Skip to main content

WAF detection type

Summary

The following information provides you with details about the various waf tags:

  • Name: the name of the signal that you can use to verbally reference or describe it.
  • Tags: the name of the signal that is applied to matched requests and that can be used to search within the Kuroco Edge log.
  • Description: an outline of what the signal means or what it indicates.

Detection type list

Attacks

NameTagsDescription
Attack ToolingUSERAGENTAttack Tooling is the use of automated software to identify security vulnerabilities or to attempt to exploit a discovered vulnerability
AWS SSRFAWS-SSRFServer Side Request Forgery (SSRF) is a request which attempts to send requests made by the web application to target internal systems. AWS SSRF attacks use SSRF to obtain Amazon Web Services (AWS) keys and gain access to S3 buckets and their data.
BackdoorBACKDOORA backdoor signal is a request which attempts to determine if a common backdoor file is present on the system
Command ExecutionCMDEXECommand Execution is the attempt to gain control or damage a target system through arbitrary system commands by means of user input
Cross Site ScriptingXSSCross-Site Scripting is the attempt to hijack a user’s account or web-browsing session through malicious JavaScript code
Directory TraversalTRAVERSALDirectory Traversal is the attempt to navigate privileged folders throughout a system in hopes of obtaining sensitive information
Log4J JNDILOG4J-JNDILog4J JNDI attacks attempt to exploit the_Log4Shell vulnerability_present in Log4J versions earlier than 2.16.0
SQL InjectionSQLISQL Injection is the attempt to gain access to an application or obtain privileged information by executing arbitrary database queries

Anomalies

NameTagsDescription
AnomaliesLong nameShort nameDescription
Abnormal PathABNORMALPATHAbnormal Path indicates the original path differs from the normalized path (e.g.,/foo/./bar_is normalized to/foo/bar)
Bad Hop HeadersBHHBad Hop Headers indicate an HTTP smuggling attempt through either a malformed Transfer-Encoding (TE) or Content-Length (CL) header, or a well-formed TE and CL header
Blocked RequestsBLOCKEDRequests blocked by Signal Sciences
Code Injection PHPCODEINJECTIONCode Injection is the attempt to gain control or damage a target system through arbitrary application code commands by means of user input. Note, this signal only covers PHP code and is currently in an experimental phase. Contact_support_if you encounter any issues with this signal.
Compression DetectedCOMPRESSEDThe POST request body is compressed and cannot be inspected. For example, if a “Content-Encoding: gzip” request header is specified and the POST body is not plain text.
Datacenter TrafficDATACENTERDatacenter Traffic is non-organic traffic originating from identified hosting providers. This type of traffic is not commonly associated with a real end user.
Double EncodingDOUBLEENCODINGDouble Encoding checks for the evasion technique of double encoding html characters
Duplicate Header NamesDUPLICATE-HEADERSA request that has duplicate header field names. This may represent a programming error or an automated or malicious request. Current detected headers are:_Authorization,_Content-Length,_Content-Type,_Host, and_Transfer-Encoding.
Forceful BrowsingFORCEFULBROWSINGForceful Browsing is the failed attempt to access admin pages
GraphQL APIGRAPHQL-APIIndicates a GraphQL API request.
GraphQL Duplicate VariablesGRAPHQL-DUPLICATE-VARIABLESIndicates a GraphQL request that contains duplicated variables.
GraphQL IDEGRAPHQL-IDEIndicates a request originating from a GraphQL Interactive Development Environment (IDE).
GraphQL IntrospectionGRAPHQL-INTROSPECTIONIndicates an attempt to obtain the schema of a GraphQL API. The schema can be used to identify which resources are available, informing subsequent attacks.
GraphQL Max DepthGRAPHQL-DEPTHIndicates a request has reached or exceeded the maximum depth allowed on the server for GraphQL API queries
GraphQL Missing Required Operation NameGRAPHQL-MISSING-REQUIRED-OPERATION-NAMEIndicates a request has multiple GraphQL operations but does not define which operation to execute.
GraphQL SyntaxGRAPHQL-SYNTAXIndicates a request that contains invalid GraphQL syntax. This may be related to a programming error or a malicious request.
GraphQL Undefined VariableGRAPHQL-UNDEFINED-VARIABLESIndicates a request made to a GraphQL API containing more variables than expected by a function. This can be used to obfuscate malicious requests.
HTTP 403 ErrorsHTTP403Forbidden. This is commonly seen when the request for a url has been protected by the server’s configuration.
HTTP 404 ErrorsHTTP404Not Found. This is commonly seen when the request for a page or asset does not exist or cannot be found by the server.
HTTP 429 ErrorsHTTP429Too Many Requests. This is commonly seen when rate-limiting is used to slow down the number of active connections to a server.
HTTP 4XX ErrorsHTTP4XX4xx Status Codes commonly refer to client request errors
HTTP 500 ErrorsHTTP500Internal Server Error. This is commonly seen when a request generates an unhandled application error.
HTTP 503 ErrorsHTTP503Service Unavailable. This is commonly seen when a web service is overloaded or sometimes taken down for maintenance.
HTTP 5XX ErrorsHTTP5XX5xx Status Codes commonly refer to server related issues
HTTP Response SplittingRESPONSESPLITIdentifies when CRLF characters are submitted as input to the application to inject headers into the HTTP response
Invalid EncodingNOTUTF8Invalid Encoding can cause the server to translate malicious characters from a request into a response, causing either a denial of service or XSS
JSON Encoding ErrorJSON-ERRORA POST, PUT, or PATCH request body that is specified as containing JSON within the “Content-Type” request header but contains JSON parsing errors. This is often related to a programming error or an automated or malicious request.
Malformed Data in the request bodyMALFORMED-DATAA POST, PUT or PATCH request body that is malformed according to the “Content-Type” request header. For example, if a “Content-Type: application/x-www-form-urlencoded” request header is specified and contains a POST body that is json. This is often a programming error, automated or malicious request. Requires agent 3.2 or higher.
Malicious IP TrafficSANSSignal Sciences regularly imports_SANS Internet Storm Center_list of IP addresses that have been reported to have engaged in malicious activity
Network EffectSIGSCI-IPWhenever an IP is flagged due to a malicious signal by our decision engine, that IP will be propagated to all customers. We then log subsequent requests from those IP addresses that contain any additional signal for the duration of the flag.
Missing “Content-Type” request headerNO-CONTENT-TYPEA POST, PUT or PATCH request that does not have a “Content-Type” request header. By default application servers should assume “Content-Type: text/plain; charset=us-ascii” in this case. Many automated and malicious requests may be missing “Content Type”.
No User AgentNOUAMany automated and malicious requests use fake or missing User-Agents to make it difficult to identify the type of device making the requests
Null ByteNULLBYTENull bytes do not normally appear in a request and indicate the request is malformed and potentially malicious
Private FilesPRIVATEFILEPrivate files are usually confidential in nature, such as an Apache .htaccess file, or a configuration file which could leak sensitive information
ScannerSCANNERIdentifies popular scanning services and tools
SearchBot ImpostorIMPOSTORSearch bot impostor is someone pretending to be a Google or Bing search bot, but who is not legitimate
Site Flagged IPSITE-FLAGGED-IPIndicates a request was received from an IP that was flagged for exceeding attack thresholds for a specific site.This signal is only included with the_Premier platform.
Tor TrafficTORNODETor is software that conceals a user’s identity. A spike in Tor traffic can indicate an attacker trying to mask their location.
Weak TLSWEAKTLSWeak TLS. A web server’s configuration allows SSL/TLS connections to be established with an obsolete cipher suite or protocol version. This signal is based on inspecting a small percent of requests. Also, some architectures and Signal Sciences’ language SDK modules do not support this signal.
XML Encoding ErrorXML-ERRORA POST, PUT, or PATCH request body that is specified as containing XML within the “Content-Type” request header but contains XML parsing errors. This is often related to a programming error or an automated or malicious request.

More Information


Support

If you have any other questions, please contact us or check out Our Slack Community.