WAF Rule ID 340362


Alert message: Atomicorp.com WAF Rules: ModSecurity does not support content encodings and can not detect attacks using it, therefore it must be blocked.

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 1

HTTP Status: 501

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Inbound undefined compressed content (not be confused with compressed files or properly defined compressed content) is invisible to all Web Application Firewalls. Therefore they can not see or evaluate any traffic encoded in this manner. If an attack were to be encoded in this way the WAF would not catch it, therefore WAFs are configured to block this traffic.

This rule looks for this header:

Content-Encoding: Identity

If this header exists, the request is rejected because the WAF can not decode this kind of content. It is invisible to the WAF (because its compressed, but the method of compression is not defined, so the WAF has no idea how to uncompress it), and therefore an attack can simply bypass the WAF by compressing an attack.

Do not disable this rule.

Background

The use of this method is also consider invalid by the HTTP 1.1 RFC. This content-coding is used only in the Accept-Encoding header, and SHOULD NOT be used in the Content-Encoding header. This rule detects this RFC non-compliant compressed inbound content and blocks it correctly. The content is both invalid, and invisible to the WAF. The use of this method is extremely rare in practice, as properly designed client applications will not do this. If you have an application that performs in this manner the application is not in compliance with RFCs, is generating invalid encodings, is producing content the WAF will not be able to decompress (and which it will therefore block) and should be modified to be in compliance with the HTTP 1.1 RFC.

See the RFC in the references section below for technical details.

Troubleshooting:

False Positives:

None. If this rule triggers it means content encoded data, as explained above, is being sent to the server. If you allow this by disabling this rule you will open your system up to attacks that modsecurity can not detect or prevent.

Do not disable this rule.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html

WAF Rule ID 340002


Alert message: Atomicorp.com WAF Rules: TRACE/TRACK method denied

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 3

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

TRACE and TRACK are valid HTTP methods used to do low level debugging of web applications by echoing back input back to the connecting system or user. TRACE and TRACK can be used to steal cookies or other website credentials.

Troubleshooting:

False Positives:

If you use this method this rule can be triggered. It is almost never used legitimately and should always be disabled on Internet facing systems or systems that may receive traffic from potentially hostile users or systems.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html

WAF Rule ID 340361


Alert message: Atomicorp.com WAF Rules: CONNECT method denied

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 3

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 1

HTTP Status: 403

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

The CONNECT method can be used to connect to arbitrary services and can turn a web server into a proxy server. For example, this method can be used to connec to port 25 on a mail server, turning a web server into an open relay for spamming. Unless you have configured your system to be a proxy, and have setup appropriate access control it is recommended you leave this rule turned on.

Troubleshooting:

False Positives:

Can be triggered if the system is a proxy server.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html

WAF Rule ID 390616


Alert message: Atomicorp.com WAF Rules: POST request must have a Content-Length header

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 3

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects to see if a POST request has a Content-Length header. Per the RFC, a valid Content-Length is required on all HTTP POST requests.

Troubleshooting:

False Positives:

No known false positives. If you see this behavior it is caused by either a buggy, non-compliant application, or it may be part of an attack.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5

WAF Rule ID 390706


Alert message: Atomicorp.com WAF Rules: Expect Header Not Allowed for HTTP 1.0. This is an HTTP 1.1 feature.

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Expect Header Not Allowed for HTTP 1.0. This is an HTTP 1.1 feature.

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340012


Alert message: Atomicorp.com WAF Rules: Unauthorized Proxy access attempt

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 3

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects any attempt to use the web server as a proxy. For example, if a client attempts to send a request similar to this:

POST http://www.example.com:25/ HTTP/1.0

This is an attempt to use the webserver to contect to an SMTP server. This method (and others) are used by hackers and spammers to carry out attacks and spamming activities through “marks” or systems that are vulnerable to proxying. This deflects the blame for the attack and spamming onto the system that is acting as a proxy.

This rule prevents unauthorized proxy attempts.

Troubleshooting:

False Positives:

There are no known false positives for this rule. If this rule is being triggered, a client is attempting to proxy a connection through the server.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune it by following the Tuning the Atomicorp WAF Rules guidance.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 392301


Alert message: Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 8

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Options: No active Response

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects when a request is made using an improper method. By default, if a request body is sent it must define its Content-Type so the backend application knows how to handle it. The WAF also needs to understand the Content-Type. he WAF works by inspecting content based on the “type” defined by the request. This of this as a foreign language. The WAF needs to understand the type to be able to properly inspect its contents.

Attacks use this method to get past WAFs by not defining the Content-Type, so the WAF has to guess what its reading. The attacker relies on this and that the WAF will assume its reading one content type, when another content type is being used. This can be used to bypass the WAF entirely.

This rule prevents this method. Any application that causes this to occur should be fixed to define its Content-Type.

Troubleshooting:

False Positives:

A false positive can occur when an application legitimately does not set the Content-Type. However, this should never be allowed. All request bodies should define the Content-Type, and there is no reason for an application to not do this. We highly recommend you do not disable this rule, and rather fix the application.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune it by following the Tuning the Atomicorp WAF Rules guidance.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390707


Alert message: Atomicorp.com WAF Rules: Too many arguments in request (max set to 4096, increase as necessary for your system)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: ‘9’

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule simply detects if a single request has more that 1000 arguments. This rule is designed to help protect your system from certain Denial of Service (DOS) attacks, such as the PHP Hash DOS attack.

Troubleshooting:

False Positives:

This rule can not generate a false positive. This rule simply sets a limit of 1000 arguments in a request. If this limit is too low for you, then either disable this rule for the domain or increase the limit by following the advice in Tuning Recommendations below.

If you believe this is a true false positive, that is the request does not have 1000 arguments, please report this to our security team.

Please do not report cases where the rule is working correctly.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you do not wish to restrict the number of arguments in a request, just disable this rule.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

https://www.exploit-db.com/exploits/18305

https://arstechnica.com/information-technology/2011/12/huge-portions-of-web-vulnerable-to-hashing-denial-of-service-attack/

WAF Rule ID 330707


Alert message: Atomicorp.com WAF Rules: Too many cookies in request (max set to 1000, increase as necessary for your system)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Too many cookies in request (max set to 1000, increase as necessary for your system)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390626


Alert message: Atomicorp.com WAF Rules: Null Byte Attack Blocked (Null byte character in Argument Name)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 23

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Null Byte Attack Blocked (Null byte character in Argument Name)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 395614


Alert message: Atomicorp.com WAF Rules: Spammer attempting to defeat recapatcha

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Spammer attempting to defeat recapatcha

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390614


Alert message: Atomicorp.com WAF Rules: Null Byte Attack Blocked (Invalid character in ARGS)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 23

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rules detects NULL characters in unusual arguments. NULL characters are often used by attackers to try an bypass intrusion detection systems, as there have been vulnerabilities in IDS’ (including modsecurity) that have allowed attackers to bypass IDS systems. WAFs will commonly ignore everything after the null but pass the entire string to web server where it is processed. The Rules will detect the use of NULL characters and will block them.

Example attack’

GET /index.php?option=com_shoutbox&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1

The last character in this request is a null, which is invalid and is part of an actual attack on the system. The above example is an attacker attempting to access the Linux /proc file system via a recursion attack, with an added NULL character at the end to attempt to evade the IDS system.

Troubleshooting:

False Positives:

The rule contains logic to detect cases where the use of NULL characters is non-malicious. In some cases, an application may do this in a new way that logic can not detect.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_340613

Outside References:

None.

WAF Rule ID 390613


Alert message: Atomicorp.com WAF Rules: Null Byte Attack Blocked (Invalid character in request or headers)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 10

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rules detects NULL characters in the request URL or in a header for the request. NULL characters are often used by attackers to try an bypass intrusion detection systems, as there have been vulnerabilities in IDS’ (including modsecurity) that have allowed attackers to bypass IDS systems. The Rules will detect the use of NULL characters and will block them.

Example attack’

GET /index.php?option=com_shoutbox&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1

The last character in this request is a null, which is invalid and is part of an actual attack on the system. The above example is an attacker attempting to access the Linux /proc file system via a recursion attack, with an added NULL character at the end to attempt to evade the IDS system.

Troubleshooting:

False Positives:

This can be triggered if an application legitimately uses a NULL as a value for a Header. This has only been seen used for some Cookies, and should never be seen for URLs, File Names or Header Names.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_340613

Outside References:

None.

WAF Rule ID 390618


Alert message: Atomicorp.com WAF Rules: Content-Length HTTP header is not numeric

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Content-Length HTTP header is not numeric

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390712


Alert message: Atomicorp.com WAF Rules: Attack Blocked - HTTP Response Splitting Attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 5

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 400

Action: deny

Transforms:

  • compressWhitespace

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects possible HTTP response splitting attacks. These types of attacks work by making the server print a carriage return (CR, ASCII 0x0D) line feed (LF, ASCII 0x0A) sequence followed by content supplied by the attacker in the header section of its response, typically by including them in input fields sent to the application. Per the HTTP standard (RFC 2616), headers are separated by one CRLF and the response’s headers are separated from its body by two. Therefore, the failure to remove CRs and LFs allows the attacker to set arbitrary headers, take control of the body, or break the response into two or more separate responses—hence the name.

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 347008


Alert message: Atomicorp.com WAF Rules: Suspicious deep path recursion denied

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 15

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Suspicious deep path recursion denied

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 347028


Alert message: Atomicorp.com WAF Rules: Suspicious deep path recursion denied (base64 encoded)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Suspicious deep path recursion denied (base64 encoded)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340008


Alert message: Atomicorp.com WAF Rules: Bogus Path denied

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 8

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • cmdLine

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule is detecting the use of a bogus path. An example of a bogus path would be:

/…/some_file There is no such valid path in any operating system. “…” is an invalid directory. This would be an indication of a possible attempt to access hidden content on the system, or to create a hidden directory.

Troubleshooting:

False Positives:

There are no known valid conditions in which this can occur.

If you believe this to be a a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page.

If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

There are no known valid conditions in which this can occur, therefore it is not recommended that you tune the system to allow this.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_340006

Outside References:

None.

WAF Rule ID 340218


Alert message: Atomicorp.com WAF Rules: Bogus Path denied (base64 encoded)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • cmdLine

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Bogus Path denied (base64 encoded)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340142


Alert message: Atomicorp.com WAF Rules: Special account protection

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 4

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • cmdLine

  • normalisePath

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Special account protection

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340009


Alert message: Atomicorp.com WAF Rules: Protected Path Access denied in URI/ARGS

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 66

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • cmdLine

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects if a protected path is accessed by a web request. A protected path includes key parts of the operating system, such as c:/windows, /bin, /lib, /dev, /proc and other important parts of the OS.

Troubleshooting:

False Positives:

If a web application needs to access these parts of the OS this rule can be triggered. Check to ensure that your application actually needs to access this part of the OS and that this is not an attack. It is not recommended you disable this rule, but rather that you report it as a false positive so we can put out an update for your application.

Instructions to report false positives are detailed on the Reporting False Positives wiki page.

If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_340006

Outside References:

None.

WAF Rule ID 340007


Alert message: Atomicorp.com WAF Rules: Generic Path Recursion denied

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 47

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule is detecting the use of path recursion in an Argument or in the URI. This rule attempts to detect encoded recursions, an example of a recursion attack may look like:

../..

An example attack could be to get to a protected file on the system. For example:

../../../../../etc/passwd

Troubleshooting:

False Positives:

Some applications may use recursions to get some files. Therefore a false positive can occur. It is not recommended that you disable this rule. If this is a false positive, please report this to our security team can determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page.

If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow recursions.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_340006

Outside References:

None.

WAF Rule ID 390709


Alert message: Atomicorp.com WAF Rules: Attempt to access protected file remotely

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 30

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • cmdLine

  • htmlEntityDecode

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects when a protected file is accessed remotely. This rule specifically protects sensitive OS and application configuration files, such as webserver configuration files, operating system configuration files, password files, and command history files.

Troubleshooting:

False Positives:

A false positive can occur when an application legitimately requires access to these files. The rules contain a large library of known web applications and safe methods for access these highly sensitive files, and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow recursions.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_390719

Outside References:

None.

WAF Rule ID 390719


Alert message: Atomicorp.com WAF Rules: Attempt to access protected file remotely

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 6

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • cmdLine

  • compressWhitespace

  • htmlEntityDecode

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects when a protected file name is used in an HTTP header (other than the URL, Cookie or Referer headers). This rule specifically protects sensitive OS and application configuration files, such as webserver configuration files, operating system configuration files, password files, and command history files from disclosure.

Troubleshooting:

False Positives:

A false positive can occur when an application legitimately uses this information in an HTTP header. There are no known cases where this occurs.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can either disable the rule for the domain, or you can disable it for the application.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_390709

Outside References:

None.

WAF Rule ID 340155


Alert message: Atomicorp.com WAF Rules: Generic SQL Injection protection

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 25

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • replaceComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects SQL injection attacks. If this rule is being triggered, this means that someone has attempted to inject a SQL statement into an application.

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can either disable the rule for the domain, or you can disable it for the application.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 380023


Alert message: Atomicorp.com WAF Rules: Generic SQL Injection protection

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 8

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • compressWhitespace

  • replaceComments

  • replaceNulls

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic SQL Injection protection

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 380024


Alert message: Atomicorp.com WAF Rules: Generic SQL Injection protection

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 5

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • hexDecode

  • replaceComments

  • replaceNulls

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic SQL Injection protection

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 380122


Alert message: Atomicorp.com WAF Rules: MySQL and PostgreSQL stored procedure/function injections

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 5

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects when either database store procedure or function content is detected in a POST from a client to the server. In most cases this indicates that the server is being attacked.

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 380025


Alert message: Atomicorp.com WAF Rules: SQL injection with PHP/PERL payload

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 7

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: SQL injection with PHP/PERL payload

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340013


Alert message: Atomicorp.com WAF Rules: Generic SQL injection in cookie or UA

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 4

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceComments

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic SQL injection in cookie or UA

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340016


Alert message: Atomicorp.com WAF Rules: Attack Blocked - SQL injection attempt detected

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 47

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • removeComments

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects SQL content. It is tuned to try and ignore this in cases where this may be normal (SQL application for example). An example attack could be to get dump user passwords from a database:

union select from usernames

Troubleshooting:

False Positives:

Some applications use SQL in their arguments in ways that we may not have seen before, and therefore we have not tuned the rules to ignore this legitimate behavior. Some applications are vulnerable to SQL injection attacks and this may be an actual attack, and in some very bad cases an application may use raw SQL in an unprotected argument to function properly. Therefore a false positive can occur, and we recommend that you not disable this rule.

Instead, we recommend that you report this to use as a false positive. Our security team can determine if this is a legitimate case for you, or if its clever attack on your system and we will put out an update to the rules to make sure your application can function and that you are not opening your system to further attack. Instructions to report false positives are detailed on the Reporting False Positives wiki page.

If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to SQL.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_340017

Outside References:

None.

WAF Rule ID 340017


Alert message: Atomicorp.com WAF Rules: Generic SQL injection protection in ARGS

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 49

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceComments

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects SQL content. It is tuned to try and ignore this in cases where this may be normal (SQL application for example). An example attack could be to get dump user passwords from a database:

union select from usernames

Troubleshooting:

False Positives:

Some applications use SQL in their arguments in ways that we may not have seen before, and therefore we have not tuned the rules to ignore this legitimate behavior. Some applications are vulnerable to SQL injection attacks and this may be an actual attack, and in some very bad cases an application may use raw SQL in an unprotected argument to function properly. Therefore a false positive can occur, and we recommend that you not disable this rule.

Instead, we recommend that you report this to use as a false positive. Our security team can determine if this is a legitimate case for you, or if its clever attack on your system and we will put out an update to the rules to make sure your application can function and that you are not opening your system to further attack. Instructions to report false positives are detailed on the Reporting False Positives wiki page.

If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to SQL.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_340016

Outside References:

None.

WAF Rule ID 340144


Alert message: Atomicorp.com WAF Rules: Generic SQL injection protection 2

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 38

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic SQL injection protection 2

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340145


Alert message: Atomicorp.com WAF Rules: Attack Blocked - SQL injection probe

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 43

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceComments

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Attack Blocked - SQL injection probe

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390572


Alert message: Atomicorp.com WAF Rules: Attack Blocked - SQL injection probe

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 22

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Attack Blocked - SQL injection probe

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340146


Alert message: Atomicorp.com WAF Rules: Generic SQL metacharacter URI injection protection

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 8

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceComments

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic SQL metacharacter URI injection protection

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 381025


Alert message: Atomicorp.com WAF Rules: SQL injection with payload - base64 encoded

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 4

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • compressWhitespace

  • lowercase

  • replaceComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: SQL injection with payload - base64 encoded

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 381026


Alert message: Atomicorp.com WAF Rules: SQL injection with PHP/PERL payload - hex encoded

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 3

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • hexDecode

  • lowercase

  • replaceComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: SQL injection with PHP/PERL payload - hex encoded

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340159


Alert message: Atomicorp.com WAF Rules: Generic SQL inline command protection (MM)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 39

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • compressWhitespace

  • hexDecode

  • lowercase

  • replaceComments

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects SQL content. It is tuned to try and ignore this in cases where this may be normal (SQL application for example). An example attack could be to get dump user passwords from a database:

union select from usernames

Troubleshooting:

False Positives:

Some applications use SQL in their arguments in ways that we may not have seen before, and therefore we have not tuned the rules to ignore this legitimate behavior. Some applications are vulnerable to SQL injection attacks and this may be an actual attack, and in some very bad cases an application may use raw SQL in an unprotected argument to function properly. Therefore a false positive can occur, and we recommend that you not disable this rule.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to SQL.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_340016

Outside References:

None.

WAF Rule ID 340164


Alert message: Atomicorp.com WAF Rules: SQL Injection Attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 11

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceComments

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: SQL Injection Attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340156


Alert message: Atomicorp.com WAF Rules: Generic SQL injection protection

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 14

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • htmlEntityDecode

  • lowercase

  • replaceComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic SQL injection protection

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340157


Alert message: Atomicorp.com WAF Rules: Generic SQL inline command protection

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 38

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • htmlEntityDecode

  • lowercase

  • replaceComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects when SQL code is sent from the client to the server via either an untrusted argument, or application. This is likely an attack against the system.

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340181


Alert message: Atomicorp.com WAF Rules: Generic SQL inline command protection

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • htmlEntityDecode

  • lowercase

  • replaceComments

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic SQL inline command protection

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 393653


Alert message: Atomicorp.com WAF Rules - command injection in URL blocked

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • cmdLine

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules - command injection in URL blocked

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340014


Alert message: Atomicorp.com WAF Rules: CMD injection

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 18

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • cmdLine

  • normalisePath

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects when a client attempts to access a command line tool on the server via the web server. This means the client either tried to access or find the tool on the system. This can indicate that an attacker is attempting to run commands on the server.

Troubleshooting:

False Positives:

If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Do not disable this rule.

Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340193


Alert message: Atomicorp.com WAF Rules: CMD injection in URI

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 17

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • cmdLine

  • normalisePath

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: CMD injection in URI

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340029


Alert message: Atomicorp.com WAF Rules: Attack Blocked - command in REQUEST_URI or Argument

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 35

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • cmdLine

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects when a Linux command is used in a URL or an argument. It specifically looks for these types of commands:

process management tools (kill, nice, etc.) file management tools (cp, chown, rm, etc.) shells (bash, tcsh, etc.) compilers (gcc, c++, etc.) web downloading tools (wget, curl, etc.) interpreters (perl, php, etc.) other downloading tools (scp, ftp, etc.)

Some attack tools are known to blindly look for software tools and to see if it can use them. Therefore, the fact that this rule is triggered does not mean that the software tool is installed on the system.

If your system is being targeted with these kinds of attacks we do not recommend you disable this rule. This rule may be telling you that someone is attacking your system, and therefore you should block this source.

Troubleshooting:

False Positives:

A false positive could occur if an application either safely allows the use of these tools, or if the data is used in a non-command context such as in a document. The rule contains a large number of known safe applications that may either use these tools securely, or may allow this data in non-command mode. If you have confirmed that your application is safely using these commands, or this data in a non-command format, please let us know what the application is, how you confirmed this so we can duplicate this in our test environment, and report the issue as a False Positive.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

If you want to disable this rule, please see the Tuning the Atomicorp WAF Rules page for basic information.

WAF Rule ID 340030


Alert message: Atomicorp.com WAF Rules: Pipe command line probe

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Pipe command line probe

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340082


Alert message: Atomicorp.com WAF Rules: SMTP redirect over http attempt

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 3

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: SMTP redirect over http attempt

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340019


Alert message: Atomicorp.com WAF Rules: Generic PHP bad functions protection

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic PHP bad functions protection

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340162


Alert message: Atomicorp.com WAF Rules: Remote File Injection Attack detected (Unauthorized URL detected as argument)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 305

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects possible Remote File Injection attempts. These types of attacks work by tricking an application into download software into itself, which will allow the attacker to download any software they want unto the victims systems, thereby compromising it.

This rule works by detecting the use of a URL as an argument.

Troubleshooting:

False Positives:

A false positive can occur when an application legitimately sets an argument to a URL, and does this using a previously unknown argument or method to store this URL. The rules contain a large library of known web applications and safe methods for using URLs, and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL. Please see the Tuning the Atomicorp WAF Rules page for basic information.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_340165

Outside References:

None.

WAF Rule ID 340165


Alert message: Atomicorp.com WAF Rules: Uniencoded possible Remote File Injection attempt in URI (AE)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 292

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects Remote File Injection attempts. These types of attacks work by tricking an application into download software into itself, which will allow the attacker to download any software they want unto the victims systems, thereby compromising it.

This rules work by detecting the use of a URL as an argument in the URL, for example:

GET /foo.php?foo=http://www.example.com

It will also try to determine if this is a local request, and if it is the local request will be allowed.

Troubleshooting:

False Positives:

A false positive can occur when an application legitimately sets an argument to a URL, and does this using a previously unknown argument or method to store this URL. The rules contain a large library of known web applications and safe methods for using URLs, and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_340162

Outside References:

None.

WAF Rule ID 340855


Alert message: Atomicorp.com WAF Rules: Include Remote File Injection attempt in argument

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 9

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceComments

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Include Remote File Injection attempt in argument

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340031


Alert message: Atomicorp.com WAF Rules: Remote file inclusion

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 4

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote file inclusion

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340163


Alert message: Atomicorp.com WAF Rules: Remote File Injection Attack Blocked (Unauthorized URL detected as argument)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 302

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects Remote File Injection attempts that are encoded. These types of attacks work by tricking an application into download software into itself, which will allow the attacker to download any software they want unto the victims systems, thereby compromising it.

This rules work by detecting the use of a URL as an argument, and tries to detect encoding methods that may used to hide this.

Troubleshooting:

False Positives:

A false positive can occur when an application legitimately sets an argument to a URL, and does this using a previously unknown argument or method to store this URL. The rules contain a large library of known web applications and safe methods for using URLs, and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule. Some applications may also legitimately use encoding methods.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_340165

Outside References:

None.

WAF Rule ID 340023


Alert message: Atomicorp.com WAF Rules: Attack Blocked - remote command execution

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 7

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • cmdLine

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Attack Blocked - remote command execution

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340117


Alert message: Atomicorp.com WAF Rules: General [url] php forum protections

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: General [url] php forum protections

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340039


Alert message: Atomicorp.com WAF Rules: PHP command injection attempt

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: PHP command injection attempt

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340035


Alert message: Atomicorp.com WAF Rules: Bogus file extensions

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 5

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects “bogus” file extensions, that is file extensions that should not be valid. For example, a file named “shell.php.wmv”. This method is used by attackers to try to bypass upload managers that try to enforce valid files by looking at file extensions, and deny certain types of files.

Troubleshooting:

False Positives:

A false positive can occur when a file or application is legitimately named in this non-standard fashion. We recommend that you follow a standard naming convention, as most upload managers will also follow these conventions and allowing non-standard files may allow an attacker to bypass the file type checks in some web applications.

The rules also contain a large library of known web applications and safe methods that use non standard naming conventions, and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.

It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 341137


Alert message: Atomicorp.com WAF Rules: Potentially Bogus PHP file

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Potentially Bogus PHP file

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340069


Alert message: Atomicorp.com WAF Rules: Web vulnerability scanner

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 4

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule is triggered when known vulnerability scanner actions are detected. This looks for events that vulnerability scanners do on purpose to identify themselves to the system they are testing.

Troubleshooting:

False Positives:

There are no known false positives with this rule. The rule looks for the known actions that vulnerability scanners take to specifically identify that they are testing the system, and that do this on purpose so that the operators of the system know that they are being scanned. This is a bit akin to asking the police to check your home for security issues, and upon arriving the police ring your doorbell and tell you they will be starting the assessment. Some vulnerability scanners “announce” themselves, and that is what this rule looks for.

False positives with this rule are essentially unheard of.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

Please see the Tuning the Atomicorp WAF Rules page for more information.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340076


Alert message: Atomicorp.com WAF Rules: PHP Session attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: PHP Session attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340079


Alert message: Atomicorp.com WAF Rules: PHP policy violation

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 10

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: PHP policy violation

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340114


Alert message: Atomicorp.com WAF Rules: Apache admin service access attempt

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Apache admin service access attempt

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340116


Alert message: Atomicorp.com WAF Rules: Common HTTP vulnerability

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Common HTTP vulnerability

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340097


Alert message: Atomicorp.com WAF Rules: Tomcat view source attempt

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Tomcat view source attempt

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340195


Alert message: Atomicorp.com WAF Rules: Attack Blocked - Base64 Encoded PHP function in Argument - this may be an attack.

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 3

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • compressWhitespace

  • lowercase

  • replaceNulls

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects when base64 encoded PHP code is found in an untrusted argument in a POST request from a client. This means that the client is sending base64 encoded PHP code to your server. If this is not a trusted user using a trusted web application, this is an attack on your system.

Troubleshooting:

False Positives:

If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Do not disable this rule.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340095


Alert message: Atomicorp.com WAF Rules: Attack Blocked - PHP function in Argument - this may be an attack.

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 53

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • removeWhitespace

  • removeComments

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Attack Blocked - PHP function in Argument - this may be an attack.

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340077


Alert message: Atomicorp.com WAF Rules: PHP policy violation

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 5

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • removeWhitespace

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: PHP policy violation

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340096


Alert message: Atomicorp.com WAF Rules: PHP policy violation

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: PHP policy violation

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340128


Alert message: Atomicorp.com WAF Rules: Remote PHP command exection

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 25

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • removeComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote PHP command exection

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340133


Alert message: Atomicorp.com WAF Rules: HTTP header PHP code injection attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 5

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: HTTP header PHP code injection attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340011


Alert message: Atomicorp.com WAF Rules: Generic PHP exploit pattern denied

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 11

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic PHP exploit pattern denied

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390715


Alert message: Atomicorp.com WAF Rules: PHP Injection Attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 15

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • htmlEntityDecode

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: PHP Injection Attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 380018


Alert message: Atomicorp.com WAF Rules: Potentially malicious PHP code injection attempt

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 25

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • htmlEntityDecode

  • lowercase

  • replaceComments

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Potentially malicious PHP code injection attempt

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 380019


Alert message: Atomicorp.com WAF Rules: Potentially malicious PHP code injection attempt - base64 encoded

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 8

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • compressWhitespace

  • lowercase

  • replaceComments

  • replaceNulls

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Potentially malicious PHP code injection attempt - base64 encoded

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 380020


Alert message: Atomicorp.com WAF Rules: Potentially malicious PHP code injection attempt - hex encoded

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 10

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • hexDecode

  • lowercase

  • replaceComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Potentially malicious PHP code injection attempt - hex encoded

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340118


Alert message: Atomicorp.com WAF Rules: Generic XML-RPC attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 8

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic XML-RPC attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390636


Alert message: Atomicorp.com WAF Rules: XMLRPC SQL injection attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: XMLRPC SQL injection attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340121


Alert message: Atomicorp.com WAF Rules: XML-RPC attacks on xmlrpc.php

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 6

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceComments

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: XML-RPC attacks on xmlrpc.php

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340122


Alert message: Atomicorp.com WAF Rules: XML-RPC SQL injection

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 7

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceComments

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: XML-RPC SQL injection

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390635


Alert message: Atomicorp.com WAF Rules: XMLRPC encoded command injection attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: XMLRPC encoded command injection attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 393635


Alert message: Atomicorp.com WAF Rules: XMLRPC base64 encoded command injection attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • compressWhitespace

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: XMLRPC base64 encoded command injection attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340123


Alert message: Atomicorp.com WAF Rules: XML-RPC base64 encoded SQL injection

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 7

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • compressWhitespace

  • lowercase

  • replaceComments

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: XML-RPC base64 encoded SQL injection

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340120


Alert message: Atomicorp.com WAF Rules: Generic XML-RPC attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 5

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • compressWhitespace

  • lowercase

  • replaceComments

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic XML-RPC attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 393636


Alert message: Atomicorp.com WAF Rules: XMLRPC base64 encoded SQL injection attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • compressWhitespace

  • lowercase

  • replaceComments

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: XMLRPC base64 encoded SQL injection attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340134


Alert message: Atomicorp.com WAF Rules: Worm signature

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Worm signature

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340138


Alert message: Atomicorp.com WAF Rules: Fake image file shell attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 4

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects non image content on an image file. This method is sometimes used to hide shells and other unauthorized files as image files.

Troubleshooting:

False Positives:

There are no known false positives for this rule. It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_340140

Outside References:

None.

WAF Rule ID 340140


Alert message: Atomicorp.com WAF Rules: Bogus graphics file

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 5

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects non image content on an image file. This method is sometimes used to hide shells and other unauthorized files as image files.

Troubleshooting:

False Positives:

There are no known false positives for this rule. It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules page.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_340138

Outside References:

None.

WAF Rule ID 340141


Alert message: Atomicorp.com WAF Rules: Attack Blocked - upload attack - Attempt to upload a non-graphics file as a graphics file blocked

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Attack Blocked - upload attack - Attempt to upload a non-graphics file as a graphics file blocked

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 347099


Alert message: Atomicorp.com WAF Rules: Vulnerability scanner attempting cross site scripting attempt

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 6

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • cssDecode

  • htmlEntityDecode

  • jsDecode

  • lowercase

  • removeNulls

  • removeWhitespace

  • removeComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Vulnerability scanner attempting cross site scripting attempt

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340099


Alert message: Atomicorp.com WAF Rules: cross site scripting attempt

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 4

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • cssDecode

  • htmlEntityDecode

  • jsDecode

  • lowercase

  • removeNulls

  • removeComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: cross site scripting attempt

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 341099


Alert message: Atomicorp.com WAF Rules: cross site scripting attempt

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 3

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • removeNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: cross site scripting attempt

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340102


Alert message: Atomicorp.com WAF Rules: cross site scripting attempt

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 4

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • cssDecode

  • htmlEntityDecode

  • jsDecode

  • lowercase

  • removeNulls

  • removeComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: cross site scripting attempt

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340106


Alert message: Atomicorp.com WAF Rules: cross site scripting attempt STYLE + EXPRESSION

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 4

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • cssDecode

  • htmlEntityDecode

  • jsDecode

  • lowercase

  • removeNulls

  • removeComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: cross site scripting attempt STYLE + EXPRESSION

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340109


Alert message: Atomicorp.com WAF Rules: cross site scripting attempt using XML

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • cssDecode

  • htmlEntityDecode

  • jsDecode

  • lowercase

  • removeNulls

  • removeComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: cross site scripting attempt using XML

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340110


Alert message: Atomicorp.com WAF Rules: cross site scripting attempt executing hidden Javascript

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • cssDecode

  • htmlEntityDecode

  • jsDecode

  • lowercase

  • removeNulls

  • removeComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: cross site scripting attempt executing hidden Javascript

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340112


Alert message: Atomicorp.com WAF Rules: cross site scripting attempt to execute Javascript code

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 3

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • cssDecode

  • htmlEntityDecode

  • jsDecode

  • lowercase

  • removeNulls

  • removeComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects when a client is attempting to inject javascript via either an untrusted argument, untrusted application or both. This may be a cross site scripting attack.

Troubleshooting:

False Positives:

If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Do not disable this rule.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340003


Alert message: Atomicorp.com WAF Rules: XSS attack in request headers

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 10

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • cssDecode

  • htmlEntityDecode

  • jsDecode

  • lowercase

  • removeNulls

  • removeComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Cross Site Scripting attack detected in the request headers.

Troubleshooting:

False Positives:

There are no known False Positives for this.

If you believe this is a false positive, it is recommended that you report this to our security team can determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_340020

Outside References:

http://en.wikipedia.org/wiki/Cross-site_scripting

http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

WAF Rule ID 340211


Alert message: Atomicorp.com WAF Rules: cross site scripting stealth attempt to access shell

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • cssDecode

  • htmlEntityDecode

  • jsDecode

  • lowercase

  • normalisePath

  • removeNulls

  • removeComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: cross site scripting stealth attempt to access shell

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 341211


Alert message: Atomicorp.com WAF Rules: potentially untrusted encoded javascript detected

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • cssDecode

  • htmlEntityDecode

  • jsDecode

  • lowercase

  • removeNulls

  • removeComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: potentially untrusted encoded javascript detected

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340210


Alert message: Atomicorp.com WAF Rules: cross site scripting stealth attempt to access shell

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • htmlEntityDecode

  • lowercase

  • normalisePath

  • removeNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: cross site scripting stealth attempt to access shell

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340113


Alert message: Atomicorp.com WAF Rules: Potential attempt to inject javascript

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 36

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • htmlEntityDecode

  • lowercase

  • normalisePath

  • removeNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Potential attempt to inject javascript

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 320474


Alert message: Atomicorp.com WAF Rules: Generic XSS filter

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 14

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic XSS filter

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340147


Alert message: Atomicorp.com WAF Rules: Potential Cross Site Scripting Attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 159

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • cssDecode

  • htmlEntityDecode

  • jsDecode

  • lowercase

  • removeNulls

  • replaceComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rules detects when a potential cross site scripting attack may have occurred. For example, if javascript is included in a variable that appears to not be used for this purpose, or if web code is included in a portion of a request that is not known to be used for this purpose.

Troubleshooting:

False Positives:

This rule may produce a false positive if an application is used in a previously unknown or untested manner. The rules contain a large library of known trusted methods, however it is possible an application may be using a previously untested method. It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_340149

Outside References:

None.

WAF Rule ID 340149


Alert message: Atomicorp.com WAF Rules: Potential Cross Site Scripting Attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 160

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • cssDecode

  • htmlEntityDecode

  • jsDecode

  • lowercase

  • removeNulls

  • removeComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rules detects when a potential cross site scripting attack may have occurred. For example, if javascript is included in a variable that appears to not be used for this purpose, or if web code is included in a portion of a request that is not known to be used for this purpose. This rule looks for encoded methods.

Troubleshooting:

False Positives:

This rule may produce a false positive if an application is used in a previously unknown or untested manner. The rules contain a large library of known trusted methods, however it is possible an application may be using a previously untested method. It is not recommended that you disable this rule if you have a false positive.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_340147

Outside References:

None.

WAF Rule ID 350147


Alert message: Atomicorp.com WAF Rules: Potentially Untrusted Web Content Detected

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 157

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • htmlEntityDecode

  • lowercase

  • replaceComments

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rules detects when potentially untrusted web content is used in a client request. For example, if javascript is included in a variable that appears to not be used for this purpose, or if web code is included in a portion of a request that is not known to be used for this purpose.

Troubleshooting:

False Positives:

This rule may produce a false positive if an application is used in a previously unknown or untested manner. The rules contain a large library of known trusted methods, however it is possible an application may be using a previously untested method. It is not recommended that you disable this rule if you have a false positive.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_350148

Outside References:

None.

WAF Rule ID 340158


Alert message: Atomicorp.com WAF Rules: XSS in referrer

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 20

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • cssDecode

  • htmlEntityDecode

  • jsDecode

  • lowercase

  • removeNulls

  • removeComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: XSS in referrer

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 320476


Alert message: Atomicorp.com WAF Rules: Cross Site Scripting Attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 6

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Cross Site Scripting Attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 320475


Alert message: Atomicorp.com WAF Rules: Cross Site Scripting Attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 3

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • htmlEntityDecode

  • lowercase

  • replaceComments

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Cross Site Scripting Attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340148


Alert message: Atomicorp.com WAF Rules: Potential Cross Site Scripting Attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 160

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • cssDecode

  • htmlEntityDecode

  • jsDecode

  • lowercase

  • removeNulls

  • removeComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rules detects when a potential cross site scripting attack may have occurred. For example, if javascript is included in a variable that appears to not be used for this purpose, or if web code is included in a portion of a request that is not known to be used for this purpose. This rule looks for encoded methods.

Troubleshooting:

False Positives:

This rule may produce a false positive if an application is used in a previously unknown or untested manner. The rules contain a large library of known trusted methods, however it is possible an application may be using a previously untested method. It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_340149

Outside References:

None.

WAF Rule ID 350148


Alert message: Atomicorp.com WAF Rules: Potentially Untrusted Web Content Detected

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 166

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rules detects when potentially untrusted web content is used in a client request. For example, if javascript is included in a variable that appears to not be used for this purpose, or if web code is included in a portion of a request that is not known to be used for this purpose. This rule looks for various encoded methods.

Troubleshooting:

False Positives:

This rule may produce a false positive if an application is used in a previously unknown or untested manner. The rules contain a large library of known trusted methods, however it is possible an application may be using a previously untested method. It is not recommended that you disable this rule if you have a false positive.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_350147

Outside References:

None.

WAF Rule ID 380002


Alert message: Atomicorp.com WAF Rules: PHP session cookie attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: PHP session cookie attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 380006


Alert message: Atomicorp.com WAF Rules: XSS Generic attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 11

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: XSS Generic attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 380007


Alert message: Atomicorp.com WAF Rules: SQL Inject Generic signature

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 5

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: SQL Inject Generic signature

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 380016


Alert message: Atomicorp.com WAF Rules: SSI injection Attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 3

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: SSI injection Attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340213


Alert message: Atomicorp.com WAF Rules: LDAP Injection Attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 8

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 2

HTTP Status: 501

Action: deny

Transforms:

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: LDAP Injection Attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390597


Alert message: Atomicorp.com WAF Rules: Attack Blocked - Data Leakage - attempt to access backup system/application config file (disable this rule only if you want to allow anyone access to these backup files)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects attempts to access backup copies of configuration files. For example, config.backup, config.old, config.save.

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390581


Alert message: Atomicorp.com WAF Rules: Attack Blocked - Data Leakage - attempt to access backup file (disable this rule if you require access to files that end with a tilde)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects if a file is access that starts with a ~. For example, the file:

~file

Some applications on Linux use a ~ to make a file as temporary. Sensitive information is often stored in such temporary files.

Troubleshooting:

False Positives:

A false positive can occur when you need to access files with ~’s in the name.

This rule is not triggered when a a directory is accessed with a ~, such as ~user/.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_390584

Outside References:

None.

WAF Rule ID 390582


Alert message: Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access backup file (disable this rule if you require access to files that nclude .bak)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects if a file that ends in the .bak extension.

Some applications use .bak to store temporary or backup files. Sensitive information is often stored in such temporary files.

Troubleshooting:

False Positives:

A false positive can occur when you need to access a file with .bak extension.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_390587

Outside References:

None.

WAF Rule ID 390583


Alert message: Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access backup file (disable this rule if you require access to files that end with .old)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects if a file that ends in the .old extension.

Some applications use the .old extension to save files that store temporary or backup files. Sensitive information is often stored in such temporary files.

Troubleshooting:

False Positives:

A false positive can occur when you need to access a file with .old extension.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_390587

Outside References:

None.

WAF Rule ID 390584


Alert message: Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access backup file (disable this rule if you require access to files that end with .orig)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects if a file that ends in the .orig extension.

Some applications use the .orig extension when creating files that store temporary or backup files. Sensitive information is often stored in such temporary files.

Troubleshooting:

False Positives:

A false positive can occur when you need to access a file with .orig extension.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_390587

Outside References:

None.

WAF Rule ID 390586


Alert message: Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access backup file (disable this rule if you require access to files that end with .copy)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects if a file that ends in the .copy extension.

Some applications use the .copy extension when creating files that store temporary or backup files. Sensitive information is often stored in such temporary files.

Troubleshooting:

False Positives:

A false positive can occur when you need to access a file with .copy extension.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_390587

Outside References:

None.

WAF Rule ID 390587


Alert message: Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access backup file (disable this rule if you require access to files that end with .sw)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 5

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

This rule detects if a file that ends in the .swp extension, and other variants. Some applications use the .swp extension when creating files that store temporary or backup files. Sensitive information is often stored in such temporary files, such as database passwords and other sensitive information when developers work on web files, such as .php, .cgi, .asp and other languages where an attacker can not view the source of those files. Attackers regularly scan for these files to steal credentials that then use to break into systems. This is one of the easier methods for penetrating systems, which is why it so popular with attackers.

Troubleshooting:

False Positives:

A false positive can occur when you need to access a file with .swp extension.

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

WAF_390586

Outside References:

None.

WAF Rule ID 390588


Alert message: Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access backup file (disable this rule if you require access to files that end with .backup)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access backup file (disable this rule if you require access to files that end with .backup)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390589


Alert message: Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access backup file (disable this rule if you require access to files that end with .mdb)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access backup file (disable this rule if you require access to files that end with .mdb)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 350589


Alert message: Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access vi recovery file (disable this rule if you require access to files that end with .mdb)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access vi recovery file (disable this rule if you require access to files that end with .mdb)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 350590


Alert message: Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access raw SQL files (disable this rule if you require access to files that end with .sql)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 3

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access raw SQL files (disable this rule if you require access to files that end with .sql)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 350591


Alert message: Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access raw Private cryto keys

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access raw Private cryto keys

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 350592


Alert message: Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access AWS credentials

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access AWS credentials

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 350593


Alert message: Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access stored vscode passwords

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Attack Blocked - Data leakage - attempt to access stored vscode passwords

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 380013


Alert message: Atomicorp.com WAF Rules: ASL Configuration Leak Prevented

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 4

HTTP Status: 404

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: ASL Configuration Leak Prevented

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 360013


Alert message: Atomicorp.com WAF Rules: Horde system configuration Leak Prevented

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Emergency (HIDS: 14)

HTTP Protocol Phase: 4

HTTP Status: 404

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Horde system configuration Leak Prevented

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 390585


Alert message: Atomicorp.com WAF Rules: Attack Blocked - XSS probe

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 4

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • cssDecode

  • htmlEntityDecode

  • jsDecode

  • lowercase

  • removeNulls

  • removeComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Attack Blocked - XSS probe

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 393585


Alert message: Atomicorp.com WAF Rules: XSS attack on ASL GUI

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 5

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: XSS attack on ASL GUI

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340463


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (modules.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 9

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • compressWhitespace

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (modules.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340462


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (modules.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 9

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Inbound undefined compressed content (not be confused with compressed files or properly defined compressed content) is invisible to all Web Application Firewalls. Therefore they can not see or evaluate any traffic encoded in this manner. If an attack were to be encoded in this way the WAF would not catch it, therefore WAFs are configured to block this traffic.

This rule looks for this header:

Content-Encoding: Identity

If this header exists, the request is rejected because the WAF can not decode this kind of content. It is invisible to the WAF (because its compressed, but the method of compression is not defined, so the WAF has no idea how to uncompress it), and therefore an attack can simply bypass the WAF by compressing an attack.

Do not disable this rule.

Background

The use of this method is also consider invalid by the HTTP 1.1 RFC. This content-coding is used only in the Accept-Encoding header, and SHOULD NOT be used in the Content-Encoding header. This rule detects this RFC non-compliant compressed inbound content and blocks it correctly. The content is both invalid, and invisible to the WAF. The use of this method is extremely rare in practice, as properly designed client applications will not do this. If you have an application that performs in this manner the application is not in compliance with RFCs, is generating invalid encodings, is producing content the WAF will not be able to decompress (and which it will therefore block) and should be modified to be in compliance with the HTTP 1.1 RFC.

See the RFC in the references section below for technical details.

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340464


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (admin.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 58

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (admin.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340465


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (admin.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 58

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (admin.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340466


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (cpinquiry.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (cpinquiry.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340467


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (cpinquiry.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (cpinquiry.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340468


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (save-page.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (save-page.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340469


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (save-page.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (save-page.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340470


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (guestbook.pl)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (guestbook.pl)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340471


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (guestbook.pl)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (guestbook.pl)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340472


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/modules/wysiwyg/save.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/modules/wysiwyg/save.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340473


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/modules/wysiwyg/save.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/modules/wysiwyg/save.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 370144


Alert message: Atomicorp.com WAF Rules: Generic SQL injection protection 2

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic SQL injection protection 2

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 370016


Alert message: Atomicorp.com WAF Rules: Generic SQL injection protection

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceComments

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic SQL injection protection

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340247


Alert message: Atomicorp.com WAF Rules: Potential Cross Site Scripting Attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Potential Cross Site Scripting Attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340248


Alert message: Atomicorp.com WAF Rules: Potential Cross Site Scripting Attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Potential Cross Site Scripting Attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340249


Alert message: Atomicorp.com WAF Rules: Potential Cross Site Scripting Attack

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 3

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • removeNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Potential Cross Site Scripting Attack

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340457


Alert message: Atomicorp.com WAF Rules: Generic SQL inline command protection (/admin/index.php exclude)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • htmlEntityDecode

  • lowercase

  • replaceComments

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic SQL inline command protection (/admin/index.php exclude)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340476


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 32

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340477


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 30

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340478


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forums/admincp/user.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forums/admincp/user.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340479


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forums/admincp/user.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forums/admincp/user.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340482


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forum/admincp/template.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forum/admincp/template.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340483


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forum/admincp/template.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forum/admincp/template.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340484


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (contact.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 8

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (contact.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340485


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (contact.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 8

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (contact.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340486


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/conf.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/conf.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340487


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/conf.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/conf.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340488


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/posted/edit_listing.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/posted/edit_listing.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340489


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/posted/edit_listing.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/posted/edit_listing.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340490


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forums/private.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase:

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forums/private.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340491


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forums/private.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forums/private.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340492


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forums/newreply.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forums/newreply.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340493


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forums/newreply.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forums/newreply.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340444


Alert message: Atomicorp.com WAF Rules: Generic SQL injection protection (/forums/newreply.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • htmlEntityDecode

  • lowercase

  • replaceComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic SQL injection protection (/forums/newreply.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340494


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forums/newreply.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forums/newreply.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340495


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forums/newreply.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forums/newreply.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340496


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/links.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 4

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/links.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340497


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/links.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 4

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/links.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340498


Alert message: Atomicorp.com WAF Rules: Generic SQL injection protection (/forums/newreply.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 7

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • htmlEntityDecode

  • lowercase

  • replaceComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic SQL injection protection (/forums/newreply.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340499


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/wysiwyg-edit)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/wysiwyg-edit)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340500


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/wysiwyg-edit)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/wysiwyg-edit)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340503


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-bin/mt4/mt-comments.cgi)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-bin/mt4/mt-comments.cgi)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340504


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-bin/mt4/mt-comments.cgi)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-bin/mt4/mt-comments.cgi)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340505


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/ubbthreads/admin/dogen_display.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/ubbthreads/admin/dogen_display.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340506


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/ubbthreads/admin/dogen_display.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/ubbthreads/admin/dogen_display.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340509


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/modernbill5/app-modernbill-admin/clients.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/modernbill5/app-modernbill-admin/clients.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340510


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/modernbill5/app-modernbill-admin/clients.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/modernbill5/app-modernbill-admin/clients.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340511


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-bin/database/dbpro.cgi)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-bin/database/dbpro.cgi)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340512


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-bin/database/dbpro.cgi)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-bin/database/dbpro.cgi)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340515


Alert message: Atomicorp.com WAF Rules: Generic SQL injection protection (/admin/patch.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic SQL injection protection (/admin/patch.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 344516


Alert message: Atomicorp.com WAF Rules: Generic SQL inline command protection (/admin/patch.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 11

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • htmlEntityDecode

  • lowercase

  • replaceComments

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic SQL inline command protection (/admin/patch.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340517


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/images/logdnet.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/images/logdnet.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340518


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/images/logdnet.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/images/logdnet.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340519


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/contact_form.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/contact_form.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340520


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/contact_form.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/contact_form.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340521


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forum/register.ph)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forum/register.ph)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340522


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forum/register.ph)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/forum/register.ph)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 360128


Alert message: Atomicorp.com WAF Rules: Remote PHP command exection

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 3

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote PHP command exection

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340523


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/manager/index.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 5

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/manager/index.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340524


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/manager/index.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 5

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/manager/index.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 350855


Alert message: Atomicorp.com WAF Rules: Include File Injection attempt in argument

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Include File Injection attempt in argument

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 350160


Alert message: Atomicorp.com WAF Rules: Generic SQL Injection protection

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • compressWhitespace

  • hexDecode

  • htmlEntityDecode

  • replaceComments

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic SQL Injection protection

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 350159


Alert message: Atomicorp.com WAF Rules: Generic SQL inline command protection (MM)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 28

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • compressWhitespace

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • replaceComments

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic SQL inline command protection (MM)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 350157


Alert message: Atomicorp.com WAF Rules: Generic SQL inline command protection

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 32

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • htmlEntityDecode

  • lowercase

  • replaceComments

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Generic SQL inline command protection

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340525


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-bin/class/class_add.pl)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-bin/class/class_add.pl)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340526


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-bin/class/class_add.pl)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-bin/class/class_add.pl)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340527


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/insert_image)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/insert_image)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340528


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/insert_uimage)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/insert_uimage)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340529


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS ( /administration/news.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS ( /administration/news.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340530


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/administration/news.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/administration/news.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340531


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/editor.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/editor.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340532


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/editor.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 2

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/editor.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340533


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-sys/FormMail.cgi)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 4

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-sys/FormMail.cgi)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340544


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-sys/FormMail.cgi)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 4

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-sys/FormMail.cgi)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340545


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/frame.aspx)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/frame.aspx)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340546


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/frame.aspx)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/frame.aspx)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340547


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/spaw/gethref.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/spaw/gethref.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340548


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/spaw/gethref.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/spaw/gethref.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340549


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-bin/mt/mt.fcgi)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 3

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-bin/mt/mt.fcgi)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340550


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-bin/mt/mt.fcgi)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 4

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/cgi-bin/mt/mt.fcgi)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340551


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/runmodule.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/runmodule.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340552


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/runmodule.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • base64Decode

  • hexDecode

  • htmlEntityDecode

  • lowercase

  • urlDecodeUni

Log Types:

  • Basic Information (log)

  • Capture full session (auditlog)

Description:

Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/runmodule.php)

Troubleshooting:

False Positives:

Instructions to report false positives are detailed at Reporting False Positives If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Configuration Notes:

  • enabled by: MODSEC_10_RULES

  • Requires Engine version: 2.9.0 or above

Tuning guidance Notes:

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the Atomicorp WAF Rules

Additional Information:

Similar rules:

None.

Outside References:

None.

WAF Rule ID 340553


Alert message: Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/frame.php)

Rule Class: Generic Attack Ruleset (10_asl_rules.conf)

Version: 1

Severity: Critical (HIDS: 9)

HTTP Protocol Phase: 2

HTTP Status: 403

Action: deny

Transforms:

  • compressWhitespace

  • lowercase

  • replaceNulls

  • urlDecodeUni

Log Types:

  • Basic Information (log)