Skip to content

Example

The following example calculates the OWASP request threat score for an incoming request. The OWASP managed ruleset configuration is the following:

  • OWASP Anomaly Score Threshold: High - 25 and higher
  • OWASP Paranoia Level: PL3
  • OWASP Action: Managed Challenge

This table shows the progress of the OWASP ruleset evaluation:

Rule IDParanoia levelRule matched?Rule scoreCumulative
threat score
0
...1813a269PL3Yes+55
...ccc02be6PL3No5
...96bfe867PL2Yes+510
...48b74690PL1Yes+515
...3297003fPL2Yes+318
...317f28e1PL1No18
...682bb405PL2Yes+523
...56bb8946PL2No23
...e5f94216PL3Yes+326
(…)(…)(…)(…)(…)
...f3b37cb1PL4(not evaluated)26

Final request threat score: 26

Since 26 >= 25 — that is, the threat score is greater than the configured score threshold — the WAF will apply the configured action (Managed Challenge). If you had configured a score threshold of Medium - 40 and higher, the WAF would not apply the action, since the request threat score would be lower than the score threshold (26 < 40).

The Activity log in Security Events would display the following details for the example incoming request handled by the OWASP Core Ruleset:

Event log for example incoming request mitigated by the WAF's OWASP Core Ruleset

In the activity log, the rule associated with requests mitigated by the Cloudflare OWASP Core Ruleset is the last rule in this managed ruleset: 949110: Inbound Anomaly Score Exceeded, with rule ID ...843b323c . To get the scores of individual rules contributing to the final request threat score, expand Additional logs in the event details.