This feature allows users to perform false positive analysis against their applications to obtain enhanced visibility of attacks and fine-tune protection. Click the Click here to perform False Positive Analysis button to check False Positives against any virtual service that runs OWASP CRS rules.

Rule Counts

The Rule Counts section displays information on any rules that are being triggered by requests. It displays the Rule ID, the paranoia level the rule is running under, the number of hits per requests that have triggered the rule and the message or match for the request are displayed for each rule that is triggered.

Clicking Show Rule in the Operation column displays the contents of the rule file associated with the triggered rule. This opens in a separate tab and the URL contains the triggered rule id.

You can disable a rule by clicking Disable Rule.

Reset FPA Counter

Reset all False Positive Analysis Counters (Anomaly Histogram and Latest Events) for the Virtual Service. Clearing the Latest Events does not remove the logs from the LoadMaster. They are still available under System Configuration > Logging Options > System Log Files > WAF Event Log File.

Anomaly Histogram

The first row of the Anomaly Histogram section displays how many requests have been run without triggering a rule.

Each subsequent row gives details of rules that have been triggered and which are affecting the Anomaly Score. In each row the cumulative Anomaly Score, the number of requests which have triggered the rule and the rule details are provided

Latest Events (newest at top)

Displays the event details for each rule that is triggered. These messages are in the standard ModSecurity log format and contains the anomaly score, the warning message, the attack state, and the paranoia level.

Download

Click Download to download the displayed WAF event logs details.