WAF 343434

From Atomicorp Wiki

Rule ID

343434

Status

Active rule currently published.

Alert Message

Atomicorp.com WAF Rules: Client Connection dropped by Apache due to slow connection, possible Slowaris attack

Description

This rule detects when Apache has generated a 408 error and dropped the connection. The rule does not block anything, because Apache has already taken action; it only reports when this occurs.

Disabling this rule has no effect on Apache dropping the connection.

False Positives

This rule cannot produce false positives: it only detects 408 errors from Apache.

It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report it to our security team so they can determine whether it is a legitimate case or a clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Tuning Guidance

If you are using a module such as Apache's mod_reqtimeout to detect slow connections, your configuration may need to be adjusted to allow slower connections. This module, and others like it, generate 408 errors when they detect slow connections. "Slowness" is determined by your configuration. The ModSecurity rule does not detect slowness; it only reports the 408 error that Apache generates.
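Before relaxing the timeouts, it helps to see which clients are receiving the 408 responses. The script below is an added example, not part of the Atomicorp rules or this wiki: it counts 408 entries per client in an Apache access log. It assumes the "combined" log format, that a request field of "-" means the connection timed out before a request line was read, and a site-specific `burst_threshold`; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "-" 408 - "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "-" 408 - "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "-" 408 - "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "-" 408 - "-" "-"
198.51.100.20 - - [10/Mar/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:03:10 +0000] "POST /upload HTTP/1.1" 408 - "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2024:10:05:00 +0000] "GET /big.iso HTTP/1.1" 200 4080000 "-" "curl/8.0"
"""

# Capture client IP, request line and status; the status is matched as its own
# field so a response size such as 4080000 is never mistaken for a 408.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def summarize_408(log_text, burst_threshold=3):
    """Count 408 responses per client and note where the timeout hit.

    burst_threshold is an assumed, site-specific cut-off, not a value
    taken from the rule or from Apache.
    """
    totals, no_request = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "408":
            continue
        ip = m.group("ip")
        totals[ip] += 1
        if m.group("req") == "-":  # timed out before any request line arrived
            no_request[ip] += 1
    return {
        ip: {
            "total_408": n,
            "no_request_line": no_request[ip],
            "review": n >= burst_threshold,  # many 408s from one client
        }
        for ip, n in totals.items()
    }

if __name__ == "__main__":
    for ip, row in sorted(summarize_408(SAMPLE_LOG).items()):
        print(ip, row)
```

A single 408 on a large upload from an otherwise normal client points toward timeouts that are too strict, while many 408s with no request line from one address are worth reviewing before any timeout is loosened.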

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.
