I’m working on a WAF policy. Currently, the WAF is on detection mode and I’ve been creating exclusions and identifying false positives etc.
There is one rule I’m struggling to implement and it concerns RFI. Specifically this:
Rule ID: 931130
Message: Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
Details message: Pattern match ^(?i:file|ftps?|https?)://(.)$; Begin With RequestHeaders:host at TX:rfi_parameter_..
Please see screenshot for an example in the logs.
Does anybody know how I can exclude this?
I've tried this but no dice:
Cheers,
Ben
2 Answers
You may have already figured this out but this is to help someone else facing this issue. You can try – Req Args Name contains urlreferrer
We were able to resolve this with the help of Microsoft support.
In our case the issue came down to the arg name being case-sensitive. You need to know the case the caller is using for the arg name, which if memory serves may differ from the case used in the log entry – unhelpful on all counts.
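As an added illustration (not code from this thread or from Azure WAF itself), the following Python models how rule 931130 and a "Request Arg Names / Contains" exclusion interact, using the case-sensitive name matching the last answer reports. The regex is the CRS form of the rule pattern (the post's `(.)$` is assumed to be a truncated `(.*)$`), and the argument names and URLs are constructed sample data.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# CRS rule 931130 pattern: a request argument whose value is an off-domain
# file/ftp/http(s) reference. "(.*)$" is assumed where the post shows "(.)$".
RFI_PATTERN = re.compile(r"^(?i:file|ftps?|https?)://(.*)$")


@dataclass
class Exclusion:
    """Models one 'RequestArgNames' exclusion entry (hypothetical shape)."""
    operator: str                # "Contains" or "Equals"
    selector: str                # e.g. "urlreferrer"
    case_sensitive: bool = True  # per the answer above: names are matched case-sensitively

    def excludes(self, arg_name: str) -> bool:
        name, sel = arg_name, self.selector
        if not self.case_sensitive:
            name, sel = name.lower(), sel.lower()
        if self.operator == "Equals":
            return name == sel
        if self.operator == "Contains":
            return sel in name
        raise ValueError(f"unsupported operator {self.operator!r}")


def evaluate_931130(args: dict[str, str], exclusions: list[Exclusion]) -> list[str]:
    """Return the request arg names that would still trigger rule 931130."""
    hits = []
    for name, value in args.items():
        if any(ex.excludes(name) for ex in exclusions):
            continue  # excluded arg: the rule is not evaluated against it
        if RFI_PATTERN.match(value):
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Constructed request: a referrer URL carried in a query argument, plus a harmless arg.
    request = {"UrlReferrer": "https://partner.example/landing", "q": "shoes"}
    wrong_case = [Exclusion("Contains", "urlreferrer")]            # selector case != caller's case
    right_case = [Exclusion("Contains", "UrlReferrer")]            # selector matches the caller's case
    print("no exclusion  :", evaluate_931130(request, []))         # ['UrlReferrer']
    print("wrong case    :", evaluate_931130(request, wrong_case)) # ['UrlReferrer'] (still blocked)
    print("matching case :", evaluate_931130(request, right_case)) # []
```

When the log entry shows a different case than the caller actually sends, check the raw request rather than the log before choosing the selector value.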