WAF 309925
Rule 309925 | |
---|---|
Status | Active |
Alert Message | Atomicorp.com WAF Rules: Suspicious User-Agent, parenthesis closed with a semicolon |
Contents |
Description
This rules detects suspicious user agent strings. Specifically, it will detect if a user-agent strings ends with ";)". This is not a pattern used by any browser (Safari, IE, Mozilla, Opera, etc.) or web library. This pattern is typically used by attackers and spammers, and the WAF will detect these clients and will block them.
Troubleshooting
False Positives
A false positive can occur if a web application ends the user-agent header with ";)". We highly recommend you confirm this is legitimate behavior before disabling this rule. There are no known applications that do this, but plenty of malicious applications that do.
It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Tuning Guidance
Please see the Tuning the Atomicorp WAF Rules page for basic information.
Additional Information
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.
Notes
Attackers will often use invalid client user-agent headers to try to trick web administrators and applications into trusting them, or to hide activity by pretending to be a legitimate user.