Difference between revisions of "HIDS 31102"

From Atomicorp Wiki

Revision as of 22:07, 26 September 2013

Rule 31102
Status: Active
Alert Message: ModSecurity: Access denied with code 400. Too many threads


Description

This rule is triggered when a single IP has opened too many connections to the server (11 or more) and they are in a READ state. This condition is extremely unusual for a normal client and occurs when an attacker is trying to use up all the threads on the server to prevent it from servicing any other clients, which is the pattern of a slowloris attack.

This rule does not block anything; it simply reports when Apache has stopped accepting READ requests from a client.

Troubleshooting

False Positives

There are no known false positives with this rule. The rule looks for when 11 or more threads from a single client IP are in the READ state.
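The READ-state count described above and in the Description, written out as an added example that is not part of the Atomicorp page or its rule set: it counts per-IP workers in the READ state over a constructed scoreboard-style listing and reports clients at or above the threshold of 11, while ignoring clients that hold many connections in other states. The "slot mode client" line format is an assumption for this example, loosely modelled on the Apache mod_status extended scoreboard.

```python
from collections import Counter

# Threshold given on this wiki page: 11 or more threads from one client IP in READ state.
READ_THRESHOLD = 11

# Constructed sample (not real data), loosely modelled on an Apache mod_status extended
# scoreboard: "<slot> <mode> <client>", where mode 'R' = reading request (the READ state),
# 'W' = sending reply, 'K' = keepalive, '_' = idle worker with no client column.
SAMPLE_SCOREBOARD = "\n".join(
    ["0-%d R 203.0.113.7" % i for i in range(12)]        # 12 half-open reads: slowloris pattern
    + ["1-%d R 198.51.100.4" % i for i in range(3)]      # a few reads: ordinary burst
    + ["2-%d K 192.0.2.25" % i for i in range(11)]       # 11 keepalives: busy, but not READ
    + ["3-0 W 198.51.100.4", "3-1 _", "3-2 _"]
)


def parse_scoreboard(text):
    """Return (mode, client) pairs; idle slots without a client column are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        records.append((fields[1], fields[2]))
    return records


def count_read_per_client(records):
    """Count only workers in the READ ('R') state, keyed by client IP."""
    return Counter(client for mode, client in records if mode == "R")


def flag_read_exhaustion(records, threshold=READ_THRESHOLD):
    """Clients holding >= threshold workers in READ state, as {ip: count}."""
    counts = count_read_per_client(records)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_scoreboard(SAMPLE_SCOREBOARD)
    for ip, n in flag_read_exhaustion(recs).items():
        # Report only, as rule 31102 does; blocking is a separate decision.
        print("Too many threads in READ state from %s: %d" % (ip, n))
```

The client with 11 keepalive connections is not reported, which mirrors why the rule has no known false positives: only the READ state is counted.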

Tuning Guidance

None.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.
