WAF Rule ID 340202

---

Alert message: Invalid SessionID Submitted.

Rule Class: Generic Attack Ruleset (70_asl_csrf_experimental.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 1

HTTP Status:

Action:

Transforms:

Log Types:

• Basic Information (log)

Description:

Invalid SessionID Submitted.

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

• enabled by: MODSEC_10_RULES

• Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340207

---

Alert message: Warning - Sticky SessionID Data Changed - User-Agent Mismatch.

Rule Class: Generic Attack Ruleset (70_asl_csrf_experimental.conf)

Version:

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 1

HTTP Status:

Action: pass

Transforms:

Log Types:

Description:

Warning - Sticky SessionID Data Changed - User-Agent Mismatch.

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

• enabled by: MODSEC_10_RULES

• Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340208

---

Alert message: Possible Session Hijacking - IP Address and User-Agent Mismatch.

Rule Class: Generic Attack Ruleset (70_asl_csrf_experimental.conf)

Version:

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 1

HTTP Status:

Action: pass

Transforms:

Log Types:

Description:

Possible Session Hijacking - IP Address and User-Agent Mismatch.

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

• enabled by: MODSEC_10_RULES

• Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 345402

---

Alert message: CSRF Attack Detected - Missing CSRF Token.

Rule Class: Generic Attack Ruleset (70_asl_csrf_experimental.conf)

Version:

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status:

Action: pass

Transforms:

Log Types:

Description:

CSRF Attack Detected - Missing CSRF Token.

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

• enabled by: MODSEC_10_RULES

• Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 345403

---

Alert message: CSRF Attack Detected - Invalid Token.

Rule Class: Generic Attack Ruleset (70_asl_csrf_experimental.conf)

Version:

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status:

Action: pass

Transforms:

Log Types:

Description:

CSRF Attack Detected - Invalid Token.

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

• enabled by: MODSEC_10_RULES

• Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.