This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 70%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDF%3C/text%3E%3C/svg%3E)
How to understand which rules are BLOCKING-EVALUATION-949110? Or which content of my application data is blocking me with this rules?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 81%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
I have an application running in Azure VM which is behind APplication gateway(I have enabled Azure WAf with OWASP 3.2 in policy). When I am accessing my application my requests were getting blocked with rule ID :949110.
But whats the reason for increasing the anomoly score is what my question.
As we think the rule 949110 in the OWASP CRS 3.2 blocks your request because the combined anomaly score from one or more other rules matching your request data reached the blocking threshold. It's the result of other detections, not the cause itself.
You need to have a look on which rules are contributing to the anomaly score and what specific content in your request is triggering them, you need to analyze the Azure WAF logs.
Make sure that the diagnostic logging is enabled for your Application Gateway and configured to send ApplicationGatewayFirewallLog data to a Log Analytics workspace.
Go to your Log Analytics workspace and use KQL to find the relevant logs. Look for the specific transaction that was blocked.
Look for rows where action is matched and RuleID is not 949110 and the msg field will give you a description of the rule that matched and verify the details message and details data fields.
The details data field often contains the exact string or content within your request that caused the rule match. Note the RuleID of these matching rules.
These might be the rules causing your anomaly score to increase.
Kindly let us know if the above helps or you need further assistance on this issue.
Following up to see if the above suggestion helped. If you have any further queries on this, please let us know in the comments below so that we can address them.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 82%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVV%3C/text%3E%3C/svg%3E)
Hi @Deepaklal-FT
As per MS DOC, WAF RULE ID 949110 may appear when reviewing your WAF logs. The rule description might include 'Inbound Anomaly Score Exceeded'
You can use the Kusto query below to find the detailed reason by examining the Message, DetailedMessage, and FileDetails fields for the blocked rule ID 949110. These fields help pinpoint which part of the request was flagged
AGWFirewallLogs
Output:
To check the detailed reason for the rule ID 949110 block and find the specific rules that contributed to the score, run the following KQL query in your Log Analytics Workspace.
Note: Copy the
TransactionIdfrom the result above and replace it in the KQL query below.
AGWFirewallLogs
| where TransactionId == "6688fa7d46942f5f8beb9c51a091d5cc"
| where RuleId != 949110
| project TimeGenerated, RuleId, Message, Action, RuleSetType, RuleSetVersion, FileDetails
Output:
This will list all the individual rules (e.g., SQLi, XSS) that were triggered and contributed to the total score of 71—each rule typically adds 5, 10, or 20 points.
The final reason rule ID 949110 was triggered is that your request violated multiple OWASP CRS rules. Each rule adds an 'anomaly score' (typically 5, 10, or 20), and in this case, the cumulative score reached 71(in mycase), which is well above the default blocking threshold of 5.
A mix of XSS + SQL Injection + host header issues resulted in a high anomaly score. Since the WAF is in Prevention mode, the summary rule 949110 blocks the request
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Hi @Deepaklal-FT
I just wanted to follow up and see if you had a chance to review my answer to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.
I really appreciate your feedback. It’s valuable to us. Please click Accept Answer on this post to assist other community members facing similar issues in finding the correct solution.