Merge pull request #208656 from johndowns/waf-front-door-anomaly

prmerger-automator[bot] · web-flow · commit cda5104d3504 · 2022-08-28T21:28:52.000Z
Front Door WAF - Anomaly scoring and rule ID 949110
diff --git a/articles/web-application-firewall/afds/waf-front-door-drs.md b/articles/web-application-firewall/afds/waf-front-door-drs.md
@@ -5,17 +5,16 @@ ms.service: web-application-firewall
 author: vhorne
 ms.author: victorh
 ms.topic: conceptual
-ms.date: 06/15/2022
+ms.date: 08/28/2022
 ---
 
 # Web Application Firewall DRS rule groups and rules
 
 Azure Front Door web application firewall (WAF) protects web applications from common vulnerabilities and exploits. Azure-managed rule sets provide an easy way to deploy protection against a common set of security threats. Since such rule sets are managed by Azure, the rules are updated as needed to protect against new attack signatures. Default rule set also includes the Microsoft Threat Intelligence Collection rules that are written in partnership with the Microsoft Intelligence team to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction.
 
-
 ## Default rule sets
 
-Azure-managed Default Rule Set includes rules against the following threat categories:
+The Azure-managed Default Rule Set (DRS) includes rules against the following threat categories:
 
 - Cross-site scripting
 - Java attacks
@@ -27,40 +26,42 @@ Azure-managed Default Rule Set includes rules against the following threat categ
 - SQL injection protection
 - Protocol attackers
 
-The version number of the Default Rule Set increments when new attack signatures are added to the rule set.
-Default Rule Set is enabled by default in Detection mode in your WAF policies. You can disable or enable individual rules within the Default Rule Set to meet your application requirements. You can also set specific actions (ALLOW/BLOCK/REDIRECT/LOG) per rule.
+The version number of the DRS increments when new attack signatures are added to the rule set.
+
+DRS is enabled by default in Detection mode in your WAF policies. You can disable or enable individual rules within the Default Rule Set to meet your application requirements. You can also set specific actions per rule. The available actions are: [Allow, Block, Log, and Redirect](afds-overview.md#waf-actions).
 
-Sometimes you may need to omit certain request attributes from a WAF evaluation. A common example is Active Directory-inserted tokens that are used for authentication. You may configure an exclusion list for a managed rule, rule group, or for the entire rule set.  
+Sometimes you might need to omit certain request attributes from a WAF evaluation. A common example is Active Directory-inserted tokens that are used for authentication. You may configure an exclusion list for a managed rule, rule group, or for the entire rule set. For more information, see [Web Application Firewall (WAF) with Front Door exclusion lists](./waf-front-door-exclusion.md).
 
-The Default action is to BLOCK. Additionally, custom rules can be configured in the same WAF policy if you wish to bypass any of the pre-configured rules in the Default Rule Set.
+By default, DRS blocks requests that trigger the rules. Additionally, custom rules can be configured in the same WAF policy if you wish to bypass any of the pre-configured rules in the Default Rule Set.
 
 Custom rules are always applied before rules in the Default Rule Set are evaluated. If a request matches a custom rule, the corresponding rule action is applied. The request is either blocked or passed through to the back-end. No other custom rules or the rules in the Default Rule Set are processed. You can also remove the Default Rule Set from your WAF policies.
 
 ### Microsoft Threat Intelligence Collection rules
 
-The Microsoft Threat Intelligence Collection rules are written in partnership with the Microsoft Intelligence team to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction.
+The Microsoft Threat Intelligence Collection rules are written in partnership with the Microsoft Threat Intelligence team to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction.
 
-### Anomaly Scoring mode
+### <a name="anomaly-scoring-mode"></a>Anomaly scoring
 
-OWASP has two modes for deciding whether to block traffic: Traditional mode and Anomaly Scoring mode.
+When you use DRS 2.0 or later, your WAF uses *anomaly scoring*. Traffic that matches any rule isn't immediately blocked, even when your WAF is in prevention mode. Instead, the OWASP rule sets define a severity for each rule: *Critical*, *Error*, *Warning*, or *Notice*. The severity affects a numeric value for the request, which is called the *anomaly score*:
 
-In Traditional mode, traffic that matches any rule is considered independently of any other rule matches. This mode is easy to understand. But the lack of information about how many rules match a specific request is a limitation. So, Anomaly Scoring mode was introduced. It's the default for OWASP 3.*x*.
+| Rule severity | Values contributes to anomaly score |
+|-|-|
+| Critical | 5 |
+| Error | 4 |
+| Warning | 3 |
+| Notice | 2 |
 
-In Anomaly Scoring mode, traffic that matches any rule isn't immediately blocked when the firewall is in Prevention mode. Rules have a certain severity: *Critical*, *Error*, *Warning*, or *Notice*. That severity affects a numeric value for the request, which is called the Anomaly Score. For example, one *Warning* rule match contributes 3 to the score. One *Critical* rule match contributes 5.
+If the anomaly score is 5 or greater, WAF blocks the request.
 
-|Severity  |Value  |
-|---------|---------|
-|Critical     |5|
-|Error        |4|
-|Warning      |3|
-|Notice       |2|
+For example, a single *Critical* rule match is enough for the WAF to block a request, because the overall anomaly score is 5. However, one *Warning* rule match only increases the anomaly score by 3, which isn't enough by itself to block the traffic.
 
-There's a threshold of 5 for the Anomaly Score to block traffic. So, a single *Critical* rule match is enough for the WAF to block a request, even in Prevention mode. But one *Warning* rule match only increases the Anomaly Score by 3, which isn't enough by itself to block the traffic. For more information, see [What content types does WAF support?](waf-faq.yml#what-content-types-does-waf-support-) in the FAQ to learn what content types are supported for body inspection with different DRS versions.
+When your WAF uses older version of the default rule set (before DRS 2.0), your WAF runs in the traditional mode. Traffic that matches any rule is considered independently of any other rule matches. In traditional mode, you don't have visiblity into the complete set of rules that a specific request matched.
 
+The version of the DRS that you use also determines which content types are supported for request body inspection. For more information, see [What content types does WAF support?](waf-faq.yml#what-content-types-does-waf-support-) in the FAQ.
 
 ### DRS 2.0
 
-DRS 2.0 includes 17 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled.
+DRS 2.0 includes 17 rule groups, as shown in the following table. Each group contains multiple rules, and you can disable individual rules as well as entire rule groups.
 
 > [!NOTE]
 > DRS 2.0 is only available on Azure Front Door Premium.
@@ -118,9 +119,6 @@ DRS 2.0 includes 17 rule groups, as shown in the following table. Each group con
 |**[MS-ThreatIntel-WebShells](#drs9905-10)**|Protect against Web shell attacks|
 |**[MS-ThreatIntel-CVEs](#drs99001-10)**|Protect against CVE attacks|
 
-
-
-
 ### Bot rules
 
 |Rule group|Description|
@@ -129,10 +127,7 @@ DRS 2.0 includes 17 rule groups, as shown in the following table. Each group con
 |**[GoodBots](#bot200)**|Identify good bots|
 |**[UnknownBots](#bot300)**|Identify unknown bots|
 
-
-
-The following rule groups and rules are available when using Web Application Firewall on Azure 
-Front Door.
+The following rule groups and rules are available when using Web Application Firewall on Azure Front Door.
 
 # [DRS 2.0](#tab/drs20)
 
@@ -289,7 +284,6 @@ Front Door.
 >[!NOTE]
 > This article contains references to the term *blacklist*, a term that Microsoft no longer uses. When the term is removed from the software, we’ll remove it from this article.
 
-
 ### <a name="drs942-20"></a> SQLI - SQL Injection
 |RuleId|Description|
 |---|---|
@@ -335,7 +329,6 @@ Front Door.
 |942500|MySQL in-line comment detected.|
 |942510|SQLi bypass attempt by ticks or backticks detected.|
 
-
 ### <a name="drs943-20"></a> SESSION-FIXATION
 |RuleId|Description|
 |---|---|
@@ -383,6 +376,13 @@ Front Door.
 |99001015|Attempted Spring Framework unsafe class object exploitation [CVE-2022-22965](https://www.cve.org/CVERecord?id=CVE-2022-22965)|
 |99001016|Attempted Spring Cloud Gateway Actuator injection [CVE-2022-22947](https://www.cve.org/CVERecord?id=CVE-2022-22947)
 
+> [!NOTE]
+> When reviewing your WAF's logs, you might see rule ID 949110. The description of the rule might include *Inbound Anomaly Score Exceeded*.
+>
+> This rule indicates that the total anomaly score for the request exceeded the maximum allowable score. For more information, see [Anomaly scoring](#anomaly-scoring-mode).
+> 
+> When you tune your WAF policies, you need to investigate the other rules that were triggered by the request so that you can adjust your WAF's configuration. For more information, see [Tuning Web Application Firewall (WAF) for Azure Front Door](waf-front-door-tuning.md).
+
 # [DRS 1.1](#tab/drs11)
 
 ## <a name="drs11"></a> 1.1 rule sets
diff --git a/articles/web-application-firewall/afds/waf-front-door-exclusion.md b/articles/web-application-firewall/afds/waf-front-door-exclusion.md
@@ -9,7 +9,7 @@ ms.author: victorh
 ms.topic: conceptual
 ---
 
-# Web Application Firewall (WAF) with Front Door Service exclusion lists 
+# Web Application Firewall (WAF) with Front Door exclusion lists
 
 Sometimes Web Application Firewall (WAF) might block a request that you want to allow for your application. WAF exclusion lists allow you to omit certain request attributes from a WAF evaluation. The rest of the request is evaluated as normal.
 
diff --git a/articles/web-application-firewall/afds/waf-front-door-tuning.md b/articles/web-application-firewall/afds/waf-front-door-tuning.md
@@ -5,7 +5,7 @@ services: web-application-firewall
 author: mohitkusecurity
 ms.service: web-application-firewall
 ms.topic: conceptual
-ms.date: 12/11/2020
+ms.date: 08/21/2022
 ms.author: mohitku
 ms.reviewer: victorh 
 ms.custom: devx-track-azurepowershell
@@ -275,6 +275,12 @@ Another way to view request and response headers is to look inside the developer
 
 If the request contains cookies, the Cookies tab can be selected to view them in Fiddler. Cookie information can also be used to create exclusions or custom rules in WAF.
 
+## Anomaly scoring rule
+
+If you see rule ID 949110 during the process of tuning your WAF, this indicates that the request was blocked by the [anomaly scoring](waf-front-door-drs.md#anomaly-scoring-mode) process.
+
+Review the other WAF log entries for the same request, by searching for the log entries with the same tracking reference. Look at each of the rules that were triggered, and tune each rule by following the guidance throughout this article.
+
 ## Next steps
 
 - Learn about [Azure web application firewall](../overview.md).
