WAF 330793

From Atomicorp Wiki
Revision as of 12:20, 30 March 2013 by Mshinn (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Rule ID

340162

Status

Active rule currently published.

Alert Message

Multipart request body failed strict validation

Description

This is not a rule. This is an internal error from the multipart assembly engine in the WAF.

When this error occurs, the alert will also include a line similar to this:


msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM , IQ 1, IH 0, IP 0, FL 0

Each capitalized two letter combination indicates what the specific invalid condition, or conditions are for the invalid multipart request. A "0" means that error does not exist, a "1" means that error does. So in the example above the invalid request has an IQ error. These are further documented below:


Code Error
PE REQBODY_PROCESSOR_ERROR
BQ MULTIPART_BOUNDARY_QUOTED
BW MULTIPART_BOUNDARY_WHITESPACE
DB MULTIPART_DATA_BEFORE
DA MULTIPART_DATA_AFTER
HF MULTIPART_HEADER_FOLDING
LF MULTIPART_LF_LINE
SM MULTIPART_SEMICOLON_MISSING
IQ MULTIPART_INVALID_QUOTING
IH MULTIPART_INVALID_HEADER_FOLDING
IP MULTIPART_INVALID_PART
FL MULTIPART_FILE_LIMIT_EXCEEDED


False Positives

None. There are no valid conditions when this can occur. If you are seeing this error, it means the multi-part request is invalid.

Tuning Guidance

None. Do not disable this rule. This will allow attackers to bypass the WAF. Instead you should investigate your application, server and client to determine which specific type of issue this multipart message has and why the client, application or server is generating these invalid messages.

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Personal tools