Description

This rule is triggered when known vulnerability scanners and attack tools attempt to connect to the server. The following tools are detected:

• nsauditor
• n-stealth
• nessus
• network-services-auditor
• nikto
• nmap
• black window
• brutus
• bilbo
• webinspect
• webroot
• pmafind
• paros
• pavuk
• cgichk
• jasscois
• NASL scripts
• metis
• webtrends security analyzer
• w3af
• zemu attack tool
• springenwerk
• arachni
• acunetix
• havij attack tool

Troubleshooting

False Positives

There are no known false positives with this rule, however if you find that this rule is triggered for a client that is not using a vulnerability scanner or attack tool please report this to us using the procedure documented in the Reporting_False_Positives page.

Tuning Guidance

If you wish to allow connections from vulnerability scanners or attack tools we recommend you whitelist the source IPs as opposed to disabling this rule. Please see the Tuning the Atomicorp WAF Rules page for more information.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.