Difference between revisions of "WAF 355504"

From Atomicorp Wiki
m (Similar Rules)
m
 
(One intermediate revision by one user not shown)
Line 10: Line 10:
  
 
This rules detects when an IP address connecting to your server is listed on the Atomicorp.com Threat Intelligence database.  This means the IP is a known attacker, which means it has been detected attacking other systems running [[ASL]].
 
This rules detects when an IP address connecting to your server is listed on the Atomicorp.com Threat Intelligence database.  This means the IP is a known attacker, which means it has been detected attacking other systems running [[ASL]].
 +
 +
You can lookup details on this IP address at this URL:
 +
 +
http://www.atomicrbl.com/lookup
  
 
This rule can only be triggered if you have enabled the optional MODSEC_00_THREAT ruleset, which is disabled by default.  
 
This rule can only be triggered if you have enabled the optional MODSEC_00_THREAT ruleset, which is disabled by default.  
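Review bot: In the added sentence "You can lookup details on this IP address at this URL:", "lookup" is used as a verb and should be "look up". The added link is also a bare http:// URL; if the lookup site is served over HTTPS, link to that instead.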
Line 19: Line 23:
 
If you believe this is a false positive, that is this IP address is not compromised and has not been used recently to attack other systems, please report this to us at the URL below:
 
If you believe this is a false positive, that is this IP address is not compromised and has not been used recently to attack other systems, please report this to us at the URL below:
  
http://www.atomicorp.com/report/
+
http://www.atomicbl.com/report/
  
 
==Configuration Notes==
 
==Configuration Notes==
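Review bot: The replacement report link on the added line uses the domain atomicbl.com, while the lookup link added earlier in this revision uses atomicrbl.com. Confirm which spelling is intended before saving; if the report form lives on the same site as the lookup page, the added line is missing an "r".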

Latest revision as of 13:54, 24 September 2014

Rule: 355504
Status: Active
Alert Message: Atomicorp.com WAF Rules: Threat Intelligence Match for Known attacker Source on Atomicorp Threat Intelligence RBL (TI-4)

Description

This rule detects when an IP address connecting to your server is listed in the Atomicorp.com Threat Intelligence database. This means the IP is a known attacker: it has been detected attacking other systems running ASL.

You can look up details on this IP address at this URL:

http://www.atomicrbl.com/lookup

This rule can only be triggered if you have enabled the optional MODSEC_00_THREAT ruleset, which is disabled by default.

Troubleshooting

False Positives

If you believe this is a false positive, that is, this IP address is not compromised and has not been used recently to attack other systems, please report this to us at the URL below:

http://www.atomicbl.com/report/

Configuration Notes

This ruleset requires a very fast local DNS server. If you do not have a local and fast DNS server, you should not use these rules. The system will not serve any web pages until the DNS lookup completes, and if you do not have a fast local DNS server this can give the false impression that the web server is "slow". The server itself is not impacted by the rules; it is simply waiting for the DNS server to respond to a query. When using these rules, the web server will only be as fast as the DNS server it is using.
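One way to check the resolver before enabling the ruleset is to time DNSBL-style lookups through it. The script below is an added example, not Atomicorp code: the zone `rbl.example.invalid` is a placeholder for the zone your ruleset queries, and the 20 ms budget is an assumed figure, not an Atomicorp recommendation.

```python
import ipaddress
import socket
import statistics
import time

ZONE = "rbl.example.invalid"  # placeholder: substitute the zone your ruleset queries
BUDGET_MS = 20.0              # assumed per-lookup budget, not an Atomicorp figure


def dnsbl_query_name(ip, zone=ZONE):
    """Build the DNSBL query name (RFC 5782): reversed octets or nibbles + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def time_lookup(name, resolve=socket.gethostbyname):
    """Return (elapsed_ms, listed). A 'not listed' answer still costs a round trip."""
    start = time.perf_counter()
    try:
        resolve(name)
        listed = True
    except OSError:  # socket.gaierror (NXDOMAIN, timeout) is a subclass of OSError
        listed = False
    return (time.perf_counter() - start) * 1000.0, listed


def assess(ips, resolve=socket.gethostbyname, budget_ms=BUDGET_MS):
    """Time one lookup per IP and report whether the resolver fits the budget."""
    times = sorted(time_lookup(dnsbl_query_name(ip), resolve)[0] for ip in ips)
    return {
        "median_ms": statistics.median(times),
        "worst_ms": times[-1],
        "within_budget": times[-1] <= budget_ms,
    }


if __name__ == "__main__":
    # Constructed sample addresses from documentation ranges (RFC 5737 / RFC 3849).
    sample = ["192.0.2.10", "198.51.100.7", "203.0.113.99", "2001:db8::1"]
    print(assess(sample))
```

Use addresses the resolver has not seen recently, since cached answers return quickly and hide the latency a first-time visitor's request would incur.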

Tuning Guidance

Please see the Tuning the Atomicorp WAF Rules page for basic information.

Additional Information

Similar Rules

WAF_355500

WAF_355501

WAF_355503

WAF_355506

WAF_350051

WAF_350052

WAF_350053

WAF_350054

WAF_350055

Knowledge Base Articles

None.

Outside References

None.

Notes