https://wiki.atomicorp.com/wiki/index.php?title=WAF_300001&feed=atom&action=history
WAF 300001 - Revision history (updated 2024-03-28T14:12:51Z)
Revision history for this page on the wiki
MediaWiki 1.20.2

https://wiki.atomicorp.com/wiki/index.php?title=WAF_300001&diff=4948&oldid=prev
Mshinn at 16:53, 21 June 2014 (2014-06-21T16:53:57Z)
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 16:53, 21 June 2014</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 23:</td>
<td colspan="2" class="diff-lineno">Line 23:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div><pre>--5f3acc73-H--</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div><pre>--5f3acc73-H--</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Message: [file "/etc/httpd/modsecurity.d/30_asl_antispam.conf"] [line "52"]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Message: [file "/etc/httpd/modsecurity.d/30_asl_antispam.conf"] [line "52"]</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>  [id "300001"] [rev "23"] [msg "Atomicorp.com WAF Rules: <del class="diffchange diffchange-inline">Blacklist </del>Spam Domain"]  </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>  [id "300001"] [rev "23"] [msg "Atomicorp.com WAF Rules: <ins class="diffchange diffchange-inline">Abusive or </ins>Spam Domain <ins class="diffchange diffchange-inline">detected in argument</ins>"]  </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[data ""] [severity "CRITICAL"] Access denied with code 403 (phase 2).  </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[data ""] [severity "CRITICAL"] Access denied with code 403 (phase 2).  </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Matched phrase "www.example.com" at ARGS:message.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Matched phrase "www.example.com" at ARGS:message.</div></td></tr>
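Review bot: the sample H-section line now shows the new msg text but keeps [rev "23"] and [line "52"] unchanged; if the message was changed in a newer release of 30_asl_antispam.conf, the rev (and the line number, if it moved) in this example should be updated to the revision that actually emits this msg, otherwise a reader comparing the example against their own audit log sees a rev that never produced this message.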
</table>
Mshinn

https://wiki.atomicorp.com/wiki/index.php?title=WAF_300001&diff=4947&oldid=prev
Mshinn at 16:49, 21 June 2014 (2014-06-21T16:49:24Z)
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 16:49, 21 June 2014</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 9:</td>
<td colspan="2" class="diff-lineno">Line 9:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Alert Message'''   </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Alert Message'''   </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>Atomicorp.com WAF Rules: <del class="diffchange diffchange-inline">Blacklist </del>Spam Domain</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>Atomicorp.com WAF Rules: <ins class="diffchange diffchange-inline">Abusive or </ins>Spam Domain <ins class="diffchange diffchange-inline">detected in argument</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Description'''   </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Description'''   </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>This rule detects if a domain is <del class="diffchange diffchange-inline">on the </del>spam <del class="diffchange diffchange-inline">blacklist</del>.  These are domains that have been used <del class="diffchange diffchange-inline">to spam </del>either <del class="diffchange diffchange-inline">honeypots operated by Atomicorp </del>or <del class="diffchange diffchange-inline">other </del>trusted sources.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>This rule detects if a domain is <ins class="diffchange diffchange-inline">either a known abusive or </ins>spam <ins class="diffchange diffchange-inline">domains</ins>.  These are domains that have been used either <ins class="diffchange diffchange-inline">to flood sites, abuse mailing lists/forums </ins>or <ins class="diffchange diffchange-inline">to spam </ins>trusted sources.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This rules work by detecting the use of a the domain in an argument.   </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This rules work by detecting the use of a the domain in an argument.   </div></td></tr>
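Review bot: the new description "detects if a domain is either a known abusive or spam domains" mixes singular and plural and drops the original explanation of where the list comes from; suggest "detects if a domain in a request argument is a known abusive or spam domain" and keeping a pointer to how the list is built (the ASL FAQ links in the Knowledge Base Articles section). The unchanged context line "This rules work by detecting the use of a the domain in an argument." still carries the grammar slip and should read "This rule works by detecting the use of the domain in an argument."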
<tr><td colspan="2" class="diff-lineno">Line 36:</td>
<td colspan="2" class="diff-lineno">Line 36:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''False Positives'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''False Positives'''</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>A false positive can occur when a domain is not bounded, due to the parallel matching technique used to do the blocklist searches, or if a domain has previously been used to spam and is no longer engaging in this activity.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>A false positive can occur when a domain is not bounded, due to the parallel matching technique used to do the blocklist searches, or if a domain has previously been used to <ins class="diffchange diffchange-inline">abuse or </ins>spam and is no longer engaging in this activity.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>It is not recommended that you disable this rule if you have a false positive.  If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system.  Instructions to report false positives are detailed on the [[Reporting False Positives]] wiki page.  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>It is not recommended that you disable this rule if you have a false positive.  If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system.  Instructions to report false positives are detailed on the [[Reporting False Positives]] wiki page.  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.</div></td></tr>
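Review bot: "not bounded, due to the parallel matching technique" is the sentence a tuner most needs and it is left unexplained in this revision; suggest adding that a phrase-list search is a substring match, so a listed domain also fires when it appears inside a longer, unrelated hostname. The unchanged line "or if its clever attack on your system" should read "or if it is a clever attack on your system".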
</table>
Mshinn

https://wiki.atomicorp.com/wiki/index.php?title=WAF_300001&diff=1803&oldid=prev
Mshinn at 16:17, 1 August 2011 (2011-08-01T16:17:14Z)
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 16:17, 1 August 2011</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 25:</td>
<td colspan="2" class="diff-lineno">Line 25:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>  [id "300001"] [rev "23"] [msg "Atomicorp.com WAF Rules: Blacklist Spam Domain"]  </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>  [id "300001"] [rev "23"] [msg "Atomicorp.com WAF Rules: Blacklist Spam Domain"]  </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[data ""] [severity "CRITICAL"] Access denied with code 403 (phase 2).  </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[data ""] [severity "CRITICAL"] Access denied with code 403 (phase 2).  </div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">'''</del>Matched phrase "www.example.com" at ARGS:message.<del class="diffchange diffchange-inline">'''</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>Matched phrase "www.example.com" at ARGS:message.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Action: Intercepted (phase 2)</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Action: Intercepted (phase 2)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Apache-Handler: php5-script</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Apache-Handler: php5-script</div></td></tr>
<tr><td colspan="2" class="diff-lineno">Line 32:</td>
<td colspan="2" class="diff-lineno">Line 32:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Server: Apache/2.2.18 (CentOS)</pre></div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Server: Apache/2.2.18 (CentOS)</pre></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>The <del class="diffchange diffchange-inline">highted section </del>above shows the phrase that was matched, which in this case was the domain www.example.com.  Please look for that line your audit log entry, which will show you which domain was blocked by this rule.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>The <ins class="diffchange diffchange-inline">element "Matched phrase "www.example.com" at ARGS:message." </ins>above shows the phrase that was matched, which in this case was the domain www.example.com.  Please look for that line your audit log entry, which will show you which domain was blocked by this rule.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''False Positives'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''False Positives'''</div></td></tr>
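Review bot: replacing "highted section" with the literal line text is the right fix, since wikitext bold is not rendered inside &lt;pre&gt;, but the nested double quotes in "The element "Matched phrase "www.example.com" at ARGS:message." above" are hard to parse; put the quoted line in &lt;code&gt;...&lt;/code&gt; or use single quotes on the outside. "Please look for that line your audit log entry" is still missing "in".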
</table>
Mshinn

https://wiki.atomicorp.com/wiki/index.php?title=WAF_300001&diff=1802&oldid=prev
Mshinn at 16:16, 1 August 2011 (2011-08-01T16:16:17Z)
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 16:16, 1 August 2011</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 16:</td>
<td colspan="2" class="diff-lineno">Line 16:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This rules work by detecting the use of a the domain in an argument.   </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This rules work by detecting the use of a the domain in an argument.   </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">'''Determining what domain was blocked'''</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">Please see the [[Modsecurity_audit_log]] article about how to read modsecurity audit log events.  For a 300001 event, you will want to look at the H section of the audit log entry, which will look similar to this example:</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"><pre>--5f3acc73-H--</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">Message: [file "/etc/httpd/modsecurity.d/30_asl_antispam.conf"] [line "52"]</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"> [id "300001"] [rev "23"] [msg "Atomicorp.com WAF Rules: Blacklist Spam Domain"] </ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">[data ""] [severity "CRITICAL"] Access denied with code 403 (phase 2). </ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">'''Matched phrase "www.example.com" at ARGS:message.'''</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">Action: Intercepted (phase 2)</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">Apache-Handler: php5-script</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">Stopwatch: 1311655548998047 492700 (405774* 492191 -)</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">WAF: ModSecurity for Apache/2.5.13 ( http://www.modsecurity.org/); 201107251315.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">Server: Apache/2.2.18 (CentOS)</pre></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">The highted section above shows the phrase that was matched, which in this case was the domain www.example.com.  Please look for that line your audit log entry, which will show you which domain was blocked by this rule.</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''False Positives'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''False Positives'''</div></td></tr>
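Review bot: "The highted section above" is a typo for "highlighted", and the highlight itself relies on ''' markers inside the &lt;pre&gt; block, where wikitext is not interpreted, so readers will see the literal apostrophes rather than bold text; either move the sample out of &lt;pre&gt; or refer to the "Matched phrase ... at ARGS:message." line by its text. It would also help to say that ARGS:message names the request parameter that carried the domain, which is what a tuner needs in order to scope an exception to one argument rather than the whole rule.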
</table>
Mshinn

https://wiki.atomicorp.com/wiki/index.php?title=WAF_300001&diff=1763&oldid=prev
Mshinn (2011-07-26T05:02:52Z): Created page with "'''Rule ID''' 300001 '''Status''' Active rule currently published. '''Alert Message''' Atomicorp.com WAF Rules: Blacklist Spam Domain '''Description''' This rule dete..."
<p><b>New page</b></p><div>'''Rule ID''' <br />
<br />
300001<br />
<br />
'''Status'''<br />
<br />
Active rule currently published.<br />
<br />
'''Alert Message''' <br />
<br />
Atomicorp.com WAF Rules: Blacklist Spam Domain<br />
<br />
'''Description''' <br />
<br />
This rule detects if a domain is on the spam blacklist. These are domains that have been used to spam either honeypots operated by Atomicorp or other trusted sources.<br />
<br />
This rule works by detecting the use of the domain in an argument. <br />
<br />
'''False Positives'''<br />
<br />
A false positive can occur when a listed domain is not bounded, because the parallel matching technique used for the blocklist search also matches the domain when it appears inside a longer string, or if a domain has previously been used to spam and is no longer engaging in this activity.<br />
<br />
It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if it is a clever attack on your system. Instructions to report false positives are detailed on the [[Reporting False Positives]] wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.<br />
<br />
'''Tuning Guidance'''<br />
<br />
If you know that this behavior is acceptable for your application, please see the [[Tuning the Atomicorp WAF Rules]] page for basic information.<br />
<br />
'''Similar Rules'''<br />
<br />
<br />
'''Knowledge Base Articles'''<br />
<br />
https://www.atomicorp.com/wiki/index.php/ASL_FAQ#How_are_spam_domains_added.3F<br />
<br />
https://www.atomicorp.com/wiki/index.php/ASL_FAQ#How_are_spam_domains_aged_out.3F<br />
<br />
https://www.atomicorp.com/wiki/index.php/ASL_FAQ#Do_you_use_third_party_spam_domain_lists.3F<br />
<br />
'''Outside References'''<br />
<br />
None.</div>Mshinn
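The "Determining what domain was blocked" procedure and the False Positives paragraph above, worked as an added Python example that is not part of this wiki page or of Atomicorp's rule set. It parses the H section of a ModSecurity 2.x audit-log entry (the sample from this page, with the Message entry on one line as it is in a real log rather than wrapped as the wiki shows it) to pull out the rule id, revision, matched phrase and the argument that carried it, then shows why an unbounded phrase-list match fires on an unrelated hostname and how a bounded check avoids it. The spam-domain list, the form fields and the bounded-match regex are assumptions for illustration, not the real rule or the real list.

```python
"""Added example (not this wiki page's or Atomicorp's code): read the H section of a
ModSecurity 2.x audit-log entry to find what rule 300001 matched, then show the
unbounded-match false positive described under False Positives."""
import re

# Sample H section copied from this page. In a real audit log the whole
# "Message:" entry is one line; the wiki wraps it for display.
SAMPLE_H_SECTION = """--5f3acc73-H--
Message: [file "/etc/httpd/modsecurity.d/30_asl_antispam.conf"] [line "52"] [id "300001"] [rev "23"] [msg "Atomicorp.com WAF Rules: Abusive or Spam Domain detected in argument"] [data ""] [severity "CRITICAL"] Access denied with code 403 (phase 2). Matched phrase "www.example.com" at ARGS:message.
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1311655548998047 492700 (405774* 492191 -)
WAF: ModSecurity for Apache/2.5.13 ( http://www.modsecurity.org/); 201107251315.
Server: Apache/2.2.18 (CentOS)
"""

TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')            # [id "300001"], [rev "23"], ...
MATCHED_RE = re.compile(r'Matched phrase "([^"]*)" at (\S+?)\.?$')


def parse_messages(h_section):
    """One dict per 'Message:' line: its [key "value"] tags, plus matched_phrase
    and variable when the line reports a phrase match."""
    events = []
    for line in h_section.splitlines():
        if not line.startswith("Message: "):
            continue
        event = dict(TAG_RE.findall(line))
        m = MATCHED_RE.search(line)
        if m:
            event["matched_phrase"], event["variable"] = m.group(1), m.group(2)
        events.append(event)
    return events


def blocked_domains(h_section, rule_id="300001"):
    """(phrase, variable) for every hit of rule_id: which domain was blocked
    and which request argument carried it."""
    return [(e["matched_phrase"], e["variable"])
            for e in parse_messages(h_section)
            if e.get("id") == rule_id and "matched_phrase" in e]


# --- The "not bounded" false positive -----------------------------------
# A phrase-list search (ModSecurity's @pm / @pmFromFile) is a case-insensitive
# substring match, so a listed domain also fires inside a longer, unrelated
# hostname. Assumed spam list for illustration only, not the real Atomicorp list.
SPAM_DOMAINS = ["example.com", "spam-site.net"]
HOSTCHAR = "[A-Za-z0-9-]"


def unbounded_hits(value, phrases=SPAM_DOMAINS):
    """What a plain phrase-list search does: case-insensitive substring match."""
    v = value.lower()
    return [p for p in phrases if p.lower() in v]


def bounded_hits(value, phrases=SPAM_DOMAINS):
    """Assumed bounded check: the listed domain must not be preceded by a hostname
    character (so myexample.com is not example.com, but www.example.com still is)
    and must not be extended to the right (example.company.org, example.com.au)."""
    hits = []
    for p in phrases:
        pat = rf"(?<!{HOSTCHAR}){re.escape(p)}(?!{HOSTCHAR})(?!\.[A-Za-z0-9])"
        if re.search(pat, value, re.IGNORECASE):
            hits.append(p)
    return hits


def scan_args(args, matcher=bounded_hits):
    """Mimic the rule's scan over request arguments; report hits the way the
    audit log does, as (ARGS:<name>, phrase)."""
    return [(f"ARGS:{name}", p) for name, val in args.items() for p in matcher(val)]


if __name__ == "__main__":
    print(blocked_domains(SAMPLE_H_SECTION))
    # Constructed form submission: one real spam link, one unrelated hostname.
    form = {"message": "Great deals at www.example.com today!",
            "email": "alice@myexample.com"}
    print("unbounded:", scan_args(form, unbounded_hits))   # both fields fire
    print("bounded:  ", scan_args(form, bounded_hits))     # only the message
```

Run it against a real audit log by passing the text between the `--<id>-H--` marker and the next section marker to `blocked_domains`; the second tuple element is the argument to scope any exception to, rather than disabling the rule outright.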