Waf Charm

Change a Specific Rule to Count Mode in AWS WAF

【Overview】

When operating AWS WAF with managed rules, a rule will occasionally produce a false positive. This post introduces a way to switch the specific rule that triggered the false positive to count mode.


【What is Count mode?】

In AWS WAF, each rule applied to a Web ACL is given one of the following three actions.

・ALLOW: Allows the request if it matches the rule.

・BLOCK: Blocks the request if it matches the rule.

・COUNT: Instead of allowing or blocking a matching request, the rule only records the match as a count. If the Web ACL contains other rules, evaluation then continues with those rules. If no other rule matches, the Web ACL's configured default action is applied.

※Count mode is an action that detects a match but does not actually allow or block the request. It is generally used to verify a rule before enforcing it.


【Changing action to count mode】

1. Click the target Web ACL.

2. Select the "Rules" tab.

3. Click "Edit web ACL".

4. Change the action of the target rule to "Count", and click "Update".

5. Once you confirm that the action has switched to "Count" mode, the process is complete.
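The console steps above, and the count behaviour described under 【What is Count mode?】, can also be done against the wafv2 API. The Python below is an added example, not WafCharm's own code: set_rule_to_count, apply_count_mode and SAMPLE_RULES are hypothetical names, and the sample rules are constructed. It goes one step beyond the post by also showing how to count only one rule inside a managed rule group (via RuleActionOverrides) instead of overriding the whole group.

```python
import copy

COUNT_ACTION = {"Count": {}}
GROUP_STATEMENTS = ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement")

def set_rule_to_count(rules, rule_name, sub_rule=None):
    """Return a copy of a Web ACL's Rules list with `rule_name` switched to Count.
    A rule with its own "Action" gets Action = Count. A managed rule group
    (has "OverrideAction") is counted as a whole when sub_rule is None, or
    only for `sub_rule` via RuleActionOverrides so the rest of the group
    keeps blocking. Raises KeyError if the rule is not in the Web ACL."""
    new_rules = copy.deepcopy(rules)          # never mutate the caller's copy
    for rule in new_rules:
        if rule["Name"] != rule_name:
            continue
        if "Action" in rule:
            rule["Action"] = copy.deepcopy(COUNT_ACTION)
        elif sub_rule is None:
            rule["OverrideAction"] = copy.deepcopy(COUNT_ACTION)
        else:
            stmt = next(v for k, v in rule["Statement"].items() if k in GROUP_STATEMENTS)
            keep = [o for o in stmt.get("RuleActionOverrides", []) if o["Name"] != sub_rule]
            stmt["RuleActionOverrides"] = keep + [
                {"Name": sub_rule, "ActionToUse": copy.deepcopy(COUNT_ACTION)}]
        return new_rules
    raise KeyError(f"rule {rule_name!r} not found in Web ACL")

def apply_count_mode(name, acl_id, scope, rule_name, sub_rule=None):
    """Console steps 1-5 as API calls: fetch the Web ACL, rewrite the rule,
    push it back with the LockToken that update_web_acl requires."""
    import boto3  # imported here so the pure helper above runs without AWS access
    wafv2 = boto3.client("wafv2")  # scope CLOUDFRONT must be called in us-east-1
    resp = wafv2.get_web_acl(Name=name, Scope=scope, Id=acl_id)
    acl = resp["WebACL"]
    wafv2.update_web_acl(
        Name=name, Scope=scope, Id=acl_id, LockToken=resp["LockToken"],
        DefaultAction=acl["DefaultAction"], VisibilityConfig=acl["VisibilityConfig"],
        Rules=set_rule_to_count(acl["Rules"], rule_name, sub_rule))

# Constructed sample Rules list (not from a real account), trimmed to the keys used.
SAMPLE_RULES = [
    {"Name": "block-admin-path", "Priority": 0, "Action": {"Block": {}},
     "Statement": {"ByteMatchStatement": {}}},
    {"Name": "AWS-CommonRuleSet", "Priority": 1, "OverrideAction": {"None": {}},
     "Statement": {"ManagedRuleGroupStatement": {
         "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}},
]
```

Because update_web_acl replaces the whole rule list, always start from the freshly fetched Rules and LockToken; a stale token makes the call fail rather than silently overwrite a concurrent change.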

【Summary】

This time we introduced a way to deal with false positives by changing a specific rule to count mode.
The sampled requests often include some that may be false positives; switching the rule to count mode lets you handle them temporarily while you verify the rule.