WAF 330072

From Atomicorp Wiki
Revision as of 14:47, 4 March 2012 by Mshinn (Talk | contribs)


Rule ID

330072

Status

Active rule currently published.

Alert Message

Atomicorp.com WAF Rules: Comment Spammer User Agent (Fake IE)

Description

This rule detects a connecting client that reports a "User Agent" known to be fake. Specifically, it detects clients that claim to be using Internet Explorer but whose reported information is clearly fake.

Attackers and spammers sometimes use fake user-agent strings either to hide the real software they are using or in the hope of fooling web applications into believing a legitimate user is connecting.
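
The kind of check this rule describes, as an added example that is not Atomicorp's rule logic: it classifies User-Agent values by whether the claimed Internet Explorer version could exist. The function names, the accepted version range (MSIE 1 through 10) and the sample headers are assumptions made for illustration.

```python
import re

# Assumption: Internet Explorer sent the "MSIE <major>.<minor>" token in
# versions 1 through 10 (IE 11 dropped the token), so other majors are fake.
VALID_MSIE_MAJORS = range(1, 11)

# Text after "MSIE " up to the next ';' or ')'.
MSIE_TOKEN = re.compile(r"\bMSIE\s+([^;)]*)", re.IGNORECASE)
# Version shapes such as 6.0, 5.01 or 7.0b.
VERSION = re.compile(r"(\d{1,5})\.(\d{1,4})[a-z]?")


def classify_user_agent(ua):
    """Return 'not-ie', 'plausible-ie' or 'fake-ie' for one User-Agent value."""
    tokens = MSIE_TOKEN.findall(ua)
    if not tokens:
        return "not-ie"
    # A header can carry more than one MSIE token; check every one.
    for raw in tokens:
        match = VERSION.fullmatch(raw.strip())
        if match is None or int(match.group(1)) not in VALID_MSIE_MAJORS:
            return "fake-ie"
    return "plausible-ie"


def flag_fake_ie(user_agents):
    """Return the User-Agent values that claim an impossible IE version."""
    return [ua for ua in user_agents if classify_user_agent(ua) == "fake-ie"]


# Constructed sample headers, not taken from real traffic.
SAMPLE_USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "Mozilla/4.0 (compatible; MSIE 9999.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; "
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))",
    "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0",
    "Mozilla/4.0 (compatible; MSIE 12; Windows NT 6.1)",
]

if __name__ == "__main__":
    for ua in flag_fake_ie(SAMPLE_USER_AGENTS):
        print("fake IE user agent:", ua)
```
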

False Positives

A false positive can occur if a user's client software deliberately creates a fake and invalid user-agent string. It's important to note that this rule does not trigger if a client uses a valid Internet Explorer version string. It only detects cases where the reported information is completely fake, for example a client reporting that it is running "Internet Explorer 9999". There is no version "9999" of Internet Explorer.

We do not recommend disabling this rule if you have a false positive. If you believe this is a false positive, please report it to our security team so they can determine whether it is a legitimate case or a clever attack on your system. Instructions for reporting false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Tuning Guidance

If you know that this behavior is acceptable for your application, you can tune the rule by following the basic guidance on the Tuning the Atomicorp WAF Rules page.

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.
