WAF 390148

From Atomicorp Wiki
Revision as of 10:39, 5 August 2011 by Mshinn

Rule ID

390148

Status

Active rule currently published.

Alert Message

Atomicorp.com WAF Rules: Suspicious filename, possible unauthorized shell or other malicious script. Disable this rule if you know this file is not malicious.

Description

This rule detects whether a file's name looks suspicious. This is a very fast and simple way of looking for potentially malicious scripts and programs. Other rules attempt to look at the content of a file to determine if it is malicious; these rules exist in other rule families and are more CPU intensive, so not all users will be using these more complex rules. Furthermore, these more complex rules are not always able to detect every possible piece of malicious software. The intent of this rule is to detect known or suspicious file names (such as shell.php or massspam.pl) for action.

False Positives

A false positive can occur when an application or file legitimately uses one of these file names. When triggered, the rule reports the file name, as in the example below:

[msg "Atomicorp.com WAF Rules: Suspicious filename, possible unauthorized shell or other malicious script. Disable this rule if you know this file is not malicious."] [data "/ssh2.jpg"]

The file name is the value in the [data "..."] field, here /ssh2.jpg.
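To review which file names this rule is flagging before deciding whether to rename a file or report a false positive, the [data] field can be collected from the logs. The following is an added example, not part of the Atomicorp rules or this wiki; it assumes log entries carry the usual ModSecurity [key "value"] fields, and every sample line except the first (taken from this page) is constructed.

```python
import re
from collections import Counter

RULE_ID = "390148"  # rule ID documented on this page

# Alert message text as shown on this page
MSG = ("Atomicorp.com WAF Rules: Suspicious filename, possible unauthorized "
       "shell or other malicious script. Disable this rule if you know this "
       "file is not malicious.")

# Log metadata appears as [key "value"] pairs; values may hold escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_fields(line):
    """Return the [key "value"] pairs found in one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def flagged_filenames(lines, rule_id=RULE_ID):
    """Count the [data] file names reported by the suspicious-filename rule."""
    counts = Counter()
    for line in lines:
        fields = parse_fields(line)
        if "id" in fields:
            hit = fields["id"] == rule_id
        else:
            # Excerpts such as the one on this page have no [id] field,
            # so fall back to the alert message text.
            hit = "Suspicious filename" in fields.get("msg", "")
        if hit and "data" in fields:
            counts[fields["data"]] += 1
    return counts


# First line is the excerpt from this page; the rest are constructed samples.
SAMPLE_LOG = [
    f'[msg "{MSG}"] [data "/ssh2.jpg"]',
    f'[client 192.0.2.10] [id "{RULE_ID}"] [msg "{MSG}"] [data "/ssh2.jpg"]',
    f'[client 192.0.2.11] [id "{RULE_ID}"] [msg "{MSG}"] [data "/uploads/shell.php"]',
    '[client 192.0.2.12] [id "999999"] [msg "Constructed unrelated rule"] [data "/index.php"]',
]

if __name__ == "__main__":
    for name, hits in flagged_filenames(SAMPLE_LOG).most_common():
        print(f"{hits:4d}  {name}")
```

A name that recurs for a file you recognize is a candidate for renaming; one you do not recognize should be investigated as a possible unauthorized script.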

The rules contain a large library of known web applications and safe methods for using these file names, and can detect known safe methods and ignore them. However, it is possible for a new or custom application or file to use one of these names in an unknown manner and incorrectly trigger this rule.

It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, the simplest solution is to just rename the file. If you believe this is a more complex false positive, please report it to our security team to determine whether it is a legitimate case or a clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Tuning Guidance

If you know that this behavior is acceptable for your application, you can tune it by following the guidance on the Tuning the Atomicorp WAF Rules page.

Similar Rules

WAF_340163

Knowledge Base Articles

None.

Outside References

None.
