WAF 340029
| Rule 340029 | |
|---|---|
| Status | Active |
| Alert Message | Atomicorp.com WAF Rules: Possible command in REQUEST_URI or Argument |
Contents |
Description
This rule detects when a Linux command is used in a URL or an argument. It specifically looks for these types of commands:
- process management tools (kill, nice, etc.)
- file management tools (cp, chown, rm, etc.)
- shells (bash, tcsh, etc.)
- compilers (gcc, c++, etc.)
- web downloading tools (wget, curl, etc.)
- interpreters (perl, php, etc.)
- other downloading tools (scp, ftp, etc.)
Some attack tools are known to blindly look for software tools and to see if it can use them. Therefore, the fact that this rule is triggered does not mean that the software tool is installed on the system.
If your system is being targeted with these kinds of attacks we do not recommend you disable this rule. This rule may be telling you that someone is attacking your system, and therefore you should block this source. Please see the blog post referenced below for information about leaving rules enabled for applications you may not have installed.
Troubleshooting
False Positives
A false positive could occur if an application either safely allows the use of these tools, or if the data is used in a non-command context such as in a document. The rule contains a large number of known safe applications that may either use these tools securely, or may allow this data in non-command mode. If you have confirmed that your application is safely using these commands, or this data in a non-command format, please let us know what the application is, how you confirmed this so we can duplicate this in our test environment, and report the issue as a False Positive per the article below:
Tuning Guidance
If you want to disable this rule, please see the Tuning the Atomicorp WAF Rules page for basic information.
Additional Information
Blog Articles
None.
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.
