WAF 350000

From Atomicorp Wiki
Revision as of 12:15, 29 October 2012 by Mshinn (Talk | contribs)

Jump to: navigation, search

Rule ID

350000

Alert Message

Global RBL Match: IP is on the xbl.spamhaus.org Blacklist

Description

This optional rule detects that when an IP address connecting to your server is listed on the xbl.spamhaus.org blacklist run by the SpamHaus project.

This rule can only be triggered if you have enabled the optional MODSEC_00_RBL ruleset.

The spamhaus project describes this RBL as:

"The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits."

False Positives

If you believe this is a false positive, report this to the spamhaus project. Atomicorp does not run this RBL, and therefore can not address false positives with IPs. You can access their website here:

http://www.spamhaus.org/xbl/

Configuration Notes

This ruleset requires a very fast local DNS server. If you do not have a local and fast DNS server, you should not use RBL rules. The system will not serve up any webpages until the DNS lookup completes, and if you do not have a fast local DNS server this can result in the false impression that the web server is "slow". The server is actually not impacted by the rules, the server is simply waiting on the DNS server to respond to a query. So the web server, when using RBL rules, will only be as fast as the DNS server it is using.

Similar Rules

WAF_377777

Outside References

http://www.spamhaus.org/

Personal tools