WAF 331030

From Atomicorp Wiki
Latest revision as of 10:49, 14 April 2014

Rule: 331030
Status: Active
Alert Message: Atomicorp.com WAF Rules: Suspicious activity detected - HTTP Request Missing a Host Header


Description

This rule is triggered when a connection does not use a Host: header. This can happen in one of two ways:

  1. A client connects directly to the IP address of the system (localhost connections are ignored)
  2. A client directly connects to the HTTP port, and does not request resources from any domain hosted on the system

This rule does not block or shun. It merely alerts when this occurs. If you wish to shun these events, just set Active Response in the ASL rule manager for rule 331030 to "yes".

Attackers are known to send HTTP requests to the IP address of a server when they do not know what vhosts or domains are hosted on the server. It is very rare for a non-malicious user to send a request to a web server for an IP address, as opposed to for a host. However, this may occur in some rare cases, which is why this rule does not shun by default.

You should investigate this event as it may be part of a broader attack. If you wish to shun on this event, just set active response on this rule to yes. For most hosting servers that host actual named sites (e.g. www.example.com), it is generally safe to shun on this rule.
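The following is an added example, not the Atomicorp rule itself: a small Python checker that approximates the logic described above (alert when the Host: header is absent or names a bare IP address, ignore loopback) and runs it over a few constructed sample requests. The function and sample names are my own.

```python
import ipaddress
from typing import Optional


def parse_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP request into its request line and a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def host_header_finding(raw: bytes) -> Optional[str]:
    """Return an alert reason, or None when the request names a hosted site.

    Approximation of rule 331030 as the wiki describes it (assumption, not the
    vendor's implementation): alert on a missing Host header or on a Host that
    is an IP literal; loopback addresses are ignored like localhost connections.
    """
    _, headers = parse_request(raw)
    host = headers.get("host")
    if host is None:
        return "missing Host header"
    # Strip an optional :port suffix; bracketed IPv6 literals are handled too.
    if host.startswith("[") and "]" in host:
        hostname = host[1:host.index("]")]
    else:
        hostname = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        return None  # a domain name: the client asked for a hosted vhost
    if addr.is_loopback:
        return None  # localhost connections are ignored by the rule
    return f"request addressed to IP literal {hostname}"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "named_vhost": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "no_host":     b"GET / HTTP/1.0\r\nUser-Agent: scanner\r\n\r\n",
    "ip_literal":  b"GET / HTTP/1.1\r\nHost: 192.0.2.10:80\r\n\r\n",
    "loopback":    b"GET /status HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n",
}


def scan_samples() -> dict[str, Optional[str]]:
    """Run the check over every sample and return name -> finding (None = ok)."""
    return {name: host_header_finding(raw) for name, raw in SAMPLES.items()}
```

What to do with a finding (alert only, or active response) is left to the caller, matching the rule's alert-only default.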

Troubleshooting

False Positives

There are no known false positives with this rule. The rule looks for when the Host: header is missing.

Attackers will sometimes connect to the IP address on the system when they do not know what domains or hosts are hosted on the system. If you wish to allow this, disable this rule.

Tuning Guidance

Please see the Tuning the Atomicorp WAF Rules page for more information if you wish to disable or modify this rule.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.
