WAF Rule ID 343434
Alert message: Atomicorp.com WAF Rules: Client Connection dropped by Apache due to slow connection, possible Slowaris attack
Rule Class: Generic Attack Ruleset (03_asl_dos.conf)
Version: 1
Severity: Emergency (HIDS: 14)
HTTP Protocol Phase: 5
HTTP Status:
Action: pass
Transforms:
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
WAF Rule ID 331215
Alert message: Atomicorp.com WAF Rules: CtrlFunc Brute Force Attack Dropped
Rule Class: Generic Attack Ruleset (03_asl_dos.conf)
Version: 1
Severity: Critical (HIDS: 9)
HTTP Protocol Phase: 1
HTTP Status: 403
Action: deny
Transforms:
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF Rules: CtrlFunc Brute Force Attack Dropped
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 390639
Alert message: Atomicorp.com WAF Rules - Just In Time Patch: WordPRess trackback resource exhaustion attack
Rule Class: Generic Attack Ruleset (03_asl_dos.conf)
Version: 2
Severity: Critical (HIDS: 9)
HTTP Protocol Phase: 1
HTTP Status: 403
Action: deny
Transforms:
compressWhitespace
lowercase
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 390640
Alert message: Atomicorp.com WAF Rules - Just In Time Patch: WordPRess trackback resource exhaustion attack
Rule Class: Generic Attack Ruleset (03_asl_dos.conf)
Version: 1
Severity: Critical (HIDS: 9)
HTTP Protocol Phase: 1
HTTP Status: 403
Action: deny
Transforms:
lowercase
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 370145
Alert message: Atomicorp.com WAF Rules: Known wormsign
Rule Class: Generic Attack Ruleset (03_asl_dos.conf)
Version: 2
Severity: Critical (HIDS: 9)
HTTP Protocol Phase: 1
HTTP Status: 403
Action: deny
Transforms:
lowercase
urlDecodeUni
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 331216
Alert message: Atomicorp.com WAF Rules: Wordpress DOS Attack Dropped
Rule Class: Generic Attack Ruleset (03_asl_dos.conf)
Version: 2
Severity: Critical (HIDS: 9)
HTTP Protocol Phase: 1
HTTP Status: 403
Action: deny
Transforms:
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF Rules: Wordpress DOS Attack Dropped
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 331217
Alert message: Atomicorp.com WAF Rules: Possible DOS Attack Dropped
Rule Class: Generic Attack Ruleset (03_asl_dos.conf)
Version: 1
Severity: Critical (HIDS: 9)
HTTP Protocol Phase: 1
HTTP Status: 403
Action: deny
Transforms:
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF Rules: Possible DOS Attack Dropped
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 392331
Alert message: Atomicorp.com WAF Rules: xmlrpc DOS attack
Rule Class: Generic Attack Ruleset (03_asl_dos.conf)
Version: 3
Severity: Emergency (HIDS: 14)
HTTP Protocol Phase: 1
HTTP Status: 403
Action: deny
Transforms:
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF Rules: xmlrpc DOS attack
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 350116
Alert message: Atomicorp.com WAF Rules: Potential Denial of Service (DoS) Attack Identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)
Rule Class: Generic Attack Ruleset (03_asl_dos.conf)
Version:
Severity: Critical (HIDS: 9)
HTTP Protocol Phase: 1
HTTP Status: 404
Action: deny
Transforms:
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF Rules: Potential Denial of Service (DoS) Attack Identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.
WAF Rule ID 350114
Alert message: Atomicorp.com WAF Rules: Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}
Rule Class: Generic Attack Ruleset (03_asl_dos.conf)
Version: 1
Severity: Error (HIDS: 8)
HTTP Protocol Phase: 5
HTTP Status: 404
Action: pass
Options: No active Response
Transforms:
Log Types:
Basic Information (log)
Capture full session (auditlog)
Description:
Atomicorp.com WAF Rules: Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}
Troubleshooting:
False Positives:
Instructions to report false positives are detailed at Reporting False Positives. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Configuration Notes:
enabled by: MODSEC_10_RULES
Requires Engine version: 2.9.0 or above
Tuning guidance Notes:
None.
If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.
Additional Information:
Similar rules:
None.
Outside References:
None.