Difference between revisions of "WAF 330793"
(Created page with "'''Rule ID''' 340162 '''Status''' Active rule currently published. '''Alert Message''' Multipart request body failed strict validation '''Description''' This is no...") |
m |
||
Line 1: | Line 1: | ||
− | '''Rule ID | + | '''Rule ID'' |
− | + | 330793 | |
'''Status''' | '''Status''' |
Latest revision as of 13:02, 12 August 2014
'Rule ID
330793
Status
Active rule currently published.
Alert Message
Multipart request body failed strict validation
Description
This is not a rule. This is an internal error from the multipart assembly engine in the WAF.
When this error occurs, the alert will also include a line similar to this:
msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM , IQ 1, IH 0, IP 0, FL 0
Each capitalized two letter combination indicates what the specific invalid condition, or conditions are for the invalid multipart request. A "0" means that error does not exist, a "1" means that error does. So in the example above the invalid request has an IQ error. These are further documented below:
Code | Error |
---|---|
PE | REQBODY_PROCESSOR_ERROR |
BQ | MULTIPART_BOUNDARY_QUOTED |
BW | MULTIPART_BOUNDARY_WHITESPACE |
DB | MULTIPART_DATA_BEFORE |
DA | MULTIPART_DATA_AFTER |
HF | MULTIPART_HEADER_FOLDING |
LF | MULTIPART_LF_LINE |
SM | MULTIPART_SEMICOLON_MISSING |
IQ | MULTIPART_INVALID_QUOTING |
IH | MULTIPART_INVALID_HEADER_FOLDING |
IP | MULTIPART_INVALID_PART |
FL | MULTIPART_FILE_LIMIT_EXCEEDED |
False Positives
None. There are no valid conditions when this can occur. If you are seeing this error, it means the multi-part request is invalid.
Tuning Guidance
None. Do not disable this rule. This will allow attackers to bypass the WAF. Instead you should investigate your application, server and client to determine which specific type of issue this multipart message has and why the client, application or server is generating these invalid messages.
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.