WAF 300034

Rule ID

300034

Status

Active rule currently published.

Alert Message

Atomicorp.com WAF Rules: Possible Spam or Malware: URL to temporary directory

Description

This rule detects posts that contain links to temporary directories commonly used by CMS systems, blogs and other content management systems. These systems do not generally link to objects in these directories, however attackers and spammers will often hide objects, malware, spamming tools and graphics in these directories. This rule specific looks for content in directories such as:

/wp-content/uploads/ /wp-content/uploads| /wp-content/themes /wp-content/gallery /blogs/templates

False Positives

A false positive can occur when an application legitimately uses these directories. The rules contain a large library of known web applications that use these directories, and can detect these conditions and will allow them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.

It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Tuning Guidance

Please see the Tuning the Atomicorp WAF Rules page for basic tuning guidance.

Similar Rules

Knowledge Base Articles

None.

Outside References

None.