52%
of organizations run their WAF in detection-only mode due to false positive concerns
6 weeks
median time from WAF deployment to the first request to create a blanket exception or disable rules
30-40%
false positive rate for OWASP CRS in Paranoia Level 1 against typical enterprise web applications
39%
of surveyed organizations report disabling or substantially weakening WAF rules within six months of deployment

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

A WAF that is too aggressive does not just annoy users; it erodes trust in the security tool until someone with authority disables it. The pattern repeats across organizations: a WAF is deployed, it blocks a legitimate request from an executive or a critical business workflow, the security team is pressured to add an exception or disable the offending rule, and within months the exception list is so broad that the WAF provides minimal protection. The solution is not to accept higher false positive rates as the cost of security; it is to tune the WAF properly. This guide covers the methodology for moving from detection mode to enforcing mode without breaking business-critical traffic, and the ongoing maintenance practices that prevent exception list sprawl.

Detection Mode vs. Block Mode: The Mandatory Starting Point

No WAF should be deployed in blocking mode on day one against production traffic that has not been previously characterized. Detection mode (also called monitor mode, count mode, or audit mode depending on the platform) captures all requests and records which rules would have triggered without actually blocking traffic. This gives you the data you need to separate real attack traffic from legitimate requests that happen to look like attacks.

The operationally critical difference between going straight to blocking mode and running detection mode first is that detection mode failures are invisible to users and produce logs, while blocking mode failures are 403s that produce support tickets. Tuning should happen in logs, not in production incidents.

The minimum viable detection mode observation period depends on your application's traffic patterns. For applications with consistent daily traffic, two weeks of detection mode data captures enough variety to tune the ruleset effectively. For applications with weekly cycles (high traffic Monday through Friday, low on weekends) or monthly cycles (end-of-month reporting tools, billing applications), extend the observation period to ensure you have captured the traffic patterns that are unique to those cycles. Missing a weekly traffic spike during the observation period means you will discover the false positive in blocking mode when it costs you something.

During the observation period, the operational task is to review detection mode logs daily and categorize each triggered rule by whether the triggering request represents legitimate traffic or a genuine attack attempt. Most WAF platforms provide a management console where you can filter log entries by triggered rule ID and review the request details (URI, headers, body). For applications with high request volumes, sampling is acceptable: review a random sample of 200 to 400 requests for each rule that fires more than 50 times per day, enough to establish whether the rule is firing primarily on attack traffic or primarily on legitimate traffic.

At the end of the observation period, you should have a clear picture of which rules have zero or near-zero false positives (safe to enable in blocking mode immediately), which rules have manageable false positives that can be addressed with targeted exceptions, and which rules are fundamentally incompatible with your application's traffic patterns and may require custom rule replacements.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Reading WAF Logs to Distinguish False Positives from Attack Traffic

WAF log analysis is a skill that takes practice to develop because attack traffic and legitimate traffic can trigger the same rules for completely different reasons. Understanding what to look for in each field of a WAF log entry is what separates confident tuning decisions from guesswork.

For a WAF log entry that shows a SQL injection rule firing, the critical fields to review are the matched field and the matched data. A rule firing on the request URI against a path like /api/search?q=it%27s+a+test (where the apostrophe in the word "it's" matches a SQL injection pattern) is clearly a false positive, because the matched data is a natural language possessive apostrophe. A rule firing on a POST request body where the matched data is ' OR 1=1 -- is clearly attack traffic. Most false positives look like the first example: legitimate user input that contains characters or patterns that overlap with attack signatures.

Source IP and user agent analysis helps categorize traffic intent. A SQL injection rule firing from a consistent set of internal corporate IP addresses (visible if your WAF logs source IPs) is almost certainly a false positive from internal tooling or API clients. The same rule firing from a cloud provider IP range against your login endpoint is a more credible attack signal. A rule firing from requests with a curl user agent is worth investigating because legitimate API clients sometimes use curl but so do automated scanners.

For OWASP Core Rule Set (CRS) deployments on ModSecurity and compatible WAFs, the anomaly score log field is important for block/allow decisions. CRS accumulates rule matches into a total anomaly score and blocks requests only when the score exceeds a configured threshold. A request that triggers one low-confidence SQL injection rule with a score of 5 may not be blocked at a threshold of 10 but will be logged as a detection event. Reviewing the rule match sequence for a blocked request shows whether it was a single high-confidence rule match or an accumulation of many low-confidence signals.

For Cloudflare WAF, the Security Events log in the Cloudflare dashboard shows triggered rules with full request details including the matched field, the rule description, and the action taken. Cloudflare's managed rules are grouped by category (OWASP rules, Cloudflare managed rules, custom rules), and the log includes the rule ID in a format that maps directly to the Cloudflare ruleset documentation. Cross-referencing the rule ID with the documentation reveals what attack pattern the rule targets and helps determine whether the legitimate traffic triggering it has a characteristic that can be used to write a specific exception.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The Rule-by-Rule Exception Workflow

The correct exception methodology is always rule-specific, not IP-based or URL-based blanket allowlisting. Blanket IP allowlisting says: requests from IP X are always allowed regardless of content. Rule-specific exceptions say: rule Y is disabled for requests matching specific characteristics that indicate legitimate traffic. The second approach maintains protection even for legitimate traffic sources that might be compromised or spoofed.

The exception characteristics to use, in order of preference from most specific to least, are: request body field names (disable the SQL injection check specifically on the description form field where users enter free-text), URL path plus HTTP method (disable the rule only on POST requests to /api/v2/search, not on all requests to any path), user agent string patterns (disable for requests from your specific internal tool's user agent string with an exact string match), and authenticated user characteristics if your WAF integrates with your identity platform.

For AWS WAF, exceptions are implemented using rule group exclusions and label-based rule conditions. For managed rule groups (the AWS Managed Rule Groups like AWSManagedRulesCommonRuleSet), you can add an override at the rule level to set the action to count instead of block for specific rules. To make the exception more granular (applying only when specific request characteristics are present), you create a custom rule that runs before the managed rule group and applies a label to matching requests, then add a scope-down statement to the managed rule that excludes labeled requests. This scoped exception approach is more complex to configure but dramatically more precise than disabling the rule entirely.

For Cloudflare WAF, exceptions are created under the Security section as WAF exception rules. An exception rule specifies a match expression (using Cloudflare's Rules Language, which supports field comparisons, IP ranges, and boolean logic) and a list of managed rule IDs to skip when the expression matches. The key is to make the match expression as specific as possible: rather than matching on source IP alone, match on source IP AND specific URI path AND specific HTTP method. This creates an exception that applies only in the exact context where the false positive occurs.

For ModSecurity with CRS, exceptions are configured using SecRuleRemoveById (to disable a rule entirely for a location or virtual host), SecRuleUpdateTargetById (to remove a specific field from a rule's target list), or SecRuleUpdateActionById (to change a rule's action from block to log). The CRS project maintains a detailed exception documentation guide that shows the correct directive for each type of exception. Prefer SecRuleUpdateTargetById over SecRuleRemoveById because it removes a specific field from the rule's scope rather than disabling the rule entirely, preserving protection for all other fields.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Writing Custom Rules to Replace Noisy Managed Rules

When a managed rule fires frequently on legitimate traffic and cannot be made precise enough through exceptions, the better approach is to replace it with a custom rule that captures the genuine threat signal with fewer false positives. This requires understanding what attack pattern the managed rule is trying to detect and writing a more targeted expression.

Consider a managed SQL injection rule that fires on any request body containing single quotes. This rule has a high false positive rate for applications where users enter customer names, addresses, or free-text descriptions that legitimately contain apostrophes. The attack pattern the rule is trying to detect is SQL injection, which requires both quote characters and SQL keywords or operators to form a valid injection payload. A custom rule that requires the presence of SQL keywords (SELECT, UNION, INSERT, DROP, OR, AND) in combination with quote characters, encoded or not, reduces false positives dramatically while maintaining detection of actual injection attempts.

For Cloudflare WAF, custom rules are written using the Rules Language in the Firewall Rules section. The expression builder supports contains, matches (for regex), in, and logical operators. A custom SQL injection rule might look like: http.request.body contains "'" and (http.request.body contains "UNION SELECT" or http.request.body contains "OR 1=1" or http.request.body contains "DROP TABLE"). This fires only when both the quote character and a known SQL attack pattern are present, rather than on any request containing a quote.

For AWS WAF, custom rules use the web ACL rule builder. You create a rule with a statement type of "String match statement" or "Regex pattern set" and apply it to the relevant request component (body, URI, specific header). The same SQL injection narrowing logic applies: add a logical AND condition that requires both the injection trigger character and a SQL keyword pattern. AWS WAF's regex pattern sets support up to 10 patterns per set, so complex rules may require multiple sets combined with AND/OR logic.

Custom rules require careful testing before deployment because they are written by humans rather than maintained by threat intelligence teams. Before enabling a custom rule in blocking mode, run it in count mode for a full two-week observation period and review every triggered request manually. A custom rule that has zero false positives in one week of count mode is still not validated against traffic patterns you have not yet seen. The confidence threshold for custom blocking rules should be higher than for managed rules, because managed rules are tested against broad traffic datasets by their vendors.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Platform-Specific Tuning: Cloudflare, AWS WAF, and ModSecurity/CRS

Each major WAF platform has specific features and tuning approaches that are worth knowing at the platform level. Generic WAF tuning guidance applies broadly, but platform-specific features can significantly reduce the effort required to achieve a well-tuned configuration.

For Cloudflare WAF, the most useful platform-specific feature for false positive reduction is the WAF attack score. Cloudflare's managed rules use machine learning-based scoring in addition to signature matching, and the attack score (a value from 1 to 99, where lower is more likely to be an attack) can be used as a condition in custom rules. Setting a blocking action only for requests with a WAF attack score below a threshold (for example, block requests that trigger SQL injection rules AND have a WAF attack score below 20) dramatically reduces false positives compared to signature-only blocking. The score reflects Cloudflare's cross-customer threat intelligence, not just the pattern match on the individual request.

For AWS WAF, the label matching feature enables sophisticated multi-rule logic. When a managed rule fires, it applies a label to the request (such as awswaf:managed:aws:core-rule-set:SQLi_QueryArguments). You can create a custom rule that triggers only on requests that have accumulated multiple labels from different rule groups, which reduces false positives by requiring independent corroborating signals before blocking. The rate-based rule capability in AWS WAF is also underutilized: rather than blocking every request that matches a pattern, rate-based rules block source IPs that trigger the pattern more than N times in a 5-minute window, which catches automated scanners while allowing occasional legitimate matches through.

For ModSecurity with OWASP CRS, the paranoia level setting is the single most impactful configuration choice. Paranoia Level 1 enables the most critical rules with the fewest false positives. Paranoia Level 2 adds rules that catch more attack variants but produce more false positives. Levels 3 and 4 are appropriate only for hardened applications where developers are actively reviewing every false positive. For most enterprise web applications, Paranoia Level 1 in blocking mode, combined with specific exceptions for known false positive fields, provides a better security-to-noise ratio than Paranoia Level 2 with a large exception list.

The allowlist creep audit is a maintenance practice that applies to all platforms. Quarterly, export your full exception list (whether implemented as IP allowlists, rule exclusions, or skip rules) and review each entry for whether the original justification still applies. Applications change, traffic patterns change, and internal tool user agents change. An exception added eighteen months ago for a now-decommissioned internal analytics tool is no longer justified and should be removed. This quarterly review prevents the exception list from growing indefinitely and ensures your WAF configuration reflects the current state of your application.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

Deploy in detection mode first, measure false positive rates per rule over two weeks, then apply logic-based exceptions only to the specific rules generating the noise. Never bypass a WAF rule with a blanket IP allowlist. Write custom rules to replace managed rules that cannot be tuned. Review your exception list quarterly and treat any exception without a documented business owner as a candidate for removal.

Frequently asked questions

How long should we run in detection mode before enabling blocking?

At minimum, two weeks for applications with consistent daily traffic patterns. Extend to four to six weeks if your application has weekly cycles (high business traffic on specific days) or monthly cycles (end-of-month financial processing, batch jobs). The goal is to ensure your detection mode observation covers all legitimate traffic patterns before blocking mode makes false positives visible as errors.

What is the safest way to handle a rule that fires on both attack traffic and legitimate traffic?

Write a targeted exception that covers only the legitimate traffic characteristic rather than disabling the rule. If the rule fires on legitimate requests to a specific API endpoint with a specific content type, write an exception scoped to that endpoint and content type. This preserves the rule's detection for all other contexts. If the rule cannot be made precise enough through exceptions, replace it with a custom rule that uses a compound condition requiring multiple attack indicators simultaneously.

Our WAF blocked the CEO during a board presentation. How do we prevent this without disabling protection?

Identify the specific rule that triggered on the request the CEO was making, review the matched data, and write an exception scoped to the specific behavior that caused the false positive. If the cause was an internal IP address, add that IP range to a named IP set and use it as a scope-down condition in the exception rather than as a blanket allowlist. Do not create a blanket allowlist for the entire executive floor network, as that allowlists all attacks originating from those IPs too.

We inherited a WAF with a 200-entry exception list. Where do we start the cleanup?

Export the full exception list and cross-reference each entry against your current application architecture and network topology. Entries referencing IP ranges that belong to decommissioned vendors, old office locations, or replaced CI systems are safe to remove first. For remaining entries, search your ticketing system for the original support ticket that caused the exception to be added. If the underlying application behavior that caused the false positive has changed (API updated, form removed), the exception is likely no longer needed.

Does enabling a WAF provide protection against all the OWASP Top 10?

A WAF addresses certain OWASP Top 10 categories well: injection (A03), cross-site scripting (A03), and server-side request forgery (A10) are directly addressed by WAF rules. It provides partial coverage for security misconfiguration (A05) and broken access control (A01) only in specific cases. A WAF does not address cryptographic failures (A02), insecure design (A04), vulnerable components (A06), authentication failures (A07 in many forms), software integrity failures (A08), or logging failures (A09). A WAF is one layer of a defense-in-depth strategy, not a comprehensive application security control.

Sources & references

  1. OWASP ModSecurity Core Rule Set Documentation
  2. AWS WAF Developer Guide
  3. Cloudflare WAF Documentation
  4. OWASP Web Application Firewall Evaluation Criteria

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.