WAF 330700

From Atomicorp Wiki
Revision as of 12:08, 29 October 2010 by Mshinn (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Rule ID

330700

Status

Active rule currently published.

Alert Message

Atomicorp.com WAF Rules: Invalid HTTP Request Line

Description

This rule is triggered if a client sends a completely invalid request line. Request lines are defined in RFC 2616.

This is an example request line that would be invalid per the RFC:

GET ????????????foo/bar HTTP/1.1

Request lines must start with a "slash" (/). So this request would be invalid, per the RFC.

This technique may be used by attackers to attempt to evade web application firewalls and application security logic to compromise a system.

False Positives

False Positive can occur if a web client sends invalid requests or if an application is designed to work in a manner that is not-RFC compliant. The later is not known to occur, as web browsers will generally not accept grossly invalid requests.

If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page.

Tuning Recommendations

If you know that this behaviour is acceptable for your application, you can tune it by disabling this rule for the application or virtual host.

If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1

Personal tools