False Positives
- Last Updated: October 10, 2024
To perform False Positive analysis, at least one Virtual Service should be running WAF with OWASP rules and anomaly scoring. Select the appropriate Virtual Service from the drop-down list and the rules being triggered will be shown, along with the WAF log information.
Rule Counts
The Rule Counts section displays information on any rules that are being triggered by requests. For each triggered rule, it displays the Rule ID, the paranoia level the rule is running under, the number of hits from requests that have triggered the rule, and the message or match for the request.
Clicking the Show Rule button in the Operation column displays the contents of the rule file associated with the triggered rule. This opens in a separate tab and the URL contains the triggered rule ID.
The rule can be disabled by clicking the Disable Rule button.
Reset FPA Counter
Resets all False Positive Analysis Counters (Anomaly Histogram and Latest Events) for the Virtual Service. Clearing the Latest Events does not remove the logs from the LoadMaster; they are still available under System Configuration > Logging Options > System Log Files > WAF Event Log File.
Anomaly Histogram
The first row of the Anomaly Histogram section displays how many requests have been run without triggering a rule.
Each subsequent row gives details of rules that have been triggered and which are affecting the Anomaly Score. Each row provides the cumulative Anomaly Score, the number of requests which have triggered the rule, and the rule details.
Latest Events (newest at top)
Displays the event details for each rule that is triggered. These messages are in the standard ModSecurity log format and contain the anomaly score, the warning message, the attack state, and the paranoia level.
Download
Click the Download button to download the displayed WAF event log details.
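The Rule Counts view can be reproduced offline from a downloaded event log when triaging false positives. The following is an added example, not LoadMaster's own code: it assumes the events carry the bracketed `[id "..."]`, `[msg "..."]`, `[tag "paranoia-level/N"]` and `[uri "..."]` fields used by ModSecurity with the OWASP rules, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events in ModSecurity log style (not real LoadMaster output).
SAMPLE_LOG = '''\
ModSecurity: Warning. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [tag "paranoia-level/1"] [uri "/search"]
ModSecurity: Warning. [id "920350"] [msg "Host header is a numeric IP address"] [tag "paranoia-level/1"] [uri "/health"]
ModSecurity: Warning. [id "920350"] [msg "Host header is a numeric IP address"] [tag "paranoia-level/1"] [uri "/health"]
ModSecurity: Warning. [id "942430"] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)"] [tag "paranoia-level/2"] [uri "/api/comment"]
ModSecurity: Warning. [id "920350"] [msg "Host header is a numeric IP address"] [tag "paranoia-level/1"] [uri "/health"]
ModSecurity: Access denied with code 403. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/search"]
'''

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs
SCORE = re.compile(r"Total Score: (\d+)")              # anomaly-score summary message

def parse_event(line):
    """Extract rule id, message, paranoia level, URI and score from one event line."""
    fields = defaultdict(list)
    for key, value in FIELD.findall(line):
        fields[key].append(value)
    if not fields["id"]:
        return None  # not a rule event
    levels = [int(t.rsplit("/", 1)[1]) for t in fields["tag"]
              if t.startswith("paranoia-level/")]
    msg = fields["msg"][0] if fields["msg"] else ""
    score = SCORE.search(msg)
    return {"id": fields["id"][0], "msg": msg,
            "pl": levels[0] if levels else None,
            "uri": fields["uri"][0] if fields["uri"] else "",
            "score": int(score.group(1)) if score else None}

def rule_counts(log_text):
    """Return (rule_id, paranoia_level, hits, uris) per rule, most hits first."""
    hits, level, uris = Counter(), {}, defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["score"] is not None:
            continue  # skip non-events and the score summary rule
        hits[ev["id"]] += 1
        level[ev["id"]] = ev["pl"]
        uris[ev["id"]].add(ev["uri"])
    return [(rid, level[rid], n, sorted(uris[rid])) for rid, n in hits.most_common()]

if __name__ == "__main__":
    for row in rule_counts(SAMPLE_LOG):
        print(row)
```

A rule that fires repeatedly on a single benign URI, as 920350 does on the constructed `/health` entries, is the usual candidate to review with Show Rule before using Disable Rule.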