Severity of Events Triggered by Handlers

In various places, vWAF calculates and shows a severity level of events:

  • In the Log Files, there’s a column that lists the severity of each individual event.
  • In Attack Analysis, you get an overview of how many attacks of a certain severity have been launched. This gives you an instant idea of the current threat.

When using the Requests Per IP Per Path Per Timeframe Per Application Event Source, you can tell vWAF to count only requests that have at least a particular severity.

Severity Levels

There are three severity levels:

  • low

    It’s likely that the incident wasn’t an attack at all, or that there’s a rather limited risk involved with the type of attack.

  • medium

    There’s some fair risk that this incident might have been an attack.

  • high

    It’s likely that a direct attack has been launched on your web application. The nature of the attack involves a considerable threat.

How the severity is calculated

The severity level of an event is determined by the handler that triggers the event. Each handler is assigned a fixed severity, with the exception of the Baseline Protection Handler, whose severity comes from the individual rule that matched.

The following table shows the severity level of the events triggered by each handler:

  Severity level: high

    • Invalid Args Handler
    • Invalid Body Text Handler
    • Invalid Parameter Handler
    • Invalid Request Handler
    • Invalid URL Handler
    • OWA Protection Handler
    • Protect Form Handler
    • Simple Form Protection Handler
    • Whitelist Handler

  Severity level: medium

    • Authentication Handler
    • Event Per IP Per Path Prefilter Handler
    • ICAP Client Handler
    • Script Handler
    • Valid XML Handler
    • Virtualize Form Field Handler

  Severity level: low

    • Application Virtualization Handler
    • Check HTML Syntax Handler
    • Check User Agent Handler
    • Classify Request Handler
    • Content Type Handler
    • Cookie Jar Handler
    • Deny Handler
    • Entry Point Handler
    • Hide Basic Auth Handler
    • Invalid Cookie Handler
    • Limit Requests Per Second Handler
    • Log Configuration Handler
    • Log Request Response Handler
    • Redirect Handler
    • Referer Handler
    • Required Header Field Handler
    • Response Body Filter Handler
    • Robots.txt Handler
    • Secure Connection Handler
    • Session Handler
    • Shortcut Handler
    • Time Period Handler
    • Url Encryption Handler
    • Valid Client IP Handler
    • Valid HTTP Method Handler
    • Valid Request Handler

  Severity level: depends on the matching rule

    • Baseline Protection Handler

      The severity level depends on the particular rule that the handler applies. (If several rules match a request, the one with the highest severity determines the total severity.)

The rules of this handler usually aren’t configured manually but are added and updated by the Baseline Protection Wizard. You can view the rules and each corresponding severity as follows:

  1. Edit the Baseline Protection Handler.
  2. In the line labeled rules, click Show Rules.

    You now see a list of all rules configured for the handler.

  3. Click the rule for which you want to know its severity.

    The view expands and shows a table with the rule’s details, including its severity level.
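To make the two rules above concrete (an event takes the highest severity of everything that matched, and the Requests Per IP Per Path Per Timeframe Per Application Event Source can count only events at or above a minimum severity), here is an added example that is not part of the vWAF documentation or product. It reads constructed, pipe-separated log lines in a format invented for this example (not vWAF's log format), uses an abridged copy of the handler table above, and produces a severity histogram plus a per-IP-per-path count of events at or above a threshold.

```python
from collections import Counter, defaultdict

# Severity ordering used by vWAF: low < medium < high.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Handler -> severity, abridged from the table on this page.
# The Baseline Protection Handler is rule-dependent, so its rule severity is passed separately.
HANDLER_SEVERITY = {
    "Invalid Args Handler": "high",
    "Whitelist Handler": "high",
    "Script Handler": "medium",
    "Check User Agent Handler": "low",
    "Valid HTTP Method Handler": "low",
}

def event_severity(handlers, baseline_rule_severity=None):
    """Total severity of one event: the highest severity among all matches."""
    sevs = [HANDLER_SEVERITY[h] for h in handlers if h in HANDLER_SEVERITY]
    if baseline_rule_severity:
        sevs.append(baseline_rule_severity)
    return max(sevs, key=SEVERITY_RANK.__getitem__) if sevs else None

def parse_line(line):
    """Constructed format: '<ip>|<path>|<handler>;<handler>|<baseline rule severity or empty>'."""
    ip, path, handlers, baseline = line.rstrip("\n").split("|")
    return ip, path, handlers.split(";"), baseline or None

def triage(lines, min_severity="medium"):
    """Severity histogram (as in Attack Analysis) plus per-IP-per-path counts of
    events at or above min_severity (what the per-IP event source would count)."""
    histogram = Counter()
    per_ip_path = defaultdict(int)
    threshold = SEVERITY_RANK[min_severity]
    for line in lines:
        ip, path, handlers, baseline = parse_line(line)
        sev = event_severity(handlers, baseline)
        if sev is None:
            continue  # no known handler matched: nothing to rate
        histogram[sev] += 1
        if SEVERITY_RANK[sev] >= threshold:
            per_ip_path[(ip, path)] += 1
    return dict(histogram), dict(per_ip_path)

SAMPLE_LOG = [  # constructed sample lines, not real vWAF output
    "203.0.113.5|/login|Invalid Args Handler;Check User Agent Handler|",
    "203.0.113.5|/search|Script Handler|",
    "198.51.100.7|/api|Valid HTTP Method Handler|medium",
    "198.51.100.7|/api|Valid HTTP Method Handler|",
]
```

Raising the threshold from medium to high drops the medium-rated /search and /api entries from the per-IP count, which is exactly the trade-off to weigh when tuning a handler against false positives.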

ATTENTION
Be aware that the actual risk potential always depends on the particular web application being attacked. The severity levels can help you decide whether enabling a particular handler is worth the risk of the false positives it may produce. However, to a certain extent, this always remains a fuzzy decision. We recommend using detection mode for testing new rulesets or new versions of your web application. You can then fix false positives before enabling protection mode (see Detection Mode, Protection Mode).