Help Center/ Web Application Firewall/ User Guide (Paris) / Best Practices/ Handling False Alarms to Get Improved Basic Web Protection
Updated on 2024-03-14 GMT+08:00

Handling False Alarms to Get Improved Basic Web Protection

After you connect your website to Web Application Firewall (WAF) and enable basic web protection, WAF detects and blocks requests that match the rules you configured. If a normal request matches a basic web protection rule and is blocked by WAF, you can handle the event as false alarm. In this way, WAF will no longer block the same type of request.

Prerequisites

You can view false alarm events on the Events page.

Constraints

An event can only be handled as a false alarm once.

Application scenarios

Sometimes normal service requests may be blocked by WAF. For example, suppose you deploy a web application on an ECS and then add the public domain name associated with that application to WAF. If you enable basic web protection for that application, WAF may block the access requests that match the basic web protection rules. As a result, the website cannot be accessed through its domain name. However, the website can still be accessed through the IP address. In this case, you can handle the false alarms to allow normal access requests to the application.

Impact on the System

  • The event will not be displayed on the Events page and you will not receive any alarm notifications about the event.
  • If an event is handled as a false alarm, the rule hit will be added to the global protection whitelist (formerly false alarm masking) rule list. You can go to the Policies page and then switch to the Global Protection Whitelist (Formerly False Alarm Masking) page to manage the rule, including querying, disabling, deleting, and modifying the rule.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane on the left, choose Events.
  5. In the event list, search for false alarms by protected website, event type, source IP address, and URL.
  6. In the Operation column of an event you consider as a false alarm, click Details. On the displayed page, confirm that the event is a false alarm.

    Figure 1 Event Details

  7. In the row containing the event, click More > Handle as False Alarm.
  8. In the displayed dialog box, add a false alarm handling policy. For details, see Handling False Alarms.

    Figure 2 Add Global Protection Whitelist Rule

Verification

A false alarm will be deleted within about a minute after the handling configuration is done. It will no longer be displayed in the event list. You can clear the cache, refresh the browser, and access the page again to verify whether the false alarm was successfully handled. If the requested page responds normally, the configuration takes effect.

Basic Web Protection Check Items

WAF basic web protection defends against common Open Web Application Security Project (OWASP) security threats. WAF uses built-in semantic analysis and regular expression engines for basic web protection to detect and block threats such as malicious scanners, IP addresses, and web shells. You can enable all protection rules in basic web protection or only the ones you want. For details, see Table 1.

Table 1 Protection types

Type

Description

General Check

Defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections. SQL injection attacks are mainly detected based on semantics.

NOTE:

If you enable General Check, WAF checks your websites based on the built-in rules.

Webshell Detection

Protects against web shells from upload interface.

NOTE:

If you enable Webshell Detection, WAF detects web page Trojan horses inserted through the upload interface.

Deep Inspection

Identifies and blocks evasion attacks, such as the ones that use homomorphic character obfuscation, command injection with deformed wildcard characters, UTF7, data URI scheme, and other techniques.

NOTE:

If you enable Deep Inspection, WAF detects and defends against evasion attacks in depth.

Header Inspection

This function is disabled by default. When it is disabled, General Check will check some of the header fields, such as User-Agent, Content-type, Accept-Language, and Cookie.

NOTE:

If you enable this function, WAF checks all header fields in the requests.

Basic Web Protection Levels

WAF provides three basic web protection levels, Low, Medium, and High. The default level is Medium. The lower the protection level, the higher the false negative rate and the lower the false positive rate. For details, see Table 2.

Table 2 Protection levels

Protection Level

Description

Low

WAF only blocks the requests with obvious attack signatures.

If a large number of false alarms are reported, Low is recommended.

Medium

The default level is Medium, which meets a majority of web protection requirements.

High

WAF blocks the requests with no attack signature but have specific attack patterns.

High is recommended if you want to block SQL injection, XSS, and command injection attacks.