[edit] Description

This rules detects when a client attempts, and fails to issue what is sometimes referred to as a "session splitting" attack. This type of attack attempts to trick the web server into thinking its serving one request, when its serving another. This attack method is also used to try and trick a WAF into not looking at the second, or "real" request which includes the real payload and attack.

This particular rule catches a method that spammers use to try and post spam to a website, and sometimes to register with a forum, blog, CMS or other web application that requires registration.

[edit] Troubleshooting

[edit] False Positives

None. This rule only detects completely invalid requests, there is no known legitmiate action that would trigger this rule.

[edit] Tuning Guidance

None.

[edit] Additional Information

[edit] Similar Rules

None.

[edit] Knowledge Base Articles

None.

[edit] Outside References

None.

[edit] Notes

None.