WAF 330122
Rule ID
330122
Status
Active rule currently published.
Alert Message
Atomicorp.com WAF Rules: Attack Script User Agent String Detected
Description
This rule detects when a client connects to a system with a User-Agent header that is known to be used by an exploit tool. The specific User-Agents this rule detects are:
- bwh3_user_agent
- zemu
- mama casper
- mama cyber
- mana sox
- mama xirio
- kmccrew bot search
- sasqia bot search
- casper bot search
- planetwork bot search
- dex bot search
- jcomers bot search
- sledink bot search
- goblox bot search
- indocom bot search
- indonetwork bot search
- ^perl post$
- rk q kangen
- t34mh4k
- ^revolt$
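The list above can also be used to review existing access logs for the same User-Agents. The following is an added example, not Atomicorp's rule code: it assumes each entry is a case-insensitive regular expression searched anywhere in the header (so only the ^...$ entries must match the whole value), that logs are in Apache/nginx combined format, and the log lines and function names are constructed for illustration.

```python
import re

# User-Agent patterns copied from the rule description.
# Assumption: case-insensitive regex search; only ^...$ entries are anchored.
PATTERNS = [
    "bwh3_user_agent", "zemu", "mama casper", "mama cyber", "mana sox",
    "mama xirio", "kmccrew bot search", "sasqia bot search",
    "casper bot search", "planetwork bot search", "dex bot search",
    "jcomers bot search", "sledink bot search", "goblox bot search",
    "indocom bot search", "indonetwork bot search", r"^perl post$",
    "rk q kangen", "t34mh4k", r"^revolt$",
]
COMPILED = [(p, re.compile(p, re.IGNORECASE)) for p in PATTERNS]

# Combined log format: client IP first, User-Agent as the last quoted field.
# Escaped quotes (\") inside the User-Agent are tolerated.
LINE_RX = re.compile(r'^(\S+) .* "((?:[^"\\]|\\.)*)"\s*$')

def match_user_agent(ua):
    """Return the first listed pattern that matches ua, or None."""
    for raw, rx in COMPILED:
        if rx.search(ua):
            return raw
    return None

def scan_access_log(lines):
    """Return (client_ip, user_agent, pattern) for each matching log line."""
    hits = []
    for line in lines:
        m = LINE_RX.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; skip rather than guess
        ip, ua = m.group(1), m.group(2)
        pattern = match_user_agent(ua)
        if pattern is not None:
            hits.append((ip, ua, pattern))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:00:00:01 +0000] "POST /x.php HTTP/1.1" 200 12 "-" "perl post"',
    '203.0.113.6 - - [01/Jan/2024:00:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "perl poster/1.0"',
    '198.51.100.7 - - [01/Jan/2024:00:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Casper Bot Search"',
    '198.51.100.8 - - [01/Jan/2024:00:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"',
]

if __name__ == "__main__":
    for ip, ua, pattern in scan_access_log(SAMPLE_LOG):
        print(f"{ip}\t{ua!r}\tmatched {pattern!r}")
```

Hits from such a review indicate clients that would have triggered this rule; the anchored entries do not match longer strings that merely contain them.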
False Positives
No known conditions exist where a false positive should occur. These User-Agents are known to be used by malicious applications. If you have confirmed that an application is using one of these User-Agent headers, and it is not malicious, please provide a copy of the application to our support team for analysis.
It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report it to our security team so they can determine whether it is a legitimate case or a clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Tuning Guidance
None.
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.