Difference between revisions of "HIDS 31102"
From Atomicorp Wiki
(Created page with "{{Infobox |header1= Rule 31102 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = ModSecurity: Access denied with code 400. Too many threads }} = Description ...") |
Revision as of 21:06, 26 September 2013
Rule 31102 | |
---|---|
Status | Active |
Alert Message | ModSecurity: Access denied with code 400. Too many threads |
Contents |
Description
This rule is triggered when a a single IP has opened too many connections to the server, and they are in a READ state. This condition is extremely unusual for a normal client, and occurs when an attack is trying to use up all the threads on the server to prevent it from servicing any other clients. This occurs when a slowloris attack is occuring.
This rule does not block anything, it simply reports when apache has stopped accepting READ requests from a client.
Troubleshooting
False Positives
There are no known false positives with this rule. The rule looks for when 11 or more threads from a single client IP are in the READ state.
Tuning Guidance
None.
Additional Information
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.