Difference between revisions of "HIDS 31102"

From Atomicorp Wiki
Jump to: navigation, search
(Created page with "{{Infobox |header1= Rule 31102 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = ModSecurity: Access denied with code 400. Too many threads }} = Description ...")

Revision as of 21:06, 26 September 2013

Rule 31102
Status Active
Alert Message ModSecurity: Access denied with code 400. Too many threads

Contents

Description

This rule is triggered when a a single IP has opened too many connections to the server, and they are in a READ state. This condition is extremely unusual for a normal client, and occurs when an attack is trying to use up all the threads on the server to prevent it from servicing any other clients. This occurs when a slowloris attack is occuring.

This rule does not block anything, it simply reports when apache has stopped accepting READ requests from a client.

Troubleshooting

False Positives

There are no known false positives with this rule. The rule looks for when 11 or more threads from a single client IP are in the READ state.

Tuning Guidance

None.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Personal tools