https://wiki.atomicorp.com/wiki/index.php?title=WAF_390149&feed=atom&action=history
WAF 390149 - Revision history
2024-03-29T09:57:14Z
Revision history for this page on the wiki
MediaWiki 1.20.2
https://wiki.atomicorp.com/wiki/index.php?title=WAF_390149&diff=3550&oldid=prev
Mshinn at 19:33, 25 June 2013
2013-06-25T19:33:22Z
<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 19:33, 25 June 2013</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 14:</td>
<td colspan="2" class="diff-lineno">Line 14:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This rule detects if a running web application appears to be a known or suspected remote shell or bot.  It does this by looking at the output from the application.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This rule detects if a running web application appears to be a known or suspected remote shell or bot.  It does this by looking at the output from the application.</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">Note:  This rule, and all content inspection rules, require a fast server.  If your server is not fast enough to support outbound content inspection rules you will need to disable SecResponseBodyAccess.</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''False Positives'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''False Positives'''</div></td></tr>
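Review bot: The note added at line 14 tells readers to disable SecResponseBodyAccess on a slow server without saying what that costs. The description directly above it says this rule works by looking at the output from the application, so with response body access turned off neither this rule nor the other content inspection rules the note mentions can inspect that output any more. Suggest stating that consequence in the note itself, and replacing "a fast server" with something a reader can act on, since the note gives no way to tell whether a server is fast enough.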
</table>
Mshinn
https://wiki.atomicorp.com/wiki/index.php?title=WAF_390149&diff=3140&oldid=prev
Breun: Fixed a typo
2013-02-05T08:24:00Z
<p>Fixed a typo</p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 08:24, 5 February 2013</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 13:</td>
<td colspan="2" class="diff-lineno">Line 13:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Description'''   </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Description'''   </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>This rule detects if a running web <del class="diffchange diffchange-inline">pplication </del>appears to be a known or suspected remote shell or bot.  It does this by looking at the output from the application.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>This rule detects if a running web <ins class="diffchange diffchange-inline">application </ins>appears to be a known or suspected remote shell or bot.  It does this by looking at the output from the application.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''False Positives'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''False Positives'''</div></td></tr>
</table>
Breun
https://wiki.atomicorp.com/wiki/index.php?title=WAF_390149&diff=1677&oldid=prev
Mshinn: Created page with "'''Rule ID''' 390149 '''Status''' Active rule currently published. '''Alert Message''' Atomicorp.com WAF Rules: Possible remote shell or bot access denied '''Description..."
2011-07-15T19:52:28Z
<p>Created page with "'''Rule ID''' 390149 '''Status''' Active rule currently published. '''Alert Message''' Atomicorp.com WAF Rules: Possible remote shell or bot access denied '''Description..."</p>
<p><b>New page</b></p><div>'''Rule ID''' <br />
<br />
390149<br />
<br />
'''Status'''<br />
<br />
Active rule currently published.<br />
<br />
'''Alert Message''' <br />
<br />
Atomicorp.com WAF Rules: Possible remote shell or bot access denied<br />
<br />
'''Description''' <br />
<br />
This rule detects if a running web application appears to be a known or suspected remote shell or bot. It does this by looking at the output from the application.<br />
<br />
'''False Positives'''<br />
<br />
A false positive can occur when an application legitimately behaves in a manner similar to a shell or bot-like tool, or if its output matches known patterns used by shells and bots. The rules contain a large library of known web applications and safe methods that are non-malicious, and can detect these known safe web applications and non-malicious methods and ignore them. However, it is possible for a new or custom application to incorrectly trigger this rule. <br />
<br />
It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report it to our security team to determine if this is a legitimate case, or if it is a clever attack on your system. Instructions to report false positives are detailed on the [[Reporting False Positives]] wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.<br />
<br />
'''Tuning Guidance'''<br />
<br />
If you know that this behaviour is acceptable for your application, you can tune it by following the [[Tuning the Atomicorp WAF Rules]] page.<br />
<br />
'''Similar Rules'''<br />
<br />
<br />
'''Knowledge Base Articles'''<br />
<br />
None.<br />
<br />
'''Outside References'''<br />
<br />
None.</div>
Mshinn