WAF Rule ID 303831

Alert message: Atomicorp.com WAF Rules: Fake twitter bot

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Fake twitter bot

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 303890

Alert message: Atomicorp.com WAF Rules: Fake Feedly webcrawler

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 4

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Fake Feedly webcrawler

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 303800

Alert message: Atomicorp.com WAF Rules: Fake Googlebot webcrawler

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 3

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This exclusive capability in the Atomicorp ruleset can detect when a client pretends to be the google webcrawler. This helps to detect and block potential zero day and other supsicious behavior. Attacks have been know to impersonate webcrawlers to trick naive applications that blinding trust webcrawlers. They use this method to gain access that would otherwise be blocked to non-crawlers.

This will not block the real google webcrawler. We do not recommend you disable this rule.

For ASL users, if you enable the option below, ASL will automatically and dynamically whitelist the real google webcrawler from all WAF events:

WAF_LUA_00_SEARCHENGINE

Troubleshooting:

False Positives:

There are no known false positives with this rule. Please do not report this as a false positive if you are using a proxy, CDN or other similar service and your web server is not setup per this article

If you have confirmed your webserver is setup correctly, per the article above, and you have performed the troubleshooting in that article, and still believe this is a false positive, please report this following the process at the link below.

And be sure to also include the troubleshooting steps you took to ensure your proxy and/or CDN is setup correctly to use these rules. If you are unable to do this troubleshooting yourself, please let us know and we would be happy to have our professional services team put a quote together for you and take care of this for you.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 303833

Alert message: Atomicorp.com WAF Rules: Fake Google Feedfetcher webcrawler

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 5

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This exclusive capability in the Atomicorp ruleset can detect when a client pretends to be a google feedfetcher webcrawler. This is part of googles search engine technology used with feeds (e.g. RSS). This helps to detect and block potential zero day and other suspicious behavior. Attackers have been know to impersonate webcrawlers to trick naive applications that blinding trust webcrawlers. They use this method to gain access that would otherwise be blocked to non-crawlers.

This will not block the real google webcrawler. We do not recommend you disable this rule.

For ASL users, if you enable the option below, ASL will automatically and dynamically whitelist the real google webcrawler from all WAF events:

https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_00_AUTOWHITELIST_SEARCHENGINE

Troubleshooting:

False Positives:

There are no known false positives with this rule. Please do not report this as a false positive if you are using a proxy, CDN or other similar service and your web server is not setup per this article: https://www.atomicorp.com/wiki/index.php/Proxy

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 303801

Alert message: Atomicorp.com WAF Rules: Fake msnbot/bingbot webcrawler

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 6

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This exclusive capability in the Atomicorp ruleset can detect when a client pretends to be the bing webcrawler. This helps to detect and block potential zero day and other supsicious behavior. Attacks have been know to impersonate webcrawlers to trick naive applications that blinding trust webcrawlers. They use this method to gain access that would otherwise be blocked to non-crawlers.

This will not block the real bing webcrawler. We do not recommend you disable this rule.

For ASL users, if you enable the option below, ASL will automatically and dynamically whitelist the real bing webcrawler from all WAF events:

https://wiki.atomicorp.com/wiki/index.php/ASL_WAF#WAF_LUA_00_SEARCHENGINE

Troubleshooting:

False Positives:

There are no known false positives with this rule. Please do not report this as a false positive if you are using a proxy, CDN or other similar service and your web server is not setup per this article: https://www.atomicorp.com/wiki/index.php/Proxy

If you have confirmed your webserver is setup correctly, per the article above, and you have performed the troubleshooting in that article, and still believe this is a false positive, please report this following the process at the link below.

And be sure to also include the troubleshooting steps you took to ensure your proxy and/or CDN is setup correctly to use these rules. If you are unable to do this troubleshooting yourself, please let us know and we would be happy to have our professional services team put a quote together for you and take care of this for you.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 303802

Alert message: Atomicorp.com WAF Rules: Fake Yahoo! Slurp webcrawler

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 5

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Fake Yahoo! Slurp webcrawler

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 303803

Alert message: Atomicorp.com WAF Rules: Fake Yahoo Pipes webcrawler

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 2

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Fake Yahoo Pipes webcrawler

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 303804

Alert message: Atomicorp.com WAF Rules: Fake Yeti webcrawler

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 4

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Fake Yeti webcrawler

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 303805

Alert message: Atomicorp.com WAF Rules: Fake Hailoobot webcrawler.

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Fake Hailoobot webcrawler.

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 303806

Alert message: Atomicorp.com WAF Rules: Fake Technoratibot webcrawler.

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Fake Technoratibot webcrawler.

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 303807

Alert message: Atomicorp.com WAF Rules: Fake FriendFeed/Facebook webcrawler

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Fake FriendFeed/Facebook webcrawler

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 303808

Alert message: Atomicorp.com WAF Rules: Fake Yandex webcrawler.

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 2

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Fake Yandex webcrawler.

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 303810

Alert message: Atomicorp.com WAF Rules: Fake Bloglines webcrawler.

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Fake Bloglines webcrawler.

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 303811

Alert message: Atomicorp.com WAF Rules: Fake Gist webcrawler

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Fake Gist webcrawler

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 303812

Alert message: Atomicorp.com WAF Rules: Fake BlogScope webcrawler

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Fake BlogScope webcrawler

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 303813

Alert message: Atomicorp.com WAF Rules: Fake NewsGatorOnline webcrawler

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Fake NewsGatorOnline webcrawler

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 303814

Alert message: Atomicorp.com WAF Rules: Fake Netvibes webcrawler

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Fake Netvibes webcrawler

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 303937

Alert message: Atomicorp.com WAF Rules: Fake Baidu webcrawler

Rule Class: Generic Attack Ruleset (00_asl_y_searchengines.conf)

Version: 7

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This exclusive capability in the Atomicorp ruleset can detect when a client pretends to be the Baidu webcrawler. This helps to detect and block potential zero day and other suspicious behavior. Attacks have been know to impersonate webcrawlers to trick naive applications that blinding trust webcrawlers. They use this method to gain access that would otherwise be blocked to non-crawlers.

This will not block the real Baidu webcrawler. We do not recommend you disable this rule.

For ASL users, if you enable the option below, ASL will automatically and dynamically whitelist the real Baidu webcrawler from all WAF events:

https://wiki.atomicorp.com/wiki/index.php/ASL_WAF#WAF_LUA_00_SEARCHENGINE

Troubleshooting:

False Positives:

There are no known false positives with this rule. Please do not report this as a false positive if you are using a proxy, CDN or other similar service and your web server is not setup per this article: https://www.atomicorp.com/wiki/index.php/Proxy

If you have confirmed your webserver is setup correctly, per the article above, and you have performed the troubleshooting in that article, and still believe this is a false positive, please report this following the process at the link below.

And be sure to also include the troubleshooting steps you took to ensure your proxy and/or CDN is setup correctly to use these rules. If you are unable to do this troubleshooting yourself, please let us know and we would be happy to have our professional services team put a quote together for you and take care of this for you.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.