# WAF Rule ID 303831  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake twitter bot 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 1 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake twitter bot

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303890  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Feedly webcrawler 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 4 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake Feedly webcrawler

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303800  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Googlebot webcrawler 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 3 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This exclusive capability in the Atomicorp ruleset can detect when a client pretends to be the google webcrawler. This helps to detect and block potential zero day and other suspicious behavior. Attacks have been know to impersonate webcrawlers to trick naive applications that blinding trust webcrawlers. They use this method to gain access that would otherwise be blocked to non-crawlers.

This will not block the real google webcrawler. We do not recommend you disable this rule.

For ASL users, if you enable the option below, ASL will automatically and dynamically whitelist the real google webcrawler from all WAF events:

[WAF_LUA_00_SEARCHENGINE](https://wiki.atomicorp.com/wiki/index.php/ASL_WAF#WAF_LUA_00_SEARCHENGINE)


**Troubleshooting:**

**False Positives:**

There are no known false positives with this rule. Please do not report this as a false positive if you are using a proxy, CDN or other similar service and your web server is not setup per this [article](https://wiki.atomicorp.com/wiki/index.php/Proxy)

If you have confirmed your webserver is setup correctly, per the article above, and you have performed the troubleshooting in that article, and still believe this is a false positive, please report this following the process at the link below.

And be sure to also include the troubleshooting steps you took to ensure your proxy and/or CDN is setup correctly to use these rules. If you are unable to do this troubleshooting yourself, please let us know and we would be happy to have our professional services team put a quote together for you and take care of this for you.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303833  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Google Feedfetcher webcrawler 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 5 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This exclusive capability in the Atomicorp ruleset can detect when a client pretends to be a google feedfetcher webcrawler. This is part of googles search engine technology used with feeds (e.g. RSS). This helps to detect and block potential zero day and other suspicious behavior. Attackers have been know to impersonate webcrawlers to trick naive applications that blinding trust webcrawlers. They use this method to gain access that would otherwise be blocked to non-crawlers.

This will not block the real google webcrawler. We do not recommend you disable this rule.

For ASL users, if you enable the option below, ASL will automatically and dynamically whitelist the real google webcrawler from all WAF events:

https://www.atomicorp.com/wiki/index.php/ASL_WAF#MODSEC_00_AUTOWHITELIST_SEARCHENGINE


**Troubleshooting:**

**False Positives:**

There are no known false positives with this rule. Please do not report this as a false positive if you are using a proxy, CDN or other similar service and your web server is not setup per this article: https://www.atomicorp.com/wiki/index.php/Proxy




Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303801  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake msnbot/bingbot webcrawler 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 6 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This exclusive capability in the Atomicorp ruleset can detect when a client pretends to be the bing webcrawler. This helps to detect and block potential zero day and other suspicious behavior. Attacks have been know to impersonate webcrawlers to trick naive applications that blinding trust webcrawlers. They use this method to gain access that would otherwise be blocked to non-crawlers.

This will not block the real bing webcrawler. We do not recommend you disable this rule.

For ASL users, if you enable the option below, ASL will automatically and dynamically whitelist the real bing webcrawler from all WAF events:

https://wiki.atomicorp.com/wiki/index.php/ASL_WAF#WAF_LUA_00_SEARCHENGINE


**Troubleshooting:**

**False Positives:**

There are no known false positives with this rule. Please do not report this as a false positive if you are using a proxy, CDN or other similar service and your web server is not setup per this article: https://www.atomicorp.com/wiki/index.php/Proxy

If you have confirmed your webserver is setup correctly, per the article above, and you have performed the troubleshooting in that article, and still believe this is a false positive, please report this following the process at the link below.


And be sure to also include the troubleshooting steps you took to ensure your proxy and/or CDN is setup correctly to use these rules. If you are unable to do this troubleshooting yourself, please let us know and we would be happy to have our professional services team put a quote together for you and take care of this for you.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303802  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Yahoo! Slurp webcrawler 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 5 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake Yahoo! Slurp webcrawler

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303803  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Yahoo Pipes webcrawler 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 2 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake Yahoo Pipes webcrawler

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303804  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Yeti webcrawler 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 4 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake Yeti webcrawler

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303805  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Hailoobot webcrawler. 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 1 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake Hailoobot webcrawler.

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303806  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Technoratibot webcrawler. 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 1 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake Technoratibot webcrawler.

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303807  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake FriendFeed/Facebook webcrawler 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 1 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake FriendFeed/Facebook webcrawler

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303808  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Yandex webcrawler. 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 2 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake Yandex webcrawler.

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303810  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Bloglines webcrawler. 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 1 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake Bloglines webcrawler.

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303811  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Gist webcrawler 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 1 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake Gist webcrawler

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303812  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake BlogScope webcrawler 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 1 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake BlogScope webcrawler

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303813  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake NewsGatorOnline webcrawler 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 1 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake NewsGatorOnline webcrawler

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303814  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Netvibes webcrawler 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 1 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake Netvibes webcrawler

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 303937  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Baidu webcrawler 

**Rule Class:** Generic Attack Ruleset (00_asl_y_searchengines.conf)

**Version:** 7 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This exclusive capability in the Atomicorp ruleset can detect when a client pretends to be the Baidu webcrawler. This helps to detect and block potential zero day and other suspicious behavior. Attacks have been know to impersonate webcrawlers to trick naive applications that blinding trust webcrawlers. They use this method to gain access that would otherwise be blocked to non-crawlers.

This will not block the real Baidu webcrawler. We do not recommend you disable this rule.

For ASL users, if you enable the option below, ASL will automatically and dynamically whitelist the real Baidu webcrawler from all WAF events:

https://wiki.atomicorp.com/wiki/index.php/ASL_WAF#WAF_LUA_00_SEARCHENGINE


**Troubleshooting:**

**False Positives:**

There are no known false positives with this rule. Please do not report this as a false positive if you are using a proxy, CDN or other similar service and your web server is not setup per this article: https://www.atomicorp.com/wiki/index.php/Proxy

If you have confirmed your webserver is setup correctly, per the article above, and you have performed the troubleshooting in that article, and still believe this is a false positive, please report this following the process at the link below.

And be sure to also include the troubleshooting steps you took to ensure your proxy and/or CDN is setup correctly to use these rules. If you are unable to do this troubleshooting yourself, please let us know and we would be happy to have our professional services team put a quote together for you and take care of this for you.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

