Technical Tip: How to avoid the Web Applicaion Firewall log 'msg="Known Exploits"'.

1. Web Application Firewall log example:

date=2025-05-05 time=08:36:10 eventtime=1746405370688240771 tz="+0800" logid="1200030249" type="utm" subtype="waf" eventtype="waf-signature" level="warning" vd="root" policyid=XX poluuid="6e7d6900-495d-51e9-4232-4b19c4187508" policytype="policy" sessionid=30449444 profile="default" srcip=x.x.x.x srcport=xxxxx srccountry="China" srcuuid="a2b767d2-462b-51e9-c149-494e5698a1af" dstip=y.y.y.y dstport=80 dstcountry="Reserved" dstuuid="89e941e2-495c-51e9-7d9b-7539b5b89808" srcintf="wan1" srcintfrole="wan" dstintf="lan" dstintfrole="lan" proto=6 httpmethod="GET" service="HTTP" url="http://XXX.XXXXXXX.com/YYYYY/WebResource.axd?d=pynGkmcFUV13He1Qd6_TZDwcbo-pzvmCkHYnznPFF-hUXV1A3zswFxgnBN15yfCU1Dk-oe8Ejy07re8Z_D_rQg2&t=638568892745067788" agent="http://XXX.XXXXXXX.com/YYYYY/login.aspx" severity="high" action="passthrough" direction="request" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 NetType/WIFI MicroMessenger/7.0.20.1781(0x6700143B) WindowsWechat(0x63090c33) XWEB/11581 Flue" eventid=90240001 msg="Known Exploits"

2. Using eventid to check the details about the Known Exploits:

diagnose waf dump | grep 9024001
90240001 - This signature prevents attackers from accessing embedded resources through a URL with "WebResource.axd" or "ScriptResource.axd".

3. Config to avoid the related log by disabling the related signature:

config waf profile
    edit default
        config signature
             set disabled-signature 90240001
        end
    end

end