# WAF Rule ID 333331  

***  

**Alert message:** Atomicorp.com WAF Rules: Acunetix Security Scanner Scanned the Site 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** '3' 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Acunetix Security Scanner Scanned the Site

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330001  

***  

**Alert message:** Atomicorp.com WAF Rules: Spam: Generic spam header detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Spam: Generic spam header detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 333301  

***  

**Alert message:** Atomicorp.com WAF Rules: Acunetix Security Scanner Scanned the Site 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** '3' 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Acunetix Security Scanner Scanned the Site

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 333330  

***  

**Alert message:** Atomicorp.com WAF Rules: Cryptoware blocked 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** '4' 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Cryptoware blocked

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 333341  

***  

**Alert message:** Atomicorp.com WAF Rules: Security Scanner Scanned the Site 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** '3' 

**Severity:** Emergency (HIDS: 14)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Security Scanner Scanned the Site

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330305  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Microsoft Internet Explorer Browser 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 3 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake Microsoft Internet Explorer Browser

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330363  

***  

**Alert message:** Atomicorp.com WAF Rules: Known malicious agent and fake baiduspider 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 3 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Known malicious agent and fake baiduspider

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 333332  

***  

**Alert message:** Atomicorp.com WAF Rules: Known malicious agent 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Known malicious agent

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 333333  

***  

**Alert message:** Atomicorp.com WAF Rules: WAF bypass detected using x-up-devcap-post-charset in combination with prefix \ 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: WAF bypass detected using x-up-devcap-post-charset in combination with prefix \

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 337741  

***  

**Alert message:** Atomicorp.com WAF Rules: AccessPress Themes backdoor blocked 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: AccessPress Themes backdoor blocked

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 337764  

***  

**Alert message:** Atomicorp.com WAF Rules: NMAP scanner blocked 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Error (HIDS: 8)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: NMAP scanner blocked

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 337749  

***  

**Alert message:** Atomicorp.com WAF Rules: Datanyze bot blocked 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Error (HIDS: 8)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Datanyze bot blocked

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 334749  

***  

**Alert message:** Atomicorp.com WAF Rules: Pcore-HTTP 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Pcore-HTTP

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 347749  

***  

**Alert message:** Atomicorp.com WAF Rules: Xs_Kontrol bot blocked 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Error (HIDS: 8)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Xs_Kontrol bot blocked

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 334729  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake SUPEE-5344 malware agent blocked 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake SUPEE-5344 malware agent blocked

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 334739  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake zoominfo search bot blocked 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake zoominfo search bot blocked

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 334719  

***  

**Alert message:** Atomicorp.com WAF Rules: Blackseo Agent blocked 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Blackseo Agent blocked

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 334709  

***  

**Alert message:** Atomicorp.com WAF Rules: Malicious user-agent header attack 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 3 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Malicious user-agent header attack

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 334009  

***  

**Alert message:** Atomicorp.com WAF Rules: Potentially Malicious Open Proxy Connection Attempt 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Potentially Malicious Open Proxy Connection Attempt

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 334309  

***  

**Alert message:** Atomicorp.com WAF Rules: CryptoPHP Malicious UserAgent Blocked 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: CryptoPHP Malicious UserAgent Blocked

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 334003  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Netscape Browser 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake Netscape Browser

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 334703  

***  

**Alert message:** Atomicorp.com WAF Rules: WinHttp.WinHttpRequest.5 known worm sign detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 4 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: WinHttp.WinHttpRequest.5 known worm sign detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330003  

***  

**Alert message:** Atomicorp.com WAF Rules: XSS in User Agent field 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: XSS in User Agent field

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330004  

***  

**Alert message:** Atomicorp.com WAF Rules: PHP code injection via User Agent 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 3 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: PHP code injection via User Agent

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330005  

***  

**Alert message:** Atomicorp.com WAF Rules: PHP code injection via User Agent 2 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- htmlEntityDecode

- lowercase

- urlDecodeUni

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: PHP code injection via User Agent 2

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330215  

***  

**Alert message:** Atomicorp.com WAF Rules: Sosospider - Known abusive bot 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330205  

***  

**Alert message:** Atomicorp.com WAF Rules: Joomla Exploit Bot 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 360205  

***  

**Alert message:** Atomicorp.com WAF Rules: ICS Bot 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: ICS Bot

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 360215  

***  

**Alert message:** Atomicorp.com WAF Rules: Free Download Manager 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330206  

***  

**Alert message:** Atomicorp.com WAF Rules: Joomla Exploit Bot 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Joomla Exploit Bot

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330010  

***  

**Alert message:** Atomicorp.com WAF Rules: Bad User Agent: DataCha0s 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Bad User Agent: DataCha0s

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330011  

***  

**Alert message:** Atomicorp.com WAF Rules: Bad User Agent: Known Exploit Tool Detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 8 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Bad User Agent: Known Exploit Tool Detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330015  

***  

**Alert message:** Atomicorp.com WAF Rules: Bad User Agent: Exploit tool 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Bad User Agent: Exploit tool

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330016  

***  

**Alert message:** Atomicorp.com WAF Rules: Bad User Agent: Wordpress hash grabber 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Bad User Agent: Wordpress hash grabber

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330019  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious Web Client Detected (Disable this rule if you wish to allow these clients) 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 3 

**Severity:** Error (HIDS: 8)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule detects clients or libraries that are known to sometimes used by malicious parties to carry out unauthorized, or potentially malicious purposes. These clients are not necessary conducting malicious or unauthorized behavior, but they are know to be used by malicious parties as spamming tools, worms, web site "scrapers", attack tools and others. Some users prefer to block these clients to prevent malicious activity or excessive use of bandwidth from these clients.

If you wish to allow these clients, just disable this rule.


**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330031  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Browser User agent detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 4 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake Browser User agent detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330033  

***  

**Alert message:** Atomicorp.com WAF Rules: Malicious bot attack blocked 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Malicious bot attack blocked

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330034  

***  

**Alert message:** Atomicorp.com WAF Rules: Unauthorized Vulnerability Scanner detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 14 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule is triggered when known vulnerability scanners and attack tools attempt to connect to the server. The following tools are detected:

- nsauditor
- n-stealth
- nessus
- network-services-auditor
- nikto
- nmap
- black window
- brutus
- bilbo
- webinspect
- webroot
- pmafind
- paros
- pavuk
- cgichk
- jasscois
- NASL scripts
- metis
- webtrends security analyzer
- w3af
- zemu attack tool
- springenwerk
- arachni
- acunetix
- havij attack tool


**Troubleshooting:**

**False Positives:**

There are no known false positives with this rule, however if you find that this rule is triggered for a client that is not using a vulnerability scanner or attack tool.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

If you wish to allow connections from vulnerability scanners or attack tools we recommend you whitelist the source IPs as opposed to disabling this rule. 


If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330035  

***  

**Alert message:** Atomicorp.com WAF Rules: Unauthorized Vulnerability Scanner detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Unauthorized Vulnerability Scanner detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330037  

***  

**Alert message:** Atomicorp.com WAF Rules: WhatWeb web scanner detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: WhatWeb web scanner detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330036  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious User agent detected.  Disable this rule if you use indy library. 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rule detects if the user agent "indy library" is used. This client is known to be used for some malicious activity, either in the creation of bots or the User Agent field is forged. Most commonly it is used with spammers, and less commonly its used by worms. If you use this user agent, then disable this rule.




**Troubleshooting:**

**False Positives:**

There are no known false positives with this rule. The rule looks at the User-Agent header and if the application identified itself as "indy library" it will trigger.

If you have examined the headers and have identified a case where the agent is not reporting that that is "indy library", please report this as a false positive. Otherwise, if you use this user agent, disable this rule for your system.


Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330038  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious Unusual User Agent (SAFEXPLORER) 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Suspicious Unusual User Agent (SAFEXPLORER)

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330039  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious Unusual User Agent (libwww-perl).  Disable this rule if you use libwww-perl.  

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 4 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 332039  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious Unusual User Agent (python-requests).  Disable this rule if you use python-requests/.  

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 4 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 332139  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious Unusual User Agent (libcurl).  Disable this rule if you use libcurl.  

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 4 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 332150  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious User Agent (typhoeus).  Disable this rule if you use typhoeus.  

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Suspicious User Agent (typhoeus).  Disable this rule if you use typhoeus. 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 331039  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious Unusual User Agent (Python-urllib).  Disable this rule if you use Python-urllib.  

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Suspicious Unusual User Agent (Python-urllib).  Disable this rule if you use Python-urllib. 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330040  

***  

**Alert message:** Atomicorp.com WAF Rules: Impolite bot - TwengaBot detected.  Disable this rule if you want to allow TwengaBot.  

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330140  

***  

**Alert message:** Atomicorp.com WAF Rules: Impolite bot - JS-Kit URL Resolver detected.  Disable this rule if you want to allow JS-Kit URL Resolver.  

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Impolite bot - JS-Kit URL Resolver detected.  Disable this rule if you want to allow JS-Kit URL Resolver. 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330041  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious User agent detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Suspicious User agent detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330045  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious Unusual User Agent (pycurl).  Disable this rule if you use pycurl.  

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 3 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330056  

***  

**Alert message:** Atomicorp.com WAF Rules: Email Harvester Spambot User agent detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 10 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330057  

***  

**Alert message:** Atomicorp.com WAF Rules: DRM Spider User agent detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: DRM Spider User agent detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330060  

***  

**Alert message:** Atomicorp.com WAF Rules: Marketing Spider User agent detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Marketing Spider User agent detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330061  

***  

**Alert message:** Atomicorp.com WAF Rules: Spambot User agent detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Spambot User agent detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330269  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious User Agent (POE-Component-Client) 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Suspicious User Agent (POE-Component-Client)

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330070  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious unusual User Agent 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 3 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Suspicious unusual User Agent

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330079  

***  

**Alert message:** Atomicorp.com WAF Rules: Comment Spammer User Agent 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Comment Spammer User Agent

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330080  

***  

**Alert message:** Atomicorp.com WAF Rules: Comment Spammer User Agent (Fake Gamboy UA) 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Comment Spammer User Agent (Fake Gamboy UA)

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330081  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Amiga Web Agent 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake Amiga Web Agent

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330083  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake GoogleBot 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330082  

***  

**Alert message:** Atomicorp.com WAF Rules: Known Exploit User Agent 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 4 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330090  

***  

**Alert message:** Atomicorp.com WAF Rules: Comment Spammer User Agent (Fake Windows Update Agent) 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 3 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Comment Spammer User Agent (Fake Windows Update Agent)

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330095  

***  

**Alert message:** Atomicorp.com WAF Rules: Vadixbot User Agent String 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Vadixbot User Agent String

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330096  

***  

**Alert message:** Atomicorp.com WAF Rules: Concealed Defense User Agent String 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Concealed Defense User Agent String

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330097  

***  

**Alert message:** Atomicorp.com WAF Rules: core-project/1.0 User Agent String 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: core-project/1.0 User Agent String

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330094  

***  

**Alert message:** Atomicorp.com WAF Rules: Compromised User-Agent Agent Attack blocked 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 5 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330099  

***  

**Alert message:** Atomicorp.com WAF Rules: backdoor User Agent String 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: backdoor User Agent String

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330100  

***  

**Alert message:** Atomicorp.com WAF Rules: script injection User Agent String 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: script injection User Agent String

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330101  

***  

**Alert message:** Atomicorp.com WAF Rules: script injection User Agent String 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: script injection User Agent String

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330102  

***  

**Alert message:** Atomicorp.com WAF Rules: Stress Test User Agent String 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Stress Test User Agent String

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330103  

***  

**Alert message:** Atomicorp.com WAF Rules: VoidEYE User Agent String 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: VoidEYE User Agent String

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330105  

***  

**Alert message:** Atomicorp.com WAF Rules: Broken Bot Generic User Agent String Detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330110  

***  

**Alert message:** Atomicorp.com WAF Rules: Scanbot User Agent String Detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Scanbot User Agent String Detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330115  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Google Searchengine User Agent String Detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330116  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake Sogou Searchengine User Agent String Detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake Sogou Searchengine User Agent String Detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330122  

***  

**Alert message:** Atomicorp.com WAF Rules: Attack Script User Agent String Detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 4 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330124  

***  

**Alert message:** Atomicorp.com WAF Rules: Email Harvester Spambot User Agent String Detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Email Harvester Spambot User Agent String Detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330125  

***  

**Alert message:** Atomicorp.com WAF Rules: Scanbot User Agent String Detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 3 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Scanbot User Agent String Detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330132  

***  

**Alert message:** Atomicorp.com WAF Rules: Attacker User Agent String Detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Attacker User Agent String Detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330136  

***  

**Alert message:** Atomicorp.com WAF Rules: Badbot User Agent String Detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Badbot User Agent String Detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330014  

***  

**Alert message:** Atomicorp.com WAF Rules: Exploit User Agent Detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 3 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Exploit User Agent Detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 333514  

***  

**Alert message:** Atomicorp.com WAF Rules: Bad Bot www.80legs.com 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 4 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Bad Bot www.80legs.com

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 333515  

***  

**Alert message:** Atomicorp.com WAF Rules: MJ12 Distributed bot detected (Disable this rule if you want to allow this bot) 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 4 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Options:** No active Response

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: MJ12 Distributed bot detected (Disable this rule if you want to allow this bot)

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 309925  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious User-Agent, parenthesis closed with a semicolon %{REQUEST_HEADERS.User-Agent} 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 10 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 This rules detects suspicious user agent strings. Specifically, it will detect if a user-agent strings ends with ";)". This is not a pattern used by any browser (Safari, IE, Mozilla, Opera, etc.) or web library. Known browsers and web libraries, when they use the ";" character will use it outside the parentheses, for example using the pattern ");".

The suspicious pattern is typically used by attackers and spammers when they make an error attempting to impersonate a legitimate user-agent. The WAF will detect these clients and will block them by default.

Examples:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)


**Troubleshooting:**

**False Positives:**

A false positive can occur if a web application ends the user-agent header with ";)". We highly recommend you confirm this is legitimate behavior before disabling this rule. There are no known applications that do this, but plenty of malicious applications that do.




Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 357989  

***  

**Alert message:** Atomicorp.com WAF Rules: Joomla DOS bot blocked 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Joomla DOS bot blocked

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 397989  

***  

**Alert message:** Atomicorp.com WAF Rules: MSIE 6.0 detected (Disable if you want to allow MSIE 6) 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 354321  

***  

**Alert message:** Atomicorp.com WAF Rules: MSIE 7.0 detected (Disable if you want to allow MSIE 7) 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: MSIE 7.0 detected (Disable if you want to allow MSIE 7)

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 397999  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake MSIE 6.0 detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 3 

**Severity:** Warning (HIDS: 7)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake MSIE 6.0 detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 397970  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake MSIE 5.01 detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Error (HIDS: 8)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake MSIE 5.01 detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 397990  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake MSIE 5.5 detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Error (HIDS: 8)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Fake MSIE 5.5 detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330131  

***  

**Alert message:** Atomicorp.com WAF Rules: Malicious Bot Blocked (Fake Mozilla User Agent String Detected) 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 3 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 336656  

***  

**Alert message:** Atomicorp.com WAF Rules: Fake MSIE 9./0 browser %{REQUEST_HEADERS.User-Agent}. 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

**Description:**

 Atomicorp.com WAF Rules: Fake MSIE 9./0 browser %{REQUEST_HEADERS.User-Agent}.

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330130  

***  

**Alert message:** Atomicorp.com WAF Rules: Broken Bot User Agent String Detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Broken Bot User Agent String Detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330076  

***  

**Alert message:** Atomicorp.com WAF Rules: Possible Fake User Agent (Spammer converting spaces to plus signs) 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 4 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Possible Fake User Agent (Spammer converting spaces to plus signs)

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330042  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious User agent detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Suspicious User agent detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 336658  

***  

**Alert message:** Atomicorp.com WAF Rules: Known DOS Attack Tool 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 1 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 1 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Known DOS Attack Tool

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

# WAF Rule ID 330043  

***  

**Alert message:** Atomicorp.com WAF Rules: Suspicious User agent detected 

**Rule Class:** Generic Attack Ruleset (20_asl_useragents.conf)

**Version:** 2 

**Severity:** Critical (HIDS: 9)

**HTTP Protocol Phase:** 2 

**HTTP Status:** 403 

**Action:** deny 

**Transforms:** 

- compressWhitespace

- lowercase

**Log Types:** 

- Basic Information (log)

- Capture full session (auditlog)

**Description:**

 Atomicorp.com WAF Rules: Suspicious User agent detected

**Troubleshooting:**

**False Positives:**

Instructions to report false positives are detailed at [Reporting False Positives](https://wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives)  If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

**Configuration Notes:** 

- enabled by: MODSEC_10_RULES 

- Requires Engine version: 2.9.0 or above

**Tuning guidance Notes:** 

None.

If you know that this behavior is acceptable for your application, you can tune by following the guidance on the Tuning the [Atomicorp WAF Rules](https://wiki.atomicorp.com/wiki/index.php/Mod_security)

**Additional Information:**

**Similar rules:**

None.

**Outside References:**

None.

