How can we improve Azure Networking?

Application Gateway WAF: update to OWASP CRS 3.0.2

The 'OWASP 3.0' (3.0.0) WAF rule set generates a lot of false positives, even on random base64 payloads. The only option is to disable many rules.

Two examples which frequently trigger on SAML authentication exchanges are 932140 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/671) and 941120 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/675).

OWASP CRS 3.0.2 reworked some rules, in order to reduce some of these false positives. Please support CRS 3.0.2 (either as an in-place upgrade for 3.0.0, or as a new option).

94 votes
Nick shared this idea
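One way to apply the narrow form of the workaround the post describes, disabling only the two rules it names instead of whole rule groups, as an added example that is not part of the original post and not taken from Azure documentation: the webApplicationFirewallConfiguration block of an Application Gateway ARM resource. The rule group names are the CRS 3.0 group names as surfaced by Application Gateway; firewallMode is set to Detection so the effect on the SAML flow can be confirmed in the WAF log before switching back to Prevention.

```json
{
  "webApplicationFirewallConfiguration": {
    "enabled": true,
    "firewallMode": "Detection",
    "ruleSetType": "OWASP",
    "ruleSetVersion": "3.0",
    "disabledRuleGroups": [
      {
        "ruleGroupName": "REQUEST-932-APPLICATION-ATTACK-RCE",
        "rules": [ 932140 ]
      },
      {
        "ruleGroupName": "REQUEST-941-APPLICATION-ATTACK-XSS",
        "rules": [ 941120 ]
      }
    ]
  }
}
```

Leaving out the "rules" array for a group disables every rule in that group, which is far broader than the two false positives discussed here.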

12 comments

  • Nijas commented

    Following enhancements would be useful:
    1. Able to configure rules based on paranoia levels.
    2. Provision to add certain URLs to be excluded from rule checking (some way to override the global behavior).

  • Hackim commented

    Any updates on this?
    It's almost 10 months since we got an update from the Azure Networking Team.

  • Anonymous commented

    What's going on here? Why is this such a difficult task? Currently unusable due to false positives.

  • Daniël commented

    Setting Paranoia level would be great!
    Also please support 3.0.2 and support future releases of OWASP rulesets faster. This one has been available for almost 6 months now.

  • Don Wellington commented

    Please include the ability to disable rules by paranoia level. The WAF essentially defaults to paranoia level 4 and for most applications paranoia level 1 is sufficient.

  • Glen Little commented

    Also, rules that are flagged with a severity of "WARNING" in the specs are being completely blocked by the WAF. There should be a way to log but allow any with a severity of "warning".

  • Jason commented

    Yes, when is this happening? Support are telling us to disable the rules, but I do not want to do this. Perhaps Amazon Web Services is the way to go!!
