

6.    Choose the rule causing the false positive error, and then set it to Count.

7.    Choose Save rule.

8.    Choose Add rule, and then choose Add my own rules and rule groups.

9.    Choose Rule Builder for the rule type.

10.    Enter a rule name, and then choose Regular rule as the type.

11.    Set the If a request drop-down to matches all the statements (AND).

12.    Select the following parameters for Statement 1:
Set Inspect to Has a label
Set Match scope to Label
Enter the string containing the label name for the rule that's causing the false positive error

13.    Select the following parameters for Statement 2:
Turn on the Negate statement results option
Set Inspect to Originates from an IP address in
Set IP set to the IP set you created containing the legitimate IPs
Set IP address to use as the originating address to Source IP address

14.    Set the Action to Block.

15.    Under Set rule priority, set the priority of the rule to a lower priority than the AWS Managed Rules rule-group that's causing the false positive error, so that your rule is evaluated after the rule-group has added the label to the request.

16.    Choose Save.

Scope-down statement

You can use a scope-down statement to narrow the scope of the requests that the rule or rule-group evaluates. Adding a scope-down statement to a rule-group limits inspection to the requests that match the statement; requests from the legitimate IPs excluded by the statement are skipped by the rule-group entirely.

1.    Open the AWS WAF console, choose the correct Region, and then choose IP sets.

2.    Create an IP set containing legitimate IPs that you want excluded from inspection by a rule-group.

3.    Choose Web ACLs on the navigation pane in the AWS WAF console, and then select your Web ACL.

4.    Choose the Rules tab.

5.    Choose the AWS Managed Rules entry that you want to add a scope-down statement to, and then choose Edit.

6.    Create the scope-down statement excluding the IP set that you created. The following is an example of what the statement might look like:
If a request: doesn't match the statements (NOT)
Inspect: originates from an IP address in
IP set: <your-IP-set>
IP addresses to use as the originating address: Source IP address

7.    Choose Save rule.

Note: Requests that fall outside the scope-down statement aren't inspected against any of the rules in the rule-group. For fine-grained control over a single rule, it's a best practice to use labels.
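The two procedures above (labels, and a scope-down statement) each produce a Web ACL rule definition, and the console steps hide both the JSON the API takes and the evaluation-order subtlety in step 15. The following added example (not code from the article or from AWS) builds the wafv2 rule structures for both approaches in the shape accepted by `aws wafv2 update-web-acl --rules` and then runs a small local simulator over them, so you can see why the label rule must have a lower priority than the rule-group and how the scope-down approach differs. The IP set ARN, CIDR range, rule group, rule name and metric names are placeholders; the simulator resolves the IP set from a local CIDR list and simplifies label keys to prefix + rule name, so substitute the exact label AWS documents for your rule, and an IP set ARN from your account, before using the JSON.

```python
import ipaddress

# Placeholders, not values from the article: replace with your own IP set ARN,
# CIDRs, rule group, rule name and the exact label AWS documents for that rule.
IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/internal-team/PLACEHOLDER-ID"
LEGIT_CIDRS = ["203.0.113.0/24"]          # constructed "internal team" range
MANAGED_GROUP = "AWSManagedRulesCommonRuleSet"
FALSE_POSITIVE_RULE = "CrossSiteScripting_BODY"
LABEL_PREFIX = "awswaf:managed:aws:core-rule-set:"   # simplified: label = prefix + rule name


def _visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def _ip_set_statement():
    return {"IPSetReferenceStatement": {"ARN": IP_SET_ARN}}


def _managed_group_rule(priority, **extra):
    """Web ACL entry for the managed rule group; `extra` adds overrides or a scope-down."""
    return {
        "Name": f"AWS-{MANAGED_GROUP}",
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": MANAGED_GROUP, **extra}},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": _visibility(f"AWS-{MANAGED_GROUP}"),
    }


def label_approach(priority_group, priority_block):
    """Labels approach: the false-positive rule is set to Count inside the group, and a
    custom rule blocks on that rule's label unless the source IP is in the IP set."""
    group = _managed_group_rule(
        priority_group,
        RuleActionOverrides=[{"Name": FALSE_POSITIVE_RULE, "ActionToUse": {"Count": {}}}],
    )
    block = {
        "Name": "block-on-label-unless-internal",
        "Priority": priority_block,
        "Statement": {"AndStatement": {"Statements": [
            {"LabelMatchStatement": {"Scope": "LABEL", "Key": LABEL_PREFIX + FALSE_POSITIVE_RULE}},
            {"NotStatement": {"Statement": _ip_set_statement()}},
        ]}},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility("block-on-label-unless-internal"),
    }
    return [group, block]


def scope_down_approach(priority_group):
    """Scope-down approach: the whole group only inspects requests NOT from the IP set."""
    scope = {"NotStatement": {"Statement": _ip_set_statement()}}
    return [_managed_group_rule(priority_group, ScopeDownStatement=scope)]


def _matches(stmt, req, labels):
    """Local evaluator for the statement types used above (IP set resolved from LEGIT_CIDRS)."""
    if "AndStatement" in stmt:
        return all(_matches(s, req, labels) for s in stmt["AndStatement"]["Statements"])
    if "NotStatement" in stmt:
        return not _matches(stmt["NotStatement"]["Statement"], req, labels)
    if "LabelMatchStatement" in stmt:
        return stmt["LabelMatchStatement"]["Key"] in labels
    if "IPSetReferenceStatement" in stmt:
        ip = ipaddress.ip_address(req["ip"])
        return any(ip in ipaddress.ip_network(cidr) for cidr in LEGIT_CIDRS)
    raise ValueError(f"unsupported statement: {list(stmt)}")


def evaluate(rules, req):
    """Simulate Web ACL evaluation. `req` = {"ip": str, "trips": set of managed rule
    names the request would match}. Rules run in ascending Priority; a managed rule
    adds its label whether it blocks or is only counted. Returns (action, labels)."""
    labels = set()
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        stmt = rule["Statement"]
        if "ManagedRuleGroupStatement" in stmt:
            mg = stmt["ManagedRuleGroupStatement"]
            scope = mg.get("ScopeDownStatement")
            if scope is not None and not _matches(scope, req, labels):
                continue  # out of scope: no rule in the group inspects this request
            counted = {o["Name"] for o in mg.get("RuleActionOverrides", [])}
            for name in sorted(req["trips"]):
                labels.add(LABEL_PREFIX + name)
                if name not in counted:
                    return "BLOCK", labels
        elif _matches(stmt, req, labels):
            return "BLOCK", labels
    return "ALLOW", labels


if __name__ == "__main__":
    internal, external = {"ip": "203.0.113.5"}, {"ip": "198.51.100.9"}
    for rules in (label_approach(0, 1), label_approach(1, 0), scope_down_approach(0)):
        for src in (internal, external):
            for trips in ({FALSE_POSITIVE_RULE}, {"NoUserAgent_Header"}):
                print([r["Name"] for r in rules], src["ip"], trips, evaluate(rules, {**src, "trips": trips})[0])
```

Running it shows the three points the article makes: with the label rule at a lower priority than the group (label_approach(0, 1)), internal traffic tripping only the false-positive rule is allowed while the same request from elsewhere is blocked and internal traffic tripping any other rule is still blocked; with the priorities reversed the label doesn't exist yet when the custom rule runs, so the false-positive rule is effectively disabled for everyone; and with the scope-down statement, internal traffic is exempt from every rule in the group, which is the caveat in the note above.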


AWS OFFICIAL. Updated 3 years ago.