Difference between revisions of "WAF 330036"

From Atomicorp Wiki
(Created page with "'''Rule ID''' 330036 '''Status''' Active rule currently published. '''Alert Message''' Atomicorp.com WAF Rules: Suspicious User agent detected '''Description''' This ...")
 
m
 
Line 13: Line 13:
 
'''Description'''   
 
'''Description'''   
  
This rule detects if the user agent "indy library" is used.  This client is known to be used for some malicious activity.  If you use this user agent, then disable this rule.
+
This rule detects if the user agent "indy library" is used.  This client is known to be used for some malicious activity, either in the creation of bots or the User Agent field is forged.  Most commonly it is used with spammers, and less commonly its used by worms.  If you use this user agent, then disable this rule.
  
 
'''False Positives'''
 
'''False Positives'''
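Review bot: in the added Description sentence, "either in the creation of bots or the User Agent field is forged" joins two clauses that are not parallel, and "its used by worms" needs "it is" or "it's". Suggested wording: "either by bots built with it or by clients that forge the User-Agent field" and "less commonly it is used by worms". The new text also writes "User Agent" where the False Positives section writes "User-Agent"; use one spelling throughout.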

Latest revision as of 18:28, 4 October 2014

Rule ID

330036

Status

Active rule currently published.

Alert Message

Atomicorp.com WAF Rules: Suspicious User agent detected

Description

This rule detects if the user agent "indy library" is used. This client is known to be used for some malicious activity, either in the creation of bots or in requests where the User-Agent field is forged. Most commonly it is used by spammers, and less commonly by worms. If you use this user agent, then disable this rule.

False Positives

There are no known false positives with this rule. The rule looks at the User-Agent header, and if the application identifies itself as "indy library", the rule will trigger.

If you have examined the headers and have identified a case where the agent is not reporting that it is "indy library", please report this as a false positive. Otherwise, if you use this user agent, disable this rule for your system.

Instructions to report false positives are detailed on the Reporting False Positives wiki page.

If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.

Tuning Recommendations

If you know that this behavior is acceptable for your application, you can either disable the rule globally or tune it so that the behavior is allowed only for specific applications or URLs.
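Before choosing between a global disable and a per-URL exception, it helps to see which clients and URLs actually send this User-Agent. The script below is an added example, not part of the Atomicorp rule set or this wiki; it assumes combined-format access logs and a case-insensitive substring match on "indy library", and its sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache/Nginx "combined" format:
# ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumption: the rule matches this string anywhere in the header, ignoring case.
NEEDLE = "indy library"


def audit(lines):
    """Return (hits, skipped): hits counts matching requests per (client, path)."""
    hits = Counter()
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1          # keep count so parse gaps are visible
            continue
        if NEEDLE in m["ua"].lower():
            path = m["path"].split("?", 1)[0]   # group by path, drop query string
            hits[(m["ip"], path)] += 1
    return hits, skipped


# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [04/Oct/2014:18:28:00 +0000] "POST /contact.php HTTP/1.1" '
    '403 199 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '192.0.2.10 - - [04/Oct/2014:18:28:02 +0000] "POST /contact.php HTTP/1.1" '
    '403 199 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '198.51.100.7 - - [04/Oct/2014:18:29:10 +0000] "GET /api/export?id=5 HTTP/1.1" '
    '403 199 "-" "Mozilla/3.0 (compatible; INDY LIBRARY)"',
    '203.0.113.5 - - [04/Oct/2014:18:30:00 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    hits, skipped = audit(SAMPLE)
    for (ip, path), count in hits.most_common():
        print(f"{count:4d}  {ip:15s}  {path}")
    print(f"unparsed lines: {skipped}")
```

A path that only your own known clients hit is a candidate for a per-URL exception; matches spread across unrelated paths and addresses argue for leaving the rule enabled.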

Similar Rules


Knowledge Base Articles

None.

Outside References
