Difference between revisions of "HIDS 31102"

From Atomicorp Wiki
(Created page with "{{Infobox |header1= Rule 31102 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = ModSecurity: Access denied with code 400. Too many threads }} = Description ...")
 
m (Tuning Guidance)
 
(16 intermediate revisions by one user not shown)

Latest revision as of 10:23, 25 January 2014

Rule 31102
Status: Active
Alert Message: ModSecurity: Access denied with code 400. Too many threads


Description

This rule is triggered when a single IP has opened too many connections to the Apache web server in a READ state. This condition is unusual for a normal client, and occurs either when an attacker is trying to use up all the threads on the server to prevent it from servicing any other clients (Denial of Service attack) or when a single IP legitimately needs to open an unusually high number of READ connections.

This alert will also occur when a Slowloris attack is in progress.

This rule reports when Apache has stopped accepting READ requests from a client. You can configure this limit by following the Tuning Guidance below.

Log example

[warn] ModSecurity: Access denied with code 400. Too many threads [11] of 10 allowed in READ state from 1.2.3.4 - Possible DoS Consumption Attack [Rejected

Troubleshooting

False Positives

The rule alerts when the configured WAF_READSTATELIMIT value is exceeded. The rule does not cause this event to occur; it only reports when it occurs.

Disabling this rule will not prevent this event from occurring; it will only prevent ASL from alerting you that it is occurring.

We do not recommend you disable this rule. If you do not wish to shun on this rule, just change the Rules configuration for Active Response to "no". See below for tuning guidance if the default READ state limit is too low for your system.

Tuning Guidance

This limit is configured by this setting:

https://www.atomicorp.com/wiki/index.php/ASL_WAF#WAF_READSTATELIMIT

Increasing this limit may make your system vulnerable to Slowloris attacks. Setting it too low may prevent legitimate clients from being able to connect to your system.
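The following is an added example, not part of the Atomicorp wiki or ASL itself. It parses the ModSecurity "Too many threads" message shown in the Log example above into its fields (thread count, configured limit, connection state, source IP), counts alerts per source IP, and flags lines whose logged limit disagrees with the WAF_READSTATELIMIT value you believe is configured, which is a quick way to confirm a tuning change actually took effect. The regex group names and the sample log lines are constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Matches the message that rule 31102 reports on; the bracketed count and
# the "of N allowed" limit follow the log format shown on this page.
READSTATE_RE = re.compile(
    r"ModSecurity: Access denied with code (?P<code>\d+)\. "
    r"Too many threads \[(?P<threads>\d+)\] of (?P<limit>\d+) allowed "
    r"in (?P<state>\w+) state from (?P<ip>[0-9a-fA-F.:]+)"
)

@dataclass
class ReadStateEvent:
    code: int
    threads: int
    limit: int
    state: str
    ip: str

def parse_event(line: str) -> Optional[ReadStateEvent]:
    """Return the parsed event, or None if the line is not a 31102-style alert."""
    m = READSTATE_RE.search(line)
    if not m:
        return None
    return ReadStateEvent(int(m["code"]), int(m["threads"]), int(m["limit"]), m["state"], m["ip"])

def summarize(lines, configured_limit: int):
    """Count alerts per source IP and collect lines whose logged limit differs from
    the WAF_READSTATELIMIT the operator expects. Returns (per-IP counts, mismatches)."""
    per_ip = Counter()
    mismatched = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unrelated Apache/ModSecurity log line
        per_ip[ev.ip] += 1
        if ev.limit != configured_limit:
            mismatched.append(line)
    return per_ip, mismatched

# Constructed sample lines (not real traffic); the first mirrors the page's example.
SAMPLE_LOG = [
    "[warn] ModSecurity: Access denied with code 400. Too many threads [11] of 10 allowed in READ state from 1.2.3.4 - Possible DoS Consumption Attack [Rejected",
    "[warn] ModSecurity: Access denied with code 400. Too many threads [12] of 10 allowed in READ state from 1.2.3.4 - Possible DoS Consumption Attack [Rejected",
    "[notice] Apache/2.2 configured -- resuming normal operations",
    "[warn] ModSecurity: Access denied with code 400. Too many threads [101] of 100 allowed in READ state from 203.0.113.9 - Possible DoS Consumption Attack [Rejected",
]
```

Run `summarize(SAMPLE_LOG, configured_limit=10)` to see one IP repeatedly tripping the limit and one line logged against a different limit than expected.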

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Notes

The default limit in ASL3 is 10; the default limit in ASL4 is 100. ASL4 contains additional safeguards against Denial of Service attacks and can safely allow a higher limit without a decrease in protection.

Outside References

None.
