Application Gateway WAF: update to OWASP CRS 3.0.2
The 'OWASP 3.0' (3.0.0) WAF rule set generates a lot of false positives, even on random base64 payloads. The only option is to disable many rules.
Two examples which frequently trigger on SAML authentication exchanges are 932140 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/671) and 941120 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/675).
OWASP CRS 3.0.2 reworked some rules, in order to reduce some of these false positives. Please support CRS 3.0.2 (either as an in-place upgrade for 3.0.0, or as a new option).
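Before disabling a rule globally, it helps to check whether its blocks are concentrated on the SAML endpoints the post mentions. The script below is an added example, not part of this feedback thread or of Azure's tooling: it triages constructed Application Gateway firewall log lines (the JSON field names are an assumption modelled on the ApplicationGatewayFirewallLog schema, and the SAML paths are assumed for the application) and reports rules whose blocks fall almost entirely on those endpoints, which are candidates for a per-URL exclusion rather than a global disable.

```python
"""Find WAF rules that block mostly SAML endpoint traffic (false-positive candidates)."""
import json
from collections import Counter
from urllib.parse import urlparse

# Constructed sample lines, loosely modelled on the ApplicationGatewayFirewallLog
# schema; the field names are an assumption, not copied from Azure's docs.
SAMPLE_LOG = """
{"category":"ApplicationGatewayFirewallLog","properties":{"ruleId":"932140","action":"Blocked","requestUri":"/saml/acs"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"ruleId":"941120","action":"Blocked","requestUri":"/saml/acs"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"ruleId":"932140","action":"Blocked","requestUri":"/saml/acs?RelayState=x"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"ruleId":"942100","action":"Blocked","requestUri":"/search?q=1%27%20or%201%3D1"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"ruleId":"942100","action":"Blocked","requestUri":"/search?q=x"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"ruleId":"941120","action":"Blocked","requestUri":"/saml/acs"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"ruleId":"941120","action":"Detected","requestUri":"/profile"}}
"""

# Paths that legitimately carry base64-encoded SAML assertions (assumed for this app).
SAML_PATHS = ("/saml/acs", "/saml2/acs", "/sso/saml")


def parse_events(text):
    """Return one dict per firewall log line: rule id, URL path (query stripped), action."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        props = json.loads(line)["properties"]
        events.append({"rule": props["ruleId"],
                       "path": urlparse(props["requestUri"]).path,
                       "action": props["action"]})
    return events


def saml_fp_candidates(events, min_share=0.8, min_hits=2):
    """Rules whose Blocked hits land on SAML endpoints at least min_share of the
    time (and at least min_hits times). Returns {rule_id: share_on_saml}.
    Detect-only events are ignored: they do not break logins."""
    total, on_saml = Counter(), Counter()
    for ev in events:
        if ev["action"] != "Blocked":
            continue
        total[ev["rule"]] += 1
        if ev["path"].startswith(SAML_PATHS):
            on_saml[ev["rule"]] += 1
    return {rule: round(on_saml[rule] / n, 2)
            for rule, n in total.items()
            if n >= min_hits and on_saml[rule] / n >= min_share}
```

On the sample above, 932140 and 941120 are reported (all their blocks hit /saml/acs) while 942100, which only fires on /search, is not.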
Thanks for your feedback. This is planned as a new supported RuleSet.
The following enhancements would be useful:
1. Ability to configure rules based on paranoia levels.
2. Provision to add certain URLs to be excluded from rule checking (some way to override the global behavior).
Hi team, is there any update on the progress of this work?
Any updates on this?
It's almost 10 months since we got an update from the Azure Networking Team.
What's going on here? Why is this such a difficult task? Currently unusable due to false positives.
Any updates on this?
Paranoia level would also be great!
Snehanshu Vasant Bhaisare commented
1. When will WAF_V2 be available in the South East Australia region?
2. WAF_v2 won't accept .cer files when setting HTTPS settings. Why?
Setting Paranoia level would be great!
Also please support 3.0.2 and support future releases of OWASP rulesets faster. This one has been available for almost 6 months now.
Don Wellington commented
Please include the ability to disable rules by paranoia level. The WAF essentially defaults to paranoia level 4 and for most applications paranoia level 1 is sufficient.
David aguado commented
Any update about when 3.0.2 will be supported?
James Fletcher commented
Is there an estimate of when the rule set 3.0.2 will be supported?
Glen Little commented
Also, rules that are flagged with a severity of "WARNING" in the specs are being completely blocked by the WAF. There should be a way to log but allow any with a severity of "warning".
Yes, when is this happening? Support are telling us to disable the rules, but I do not want to do this. Perhaps Amazon Web Services is the way to go!!