[edit] Description

This rule is triggered when known vulnerability scanner actions are detected. This looks for events that vulnerability scanners do on purpose to identify themselves to the system they are testing.

[edit] Troubleshooting

[edit] False Positives

There are no known false positives with this rule. The rule looks for the known actions that vulnerability scanners take to specifically identify that they are testing the system, and that do this on purpose so that the operators of the system know that they are being scanned. This is a bit akin to asking the police to check your home for security issues, and upon arriving the police ring your doorbell and tell you they will be starting the assessment. Some vulnerability scanners "announce" themselves, and that is what this rule looks for.

False positives with this rule are essentially unheard of. But if you believe you have one, please follow the process documented in the Reporting_False_Positives procedure.

[edit] Tuning Guidance

Please see the Tuning the Atomicorp WAF Rules page for more information.

[edit] Additional Information

[edit] Similar Rules

None.

[edit] Knowledge Base Articles

None.

[edit] Outside References

None.