WAF 330122

From Atomicorp Wiki

Rule ID

330122

Status

Active rule currently published.

Alert Message

Atomicorp.com WAF Rules: Attack Script User Agent String Detected

Description

This rule detects when a client connects to a system with a User-Agent header that is known to be used by an exploit tool. The specific User-Agents this rule detects are:

  1. bwh3_user_agent
  2. zemu
  3. mama casper
  4. mama cyber
  5. mana sox
  6. mama xirio
  7. kmccrew bot search
  8. sasqia bot search
  9. casper bot search
  10. planetwork bot search
  11. dex bot search
  12. jcomers bot search
  13. sledink bot search
  14. goblox bot search
  15. indocom bot search
  16. indonetwork bot search
  17. ^perl post$
  18. rk q kangen
  19. t34mh4k
  20. ^revolt$
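The following added example (not Atomicorp's rule code) checks web access logs for the User-Agents listed above. It assumes case-insensitive matching, substring matching for every entry except the two anchored ones, and the Apache/nginx combined log format; the function names and sample log lines are constructed for illustration.

```python
import re

# Patterns copied from the list above. Entries written with ^...$ must match
# the whole header; the others are treated as substrings (assumption).
UA_PATTERNS = [
    "bwh3_user_agent", "zemu", "mama casper", "mama cyber", "mana sox",
    "mama xirio", "kmccrew bot search", "sasqia bot search",
    "casper bot search", "planetwork bot search", "dex bot search",
    "jcomers bot search", "sledink bot search", "goblox bot search",
    "indocom bot search", "indonetwork bot search", r"^perl post$",
    "rk q kangen", "t34mh4k", r"^revolt$",
]
UA_RE = re.compile("|".join(f"(?:{p})" for p in UA_PATTERNS), re.IGNORECASE)

# Combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def match_user_agent(ua):
    """Return the lower-cased matching text, or None if the header is clean."""
    m = UA_RE.search(ua)
    return m.group(0).lower() if m else None

def scan(lines):
    """Return (client ip, response status, matched text) for each flagged line."""
    hits = []
    for line in lines:
        rec = LOG_RE.match(line.strip())
        if rec:
            matched = match_user_agent(rec["ua"])
            if matched:
                hits.append((rec["ip"], rec["status"], matched))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 403 199 "-" "Mozilla/5.0 Casper Bot Search"',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "POST /form.php HTTP/1.1" 403 199 "-" "perl post"',
    '203.0.113.9 - - [10/Oct/2023:13:56:09 +0000] "POST /form.php HTTP/1.1" 200 87 "-" "my perl post client"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The last sample line is not flagged because `^perl post$` only matches when the header consists of exactly that string.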

False Positives

No known conditions exist where a False Positive should occur. These User-Agents are known to be used by malicious applications. If you have confirmed that an application is using one of these User-Agent headers, and it is not malicious, please provide a copy of the application to our support team for analysis.

It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if it is a clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Tuning Guidance

None.

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.
