Difference between revisions of "WAF 330790"

From Atomicorp Wiki
Jump to: navigation, search
(Created page with "'''Rule ID''' 330790 '''Status''' Active rule currently published. '''Alert Message''' Apache Error: Invalid URI in Request '''Description''' This rule reports whe...")
 
m
Line 13: Line 13:
 
'''Description'''   
 
'''Description'''   
  
This rule reports when apache reports a critical error in a request.  This rule does not cause this error, nor can disabling it prevent apache from reporting these errors.  This is just a reporting rule.   
+
This rule reports when apache reports a critical error in a request.  This rule does not cause this error, nor can disabling it prevent apache from reporting these errors and rejecting the request.  This is just a reporting rule that occurs after apache itself has rejected the request.   
  
The rule looks for errors from apache itself, which may indicate attacks or just errors in requests to the system.  This rule runs at phase 5, which is a "post" phase that occurs after apache has taken whatever actions it may take.  In most cases this means that apache will block or drop the request.  A 400 Bad Request error is the most common, but not the only errors that apache may produce.
+
The rule looks for errors from apache itself, which may indicate attacks or just invalid requests to the system.  This rule runs at phase 5, which is a "post" phase that occurs after apache has taken whatever actions it may take (including serving the content, or rejecting a request for it).  In most cases this means that apache has rejected the request as invalid to the client.  A 400 Bad Request error is the most common, but other errors are also possible.
  
 
This rule exists to log this event for other parts of [[ASL]] to use to respond to this event, should it be at attack.
 
This rule exists to log this event for other parts of [[ASL]] to use to respond to this event, should it be at attack.

Revision as of 12:43, 2 March 2012

Rule ID

330790

Status

Active rule currently published.

Alert Message

Apache Error: Invalid URI in Request

Description

This rule reports when apache reports a critical error in a request. This rule does not cause this error, nor can disabling it prevent apache from reporting these errors and rejecting the request. This is just a reporting rule that occurs after apache itself has rejected the request.

The rule looks for errors from apache itself, which may indicate attacks or just invalid requests to the system. This rule runs at phase 5, which is a "post" phase that occurs after apache has taken whatever actions it may take (including serving the content, or rejecting a request for it). In most cases this means that apache has rejected the request as invalid to the client. A 400 Bad Request error is the most common, but other errors are also possible.

This rule exists to log this event for other parts of ASL to use to respond to this event, should it be at attack.

False Positives

False positives with this rule are not possible. The rule does not cause this event, nor will disabling it prevent apache from generating these errors. If this occurs, it means apache, and not mod_security, has generating an error with the request. You will want to discuss the actual apache error with your client, application developer, integrator and/or apache vendor. This is not a mod_security or ASL caused event.

Tuning Guidance

None.

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Personal tools