https://wiki.atomicorp.com/wiki/index.php?title=WAF_330094&feed=atom&action=historyWAF 330094 - Revision history2024-03-28T14:28:27ZRevision history for this page on the wikiMediaWiki 1.20.2https://wiki.atomicorp.com/wiki/index.php?title=WAF_330094&diff=4767&oldid=prevMshinn: /* Examples */2014-04-10T19:49:34Z<p><span dir="auto"><span class="autocomment">Examples</span></span></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 19:49, 10 April 2014</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 29:</td>
<td colspan="2" class="diff-lineno">Line 29:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>We've highlighted the header "User-Agent:".  '''You will notice that it appears twice in these examples.'''  This is always invalid and will never occur with a legitimate browser or web application.  Closer observation of the first string above will reveal that they also contradict themselves by claiming the client is both using Internet Explorer 6 and Internet Explorer 7 for the same request, at the same time.  This is, of course, also impossible.  A client can not send a web request from IE7 and IE6 in the same request.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>We've highlighted the header "User-Agent:".  '''You will notice that it appears twice in these examples.'''  This is always invalid and will never occur with a legitimate browser or web application.  Closer observation of the first string above will reveal that they also contradict themselves by claiming the client is both using Internet Explorer 6 and Internet Explorer 7 for the same request, at the same time.  This is, of course, also impossible.  A client can not send a web request from IE7 and IE6 in the same request.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>This technique is used by spammers<del class="diffchange diffchange-inline">, </del>attackers <del class="diffchange diffchange-inline">to </del>try to trick tools that filter out known spamming User-Agent headers.  <del class="diffchange diffchange-inline">This is also known to happen with poorly coded attack tools, and </del>very <del class="diffchange diffchange-inline">rarely </del>sometimes when a user has installed, accidentally or deliberately, a piece of spyware that is trying to mask the users actual web client and has broken this field.  The later case is extremely rare, and we do not recommend you assume this is occurring.  More than likely this is an attack, and if from a non-attacker this generally means their system is infected with malware, a virus, spyware or some combination thereof.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>This technique is used by spammers <ins class="diffchange diffchange-inline">and </ins>attackers <ins class="diffchange diffchange-inline">that either </ins>try to trick tools that filter out known spamming User-Agent headers<ins class="diffchange diffchange-inline">, or they simply didnt code their attack tool well and its incorrectly adding in the header twice</ins>.   </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">In </ins>very <ins class="diffchange diffchange-inline">rare cases this </ins>sometimes <ins class="diffchange diffchange-inline">happens </ins>when a user has installed, accidentally or deliberately, a piece of spyware that is trying to mask the users actual web client and has broken this field.  The later case is extremely rare, and we do not recommend you assume this is occurring.  More than likely this is an attack, and if from a non-attacker this generally means their system is infected with malware, a virus, spyware or some combination thereof.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>= Troubleshooting =</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>= Troubleshooting =</div></td></tr>
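Review bot: the rewritten paragraph on the green side of the "This technique is used by spammers" line asserts that the duplicated header tricks filters but never says how; add the mechanism, which the example above makes visible: a filter that anchors its pattern at the start of the header value sees the decoy text `User-Agent:` and not the real agent string that follows it, so a blocklist of known spam agents is walked around. Wording on the same lines: "didnt" should be "didn't" and "its incorrectly adding" should be "it is incorrectly adding"; in the new paragraph below it, "In very rare cases this sometimes happens" says rare twice (drop "sometimes"), "The later case" should be "The latter case", and "the users actual web client" needs the possessive "user's". In the unchanged context line, "can not send" reads better as "cannot send".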
</table>Mshinnhttps://wiki.atomicorp.com/wiki/index.php?title=WAF_330094&diff=4766&oldid=prevMshinn: /* Description */2014-04-10T19:46:33Z<p><span dir="auto"><span class="autocomment">Description</span></span></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 19:46, 10 April 2014</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 9:</td>
<td colspan="2" class="diff-lineno">Line 9:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>= Description =</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>= Description =</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>This rule is triggered if a client sends a completely invalid and fake user agent string.  It looks for the case where a client sends two User-Agent headers.  In HTTP a client will only send a single header, as there can only be one <del class="diffchange diffchange-inline">header</del>.  Below are a few examples of an invalid user-agent string.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>This rule is triggered if a client sends a completely invalid and fake user agent string.  It looks for the case where a client sends two User-Agent headers.  In HTTP a client will only send a single <ins class="diffchange diffchange-inline">User-Agent </ins>header, as there can only be one <ins class="diffchange diffchange-inline">User-Agent</ins>.  Below are a few examples of an invalid user-agent string.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This is a know mistake some attack tools cause and can be used to detect potentially malicious activities.  This is an excellent method for detecting so called zero day attacks.  A valid web browser or other web client will never generate a request like this.   </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This is a know mistake some attack tools cause and can be used to detect potentially malicious activities.  This is an excellent method for detecting so called zero day attacks.  A valid web browser or other web client will never generate a request like this.   </div></td></tr>
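Review bot: the revised sentence "a client will only send a single User-Agent header, as there can only be one User-Agent" justifies the claim with itself; state the actual rule instead: HTTP only lets a header field name repeat within a message when that field's value is defined as a comma-separated list (RFC 2616 section 4.2 at the time of writing, now RFC 9110 section 5.3), and the User-Agent value is a single space-separated string of product tokens, not such a list, so a second User-Agent field, or a value that begins with the literal text "User-Agent:", cannot come from anything that speaks HTTP correctly.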
</table>Mshinnhttps://wiki.atomicorp.com/wiki/index.php?title=WAF_330094&diff=4765&oldid=prevMshinn: /* Description */2014-04-10T19:39:51Z<p><span dir="auto"><span class="autocomment">Description</span></span></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 19:39, 10 April 2014</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 10:</td>
<td colspan="2" class="diff-lineno">Line 10:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This rule is triggered if a client sends a completely invalid and fake user agent string.  It looks for the case where a client sends two User-Agent headers.  In HTTP a client will only send a single header, as there can only be one header.  Below are a few examples of an invalid user-agent string.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This rule is triggered if a client sends a completely invalid and fake user agent string.  It looks for the case where a client sends two User-Agent headers.  In HTTP a client will only send a single header, as there can only be one header.  Below are a few examples of an invalid user-agent string.</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">This is a know mistake some attack tools cause and can be used to detect potentially malicious activities.  This is an excellent method for detecting so called zero day attacks.  A valid web browser or other web client will never generate a request like this.  </ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== Examples ==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== Examples ==</div></td></tr>
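Review bot: "an excellent method for detecting so called zero day attacks" in the added sentence overstates what a duplicated User-Agent header proves; it is a fingerprint of sloppy or evasive tooling, so the rule can catch tools and campaigns that have no signature yet, not exploits of unknown vulnerabilities, and the sentence should say that. Same line: "a know mistake some attack tools cause" should read "a known mistake made by some attack tools".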
<tr><td colspan="2" class="diff-lineno">Line 25:</td>
<td colspan="2" class="diff-lineno">Line 27:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''User-Agent: User-Agent:''' Mozilla/5.0 (Windows; U; Windows NT 6.1; uk; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''User-Agent: User-Agent:''' Mozilla/5.0 (Windows; U; Windows NT 6.1; uk; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>We've highlighted the header "User-Agent:".  You will notice that it appears twice in these examples.  This is always invalid and <del class="diffchange diffchange-inline">should </del>never occur with a legitimate browser or web application.  Closer observation of the first string above will reveal that they also contradict themselves by claiming the client is both using Internet Explorer 6 and Internet Explorer 7 for the same request, at the same time.  This is, of course, impossible.  A client can not send a web request from IE7 and IE6 in the same request.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>We've highlighted the header "User-Agent:".  <ins class="diffchange diffchange-inline">'''</ins>You will notice that it appears twice in these examples.<ins class="diffchange diffchange-inline">''' </ins> This is always invalid and <ins class="diffchange diffchange-inline">will </ins>never occur with a legitimate browser or web application.  Closer observation of the first string above will reveal that they also contradict themselves by claiming the client is both using Internet Explorer 6 and Internet Explorer 7 for the same request, at the same time.  This is, of course, <ins class="diffchange diffchange-inline">also </ins>impossible.  A client can not send a web request from IE7 and IE6 in the same request.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>This technique is used by spammers, attackers to try to trick tools that filter out known spamming User-Agent headers.  This is also known to happen sometimes when a user has installed, accidentally or deliberately, a piece of spyware that is trying to mask the users actual web client.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>This technique is used by spammers, attackers to try to trick tools that filter out known spamming User-Agent headers.  This is also known to happen <ins class="diffchange diffchange-inline">with poorly coded attack tools, and very rarely </ins>sometimes when a user has installed, accidentally or deliberately, a piece of spyware that is trying to mask the users actual web client <ins class="diffchange diffchange-inline">and has broken this field.  The later case is extremely rare, and we do not recommend you assume this is occurring.  More than likely this is an attack, and if from a non-attacker this generally means their system is infected with malware, a virus, spyware or some combination thereof</ins>.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>= Troubleshooting =</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>= Troubleshooting =</div></td></tr>
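Review bot: the Description says the rule looks for "two User-Agent headers", but the example in this hunk, '''User-Agent: User-Agent:''' Mozilla/5.0 ..., is one header whose value begins with the literal text "User-Agent:", and a web server or WAF sees those as different things (two separate fields versus one field with a decoy prefix); say which form the rule matches, or that it matches both, since that decides whether a request carrying two genuinely separate User-Agent lines is caught. The strengthened "will never occur with a legitimate browser" in the same paragraph also sits uneasily with the False Positives section of this page, which admits spyware can break the field; "will never be generated by an unmodified browser" keeps both statements true.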
</table>Mshinnhttps://wiki.atomicorp.com/wiki/index.php?title=WAF_330094&diff=4764&oldid=prevMshinn: /* Description */2014-04-10T19:36:53Z<p><span dir="auto"><span class="autocomment">Description</span></span></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 19:36, 10 April 2014</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 9:</td>
<td colspan="2" class="diff-lineno">Line 9:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>= Description =</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>= Description =</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>This rule is triggered if a client sends a completely invalid and fake user agent string.  It looks for the case where a client sends two User-Agent headers.  In HTTP a client will only send a single header, as there can only be one header.  <del class="diffchange diffchange-inline">Here </del>are a few examples of an invalid user-agent string.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>This rule is triggered if a client sends a completely invalid and fake user agent string.  It looks for the case where a client sends two User-Agent headers.  In HTTP a client will only send a single header, as there can only be one header.  <ins class="diffchange diffchange-inline">Below </ins>are a few examples of an invalid user-agent string.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== Examples ==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== Examples ==</div></td></tr>
</table>Mshinnhttps://wiki.atomicorp.com/wiki/index.php?title=WAF_330094&diff=4763&oldid=prevMshinn at 19:36, 10 April 20142014-04-10T19:36:27Z<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 19:36, 10 April 2014</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">'''</del>Rule <del class="diffchange diffchange-inline">ID</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">{{Infobox</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">|header1= </ins>Rule <ins class="diffchange diffchange-inline">330094</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">|label2 = Status</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">|data2 = Active</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">|label3 = Alert Message</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">|data3 =  Atomicorp.com WAF Rules: Fake User Agent String</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">}}</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">330094</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">= Description =</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">'''Status'''</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">This rule is triggered if a client sends a completely invalid and fake user agent string.  It looks for the case where a client sends two User-Agent headers.  In HTTP a client will only send a single header, as there can only be one header.  Here are a few examples of an invalid user-agent string.</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">Active rule currently published.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">== Examples ==</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">'''Alert Message'''  </del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">Atomicorp.com WAF Rules: Fake User Agent String</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">'''Description'''  </del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">This rule is triggered if a client sends a completely invalid and fake user agent string.  It looks for the case where a client sends two User-Agent headers.  In HTTP a client will only send a single header, as there can only be one header.  Here are a few examples of an invalid user-agent string.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Example 1:</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Example 1:</div></td></tr>
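Review bot: removing the old '''Status''', '''Alert Message''' and '''Description''' blocks leaves a run of eight empty lines between "== Examples ==" and "Example 1:" (the empty green cells at the bottom of this hunk); collapse them to a single blank line. The infobox itself is fine, though "data3 =  Atomicorp.com" carries a doubled space.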
<tr><td colspan="2" class="diff-lineno">Line 31:</td>
<td colspan="2" class="diff-lineno">Line 29:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This technique is used by spammers, attackers to try to trick tools that filter out known spamming User-Agent headers.  This is also known to happen sometimes when a user has installed, accidentally or deliberately, a piece of spyware that is trying to mask the users actual web client.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This technique is used by spammers, attackers to try to trick tools that filter out known spamming User-Agent headers.  This is also known to happen sometimes when a user has installed, accidentally or deliberately, a piece of spyware that is trying to mask the users actual web client.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">'''False Positives'''</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">= Troubleshooting =</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>Some spyware may break the users User-Agent string.  Therefore a false positive can occur.  If you want to allow all cases, including where a  </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">== False Positives ==</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>Some spyware may break the users User-Agent string.  Therefore a false positive can occur.  If you want to allow all cases, including where a <ins class="diffchange diffchange-inline">a users system is infected by malware please disable this rule.</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system.  Instructions to report false positives are detailed on the [[Reporting False Positives]] wiki page.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system.  Instructions to report false positives are detailed on the [[Reporting False Positives]] wiki page.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">'''</del>Tuning <del class="diffchange diffchange-inline">Recommendations'''</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">== </ins>Tuning <ins class="diffchange diffchange-inline">Guidance ==</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>If you know that this behaviour is acceptable for your application, you can tune it by disabling this rule for the application or virtual host.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>If you know that this behaviour is acceptable for your application, you can tune it by disabling this rule for the application or virtual host.</div></td></tr>
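Review bot: "If you want to allow all cases, including where a a users system is infected by malware please disable this rule" recommends switching the rule off site-wide to accommodate infected clients, which is the opposite of what the rule exists for and contradicts the Tuning Guidance two lines down, which scopes disabling to an application or virtual host; reword it to point at that per-host tuning and to say the request should be treated as hostile unless shown otherwise, which is what the Examples section already says. Also fix the doubled "a a", change "users" to "user's", and add a comma before "please". In the unchanged context line, "or if its clever attack on your system" should be "or if it is a clever attack on your system".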
<tr><td colspan="2" class="diff-lineno">Line 43:</td>
<td colspan="2" class="diff-lineno">Line 43:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>If you wish to tune this rule yourself, please see the [[Tuning the Atomicorp WAF Rules]] page for basic information.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>If you wish to tune this rule yourself, please see the [[Tuning the Atomicorp WAF Rules]] page for basic information.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">'''</del>Similar Rules<del class="diffchange diffchange-inline">'''</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">= Additional Information =</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">== </ins>Similar Rules <ins class="diffchange diffchange-inline">==</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>None.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>None.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">'''</del>Knowledge Base Articles<del class="diffchange diffchange-inline">'''</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">== </ins>Knowledge Base Articles<ins class="diffchange diffchange-inline">== </ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>None.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>None.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">'''</del>Outside References<del class="diffchange diffchange-inline">'''</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">== </ins>Outside References <ins class="diffchange diffchange-inline">== </ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>None.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>None.</div></td></tr>
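Review bot: the new `= Additional Information =` line is a level-1 heading, which MediaWiki reserves for the page title, while the sections placed under it use `==`; make the parent `== Additional Information ==` and its children `===` so the outline nests correctly. In the same hunk `== Knowledge Base Articles== ` is missing the space before its closing marker and both it and `== Outside References == ` carry a trailing space; the parser still accepts them, but match the form used for `== Similar Rules ==`.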
</table>Mshinnhttps://wiki.atomicorp.com/wiki/index.php?title=WAF_330094&diff=4762&oldid=prevMshinn at 19:33, 10 April 20142014-04-10T19:33:54Z<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 19:33, 10 April 2014</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>'''Rule ID<del class="diffchange diffchange-inline">''' </del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>'''Rule ID</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>330094</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>330094</div></td></tr>
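Review bot: the change to the first line drops the closing `'''` after Rule ID, leaving `'''Rule ID` with no terminator; it only renders as bold because the parser closes an unbalanced run at end of line, and the other field labels on the page keep their closing markers, so restore `'''Rule ID'''` rather than deleting the terminator.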
<tr><td colspan="2" class="diff-lineno">Line 22:</td>
<td colspan="2" class="diff-lineno">Line 22:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''User-Agent: User-Agent:''' Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''User-Agent: User-Agent:''' Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">Example 3:</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">'''User-Agent: User-Agent:''' Mozilla/5.0 (Windows; U; Windows NT 6.1; uk; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>We've highlighted the header "User-Agent:".  You will notice that it appears twice in these examples.  This is always invalid and should never occur with a legitimate browser or web application.  Closer observation of the first string above will reveal that they also contradict themselves by claiming the client is both using Internet Explorer 6 and Internet Explorer 7 for the same request, at the same time.  This is, of course, impossible.  A client can not send a web request from IE7 and IE6 in the same request.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>We've highlighted the header "User-Agent:".  You will notice that it appears twice in these examples.  This is always invalid and should never occur with a legitimate browser or web application.  Closer observation of the first string above will reveal that they also contradict themselves by claiming the client is both using Internet Explorer 6 and Internet Explorer 7 for the same request, at the same time.  This is, of course, impossible.  A client can not send a web request from IE7 and IE6 in the same request.</div></td></tr>
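Review bot: the closing paragraph is not updated for the Example 3 it now follows; it still says only the first string contradicts itself, and Examples 2 and 3 show a different shape, a single header whose value starts with a second `User-Agent:` label in front of an otherwise ordinary Chrome or Firefox string. Add a sentence saying so, since the description above talks about "two User-Agent headers" and a reader comparing that wording with `'''User-Agent: User-Agent:''' Mozilla/5.0 (Windows; U; ...` will otherwise not see why the newer examples match.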
</table>Mshinnhttps://wiki.atomicorp.com/wiki/index.php?title=WAF_330094&diff=3595&oldid=prevMshinn at 17:39, 8 July 20132013-07-08T17:39:02Z<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 17:39, 8 July 2013</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 23:</td>
<td colspan="2" class="diff-lineno">Line 23:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''User-Agent: User-Agent:''' Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''User-Agent: User-Agent:''' Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>We've highlighted the header "User-Agent:".  You will notice that it appears twice in these examples.  This is always invalid and should never occur with a legitimate browser or web application.  Closer observation of the <del class="diffchange diffchange-inline">strings </del>above will reveal that they also <del class="diffchange diffchange-inline">contradicts </del>themselves by claiming the client is both <del class="diffchange diffchange-inline">running </del>Internet Explorer 6 and Internet Explorer 7, <del class="diffchange diffchange-inline">or both running Chrome and Safari</del>.  This is, of course, impossible.  A client can not send a web request from IE7 and IE6<del class="diffchange diffchange-inline">, or Chrome and Safari </del>in the same request.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>We've highlighted the header "User-Agent:".  You will notice that it appears twice in these examples.  This is always invalid and should never occur with a legitimate browser or web application.  Closer observation of the <ins class="diffchange diffchange-inline">first string </ins>above will reveal that they also <ins class="diffchange diffchange-inline">contradict </ins>themselves by claiming the client is both <ins class="diffchange diffchange-inline">using </ins>Internet Explorer 6 and Internet Explorer 7 <ins class="diffchange diffchange-inline">for the same request</ins>, <ins class="diffchange diffchange-inline">at the same time</ins>.  This is, of course, impossible.  A client can not send a web request from IE7 and IE6 in the same request.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>This technique is used by spammers, attackers to try to trick tools that filter out known spamming User-Agent headers.  This is also <del class="diffchange diffchange-inline">know </del>to happen <del class="diffchange diffchange-inline"> </del>sometimes when a user has installed, accidentally or deliberately, a piece of spyware that is trying to mask the users actual web client.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>This technique is used by spammers, attackers to try to trick tools that filter out known spamming User-Agent headers.  This is also <ins class="diffchange diffchange-inline">known </ins>to happen sometimes when a user has installed, accidentally or deliberately, a piece of spyware that is trying to mask the users actual web client.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''False Positives'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''False Positives'''</div></td></tr>
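Review bot: the `know` to `known` fix leaves the rest of that sentence ungrammatical; "used by spammers, attackers to try to trick" should read "used by spammers and attackers to try to trick", and "the users actual web client" should be "the user's actual web client". In the paragraph above it, "Closer observation of the first string above will reveal that they also contradict themselves" now has a singular subject with a plural pronoun; use "it also contradicts itself".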
</table>Mshinnhttps://wiki.atomicorp.com/wiki/index.php?title=WAF_330094&diff=3425&oldid=prevMshinn at 23:13, 6 May 20132013-05-06T23:13:58Z<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 23:13, 6 May 2013</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 13:</td>
<td colspan="2" class="diff-lineno">Line 13:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Description'''   </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Description'''   </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>This rule is triggered if a client sends a completely invalid and fake user agent string.  It looks for the case where a client sends two User-Agent headers.  In HTTP a client will only send a single header, as there can only be one header.  Here <del class="diffchange diffchange-inline">is an example </del>of an invalid user-agent string:</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>This rule is triggered if a client sends a completely invalid and fake user agent string.  It looks for the case where a client sends two User-Agent headers.  In HTTP a client will only send a single header, as there can only be one header.  Here <ins class="diffchange diffchange-inline">are a few examples </ins>of an invalid user-agent string<ins class="diffchange diffchange-inline">.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Example 1</ins>:</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''User-Agent:''' Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.6; '''User-agent:''' Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com)  ; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''User-Agent:''' Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.6; '''User-agent:''' Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com)  ; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>We've highlighted the header "User-Agent:".  You will notice that it appears twice.  This is always invalid and should never occur with a legitimate browser or web application.  Closer observation of the <del class="diffchange diffchange-inline">string </del>above will reveal that <del class="diffchange diffchange-inline">it </del>contradicts <del class="diffchange diffchange-inline">itself </del>by claiming the client is both running Internet Explorer 6 and Internet Explorer 7.  This is, of course, impossible.  A client can not send a web request from IE7 and IE6 in the same request.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Example 2:</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">'''User-Agent: User-Agent:''' Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>We've highlighted the header "User-Agent:".  You will notice that it appears twice <ins class="diffchange diffchange-inline">in these examples</ins>.  This is always invalid and should never occur with a legitimate browser or web application.  Closer observation of the <ins class="diffchange diffchange-inline">strings </ins>above will reveal that <ins class="diffchange diffchange-inline">they also </ins>contradicts <ins class="diffchange diffchange-inline">themselves </ins>by claiming the client is both running Internet Explorer 6 and Internet Explorer 7<ins class="diffchange diffchange-inline">, or both running Chrome and Safari</ins>.  This is, of course, impossible.  A client can not send a web request from IE7 and IE6<ins class="diffchange diffchange-inline">, or Chrome and Safari </ins>in the same request.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This technique is used by spammers, attackers to try to trick tools that filter out known spamming User-Agent headers.  This is also know to happen  sometimes when a user has installed, accidentally or deliberately, a piece of spyware that is trying to mask the users actual web client.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This technique is used by spammers, attackers to try to trick tools that filter out known spamming User-Agent headers.  This is also know to happen  sometimes when a user has installed, accidentally or deliberately, a piece of spyware that is trying to mask the users actual web client.</div></td></tr>
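Review bot: the rewritten explanation claims Example 2 contradicts itself by naming both Chrome and Safari, but `Chrome/26.0.1410.64 Safari/537.31` is the normal form of every Chrome user agent (Chrome advertises Safari for WebKit compatibility), so that clause is wrong and the only anomaly in Example 2 is the doubled `User-Agent:` prefix; drop "or both running Chrome and Safari" and the matching "or Chrome and Safari" in the last sentence. While there, "they also contradicts themselves" should be "they also contradict themselves", and "Here are a few examples of an invalid user-agent string." reads better as "of invalid user-agent strings".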
</table>Mshinnhttps://wiki.atomicorp.com/wiki/index.php?title=WAF_330094&diff=1065&oldid=prevMshinn: Created page with ''''Rule ID''' 330094 '''Status''' Active rule currently published. '''Alert Message''' Atomicorp.com WAF Rules: Fake User Agent String '''Description''' This rule is …'2010-10-29T15:48:21Z<p>Created page with ''''Rule ID''' 330094 '''Status''' Active rule currently published. '''Alert Message''' Atomicorp.com WAF Rules: Fake User Agent String '''Description''' This rule is …'</p>
<p><b>New page</b></p><div>'''Rule ID''' <br />
<br />
330094<br />
<br />
'''Status'''<br />
<br />
Active rule currently published.<br />
<br />
'''Alert Message''' <br />
<br />
Atomicorp.com WAF Rules: Fake User Agent String<br />
<br />
'''Description''' <br />
<br />
This rule is triggered when a client sends an invalid, fabricated User-Agent string. It looks for the case where the User-Agent header name appears twice in one request. A legitimate client sends exactly one User-Agent header: HTTP only permits a header field to be repeated when its value is defined as a comma-separated list, and User-Agent is not (RFC 2616 section 4.2). Here is an example of an invalid user-agent string; note that the second name is embedded in the value of the one User-Agent header that was actually sent:<br />
<br />
'''User-Agent:''' Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.6; '''User-agent:''' Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)<br />
<br />
We've highlighted the header "User-Agent:". You will notice that it appears twice. This is always invalid and should never occur with a legitimate browser or web application. Closer observation of the string above will reveal that it contradicts itself by claiming the client is running both Internet Explorer 6 and Internet Explorer 7. This is, of course, impossible. A client cannot send a web request from IE7 and IE6 in the same request.<br />
<br />
This technique is used by spammers and attackers to try to trick tools that filter out known spamming User-Agent strings. It is also known to happen when a user has installed, accidentally or deliberately, a piece of spyware that tries to mask the user's actual web client.<br />
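<br />
As an added example, not part of the original page and not the Atomicorp rule itself, the following Python checks a raw HTTP request for both conditions described above: more than one User-Agent header field in a request, and a User-Agent value that carries a second "User-Agent:" label inside it. The request builder, the Host header, the curl and Wget lines and the plain Chrome string are constructed for this example; the three flagged samples reuse the strings quoted on this page.<br />
<br />
```python
"""Detect a duplicated or embedded User-Agent header in a raw HTTP request.

Added example for this page; it is not the Atomicorp rule itself. It checks
the two conditions the description gives: more than one User-Agent header
field in a request, and a User-Agent value that itself carries a second
"User-Agent:" label, as in the example strings on the page.
"""
from __future__ import annotations

import re

# A "User-Agent:" label inside a header VALUE, any letter case, optional
# whitespace before the colon.
EMBEDDED_UA_LABEL = re.compile(r"user-agent\s*:", re.IGNORECASE)


def parse_headers(raw_request: str) -> list[tuple[str, str]]:
    """Split a raw request head into ordered (name, value) pairs.

    Names are lower-cased, values stripped, and repeated names are kept as
    separate entries so the caller can count them. Obsolete line folding
    (a continuation line starting with SP or HTAB) is appended to the
    previous field's value.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: list[tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:          # [0] is the request line
        if not line:
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                              # no colon: malformed, skip
        headers.append((name.strip().lower(), value.strip()))
    return headers


def fake_user_agent_findings(raw_request: str) -> list[str]:
    """Return the reasons a request matches, or [] when it looks clean."""
    ua_values = [v for n, v in parse_headers(raw_request) if n == "user-agent"]
    findings = []
    if len(ua_values) > 1:
        findings.append(f"{len(ua_values)} User-Agent header fields in one request")
    for value in ua_values:
        if EMBEDDED_UA_LABEL.search(value):
            findings.append(f"User-Agent value embeds a second header label: {value[:50]!r}")
    return findings


def build_request(header_lines: list[str]) -> str:
    """Constructed sample request: a plain GET carrying the given header lines."""
    lines = ["GET / HTTP/1.1", "Host: www.example.com", *header_lines, "", ""]
    return "\r\n".join(lines)


# Constructed samples. EXAMPLE_1..3 are the three strings quoted on this page.
EXAMPLE_1 = ("User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.6; "
             "User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com)  ; "
             ".NET CLR 2.0.50727; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; "
             ".NET CLR 3.5.30729; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)")
EXAMPLE_2 = ("User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 "
             "(KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31")
EXAMPLE_3 = ("User-Agent: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; uk; rv:1.9.2.13) "
             "Gecko/20101203 Firefox/3.6.13")
# The same Chrome string without the doubled label: a normal Chrome user agent,
# which names Safari as well, so it must not be flagged.
LEGIT = ("User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 "
         "(KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31")
# Two separate User-Agent fields; caught by the field count, not the label scan.
TWO_FIELDS = ["User-Agent: curl/7.68.0", "User-Agent: Wget/1.20"]

if __name__ == "__main__":
    samples = [("example 1", [EXAMPLE_1]), ("example 2", [EXAMPLE_2]),
               ("example 3", [EXAMPLE_3]), ("legit chrome", [LEGIT]),
               ("two fields", TWO_FIELDS)]
    for label, header_lines in samples:
        print(f"{label:13s} -> {fake_user_agent_findings(build_request(header_lines)) or 'clean'}")
```
<br />
The unmodified Chrome string is included on purpose: it names both Chrome and Safari, as Chrome user agents normally do, so the check keys on the duplicated header label and on the field count, never on which browser tokens appear in the value.<br />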
<br />
'''False Positives'''<br />
<br />
Some spyware may break the user's User-Agent string, so a false positive can occur. If you want to allow all cases, including where a <br />
<br />
If you believe this is a false positive, please report it to our security team so they can determine whether this is a legitimate case or a clever attack on your system. Instructions to report false positives are detailed on the [[Reporting False Positives]] wiki page.<br />
<br />
'''Tuning Recommendations'''<br />
<br />
If you know that this behaviour is acceptable for your application, you can tune it by disabling this rule for the application or virtual host.<br />
<br />
If you wish to tune this rule yourself, please see the [[Tuning the Atomicorp WAF Rules]] page for basic information.<br />
<br />
'''Similar Rules'''<br />
<br />
None.<br />
<br />
'''Knowledge Base Articles'''<br />
<br />
None.<br />
<br />
'''Outside References'''<br />
<br />
None.</div>Mshinn