WAF 350053
Rule 350053 | |
---|---|
Status | Active |
Alert Message | Atomicorp.com WAF Rules: Threat Intelligence Match for known Brute Force attacker on Atomicorp Threat Intelligence RBL. |
Description
This rule detects when an IP address connecting to your server is listed in the Atomicorp.com Threat Intelligence database. This means the IP has been reported by other systems running ASL as having attempted to log in to services and having failed multiple times. This may indicate that the system has been compromised and is being used to attempt to brute force accounts, or it may indicate that a misconfigured application on the system is attempting to log in to multiple systems and failing multiple times.
You can look up details on this IP address at this URL:
http://www.atomicrbl.com/lookup
This rule can only be triggered if you have enabled the optional MODSEC_00_THREAT ruleset, which is disabled by default.
Troubleshooting
False Positives
If you believe this is a false positive (that is, this IP address is not compromised and has not been used recently to attack other systems), please report this to our support desk.
Configuration Notes
This ruleset requires a very fast local DNS server. If you do not have a fast local DNS server, you should not use these rules. The system will not serve any web pages until the DNS lookup completes, so without a fast local DNS server the web server can give the false impression of being "slow". The rules themselves do not slow the server; it is simply waiting for the DNS server to respond to a query. When using these rules, the web server will only be as fast as the DNS server it uses.
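Because every request waits on the resolver, it is worth timing RBL-style lookups before enabling the ruleset. The script below is an added example, not Atomicorp code: the zone `rbl.example.invalid`, the reversed-octet query format, and the 20 ms budget are assumptions, since this page names none of them.

```python
import ipaddress
import socket
import statistics
import time

# Placeholder zone (assumption): this page does not name the RBL's DNS zone.
RBL_ZONE = "rbl.example.invalid"

def rbl_query_name(ip, zone=RBL_ZONE):
    """Build a conventional DNSBL query name: reversed IPv4 octets + zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def timed_lookup(name, resolve=socket.gethostbyname):
    """Return (listed, seconds). A negative answer still costs a round trip,
    and that wait is what delays the page. Timeouts count as not listed."""
    start = time.perf_counter()
    try:
        resolve(name)
        listed = True
    except OSError:  # socket.gaierror (NXDOMAIN) and timeouts
        listed = False
    return listed, time.perf_counter() - start

def resolver_report(ips, budget_ms=20.0, resolve=socket.gethostbyname):
    """Time one lookup per IP and compare the worst case with a budget.
    budget_ms is an assumed per-request allowance, not a vendor figure."""
    times_ms = [timed_lookup(rbl_query_name(ip), resolve)[1] * 1000
                for ip in ips]
    worst = max(times_ms)
    return {
        "median_ms": statistics.median(times_ms),
        "worst_ms": worst,
        "within_budget": worst <= budget_ms,
    }

if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges (RFC 5737).
    # Distinct addresses keep a resolver cache from hiding the real latency.
    sample = ["192.0.2.10", "198.51.100.7", "203.0.113.25"]
    print(resolver_report(sample))
```

Run it on the web server itself so the measurement uses the same resolver the rules would use.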
Tuning Guidance
Please see the Tuning the Atomicorp WAF Rules page for basic information.
Additional Information
Similar Rules
WAF_350053
Knowledge Base Articles
None.
Outside References
None.