Difference between revisions of "WAF 330036"
Latest revision as of 17:28, 4 October 2014
Rule ID
330036
Status
Active rule currently published.
Alert Message
Atomicorp.com WAF Rules: Suspicious User agent detected
Description
This rule detects if the user agent "indy library" is used. This client is known to be used for some malicious activity, either in the creation of bots or because the User-Agent field is forged. It is most commonly used by spammers, and less commonly by worms. If you use this user agent, then disable this rule.
False Positives
There are no known false positives with this rule. The rule looks at the User-Agent header, and if the application identifies itself as "indy library" it will trigger.
If you have examined the headers and have identified a case where the agent is not reporting that it is "indy library", please report this as a false positive. Otherwise, if you use this user agent, disable this rule for your system.
Instructions to report false positives are detailed on the Reporting False Positives wiki page.
If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.
Tuning Recommendations
If you know that this behavior is acceptable for your application, you can either disable the rule globally, or tune it so that the behavior is allowed only for specific applications or URLs.
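Before choosing between a global disable and a per-URL exception, it helps to see which endpoints and clients actually send this user agent. The script below is an added example, not part of the Atomicorp rules or tooling; it assumes access logs in the Apache/nginx "combined" format and a case-insensitive substring match on "indy library", and its sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Combined log format:
#   ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"\s*$'
)
# String named by rule 330036. Matching it case-insensitively is an assumption.
NEEDLE = "indy library"


def indy_hits(lines):
    """Yield (ip, path) for each request whose User-Agent contains NEEDLE."""
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a combined-format line: skip rather than guess
        if NEEDLE in m.group("ua").lower():
            # Drop the query string so hits group by endpoint.
            yield m.group("ip"), m.group("path").split("?", 1)[0]


def summarize(lines):
    """Return {path: Counter({ip: hits})} for requests that would trigger."""
    by_path = defaultdict(Counter)
    for ip, path in indy_hits(lines):
        by_path[path][ip] += 1
    return dict(by_path)


# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [04/Oct/2014:17:00:01 +0000] "POST /api/upload?job=7 HTTP/1.1" '
    '200 512 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '192.0.2.10 - - [04/Oct/2014:17:05:01 +0000] "POST /api/upload HTTP/1.1" '
    '200 498 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '198.51.100.7 - - [04/Oct/2014:17:06:12 +0000] "POST /contact.php HTTP/1.0" '
    '403 210 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '203.0.113.5 - - [04/Oct/2014:17:07:30 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    'not a log line',
]

if __name__ == "__main__":
    for path, ips in sorted(summarize(SAMPLE).items()):
        print(path, dict(ips))
```

If every hit comes from one known client on one endpoint, a scoped exception for that URL is enough; hits spread across unrelated paths from unknown addresses are the traffic the rule is meant to stop.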
Similar Rules
Knowledge Base Articles
None.
Outside References