High number of false positives with AFW and WordPress

Pineda-Montes Jose-Antonio 1 Reputation point
2022-11-30T07:28:26.77+00:00

Hi,

We are having false positives with WordPress, and it is impossible to avoid them with exclusion rules or custom rules because there are many false positives, each one is a different rule, and people connect from different IP addresses (cannot filter by IP).

So, we have found that there is an OWASP exclusion rule on the internet (900130) that, if you activate it, contains code to prevent false positives with WordPress. The problem is that I can't find the exclusion rule in the OWASP 3.2 rules in the AFW of the App Gateway. I have found this exclusion rule in the OWASP rules for ModSecurity (https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.3/dev/crs-setup.conf.example).

Any help?

Thanks in advance.

1 answer

  1. KapilAnanth-MSFT 34,926 Reputation points Microsoft Employee
    2022-11-30T08:43:27.423+00:00

    Hi @Pineda-Montes Jose-Antonio ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that you would like to enable the exclusion rule 900130 in App Gateway WAF.

    I am afraid that I did not quite catch your question.

    In App Gateway WAF, Exclusions are not configured the same way as Rules are.
    You should use a request attribute and set an exclusion.

    Refer: Web Application Firewall exclusion lists

    This document provides the list of rules available in WAF using OWASP 3.2
    App gateway CRS Rules
    I do not see Rule 900130 listed here.

    In this case, where you encounter a large number of false positives, the ideal way to get around this is to use Custom Rules and allow your requests using a matchVariable.

    Let me know if you have any queries on the above.

    Cheers,
    Kapil

    1 person found this answer helpful.
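When many different rules fire, as described in the question, tallying the WAF firewall log by rule ID and matched request attribute shows which few attributes account for most blocks, so exclusions can be scoped to those attributes. The following is an added example, not part of the original thread or Microsoft's code. It assumes log records shaped like `ApplicationGatewayFirewallLog` entries (`properties.ruleId`, `properties.details.message`) and an assumed mapping from CRS variable names to exclusion `matchVariable` values; the sample log lines are constructed.

```python
import json
import re
from collections import Counter

# Assumed mapping: CRS variable named in the log message -> WAF exclusion matchVariable.
CRS_TO_MATCH_VARIABLE = {
    "ARGS": "RequestArgNames",
    "REQUEST_COOKIES": "RequestCookieNames",
    "REQUEST_HEADERS": "RequestHeaderNames",
}
# Extracts e.g. ("ARGS", "content") from "... at ARGS:content."
# Attribute names that themselves contain a dot are cut at the dot.
MATCHED_AT = re.compile(r"\bat (ARGS|REQUEST_COOKIES|REQUEST_HEADERS):([^\s.]+)")

# Constructed sample records, one JSON object per line.
SAMPLE_LOG = """\
{"properties": {"ruleId": "942130", "requestUri": "/wp-admin/post.php", "details": {"message": "Warning. Pattern match at ARGS:content."}}}
{"properties": {"ruleId": "941160", "requestUri": "/wp-admin/post.php", "details": {"message": "Warning. Pattern match at ARGS:content."}}}
{"properties": {"ruleId": "942130", "requestUri": "/wp-admin/post.php", "details": {"message": "Warning. Pattern match at ARGS:content."}}}
{"properties": {"ruleId": "942130", "requestUri": "/wp-admin/admin-ajax.php", "details": {"message": "Warning. Pattern match at ARGS:content."}}}
{"properties": {"ruleId": "920350", "requestUri": "/", "details": {"message": "Warning. Pattern match at REQUEST_HEADERS:Host."}}}
{"properties": {"ruleId": "941160", "requestUri": "/wp-admin/post.php", "details": {"message": "Warning. Pattern match at ARGS:content."}}}
"""


def suggest_exclusions(log_text, min_hits=2):
    """Return candidate exclusions, most frequent first, seen at least min_hits times."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        props = json.loads(line).get("properties", {})
        match = MATCHED_AT.search(props.get("details", {}).get("message", ""))
        if match is None:
            continue  # rule fired on something other than a named attribute
        variable = CRS_TO_MATCH_VARIABLE[match.group(1)]
        hits[(props.get("ruleId"), variable, match.group(2))] += 1
    return [
        {"ruleId": rule_id, "matchVariable": variable,
         "selectorMatchOperator": "Equals", "selector": selector, "hits": count}
        for (rule_id, variable, selector), count in hits.most_common()
        if count >= min_hits
    ]


if __name__ == "__main__":
    for candidate in suggest_exclusions(SAMPLE_LOG):
        print(candidate)
```

A single hit, such as the `Host` header entry in the sample, stays below the threshold and is left for manual review rather than being excluded.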