Difference between revisions of "WAF 350000"
m |
m |
||
(4 intermediate revisions by one user not shown) | |||
Line 9: | Line 9: | ||
'''Description''' | '''Description''' | ||
− | This | + | This optional rule detects that when an IP address connecting to your server is listed on the xbl.spamhaus.org blacklist run by the SpamHaus project. |
+ | |||
+ | This rule can only be triggered if you have enabled the optional MODSEC_00_RBL ruleset, which is disabled by default. | ||
+ | |||
+ | The spamhaus project describes this RBL as: | ||
"The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits." | "The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits." | ||
Line 15: | Line 19: | ||
'''False Positives''' | '''False Positives''' | ||
− | + | If you believe this is a false positive, '''report this to the spamhaus project.''' '''Atomicorp does not run this RBL, and therefore can not address false positives with IPs.''' You can access their website here: | |
http://www.spamhaus.org/xbl/ | http://www.spamhaus.org/xbl/ | ||
+ | |||
+ | ''Configuration Notes'' | ||
+ | |||
+ | This ruleset requires a very fast local DNS server. If you do not have a local and fast DNS server, you should not use RBL rules. The system will not serve up any webpages until the DNS lookup completes, and if you do not have a fast local DNS server this can result in the false impression that the web server is "slow". The server is actually not impacted by the rules, the server is simply waiting on the DNS server to respond to a query. So the web server, when using RBL rules, will only be as fast as the DNS server it is using. | ||
'''Similar Rules''' | '''Similar Rules''' | ||
− | [WAF_377777] | + | [[WAF_377777]] |
'''Outside References''' | '''Outside References''' | ||
http://www.spamhaus.org/ | http://www.spamhaus.org/ |
Latest revision as of 18:21, 25 September 2013
Rule ID
350000
Alert Message
Global RBL Match: IP is on the xbl.spamhaus.org Blacklist
Description
This optional rule detects that when an IP address connecting to your server is listed on the xbl.spamhaus.org blacklist run by the SpamHaus project.
This rule can only be triggered if you have enabled the optional MODSEC_00_RBL ruleset, which is disabled by default.
The spamhaus project describes this RBL as:
"The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits."
False Positives
If you believe this is a false positive, report this to the spamhaus project. Atomicorp does not run this RBL, and therefore can not address false positives with IPs. You can access their website here:
Configuration Notes
This ruleset requires a very fast local DNS server. If you do not have a local and fast DNS server, you should not use RBL rules. The system will not serve up any webpages until the DNS lookup completes, and if you do not have a fast local DNS server this can result in the false impression that the web server is "slow". The server is actually not impacted by the rules, the server is simply waiting on the DNS server to respond to a query. So the web server, when using RBL rules, will only be as fast as the DNS server it is using.
Similar Rules
Outside References