Difference between revisions of "WAF 331032"

From Atomicorp Wiki
Jump to: navigation, search
(Created page with "{{Infobox |header1= Rule 331032 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = Atomicorp.com WAF Rules: Suspicious activity detected - Host header is a nume...")
 
m (Description)
Line 9: Line 9:
 
= Description =
 
= Description =
  
This rule detects when a request is made to an IP address on the web server, as opposed to a host name.  For example, if the servers IP address was 1.2.3.4, and the hosts name was www.example.com.  If a web browser made a request to "www.example.com", this rule would not be triggered, however if the client made a request for the actual IP address, 1.2.3.4, this rule would be triggered.
+
This rule detects when a request is made to an IP address on the web server, as opposed to a host name.  For example, if the servers IP address was 1.2.3.4, and the hosts name was www.example.com.  If a client/web browser made a request to "www.example.com", this rule would not be triggered, however if the client made a request for the actual IP address, 1.2.3.4, this rule would be triggered.
  
This rule does not block traffic, it simply alerts that the connection may be suspicious.  Very few clients will ever make requests to the IP address of the system.  However, a high volume of malicious connections are made to the systems IP address, as the attackers rarely know the systems host named.
+
This rule does not block traffic, it simply alerts that the connection may be suspicious.  Very few clients make requests to the IP address of the system, most users are connecting with a hostname.  However, a high volume of malicious connections are made to systems IP address, as the attackers rarely know the systems host name(s).
  
 
If you do not want to be alerted to these cases, simply disable the rule.
 
If you do not want to be alerted to these cases, simply disable the rule.

Revision as of 15:54, 15 May 2013

Rule 331032
Status Active
Alert Message Atomicorp.com WAF Rules: Suspicious activity detected - Host header is a numeric IP address

Contents

Description

This rule detects when a request is made to an IP address on the web server, as opposed to a host name. For example, if the servers IP address was 1.2.3.4, and the hosts name was www.example.com. If a client/web browser made a request to "www.example.com", this rule would not be triggered, however if the client made a request for the actual IP address, 1.2.3.4, this rule would be triggered.

This rule does not block traffic, it simply alerts that the connection may be suspicious. Very few clients make requests to the IP address of the system, most users are connecting with a hostname. However, a high volume of malicious connections are made to systems IP address, as the attackers rarely know the systems host name(s).

If you do not want to be alerted to these cases, simply disable the rule.

If you wish to block these connections, just set this rule to Active Response in the ASL rule manager.

Troubleshooting

False Positives

None.

Tuning Guidance

If you know that this behavior is acceptable for your application, you can either disable the rule for the server, or you can disable it for the application. Because this type of request is to the systems IP address, you can not disable this type of rule for a domain, as these types of requests are to domains.

Please see the Tuning the Atomicorp WAF Rules page for basic information.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes

None.

Personal tools