Managing False Positives

False positives represent the biggest operational challenge in WAF deployment. Legitimate traffic blocked by overly aggressive rules frustrates users and creates support overhead. Developing strategies to minimize and manage false positives is essential for successful WAF operation.

Run the WAF in a learning (detection-only) mode before enforcement, so rule hits are logged but nothing is blocked:

# ModSecurity DetectionOnly mode: evaluate and log every rule, block nothing
SecRuleEngine DetectionOnly

# AWS WAF Count mode: a rule object inside a web ACL's "Rules" list;
# the Count action records matches without blocking (VisibilityConfig is required)
{
  "Name": "RateLimitRule",
  "Priority": 1,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 2000,
      "AggregateKeyType": "IP"
    }
  },
  "Action": {
    "Count": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "RateLimitRule"
  }
}

Create exception rules for known false positives:

# Exclude specific parameters from SQL injection checks
SecRule REQUEST_URI "@beginsWith /blog/comment" \
    "id:100010,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:comment"

# Turn the rule engine off entirely for trusted internal sources
# (note: ctl:ruleEngine=Off skips all inspection for 10.0.0.0/8, not just specific rules)
SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" \
    "id:100011,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleEngine=Off"
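Detection-only mode only pays off if the logged hits are triaged into exceptions like the ones above. The following added script (not part of the original page) parses ModSecurity v2 error-log alert lines from a learning run, counts how often each rule fires on the same URI and parameter, and renders a `ctl:ruleRemoveTargetById` exception for combinations that recur; the log lines, the hit threshold of 3 and the starting rule id 100100 are constructed assumptions.

```python
import re
from collections import Counter

# Constructed ModSecurity error-log alert lines from a DetectionOnly run (not real traffic).
SAMPLE_LOG = """\
[client 198.51.100.7] ModSecurity: Warning. detected SQLi using libinjection [id "942100"] [data "Matched Data: s&1c found within ARGS:comment: it's a 1-in-100 chance"] [uri "/blog/comment"]
[client 198.51.100.8] ModSecurity: Warning. detected SQLi using libinjection [id "942100"] [data "Matched Data: s&1c found within ARGS:comment: that's the one"] [uri "/blog/comment"]
[client 198.51.100.9] ModSecurity: Warning. detected SQLi using libinjection [id "942100"] [data "Matched Data: s&1c found within ARGS:comment: don't do it"] [uri "/blog/comment"]
[client 203.0.113.4] ModSecurity: Warning. detected SQLi using libinjection [id "942100"] [data "Matched Data: s&1c found within ARGS:q: quoted text"] [uri "/search"]
"""

FIELD = re.compile(r'\[(id|uri|data) "([^"]*)"\]')      # bracketed key/value fields
TARGET = re.compile(r'found within ([A-Z_]+:[^:]+):')   # e.g. ARGS:comment

def parse_events(log_text):
    """Yield (uri, rule_id, target) for each alert line that carries all three."""
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        m = TARGET.search(fields.get("data", ""))
        if "id" in fields and "uri" in fields and m:
            yield fields["uri"], fields["id"], m.group(1)

def candidate_exclusions(log_text, min_hits=3):
    """Count (uri, rule, target) triples; ones recurring on a single URI are FP candidates."""
    counts = Counter(parse_events(log_text))
    return {k: v for k, v in counts.items() if v >= min_hits}

def render_exclusion(uri, rule_id, target, rule_no):
    """Emit a ctl:ruleRemoveTargetById exception in the same style as the rules above."""
    return (
        f'SecRule REQUEST_URI "@beginsWith {uri}" \\\n'
        f'    "id:{rule_no},phase:1,pass,nolog,'
        f'ctl:ruleRemoveTargetById={rule_id};{target}"'
    )

def generate_rules(log_text, start_id=100100, min_hits=3):
    """Render one exception per recurring (uri, rule, target), with sequential ids."""
    rules = []
    for n, (uri, rid, target) in enumerate(sorted(candidate_exclusions(log_text, min_hits))):
        rules.append(render_exclusion(uri, rid, target, start_id + n))
    return rules

if __name__ == "__main__":
    print("\n\n".join(generate_rules(SAMPLE_LOG)))
```

Review each generated exception before enabling it; the one-off hit on /search stays below the threshold and is left for manual analysis rather than excluded.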