Difference between revisions of "HIDS 31102"

From Atomicorp Wiki
Jump to: navigation, search
m (Description)
m
Line 11: Line 11:
 
This rule is triggered when a a single IP has opened too many connections to the server (11 or more), and they are in a READ state.  This condition is extremely unusual for a normal client, and occurs when an attacker is trying to use up all the threads on the server to prevent it from servicing any other clients.  This occurs when a slowloris attack is occuring.
 
This rule is triggered when a a single IP has opened too many connections to the server (11 or more), and they are in a READ state.  This condition is extremely unusual for a normal client, and occurs when an attacker is trying to use up all the threads on the server to prevent it from servicing any other clients.  This occurs when a slowloris attack is occuring.
  
This rule does not block anything, it simply reports when apache has stopped accepting READ requests from a client.
+
This rule does not block anything, it simply reports when apache has stopped accepting READ requests from a client.  You can configure this limit by following the Tuning Guidance below.
  
 
= Troubleshooting =
 
= Troubleshooting =
Line 21: Line 21:
 
== Tuning Guidance ==
 
== Tuning Guidance ==
  
None.
+
This limit is configured by this setting:
 +
 
 +
https://www.atomicorp.com/wiki/index.php/ASL_WAF#WAF_READSTATELIMIT
  
 
= Additional Information =
 
= Additional Information =

Revision as of 15:57, 29 September 2013

Rule 31102
Status Active
Alert Message ModSecurity: Access denied with code 400. Too many threads

Contents

Description

This rule is triggered when a a single IP has opened too many connections to the server (11 or more), and they are in a READ state. This condition is extremely unusual for a normal client, and occurs when an attacker is trying to use up all the threads on the server to prevent it from servicing any other clients. This occurs when a slowloris attack is occuring.

This rule does not block anything, it simply reports when apache has stopped accepting READ requests from a client. You can configure this limit by following the Tuning Guidance below.

Troubleshooting

False Positives

There are no known false positives with this rule. The rule looks for when 11 or more threads from a single client IP are in the READ state.

Tuning Guidance

This limit is configured by this setting:

https://www.atomicorp.com/wiki/index.php/ASL_WAF#WAF_READSTATELIMIT

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Personal tools