# WAF Rule ID 392301  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Request Containing Content, but Missing Content-Type header 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 5 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

This rule detects when a request is made using an improper method. By default, if a request body is sent, it must define its Content-Type so the backend application knows how to handle it. The WAF also needs to understand the Content-Type, because the WAF works by inspecting content based on the "type" defined by the request. Think of this as a foreign language: the WAF needs to understand the type to be able to properly inspect its contents.

Attackers use this method to get past WAFs by not defining the Content-Type, so the WAF has to guess what it is reading. The attacker relies on this, and on the WAF assuming it is reading one content type when another content type is being used. This can be used to bypass the WAF entirely.

This rule prevents this method. Any application that causes this to occur should be fixed to define its Content-Type.
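The check described above, as an added Python sketch (not Atomicorp's rule logic): it flags a request that carries a body without a Content-Type, and shows how an inspector that guesses "form-encoded" sees different arguments than a backend that parses the same bytes as JSON. The sample requests, host name and function names are constructed for illustration.

```python
import json
from urllib.parse import parse_qsl

# Constructed sample requests (not captured traffic).
NO_TYPE = (b"POST /comment HTTP/1.1\r\nHost: app.example\r\n"
           b"Content-Length: 24\r\n\r\n"
           b'{"comment": "hello&x=1"}')
WITH_TYPE = (b"POST /comment HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Type: application/json\r\nContent-Length: 24\r\n\r\n"
             b'{"comment": "hello&x=1"}')
BODYLESS = b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def body_without_content_type(raw: bytes) -> bool:
    """True when the request has (or declares) a body but no usable Content-Type."""
    _, headers, body = parse_request(raw)
    declares_body = (headers.get("content-length", "0") not in ("", "0")
                     or "transfer-encoding" in headers)
    has_body = declares_body or len(body) > 0
    # An empty Content-Type value is treated the same as a missing header.
    return has_body and not headers.get("content-type")


def urlencoded_guess(body: bytes) -> dict:
    """What an inspector sees if it guesses the body is form-encoded."""
    return dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))


def json_view(body: bytes) -> dict:
    """What a backend sees if it parses the same bytes as JSON."""
    return json.loads(body)


if __name__ == "__main__":
    for label, raw in (("no type", NO_TYPE), ("typed", WITH_TYPE), ("no body", BODYLESS)):
        print(label, "->", "deny" if body_without_content_type(raw) else "pass")
    body = parse_request(NO_TYPE)[2]
    print("inspector guess:", urlencoded_guess(body))
    print("backend view:   ", json_view(body))
```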


**Troubleshooting:**

**False Positives:**

A false positive can occur when an application legitimately does not set the Content-Type. However, this should never be allowed. All request bodies should define the Content-Type, and there is no reason for an application to not do this. We highly recommend you do not disable this rule, and rather fix the application.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 



If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**



# WAF Rule ID 390707  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Too many arguments in request (max set to 1000, increase as necessary for your system) 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 4 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

This rule simply detects if a single request has more than 1000 arguments. This rule is designed to help protect your system from certain Denial of Service (DOS) attacks, such as the PHP Hash DOS attack.



**Troubleshooting:**

**False Positives:**

This rule can not generate a false positive. This rule simply sets a limit of 1000 arguments in a request. If this limit is too low for you, then either disable this rule for the domain or increase the limit by following the advice in Tuning Recommendations below.

If you believe this is a true false positive, that is, the request does not have 1000 arguments, please report this to our security team.

Please do not report cases where the rule is working correctly.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you do not wish to restrict the number of arguments in a request, just disable this rule.



If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

https://www.exploit-db.com/exploits/18305

https://arstechnica.com/information-technology/2011/12/huge-portions-of-web-vulnerable-to-hashing-denial-of-service-attack/


# WAF Rule ID 390614  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Invalid character in ARGS 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 9 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

This rule detects NULL characters in unusual arguments. NULL characters are often used by attackers to try to bypass intrusion detection systems, as there have been vulnerabilities in IDSs (including modsecurity) that have allowed attackers to bypass them. WAFs will commonly ignore everything after the NULL but pass the entire string to the web server, where it is processed. The rules detect the use of NULL characters and block them.

Example attack:

GET /index.php?option=com_shoutbox&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1

The last character in this request is a null, which is invalid and is part of an actual attack on the system. The above example is an attacker attempting to access the Linux /proc file system via a recursion attack, with an added NULL character at the end to attempt to evade the IDS system.
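The behaviour described above, as an added Python sketch (not the rule's actual implementation): arguments are decoded with an approximation of the `urlDecodeUni` transform, any decoded NULL is flagged, and `c_string_view` shows what an inspector that stops at the first NULL would see. The function names and the second and third sample requests are constructed for illustration; the first request line is the example from this page.

```python
import re
from urllib.parse import urlsplit

# Request line from the page, plus two constructed samples.
PAGE_EXAMPLE = ("GET /index.php?option=com_shoutbox&controller="
                "../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1")
UNICODE_NULL = "GET /profile?name=alice%u0000HIDDEN-TAIL HTTP/1.1"   # constructed
BENIGN = "GET /search?q=waf+rules&page=2 HTTP/1.1"                   # constructed

_PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def url_decode_uni(value: str) -> str:
    """Approximate urlDecodeUni: decode %XX and %uXXXX, and '+' to space."""
    def repl(match):
        return chr(int(match.group(1) or match.group(2), 16))
    return _PCT.sub(repl, value.replace("+", " "))


def parse_args(request_line: str) -> dict:
    """Return the raw (still encoded) query arguments of a request line."""
    _, target, _ = request_line.split(" ", 2)
    args = {}
    for pair in urlsplit(target).query.split("&"):
        if pair:
            name, _, raw = pair.partition("=")
            args[name] = raw
    return args


def null_args(request_line: str) -> list:
    """Names of arguments whose decoded value contains a NULL character."""
    return [name for name, raw in parse_args(request_line).items()
            if "\x00" in url_decode_uni(raw)]


def c_string_view(decoded: str) -> str:
    """What a NUL-terminated string consumer sees: everything before the first NULL."""
    return decoded.split("\x00", 1)[0]


if __name__ == "__main__":
    for line in (PAGE_EXAMPLE, UNICODE_NULL, BENIGN):
        hits = null_args(line)
        print("deny" if hits else "pass", hits)
    full = url_decode_uni(parse_args(UNICODE_NULL)["name"])
    # The truncating view loses the tail that the web server still receives.
    print(repr(c_string_view(full)), "vs", repr(full))
```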


**Troubleshooting:**

**False Positives:**

The rule contains logic to detect cases where the use of NULL characters is non-malicious. In some cases, an application may do this in a new way that the logic cannot detect.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you do not wish to restrict the number of arguments in a request, just disable this rule.



If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

[WAF_340613](https://docs.atomicorp.com/rules/waf/WAF_340613)


**Outside References:**

https://www.exploit-db.com/exploits/18305

https://arstechnica.com/information-technology/2011/12/huge-portions-of-web-vulnerable-to-hashing-denial-of-service-attack/


# WAF Rule ID 390708  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Session Fixation Attack 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 5 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 501 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Session Fixation Attack

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340007  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Generic Path Recursion denied 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 39 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

This rule detects the use of path recursion in an argument or in the URI. It also attempts to detect encoded recursions. An example of a recursion attack may look like:

 ../..

An example attack could be to get to a protected file on the system. For example:

 ../../../../../etc/passwd


**Troubleshooting:**

**False Positives:**

Some applications may use recursions to get some files. Therefore a false positive can occur. It is not recommended that you disable this rule. If this is a false positive, please report this to our security team so they can determine if this is a legitimate case, or if it is a clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page.

If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow recursions.
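The detection of plain and encoded recursions described for this rule, together with the per-argument tuning above, as an added Python sketch (not the rule's own logic or tuning syntax). It assumes a value is suspicious when, after repeated URL decoding, it climbs above its starting directory; the names, the decode limit and the sample arguments other than the page's `../../../../../etc/passwd` are constructed for illustration.

```python
from urllib.parse import unquote

MAX_DECODE_PASSES = 3   # assumption: enough to unwrap double-encoded input
MIN_DEPTH = 1           # assumption: flag any climb above the starting directory


def fully_decode(value: str) -> str:
    """URL-decode repeatedly until the value stops changing (bounded)."""
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def recursion_depth(value: str) -> int:
    """How many directory levels the value climbs above where it started."""
    path = fully_decode(value).lower().replace("\\", "/")
    depth = 0
    lowest = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            lowest = min(lowest, depth)
        elif segment not in ("", "."):
            depth += 1
    return -lowest


def flagged_args(args: dict, allowed=frozenset()) -> dict:
    """Arguments that recurse upward, skipping names explicitly allowed for this app."""
    hits = {}
    for name, value in args.items():
        depth = recursion_depth(value)
        if depth >= MIN_DEPTH and name not in allowed:
            hits[name] = depth
    return hits


# Constructed sample arguments; "file" uses the example path from this page.
SAMPLE_ARGS = {
    "page": "docs/../images/logo.png",        # stays inside its start directory
    "file": "../../../../../etc/passwd",
    "tpl": "%2e%2e%2f%2e%2e%2fshared",         # encoded recursion
}

if __name__ == "__main__":
    print(flagged_args(SAMPLE_ARGS))                   # file and tpl are flagged
    print(flagged_args(SAMPLE_ARGS, allowed={"tpl"}))  # tpl tuned out for this app
```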




If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

[WAF_340006](https://docs.atomicorp.com/rules/waf/WAF_340006)


**Outside References:**

None.

# WAF Rule ID 340006  

***  

**Alert message:** Atomicorp.com WAF Rules: Generic Path Recursion denied in URI/ARGS 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 54 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:**  

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- normalisePath

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow recursions.




If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 347008  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Suspicious deep path recursion denied 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 12 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- normalisePath

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Suspicious deep path recursion denied

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340008  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Bogus Path denied 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 7 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- normalisePath

- replaceNulls

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule is detecting the use of a bogus path. An example of a bogus path would be:

 /.../some_file

There is no such valid path in any operating system. "..." is an invalid directory. This would be an indication of a possible attempt to access hidden content on the system, or to create a hidden directory.


**Troubleshooting:**

**False Positives:**

There are no known valid conditions in which this can occur.

If you believe this to be a false positive, please report this to our security team to determine if this is a legitimate case, or if it is a clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page.

If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

There are no known valid conditions in which this can occur, therefore it is not recommended that you tune the system to allow this.




If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

[WAF_340006](https://docs.atomicorp.com/rules/waf/WAF_340006)


**Outside References:**

None.

# WAF Rule ID 340009  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Protected Path Access denied in URI/ARGS 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 56 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

- normalisePath

- replaceNulls

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule detects if a protected path is accessed by a web request. A protected path includes key parts of the operating system, such as c:/windows, /bin, /lib, /dev, /proc and other important parts of the OS.




**Troubleshooting:**

**False Positives:**

If a web application needs to access these parts of the OS this rule can be triggered. Check to ensure that your application actually needs to access this part of the OS and that this is not an attack. It is not recommended you disable this rule, but rather that you report it as a false positive so we can put out an update for your application.

Instructions to report false positives are detailed on the Reporting False Positives wiki page.

If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

There are no known valid conditions in which this can occur, therefore it is not recommended that you tune the system to allow this.




If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

[WAF_340006](https://docs.atomicorp.com/rules/waf/WAF_340006)


**Outside References:**

None.

# WAF Rule ID 390709  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Attempt to Access protect file Remotely 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 24 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule detects when a protected file is accessed remotely. This rule specifically protects sensitive OS and application configuration files, such as webserver configuration files, operating system configuration files, password files, and command history files.



**Troubleshooting:**

**False Positives:**

A false positive can occur when an application legitimately requires access to these files. The rules contain a large library of known web applications and safe methods for accessing these highly sensitive files, and can detect known safe methods and ignore them. However, it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

There are no known valid conditions in which this can occur, therefore it is not recommended that you tune the system to allow this.




If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

[WAF_390719](https://docs.atomicorp.com/rules/waf/WAF_390719)


**Outside References:**

None.

# WAF Rule ID 390719  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Attempt to Access protect file Remotely 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 6 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule detects when a protected file name is used in an HTTP header (other than the URL, Cookie or Referer headers). This rule specifically protects sensitive OS and application configuration files, such as webserver configuration files, operating system configuration files, password files, and command history files from disclosure.



**Troubleshooting:**

**False Positives:**

A false positive can occur when an application legitimately uses this information in an HTTP header. There are no known cases where this occurs.




Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you know that this behavior is acceptable for your application, you can either disable the rule for the domain, or you can disable it for the application. 


If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

[WAF_390709](https://docs.atomicorp.com/rules/waf/WAF_390709)


**Outside References:**

None.

# WAF Rule ID 390709  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Attempt to Access protect file Remotely 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 23 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule detects when a protected file is accessed remotely. This rule specifically protects sensitive OS and application configuration files, such as webserver configuration files, operating system configuration files, password files, and command history files.



**Troubleshooting:**

**False Positives:**

A false positive can occur when an application legitimately requires access to these files. The rules contain a large library of known web applications and safe methods for accessing these highly sensitive files, and can detect known safe methods and ignore them. However, it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you know that this behavior is acceptable for your application, you can either disable the rule for the domain, or you can disable it for the application. 


If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

[WAF_390719](https://docs.atomicorp.com/rules/waf/WAF_390719)


**Outside References:**

None.

# WAF Rule ID 390719  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Attempt to Access protect file Remotely 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 6 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule detects when a protected file name is used in an HTTP header (other than the URL, Cookie or Referer headers). This rule specifically protects sensitive OS and application configuration files, such as webserver configuration files, operating system configuration files, password files, and command history files from disclosure.



**Troubleshooting:**

**False Positives:**

A false positive can occur when an application legitimately uses this information in an HTTP header. There are no known cases where this occurs.




Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you know that this behavior is acceptable for your application, you can either disable the rule for the domain, or you can disable it for the application. 


If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

[WAF_390709](https://docs.atomicorp.com/rules/waf/WAF_390709)


**Outside References:**

None.

# WAF Rule ID 340155  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Generic SQL Injection protection 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 21 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- replaceComments

- urlDecodeUni

**Log Types:** 

**Description:**

 This rule detects SQL injection attacks. If this rule is being triggered, this means that someone has attempted to inject a SQL statement into an application.



**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you know that this behavior is acceptable for your application, you can either disable the rule for the domain, or you can disable it for the application. 


If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 380023  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Generic SQL Injection protection 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 8 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- base64Decode

- compressWhitespace

- replaceComments

- replaceNulls

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Generic SQL Injection protection

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 380024  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Generic SQL Injection protection 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 5 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- hexDecode

- replaceComments

- replaceNulls

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Generic SQL Injection protection

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 380122  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE MySQL and PostgreSQL stored procedure/function injections 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 4 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceComments

- urlDecodeUni

**Log Types:** 

**Description:**

This rule detects when database stored procedure or function content is found in a POST from a client to the server. In most cases this indicates that the server is being attacked.



**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 380025  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE SQL injection with PHP/PERL payload 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 5 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceComments

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE SQL injection with PHP/PERL payload

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340013  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Generic SQL injection in cookie or UA 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 3 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceComments

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Generic SQL injection in cookie or UA

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340016  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Generic SQL injection protection 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 24 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceComments

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

This rule detects SQL content. It is tuned to ignore SQL in cases where it may be normal (an SQL application, for example). An example attack could be to dump user passwords from a database:

 union select from usernames


**Troubleshooting:**

**False Positives:**

Some applications use SQL in their arguments in ways that we may not have seen before, and therefore we have not tuned the rules to ignore this legitimate behavior. Some applications are vulnerable to SQL injection attacks and this may be an actual attack, and in some very bad cases an application may use raw SQL in an unprotected argument to function properly. Therefore a false positive can occur, and we recommend that you not disable this rule.

Instead, we recommend that you report this to us as a false positive. Our security team can determine if this is a legitimate case for you, or if it's a clever attack on your system, and we will put out an update to the rules to make sure your application can function and that you are not opening your system to further attack. Instructions to report false positives are detailed on the Reporting False Positives wiki page.

If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing SQL in that argument for that application.




If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

[WAF_340017](https://docs.atomicorp.com/rules/waf/WAF_340017)


**Outside References:**

None.

# WAF Rule ID 340017  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Generic SQL injection protection in ARGS 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 48 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceComments

**Log Types:** 

**Description:**

This rule detects SQL content. It is tuned to ignore SQL in cases where it may be normal (an SQL application, for example). An example attack could be to dump user passwords from a database:

 union select from usernames


**Troubleshooting:**

**False Positives:**

Some applications use SQL in their arguments in ways that we may not have seen before, and therefore we have not tuned the rules to ignore this legitimate behavior. Some applications are vulnerable to SQL injection attacks and this may be an actual attack, and in some very bad cases an application may use raw SQL in an unprotected argument to function properly. Therefore a false positive can occur, and we recommend that you not disable this rule.

Instead, we recommend that you report this to us as a false positive. Our security team can determine if this is a legitimate case for you, or if it's a clever attack on your system, and we will put out an update to the rules to make sure your application can function and that you are not opening your system to further attack. Instructions to report false positives are detailed on the Reporting False Positives wiki page.

If you wish to tune this rule yourself, please see the Tuning the Atomicorp WAF Rules page for basic information.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing SQL in that argument for that application.




If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

[WAF_340016](https://docs.atomicorp.com/rules/waf/WAF_340016)


**Outside References:**

None.

# WAF Rule ID 340144  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Generic SQL injection protection 2 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 34 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceComments

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Generic SQL injection protection 2

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340145  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Possible SQL injection probe 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 40 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceComments

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Possible SQL injection probe

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390572  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Possible SQL injection probe 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 20 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Possible SQL injection probe

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340146  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Generic SQL metacharacter URI injection protection 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 8 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceComments

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Generic SQL metacharacter URI injection protection

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 381025  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE SQL injection with payload - base64 encoded 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 3 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- base64Decode

- compressWhitespace

- lowercase

- replaceComments

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE SQL injection with payload - base64 encoded

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 381026  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE SQL injection with PHP/PERL payload - hex encoded 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 2 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- hexDecode

- lowercase

- replaceComments

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE SQL injection with PHP/PERL payload - hex encoded

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340159  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Generic SQL inline command protection (MM) 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 35 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- base64Decode

- compressWhitespace

- hexDecode

- lowercase

- replaceComments

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

This rule detects SQL content. It is tuned to ignore SQL in cases where it may be normal (an SQL application, for example). An example attack could be to dump user passwords from a database:

 union select from usernames


**Troubleshooting:**

**False Positives:**

Some applications use SQL in their arguments in ways that we may not have seen before, and therefore we have not tuned the rules to ignore this legitimate behavior. Some applications are vulnerable to SQL injection attacks and this may be an actual attack, and in some very bad cases an application may use raw SQL in an unprotected argument to function properly. Therefore a false positive can occur, and we recommend that you not disable this rule.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing SQL in that argument for that application.




If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

[WAF_340016](https://docs.atomicorp.com/rules/waf/WAF_340016)


**Outside References:**

None.

# WAF Rule ID 340164  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE SQL Injection Attack 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 10 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceComments

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE SQL Injection Attack

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340157  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Generic SQL inline command protection 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 35 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- replaceComments

- urlDecodeUni

**Log Types:** 

**Description:**

This rule detects when SQL code is sent from the client to the server via either an untrusted argument or application. This is likely an attack against the system.




**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340014  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE CMD injection 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 10 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

 This rule detects when a client attempts to access a command line tool on the server via the web server. This means the client either tried to access or find the tool on the system. This can indicate that an attacker is attempting to run commands on the server.



**Troubleshooting:**

**False Positives:**

If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if it's a clever attack on your system. Do not disable this rule.



Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340018  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Generic command line attack filter 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 10 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Generic command line attack filter

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340029  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Possible command in REQUEST_URI or Argument 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 14 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

 This rule detects when a Linux command is used in a URL or an argument. It specifically looks for these types of commands:

- process management tools (kill, nice, etc.)

- file management tools (cp, chown, rm, etc.)

- shells (bash, tcsh, etc.)

- compilers (gcc, c++, etc.)

- web downloading tools (wget, curl, etc.)

- interpreters (perl, php, etc.)

- other downloading tools (scp, ftp, etc.)

Some attack tools are known to blindly look for software tools and see if they can use them. Therefore, the fact that this rule is triggered does not mean that the software tool is installed on the system.

If your system is being targeted with these kinds of attacks, we do not recommend you disable this rule. This rule may be telling you that someone is attacking your system, and therefore you should block this source.



**Troubleshooting:**

**False Positives:**

A false positive could occur if an application either safely allows the use of these tools, or if the data is used in a non-command context such as in a document. The rule contains a large number of known safe applications that may either use these tools securely, or may allow this data in non-command mode. If you have confirmed that your application is safely using these commands, or this data in a non-command format, please let us know what the application is and how you confirmed this, so we can duplicate it in our test environment, and report the issue as a false positive.



Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

If you want to disable this rule, please see the Tuning the Atomicorp WAF Rules page for basic information.



# WAF Rule ID 340162  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Remote File Injection attempt in ARGS (AE) 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 276 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

This rule detects possible Remote File Injection attempts. These types of attacks work by tricking an application into downloading software into itself, which allows the attacker to download any software they want onto the victim's system, thereby compromising it.

This rule works by detecting the use of a URL as an argument.


**Troubleshooting:**

**False Positives:**

A false positive can occur when an application legitimately sets an argument to a URL, and does this using a previously unknown argument or method to store this URL. The rules contain a large library of known web applications and safe methods for using URLs, and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL. Please see the Tuning the Atomicorp WAF Rules page for basic information.




If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

[WAF_340165](https://docs.atomicorp.com/rules/waf/WAF_340165)


**Outside References:**

If you want to disable this rule, please see the Tuning the Atomicorp WAF Rules page for basic information.



# WAF Rule ID 340165  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Uniencoded possible Remote File Injection attempt in URI (AE) 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 277 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

This rule detects Remote File Injection attempts. These types of attacks work by tricking an application into downloading software into itself, which allows the attacker to download any software they want onto the victim's system, thereby compromising it.

This rule works by detecting the use of a URL as an argument in the URL, for example:

GET /foo.php?foo=http://www.example.com

It will also try to determine whether this is a local request; if it is, the request will be allowed.
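
The check described above, sketched as an added example (not Atomicorp's rule logic and not code from this page): it applies simplified versions of the four transforms listed for this rule, flags any query argument whose value starts with a URL, and allows it when the URL's host matches the request's own Host header. The function names, the scheme list, the transform order, the extra decode at argument parsing, and the `shop.test` / `files.test` hosts are assumptions of this example.

```python
import re

# Simplified stand-ins for the transforms listed for this rule.
_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")   # %uXXXX (the "Uni" in urlDecodeUni)
_PCT = re.compile(r"%([0-9a-fA-F]{2})")      # ordinary %XX

# Assumption: a value counts as a URL if it starts with one of these schemes.
_URL = re.compile(r"^\s*(?:https?|ftps?)://([^/\s:?#]+)")


def url_decode_uni(s):
    """Decode %uXXXX and %XX escapes in one pass each."""
    s = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), s)
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)


def normalize(value):
    """urlDecodeUni, replaceNulls, compressWhitespace, lowercase (assumed order)."""
    v = url_decode_uni(value)
    v = v.replace("\x00", " ")        # replaceNulls
    v = re.sub(r"\s+", " ", v)        # compressWhitespace
    return v.lower()                  # lowercase


def find_remote_url_args(request_uri, host_header):
    """Return (name, normalized_value) for each query argument that carries a
    URL pointing at a host other than the one the request was sent to."""
    local_host = host_header.split(":")[0].lower()
    query = request_uri.partition("?")[2]
    hits = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        # Decode once as an argument parser would, then run the transforms,
        # so a doubly encoded URL is still seen in the clear.
        value = normalize(url_decode_uni(raw.replace("+", " ")))
        m = _URL.match(value)
        if m and m.group(1) != local_host:
            hits.append((name, value))
    return hits


if __name__ == "__main__":
    # Constructed sample requests: (request URI, Host header).
    samples = [
        ("/foo.php?foo=http://www.example.com", "shop.test"),
        ("/foo.php?foo=http://shop.test/logo.png", "shop.test:8080"),
        ("/foo.php?foo=HTTP%253A%252F%252Ffiles.test%252Fa.txt", "shop.test"),
        ("/foo.php?page=2&q=hello+world", "shop.test"),
    ]
    for uri, host in samples:
        print(uri, "->", find_remote_url_args(uri, host))
```
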


**Troubleshooting:**

**False Positives:**

A false positive can occur when an application legitimately sets an argument to a URL, and does this using a previously unknown argument or method to store this URL. The rules contain a large library of known web applications and safe methods for using URLs, and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you know that this behavior is acceptable for your application, you can tune it by identifying the argument that is being triggered, and specifically allowing that argument for that application to allow a URL. 


If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

[WAF_340162](https://docs.atomicorp.com/rules/waf/WAF_340162)


**Outside References:**

If you want to disable this rule, please see the Tuning the Atomicorp WAF Rules page for basic information.



# WAF Rule ID 340855  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Include Remote File Injection attempt in argument 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 9 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceComments

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Include Remote File Injection attempt in argument

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340031  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Remote file inclusion 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 4 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- lowercase

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Remote file inclusion

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the [Tuning the Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 380012  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE PDF XSS attack 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 5 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE PDF XSS attack

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340163  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Remote File Injection attempt in ARGS (MM) 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 276 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- base64Decode

- hexDecode

- lowercase

- urlDecodeUni

**Log Types:** 

**Description:**

This rule detects encoded Remote File Injection attempts. These attacks work by tricking an application into downloading software onto itself, which allows the attacker to download any software they want onto the victim's system, thereby compromising it.

This rule works by detecting the use of a URL as an argument, and it tries to detect encoding methods that may be used to hide this.


**Troubleshooting:**

**False Positives:**

A false positive can occur when an application legitimately sets an argument to a URL, and does this using a previously unknown argument or method to store this URL. The rules contain a large library of known web applications and safe methods for using URLs, and can detect known safe methods and ignore them. However it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule. Some applications may also legitimately use encoding methods.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

[WAF_340165](https://docs.atomicorp.com/rules/waf/WAF_340165)


**Outside References:**

None.

# WAF Rule ID 340039  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE PHP command injection attempt 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- lowercase

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE PHP command injection attempt

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340021  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE PHP Injection Attack 1 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 5 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- normalisePath

- replaceNulls

**Log Types:** 

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340035  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Bogus file extensions 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 5 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- urlDecodeUni

**Log Types:** 

**Description:**

This rule detects "bogus" file extensions, that is, file extensions that should not be valid, for example a file named "shell.php.wmv". Attackers use this method to try to bypass upload managers that enforce valid file types by inspecting file extensions and denying certain types of files.




**Troubleshooting:**

**False Positives:**

A false positive can occur when a file or application is legitimately named in this non-standard fashion. We recommend that you follow a standard naming convention, as most upload managers will also follow these conventions and allowing non-standard files may allow an attacker to bypass the file type checks in some web applications.

The rules also contain a large library of known web applications and safe methods that use non-standard naming conventions, and can detect known safe methods and ignore them. However, it is possible for a new or custom application to do this in an unknown manner and incorrectly trigger this rule.

It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine whether this is a legitimate case or a clever attack on your system.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340195  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Possible Base64 Encoded PHP function in Argument - this may be an attack. 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- base64Decode

- compressWhitespace

- lowercase

- replaceNulls

**Log Types:** 

**Description:**

 This rule detects when base64 encoded PHP code is found in an untrusted argument in a POST request from a client. This means that the client is sending base64 encoded PHP code to your server. If this is not a trusted user using a trusted web application, this is an attack on your system.


**Troubleshooting:**

**False Positives:**

If you believe this is a false positive, please report this to our security team to determine whether this is a legitimate case or a clever attack on your system. Do not disable this rule.




Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340095  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Possible PHP function in Argument - this may be an attack. 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 40 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Possible PHP function in Argument - this may be an attack.

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340077  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE PHP policy violation 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 5 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- lowercase

- removeWhitespace

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE PHP policy violation

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340128  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Remote PHP command execution 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 21 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- lowercase

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Remote PHP command execution

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 390715  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE  PHP Injection Attack 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 14 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

**Log Types:** 

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE  PHP Injection Attack

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 380018  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Potentially malicious PHP code injection attempt 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 22 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- replaceComments

- replaceNulls

- urlDecodeUni

**Log Types:** 

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Potentially malicious PHP code injection attempt

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 380019  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Potentially malicious PHP code injection attempt - base64 encoded 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 7 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- base64Decode

- compressWhitespace

- lowercase

- replaceComments

- replaceNulls

**Log Types:** 

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Potentially malicious PHP code injection attempt - base64 encoded

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 380020  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Potentially malicious PHP code injection attempt - hex encoded 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 10 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- hexDecode

- lowercase

- replaceComments

- urlDecodeUni

**Log Types:** 

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Potentially malicious PHP code injection attempt - hex encoded

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340102  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE cross site scripting attempt 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- lowercase

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE cross site scripting attempt

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340003  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE XSS attack in request headers 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 8 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

 Cross Site Scripting attack detected in the request headers.



**Troubleshooting:**

**False Positives:**

There are no known False Positives for this.

If you believe this is a false positive, it is recommended that you report this to our security team so they can determine whether this is a legitimate case or a clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

[WAF_340020](https://docs.atomicorp.com/rules/waf/WAF_340020)


**Outside References:**

http://en.wikipedia.org/wiki/Cross-site_scripting

http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29


# WAF Rule ID 340211  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE cross site scripting stealth attempt to access shell 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- htmlEntityDecode

- lowercase

- normalisePath

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE cross site scripting stealth attempt to access shell

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340210  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE cross site scripting stealth attempt to access shell 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- htmlEntityDecode

- lowercase

- normalisePath

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE cross site scripting stealth attempt to access shell

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340113  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE cross site scripting stealth attempt to inject javascript  

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 28 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- htmlEntityDecode

- lowercase

- normalisePath

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE cross site scripting stealth attempt to inject javascript 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340020  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE XSS in referrer and UA headers 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 30 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- replaceComments

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340147  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Potential Cross Site Scripting Attack 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 132 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- replaceComments

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

This rule detects when a potential cross site scripting attack may have occurred. For example, if JavaScript is included in a variable that appears to not be used for this purpose, or if web code is included in a portion of a request that is not known to be used for this purpose.


**Troubleshooting:**

**False Positives:**

This rule may produce a false positive if an application is used in a previously unknown or untested manner. The rules contain a large library of known trusted methods; however, it is possible an application may be using a previously untested method. It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine whether this is a legitimate case or a clever attack on your system.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

[WAF_340149](https://docs.atomicorp.com/rules/waf/WAF_340149)


**Outside References:**

None.

# WAF Rule ID 340149  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Potential Cross Site Scripting Attack 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 146 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- replaceComments

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

This rule detects when a potential cross site scripting attack may have occurred. For example, if JavaScript is included in a variable that appears to not be used for this purpose, or if web code is included in a portion of a request that is not known to be used for this purpose. This rule looks for encoded methods.




**Troubleshooting:**

**False Positives:**

This rule may produce a false positive if an application is used in a previously unknown or untested manner. The rules contain a large library of known trusted methods; however, it is possible an application may be using a previously untested method. It is not recommended that you disable this rule if you have a false positive.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security) page.

**Additional Information:**

**Similar rules:**

[WAF_340147](https://docs.atomicorp.com/rules/waf/WAF_340147)


**Outside References:**

None.

# WAF Rule ID 350147  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Potentially Untrusted Web Content Detected 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 114 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- replaceComments

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

This rule detects when potentially untrusted web content is used in a client request. For example, if JavaScript is included in a variable that appears to not be used for this purpose, or if web code is included in a portion of a request that is not known to be used for this purpose.




**Troubleshooting:**

**False Positives:**

This rule may produce a false positive if an application is used in a previously unknown or untested manner. The rules contain a large library of known trusted methods; however, it is possible an application may be using a previously untested method. It is not recommended that you disable this rule if you have a false positive.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

[WAF_350148](https://docs.atomicorp.com/rules/waf/WAF_350148)


**Outside References:**

None.

# WAF Rule ID 340158  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE XSS in referrer 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 14 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- replaceComments

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE XSS in referrer

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340152  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Cross Site Scripting Attack (IE variant) 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 23 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 340148  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Potential Cross Site Scripting Attack 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 144 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- replaceComments

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

This rule detects when a potential cross-site scripting attack may have occurred. Examples include JavaScript in a variable that does not appear to be used for this purpose, or web code in a portion of a request that is not known to be used for this purpose. This rule looks for encoded methods.




**Troubleshooting:**

**False Positives:**

This rule may produce a false positive if an application is used in a previously unknown or untested manner. The rules contain a large library of known trusted methods; however, it is possible that an application is using a previously untested method. It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report it to our security team to determine whether this is a legitimate case or a clever attack on your system.

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

[WAF_340149](https://docs.atomicorp.com/rules/waf/WAF_340149)


**Outside References:**

None.

# WAF Rule ID 350148  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Potentially Untrusted Web Content Detected  

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 123 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- replaceComments

- replaceNulls

- urlDecodeUni

**Log Types:** 

**Description:**

This rule detects when potentially untrusted web content is used in a client request. Examples include JavaScript in a variable that does not appear to be used for this purpose, or web code in a portion of a request that is not known to be used for this purpose. This rule looks for various encoded methods.




**Troubleshooting:**

**False Positives:**

This rule may produce a false positive if an application is used in a previously unknown or untested manner. The rules contain a large library of known trusted methods; however, it is possible that an application is using a previously untested method. It is not recommended that you disable this rule if you have a false positive.

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

[WAF_350147](https://docs.atomicorp.com/rules/waf/WAF_350147)


**Outside References:**

None.

# WAF Rule ID 380006  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE XSS Generic attack 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 10 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE XSS Generic attack

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 380007  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE SQL Inject Generic signature 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 5 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- lowercase

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE SQL Inject Generic signature

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 380016  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE SSI injection Attack 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 3 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE SSI injection Attack

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 380121  

***  

**Alert message:** Atomicorp.com WAF Rules: PARANOID MODE Perl echo shellcode injection 

**Rule Class:** Generic Attack Ruleset (15_asl_paranoid_rules.conf)

**Version:** 2 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** pass 

**Transforms:** 

- compressWhitespace

- hexDecode

- lowercase

- replaceComments

**Log Types:** 

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: PARANOID MODE Perl echo shellcode injection

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives). If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune the rule by following the guidance on tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security).

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

