Attacks Description - Action Policy
The following table describes the attack actions under each attack group:
- 1 Protocol Violations
- 2 Request Policy Violations
- 3 Response Violations
- 4 Header Violations
- 5 Application Profile Violations
- 6 URL Profile Violations
- 7 Parameter Profile Violations
- 8 Advanced Policy Violations
- 9 XML Firewall DoS Violations
- 10 XML Firewall WSI Assertions
- 11 XML Firewall SOAP Violations
- 12 JSON Policy Violations
- 13 JSON Profile Violations
- 14 Client Violations
- 15 GraphQL Violations
When Web Firewall Logs are exported to the configured log server, the attack IDs are prefixed with "29" in the exported logs. For example, if the attack ID for the "Parameter Name Length Exceeded" attack is 147, the ID in the exported logs is displayed as 29147.
Protocol Violations
Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
16 | Directory Traversal Beyond Root | DIRECTORY_TRAVERSAL_BEYOND_ROOT | Attempted access to files and commands beyond the document root directory/CGI root directory. | Alert | Forceful Browsing |
125 | Get Request with Content Length | GET_REQUEST_WITH_CONTENT_LENGTH | HTTP GET request with Content-Length request header was detected. | Alert | Protocol Violations |
126 | Missing Host Header | MISSING_HOST_HEADER | An HTTP/1.1 version request lacked the mandatory Host request header. | Alert | Protocol Violations |
121 | Invalid Header | INVALID_HEADER | An invalid HTTP request header name-value pair was detected. | Alert | Protocol Violations |
118 | Invalid Method | INVALID_METHOD | An invalid HTTP method was detected in the request. | Alert | Protocol Violations |
77 | Invalid or Malformed HTTP Request | INVALID_OR_MALFORMED_REQUEST | Normalizing a request URI or header components determined it was invalid or malformed. | Alert | Protocol Violations |
129 | Parameter Too Large | PARAM_TOO_LARGE | An HTTP POST method request had a URL-encoded parameter value exceeding 1024 KB. | Alert | Limits Violation |
123 | Malformed Content Length | MALFORMED_CONTENT_LEN | Content-Length request header contained non-numeric characters (e.g., metacharacters or alphabetic characters). | Alert | Protocol Violations |
124 | Malformed Cookie | MALFORMED_COOKIE | A cookie not conforming to the HTTP cookie specifications was detected. | Alert | Protocol Violations |
120 | Malformed Request Line | MALFORMED_REQUEST_LINE | An HTTP request end of line lacked the mandatory \r\n characters. | Alert | Protocol Violations |
122 | Malformed Header | MALFORMED_HEADER_LINE | A header name did not conform to the HTTP protocol specifications. | Alert | Protocol Violations |
128 | Malformed Parameter | MALFORMED_PARAM | Normalizing and parsing the name or value of a parameter in a query or POST body revealed the request contained a malformed parameter. | Alert | Protocol Violations |
119 | Malformed Version | MALFORMED_VERSION | An HTTP request sent with a protocol version number other than 0.9, 1.0 or 1.1 was detected. | Alert | Protocol Violations |
127 | Multiple Content Length | MULTIPLE_CONTENT_LENGTH | An HTTP request contained more than one Content-Length HTTP request header. | Alert | Protocol Violations |
25 | Post Without Content Length | POST_WITHOUT_CONTENT_LENGTH | A POST request lacked the mandatory Content-Length HTTP request header. | Alert | Protocol Violations |
60 | Pre-1.0 Request | PRE_1_0_REQUEST | An HTTP request lacked a protocol version number, indicating it was an HTTP/0.9 request. | Alert | Protocol Violations |
Request Policy Violations
Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
141 | Cookie Count Exceeded | COOKIE_COUNT_EXCEEDED | A request exceeded the maximum number of cookies specified in Max Number of Cookies on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
32 | Cookie Expired | COOKIE_EXPIRED | The Cookie Max Age set for a session cookie on the SECURITY POLICIES > Cookie Security page has been exceeded on the client browser. | Warning | Session Tamper Attacks |
41 | Cookie Length Exceeded | COOKIE_LENGTH_EXCEEDED | A cookie exceeded the maximum allowable length specified in Max Cookie Value Length on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
142 | Cookie Name Length Exceeded | COOKIE_NAME_LENGTH_EXCEEDED | A cookie name length exceeded the maximum allowable length specified in Max Cookie Name Length on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
31 | Cookie Tampered | COOKIE_TAMPERED | A request cookie secured with cookie signing or encryption had been tampered with. The cookie Tamper Proof Mode on the SECURITY POLICIES > Cookie Security page was Encrypted or Signed. | Warning | Session Tamper Attacks |
44 | Header Count Exceeded | HEADER_COUNT_EXCEEDED | The number of request headers exceeded the maximum allowed, specified in Max Number of Headers on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
143 | Header Name Length Exceeded | HEADER_NAME_LENGTH_EXCEEDED | The length of the request header name exceeded the maximum allowed, specified in Max Header Name Length on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
6 | Header Value Length Exceeded | HEADER_VALUE_LENGTH_EXCEEDED | The request header value length exceeded the maximum allowed, specified in Max Header Value Length on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
11 | Invalid URL Encoding | INVALID_URL_ENCODING | The characters encoded in the URL do not conform to the URL encoding scheme specified in Default Character Set on the SECURITY POLICIES > URL Normalization page. | Alert | Injection Attacks |
116 | Mismatched Header Cookie Replay Attack | COOKIE_REPLAY_MISMATCHED_HEADER | The embedded and signed cookie header value sent to the client does not match the incoming value in a subsequent client request. Cookie Replay Protection Type is set to "Custom Headers" or "IP and Custom Headers" on the SECURITY POLICIES > Cookie Security page to detect this attack. | Warning | Session Tamper Attacks |
117 | Mismatched IP Cookie Replay Attack | COOKIE_REPLAY_MISMATCHED_IP | The cookie IP address information does not match the source IP address of the incoming client request. Cookie Replay Protection Type is set to “IP” or “IP and Custom Headers” on the SECURITY POLICIES > Cookie Security page to detect this attack. | Warning | Session Tamper Attacks |
14 | Slash-dot in URL Path | SLASH_DOT_IN_URL | Requested URL contained a slash (/) followed by a dot (.). This is a potential hidden file disclosure attack. | Alert | Forceful Browsing |
15 | Tilde in URL Path | TILDE_IN_URL | Requested URL contained a tilde (~). This is a potential hidden file disclosure attack. | Alert | Forceful Browsing |
144 | Too Many Sessions for IP | TOO_MANY_SESSIONS_FOR_IP | The client attempted to exceed the New Session Count maximum set under Session Tracking on the WEBSITES > Advanced Security page. | Alert | DDOS Attacks |
0 | Request Length Exceeded | REQUEST_LENGTH_EXCEEDED | The request exceeded the total maximum allowable length (including the Request Line, and all HTTP request headers such as User Agent, Cookies, Referer, etc.) specified in Max Request Length on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
140 | Total Request Line Length Exceeded | REQUEST_LINE_LENGTH_EXCEEDED | The request line exceeded the maximum allowable length specified in Max Request Line Length on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
30 | Unrecognized Cookie | UNRECOGNIZED_COOKIE | The incoming request cookie was unrecognized. Allow Unrecognized Cookies is set to Never or Custom on the SECURITY POLICIES > Cookie Security page. Unrecognized cookies are cookies not encrypted by the Barracuda Web Application Firewall. | Warning | Session Tamper Attacks |
42 | URL Length Exceeded | URL_LENGTH_EXCEEDED | The URL in the request exceeded the maximum allowable URL length specified in Max URL Length on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
43 | Query Length Exceeded | QUERY_LENGTH_EXCEEDED | The length of the query string portion of the URL exceeded the maximum allowable length specified in Max Query Length on the SECURITY POLICIES > Request Limits page. | Alert | Limits Violation |
Response Violations
Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
300 | CAPTCHA Validation Required | DDOS_CAPTCHA_SEND_CAPTCHA | The Response Page from the SECURITY POLICIES > Action Policy page was sent to the client because the back-end server was not reached. | Information | Outbound Attacks |
62 | Custom Error Response Page | CUSTOM_ERR_RESPONSE_PAGE | The custom error Response Page from the SECURITY POLICIES > Action Policy page was sent to the client because the back-end server was not reached. | Alert | Other Attacks |
17 | Error Response Suppressed | ERROR_RESPONSE_SUPPRESSED | The response from the back-end server contained a 4xx or 5xx response code and was blocked. The Suppress Return Code is set to Yes on the SECURITY POLICIES > Cloaking page. | Notice | Outbound Attacks |
63 | Identity Theft Pattern Matched | IDENTITY_THEFT_PATTERN_MATCHED | The response body (contents) from the back-end server matched an identity theft pattern on the ADVANCED > Libraries page. | Error | Outbound Attacks |
61 | Response Header Suppressed | RESPONSE_HEADER_SUPPRESSED | A response header was suppressed because it matched Headers to Filter on the SECURITY POLICIES > Cloaking page. | Information | Outbound Attacks |
Header Violations
Attack ID | Attack Name | Attack Name in Export Logs | Description | Severity | Attack Category |
|---|---|---|---|---|---|
331 | Apache Struts Attack in Header | APACHE_STRUTS_ATTACKS_MEDIUM_IN_HEADER | Header value matched an Apache Struts attack pattern defined under Attack Types on the ADVANCED > View Internal Patterns page. | ||