WAF 309925
| Rule 309925 | |
|---|---|
| Status | Active |
| Alert Message | Atomicorp.com WAF Rules: Suspicious User-Agent, parenthesis closed with a semicolon |
Description
This rule detects suspicious user-agent strings. Specifically, it detects a user-agent string that ends with ";)". This is not a pattern used by any browser (Safari, IE, Mozilla, Opera, etc.) or web library. When known browsers and web libraries use the ";" character, they place it outside the parentheses, for example using the pattern ");".
The suspicious pattern is typically used by attackers and spammers when they make an error attempting to impersonate a legitimate user-agent. The WAF will detect these clients and will block them by default.
Troubleshooting
False Positives
A false positive can occur if a web application ends the user-agent header with ";)". We highly recommend you confirm this is legitimate behavior before disabling this rule. There are no known legitimate applications that do this, but plenty of malicious applications that do.
It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report it to our security team so we can determine whether it is a legitimate case or a clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
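Before reporting a suspected false positive, it helps to know which clients in your access logs actually send a user-agent ending in ";)". The following is an added example, not Atomicorp's rule logic: it assumes Combined Log Format, and the names `audit` and `is_suspicious_ua` and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed input: Combined Log Format
#   ip ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'   # quoted field, tolerating backslash-escaped quotes
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ '
    + QUOTED + ' ' + QUOTED + r'\s*$'
)

def is_suspicious_ua(ua: str) -> bool:
    """True when the User-Agent ends with ';)' (semicolon just inside the
    closing parenthesis). Approximates the behaviour the rule page describes."""
    return ua.endswith(";)")

def audit(lines):
    """Count (client_ip, user_agent) pairs whose User-Agent ends with ';)'.
    Lines that do not parse as Combined Log Format are skipped."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m and is_suspicious_ua(m.group(4)):
            hits[(m.group(1), m.group(4))] += 1
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 128 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" 403 0 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /a HTTP/1.1" 404 0 "-" '
    '"ExampleBot/1.0 (+http://example.com/bot);"',
    'not a log line',
]

if __name__ == "__main__":
    for (ip, ua), count in audit(SAMPLE).most_common():
        print(f"{count:5d}  {ip}  {ua}")
```

A client that appears here and that you recognise as one of your own applications is the case worth including in the false positive report.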
Tuning Guidance
Please see the Tuning the Atomicorp WAF Rules page for basic information.
Additional Information
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.
Notes
Attackers will often use invalid client user-agent headers to try to trick web administrators and applications into trusting them, or to hide activity by pretending to be a legitimate user.