Sometimes, requests are blocked by deny rules due to content that resembles attacks but may actually be valid for a certain web application. These blocks are called false-positives. Usually, these kinds of blocks occur during integration or at an early stage after going live.
- By going through the following steps, the correct configuration can be found:
- 1.
- 2.
- Repeat until no unwanted block messages appear in the logs.
Search the logs for block messages
Block log messages are generally identified by a log_id starting with WR-SG-BLOCK*.
- For deny rule blocks, search for:
- ●WR-SG-BLOCK-110-01
- ●WR-SG-BLOCKDET-110-*
Request summary log messages are always a good source of information and could be helpful to compose a deny rule exception. The table below shows how to combine the log information with the corresponding DSL setting to compose a deny rule exception.
Log message id | Log key | DSL key | Example log message |
WR-SG-SUMMARY | entry_path | exceptions[].path.pattern | "entry_path":"/contactform/" |
WR-SG-BLOCK-110-01 or WR-SG-BLOCKDET-110-* | rule_group_key | rule_group_keys[] | "rule_group_key":"HTML_PARAM_VALUE" |
WR-SG-BLOCKDET-110-05 | message | exceptions[].parameter_name.pattern | "message":"Blocked parameter: \"comment=..." |
The WR-SG-BLOCKDET-* log messages are only logged in the integration log level.
Resolve the false-positives
After verifying that the blocked request was a false-positive, there are the following options to resolve this issue:
- ●Add a deny rule exception for the blocking deny rule group.
- ●the parameter password on for all deny rule groups.
- ●the parameter comment, on the path /contactform for the deny rule group HTML_PARAM_VALUE.
- ●Choose a lower security level for the corresponding deny rule group.
The example configures security level "strict" for all deny rule groups. For the deny rule group SQLI_PARAM_VALUE the security level will be set to "standard".
To configure a deny rule exception, add the exceptions segment in the deny_rule_groups section of the mapping (see DSL reference).
The example will add a deny rule exceptions for:
mappings: - name: example entry_path: value: / ... deny_rule_groups: - exceptions: - parameter_name: pattern: ^password$ - rule_group_keys: - HTML_PARAM_VALUE exceptions: - path: pattern: ^/contactform - parameter_name: pattern: ^comment$
Check Deny rule exceptions to understand how Airlock Microgateway applies exceptions.
mappings: - name: example entry_path: value: / ... deny_rule_groups: - level: strict - rule_group_keys: - SQLI_PARAM_VALUE level: standard