Difference between revisions of "WAF 300001"

Latest revision as of 11:53, 21 June 2014

Rule ID

300001

Status

Active rule currently published.

Alert Message

Atomicorp.com WAF Rules: Abusive or Spam Domain detected in argument

Description

This rule detects whether a domain is a known abusive or spam domain. These are domains that have been used to flood sites, to abuse mailing lists or forums, or to spam trusted sources.

The rule works by detecting the use of such a domain in a request argument.

Determining what domain was blocked

Please see the Modsecurity_audit_log article about how to read modsecurity audit log events. For a 300001 event, you will want to look at the H section of the audit log entry, which will look similar to this example:

--5f3acc73-H--
Message: [file "/etc/httpd/modsecurity.d/30_asl_antispam.conf"] [line "52"]
 [id "300001"] [rev "23"] [msg "Atomicorp.com WAF Rules: Abusive or Spam Domain detected in argument"] 
[data ""] [severity "CRITICAL"] Access denied with code 403 (phase 2). 
Matched phrase "www.example.com" at ARGS:message.
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1311655548998047 492700 (405774* 492191 -)
WAF: ModSecurity for Apache/2.5.13 ( http://www.modsecurity.org/); 201107251315.
Server: Apache/2.2.18 (CentOS)

The line "Matched phrase "www.example.com" at ARGS:message." above shows the phrase that was matched, which in this case was the domain www.example.com, found in the argument named "message". Look for that line in your own audit log entry; it tells you which domain was blocked by this rule and in which argument it appeared.
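An added example (not code from the Atomicorp wiki or the ASL rule set) that pulls the rule id, message, severity and the matched phrase out of an H section like the one above, so the blocked domain can be read programmatically instead of by eye. The sample section is constructed from the page's own example; the function and its return keys are this example's own.

```python
import re
from typing import Optional

# Constructed sample: the H section shown on this page, including the
# wrapped Message line (the tag list continues on the following lines).
SAMPLE_H_SECTION = """--5f3acc73-H--
Message: [file "/etc/httpd/modsecurity.d/30_asl_antispam.conf"] [line "52"]
 [id "300001"] [rev "23"] [msg "Atomicorp.com WAF Rules: Abusive or Spam Domain detected in argument"]
[data ""] [severity "CRITICAL"] Access denied with code 403 (phase 2).
Matched phrase "www.example.com" at ARGS:message.
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1311655548998047 492700 (405774* 492191 -)
WAF: ModSecurity for Apache/2.5.13 ( http://www.modsecurity.org/); 201107251315.
Server: Apache/2.2.18 (CentOS)
"""

# ModSecurity writes its metadata as [name "value"] tags.
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# The phrase that triggered the rule and the variable it was found in.
MATCH_RE = re.compile(r'Matched phrase "([^"]*)" at (\S+?)\.?\s*$', re.MULTILINE)


def parse_h_section(section: str) -> dict:
    """Return the rule tags and the matched phrase from one audit-log H section."""
    # Join the wrapped lines so the whole Message record is scanned at once.
    body = " ".join(line.strip() for line in section.splitlines())
    tags = dict(TAG_RE.findall(body))
    phrase = MATCH_RE.search(section)
    return {
        "file": tags.get("file"),
        "id": tags.get("id"),
        "rev": tags.get("rev"),
        "msg": tags.get("msg"),
        "severity": tags.get("severity"),
        "matched_phrase": phrase.group(1) if phrase else None,
        "variable": phrase.group(2).rstrip(".") if phrase else None,
    }


def blocked_domain(section: str) -> Optional[str]:
    """For a 300001 event the matched phrase is the blocklisted domain itself."""
    info = parse_h_section(section)
    return info["matched_phrase"] if info["id"] == "300001" else None
```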

False Positives

A false positive can occur when a domain match is not bounded (the parallel matching technique used for the blocklist searches is a substring search, so a listed domain also matches when it appears inside a longer string), or if a domain was previously used to abuse or spam and is no longer engaging in this activity.

It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report it to our security team so we can determine whether it is a legitimate case or a clever attack on your system. Instructions for reporting false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
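An added example (not part of the wiki page or the ASL rules) that illustrates the "not bounded" false positive described above: an unbounded substring search, which is how parallel matching behaves, is compared with a bounded check that only flags a whole hostname equal to, or a subdomain of, a listed domain. The blocklist and argument values are constructed; `triage` is this example's own helper for sorting reported hits before sending them to the security team.

```python
import re
from typing import List, Optional

# Constructed blocklist for illustration; the real list is the file named in
# the rule's [file "..."] tag, not this one.
BLOCKLIST = ["example.com", "spam.example.net"]

# A hostname token that starts and ends at a non-hostname character.
HOST_RE = re.compile(r'(?<![A-Za-z0-9.-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?![A-Za-z0-9-])')


def parallel_match(value: str, blocklist: List[str]) -> Optional[str]:
    """Unbounded substring search: any listed string anywhere in the value hits."""
    lowered = value.lower()
    for domain in blocklist:
        if domain in lowered:
            return domain
    return None


def bounded_match(value: str, blocklist: List[str]) -> Optional[str]:
    """Flag only when a whole hostname in the value is a listed domain or a subdomain of it."""
    for host in HOST_RE.findall(value.lower()):
        for domain in blocklist:
            if host == domain or host.endswith("." + domain):
                return domain
    return None


def triage(value: str, blocklist: List[str] = BLOCKLIST) -> str:
    """Classify an argument value that rule 300001 blocked.

    'bounded_hit'      - the listed domain appears as a real hostname
    'unbounded_only'   - the hit is a substring of a longer token (likely the
                         'not bounded' false positive described on the page)
    'no_hit'           - nothing in the list appears at all
    """
    if bounded_match(value, blocklist):
        return "bounded_hit"
    if parallel_match(value, blocklist):
        return "unbounded_only"
    return "no_hit"
```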

Tuning Guidance

If you know that this behavior is acceptable for your application, please see the Tuning the Atomicorp WAF Rules page for basic information.

Similar Rules


Knowledge Base Articles

https://www.atomicorp.com/wiki/index.php/ASL_FAQ#How_are_spam_domains_added.3F

https://www.atomicorp.com/wiki/index.php/ASL_FAQ#How_are_spam_domains_aged_out.3F

https://www.atomicorp.com/wiki/index.php/ASL_FAQ#Do_you_use_third_party_spam_domain_lists.3F

Outside References

None.
