# WAF Rule ID 330792  

***  

**Alert message:** Multipart parser detected a possible unmatched boundary. This may be an impedance mismatch attack, a broken application or a broken connection.  This is not a false positive.  Check your application or client for errors. 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 2 

**Severity:** Notice (HIDS: 6)

**HTTP Protocol Phase:** 2 

**HTTP Status:**  

**Action:** pass 

**Options:** No active Response

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 



If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**



# WAF Rule ID 330793  

***  

**Alert message:** Multipart request body failed strict validation:  PE %{REQBODY_PROCESSOR_ERROR},  BQ %{MULTIPART_BOUNDARY_QUOTED},  BW %{MULTIPART_BOUNDARY_WHITESPACE},  DB %{MULTIPART_DATA_BEFORE},  DA %{MULTIPART_DATA_AFTER},  HF %{MULTIPART_HEADER_FOLDING},  LF %{MULTIPART_LF_LINE},  SM %{MULTIPART_SEMICOLON_MISSING},  IQ %{MULTIPART_INVALID_QUOTING},  IH %{MULTIPART_INVALID_HEADER_FOLDING},  IP %{MULTIPART_INVALID_PART},  FL %{MULTIPART_FILE_LIMIT_EXCEEDED} 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 3 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 



If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**



# WAF Rule ID 350708  

***  

**Alert message:** ModSecurity internal error flagged: %{MATCHED_VAR_NAME} 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:**  

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 ModSecurity internal error flagged: %{MATCHED_VAR_NAME}

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 350709  

***  

**Alert message:** Request Body Larger than SecRequestBodyLimit Setting 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:**  

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Request Body Larger than SecRequestBodyLimit Setting

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 350710  

***  

**Alert message:** Response Body Larger than SecResponseBodyLimit Setting 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:**  

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Response Body Larger than SecResponseBodyLimit Setting

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 314681  

***  

**Alert message:** Atomicorp.com WAF Rules: Invalid HTTP method detected 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 1 

**Severity:** Error (HIDS: 8)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Invalid HTTP method detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390703  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible URL Encoding Abuse Attack Attempt 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 5 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 400 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390704  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible Encoding Abuse Attack Attempt 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 1 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 400 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible Encoding Abuse Attack Attempt

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 331030  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious activity detected - HTTP Request Missing a Host Header 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 2 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 400 

**Action:** pass 

**Options:** No active Response

**Transforms:** 

**Log Types:** 

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 331031  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious activity detected - Empty Host Header detected in HTTP request 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 1 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 400 

**Action:** pass 

**Options:** No active Response

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Suspicious activity detected - Empty Host Header detected in HTTP request

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 331032  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious activity detected - Host header is a numeric IP address 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 4 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 400 

**Action:** pass 

**Options:** No active Response

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390713  

***  

**Alert message:** Atomicorp.com WAF Rules:  HTTP Response Splitting Attack 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 4 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules:  HTTP Response Splitting Attack

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390714  

***  

**Alert message:** Atomicorp.com WAF Rules: HTTP Splitting (CR/LF in request filename detected) 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

**Description:**

 Atomicorp.com WAF Rules: HTTP Splitting (CR/LF in request filename detected)

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390716  

***  

**Alert message:** Atomicorp.com WAF Rules: URL file extension is restricted by policy 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 2 

**Severity:** Error (HIDS: 8)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: URL file extension is restricted by policy

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390621  

***  

**Alert message:** Atomicorp.com WAF Rules: Unicode Width Attack Attempt 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 5 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390763  

***  

**Alert message:** Atomicorp.com WAF Rules: Command Line style Encoding Abuse Attack Attempt 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 5 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Command Line style Encoding Abuse Attack Attempt

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390708  

***  

**Alert message:** Atomicorp.com WAF Rules: Session Fixation Attack 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 5 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 501 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Session Fixation Attack

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390718  

***  

**Alert message:** Atomicorp.com WAF Rules: Session Fixation Attack 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 1 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 501 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Session Fixation Attack

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390739  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible Session Fixation attack 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 1 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible Session Fixation attack

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330700  

***  

**Alert message:** Atomicorp.com WAF Rules: Invalid HTTP Request Line in violation of RFC (if you do not wish to follow HTTP RFCs, disable this rule) 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 2 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330773  

***  

**Alert message:** Atomicorp.com WAF Rules: client redefining HTTP_PROXY value denied 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 2 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 356331  

***  

**Alert message:** Atomicorp.com WAF Rules: Code injection in HTTP header attack blocked 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 2 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Code injection in HTTP header attack blocked

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 356332  

***  

**Alert message:** Atomicorp.com WAF Rules: invalid characters in User-Agent header 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 1 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- removeWhitespace

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: invalid characters in User-Agent header

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390720  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible Impedance Mismatch attack on PHP application using space to start argument name 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 6 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Options:** No active Response

**Transforms:** 

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

**Description:**

 Atomicorp.com WAF Rules: Possible Impedance Mismatch attack on PHP application using space to start argument name

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390722  

***  

**Alert message:** Atomicorp.com WAF Rules: HTTP Header Injection Attack via payload (CR/LF detected) 

**Rule Class:** Generic Attack Ruleset (00_asl_zz_strict.conf)

**Version:** 3 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- htmlEntityDecode

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: HTTP Header Injection Attack via payload (CR/LF detected)

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

