|Alert Message||Atomicorp.com WAF Rules: Fake User Agent String|
This rule is triggered if a client sends a completely invalid and fake user agent string. It looks for the case where a client sends two User-Agent headers. In HTTP a client will only send a single User-Agent header, as there can only be one User-Agent. Below are a few examples of an invalid user-agent string.
This is a know mistake some attack tools cause and can be used to detect potentially malicious activities. This is an excellent method for detecting so called zero day attacks. A valid web browser or other web client will never generate a request like this.
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.6; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
User-Agent: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; uk; rv:18.104.22.168) Gecko/20101203 Firefox/3.6.13
We've highlighted the header "User-Agent:". You will notice that it appears twice in these examples. This is always invalid and will never occur with a legitimate browser or web application. Closer observation of the first string above will reveal that they also contradict themselves by claiming the client is both using Internet Explorer 6 and Internet Explorer 7 for the same request, at the same time. This is, of course, also impossible. A client can not send a web request from IE7 and IE6 in the same request.
This technique is used by spammers and attackers that either try to trick tools that filter out known spamming User-Agent headers, or they simply didnt code their attack tool well and its incorrectly adding in the header twice.
In very rare cases this sometimes happens when a user has installed, accidentally or deliberately, a piece of spyware that is trying to mask the users actual web client and has broken this field. The later case is extremely rare, and we do not recommend you assume this is occurring. More than likely this is an attack, and if from a non-attacker this generally means their system is infected with malware, a virus, spyware or some combination thereof.
 False Positives
Some spyware may break the users User-Agent string. Therefore a false positive can occur. If you want to allow all cases, including where a a users system is infected by malware please disable this rule.
If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page.
 Tuning Guidance
If you know that this behaviour is acceptable for your application, you can tune it by disabling this rule for the application or virtual host.
If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.
 Additional Information
 Similar Rules
 Knowledge Base Articles
 Outside References