WAF 331032

From Atomicorp Wiki
Jump to: navigation, search
Rule 331032
Status Active
Alert Message Atomicorp.com WAF Rules: Suspicious activity detected - Host header is a numeric IP address


[edit] Description

Note: By default this rule, when used with ASL, does not block anything. It only alerts.

This rule detects when a request is made to an IP address on the web server, as opposed to a host name. For example, if the servers IP address was, and the hosts name was www.example.com. If a client/web browser made a request to "www.example.com", this rule would not be triggered, however if the client made a request for the actual IP address,, this rule would be triggered.

This rule does not block traffic, it simply alerts that the connection may be suspicious. Very few clients make requests to the IP address of the system, most users are connecting with a hostname. However, a high volume of malicious connections are made to systems IP address, as the attackers rarely know the systems host name(s).

If you do not want to be alerted to these cases, simply disable the rule.

If you wish to block these connections, just set this rule to Active Response in the ASL rule manager.

[edit] Troubleshooting

[edit] False Positives


[edit] Tuning Guidance

If you know that this behavior is acceptable for your application, you can either disable the rule for the server, or you can disable it for the application. Because this type of request is to the systems IP address, you can not disable this type of rule for a domain, as these types of requests are to the systems IP.

Please see the Tuning the Atomicorp WAF Rules page for basic information.

[edit] Additional Information

[edit] Similar Rules


[edit] Knowledge Base Articles


[edit] Outside References


[edit] Notes


Personal tools