Frontdoor - Default Rule Set 2.1¶
Generated: 22 February 2026 | Total Rules: 189
Microsoft_DefaultRuleSet 2.1¶
MS-ThreatIntel-WebShells - Web shell attacks¶
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 99005002 | MS-ThreatIntel-WebShells | Web Shell Interaction Attempt (POST) | AnomalyScoring | Enabled | |
| 99005003 | MS-ThreatIntel-WebShells | Web Shell Upload Attempt (POST) - CHOPPER PHP | AnomalyScoring | Enabled | |
| 99005004 | MS-ThreatIntel-WebShells | Web Shell Upload Attempt (POST) - CHOPPER ASPX | AnomalyScoring | Enabled | |
| 99005005 | MS-ThreatIntel-WebShells | Web Shell Interaction Attempt | AnomalyScoring | Enabled | |
| 99005006 | MS-ThreatIntel-WebShells | Spring4Shell Interaction Attempt | AnomalyScoring | Disabled |
MS-ThreatIntel-AppSec - Path traversal evasion¶
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 99030001 | MS-ThreatIntel-AppSec | Path Traversal Evasion in Headers (/.././../) | AnomalyScoring | Enabled | |
| 99030002 | MS-ThreatIntel-AppSec | Path Traversal Evasion in Request Body (/.././../) | AnomalyScoring | Enabled |
MS-ThreatIntel-SQLI - SQL injection¶
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 99031001 | MS-ThreatIntel-SQLI | SQL Injection Attack: Common Injection Testing Detected (replacing rule #942110) | AnomalyScoring | Enabled | |
| 99031002 | MS-ThreatIntel-SQLI | SQL Comment Sequence Detected (replacing rule #942440). | AnomalyScoring | Enabled | |
| 99031003 | MS-ThreatIntel-SQLI | SQL Injection Attack (replacing rule #942150) | AnomalyScoring | Enabled | |
| 99031004 | MS-ThreatIntel-SQLI | Detects basic SQL authentication bypass attempts ⅔ (replacing rule #942260) | AnomalyScoring | Enabled |
MS-ThreatIntel-CVEs - Rest API exploitation¶
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 99001001 | MS-ThreatIntel-CVEs | Attempted F5 tmui (CVE-2020-5902) REST API Exploitation with known credentials | AnomalyScoring | Enabled | |
| 99001002 | MS-ThreatIntel-CVEs | Attempted Citrix NSC_USER directory traversal (CVE-2019-19781) | AnomalyScoring | Enabled | |
| 99001003 | MS-ThreatIntel-CVEs | Attempted Atlassian Confluence Widget Connector exploitation (CVE-2019-3396) | AnomalyScoring | Enabled | |
| 99001004 | MS-ThreatIntel-CVEs | Attempted Pulse Secure custom template exploitation (CVE-2020-8243) | AnomalyScoring | Enabled | |
| 99001005 | MS-ThreatIntel-CVEs | Attempted SharePoint type converter exploitation (CVE-2020-0932) | AnomalyScoring | Enabled | |
| 99001006 | MS-ThreatIntel-CVEs | Attempted Pulse Connect directory traversal (CVE-2019-11510) | AnomalyScoring | Enabled | |
| 99001007 | MS-ThreatIntel-CVEs | Attempted Junos OS J-Web local file inclusion (CVE-2020-1631) | AnomalyScoring | Enabled | |
| 99001008 | MS-ThreatIntel-CVEs | Attempted Fortinet path traversal (CVE-2018-13379) | AnomalyScoring | Enabled | |
| 99001009 | MS-ThreatIntel-CVEs | Attempted Apache struts ognl injection (CVE-2017-5638) | AnomalyScoring | Enabled | |
| 99001010 | MS-ThreatIntel-CVEs | Attempted Apache struts ognl injection (CVE-2017-12611) | AnomalyScoring | Enabled | |
| 99001011 | MS-ThreatIntel-CVEs | Attempted Oracle WebLogic path traversal (CVE-2020-14882) | AnomalyScoring | Enabled | |
| 99001012 | MS-ThreatIntel-CVEs | Attempted Telerik WebUI insecure deserialization exploitation (CVE-2019-18935) | AnomalyScoring | Enabled | |
| 99001013 | MS-ThreatIntel-CVEs | Attempted SharePoint insecure XML deserialization (CVE-2019-0604) | AnomalyScoring | Enabled | |
| 99001014 | MS-ThreatIntel-CVEs | Attempted Spring Cloud routing-expression injection (CVE-2022-22963) | AnomalyScoring | Disabled | |
| 99001015 | MS-ThreatIntel-CVEs | Attempted Spring Framework unsafe class object exploitation (CVE-2022-22965) | AnomalyScoring | Disabled | |
| 99001016 | MS-ThreatIntel-CVEs | Attempted Spring Cloud Gateway Actuator injection (CVE-2022-22947) | AnomalyScoring | Disabled | |
| 99001017 | MS-ThreatIntel-CVEs | Attempted Apache Struts file upload exploitation (CVE-2023-50164) | AnomalyScoring | Disabled | |
| 99001018 | MS-ThreatIntel-CVEs | Attempted React2Shell remote code execution exploitation (CVE-2025-55182) | AnomalyScoring | Enabled |
PROTOCOL-ATTACK - Protocol attack¶
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 921110 | PROTOCOL-ATTACK | HTTP Request Smuggling Attack | AnomalyScoring | Enabled | source |
| 921120 | PROTOCOL-ATTACK | HTTP Response Splitting Attack | AnomalyScoring | Enabled | source |
| 921130 | PROTOCOL-ATTACK | HTTP Response Splitting Attack | AnomalyScoring | Enabled | source |
| 921140 | PROTOCOL-ATTACK | HTTP Header Injection Attack via headers | AnomalyScoring | Enabled | source |
| 921150 | PROTOCOL-ATTACK | HTTP Header Injection Attack via payload (CR/LF detected) | AnomalyScoring | Enabled | source |
| 921160 | PROTOCOL-ATTACK | HTTP Header Injection Attack via payload (CR/LF and header-name detected) | AnomalyScoring | Enabled | source |
| 921151 | PROTOCOL-ATTACK | HTTP Header Injection Attack via payload (CR/LF detected) | AnomalyScoring | Enabled | source |
| 921190 | PROTOCOL-ATTACK | HTTP Splitting (CR/LF in request filename detected) | AnomalyScoring | Enabled | source |
| 921200 | PROTOCOL-ATTACK | LDAP Injection Attack | AnomalyScoring | Enabled | source |
LFI - Local file inclusion¶
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 930100 | LFI | Path Traversal Attack (/../) | AnomalyScoring | Enabled | source |
| 930110 | LFI | Path Traversal Attack (/../) | AnomalyScoring | Enabled | source |
| 930120 | LFI | OS File Access Attempt | AnomalyScoring | Enabled | source |
| 930130 | LFI | Restricted File Access Attempt | AnomalyScoring | Enabled | source |
RFI - Remote file inclusion¶
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 931100 | RFI | Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address | AnomalyScoring | Enabled | source |
| 931110 | RFI | Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload | AnomalyScoring | Enabled | source |
| 931120 | RFI | Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?) | AnomalyScoring | Enabled | source |
| 931130 | RFI | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link | AnomalyScoring | Enabled | source |
RCE - Remote Command Execution attacks¶
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 932100 | RCE | Remote Command Execution: Unix Command Injection | AnomalyScoring | Enabled | source |
| 932105 | RCE | Remote Command Execution: Unix Command Injection | AnomalyScoring | Enabled | source |
| 932110 | RCE | Remote Command Execution: Windows Command Injection | AnomalyScoring | Enabled | source |
| 932115 | RCE | Remote Command Execution: Windows Command Injection | AnomalyScoring | Enabled | source |
| 932120 | RCE | Remote Command Execution: Windows PowerShell Command Found | AnomalyScoring | Enabled | source |
| 932130 | RCE | Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) Found | AnomalyScoring | Enabled | source |
| 932140 | RCE | Remote Command Execution: Windows FOR/IF Command Found | AnomalyScoring | Enabled | source |
| 932150 | RCE | Remote Command Execution: Direct Unix Command Execution | AnomalyScoring | Enabled | source |
| 932160 | RCE | Remote Command Execution: Unix Shell Code Found | AnomalyScoring | Enabled | source |
| 932170 | RCE | Remote Command Execution: Shellshock (CVE-2014-6271) | AnomalyScoring | Enabled | source |
| 932171 | RCE | Remote Command Execution: Shellshock (CVE-2014-6271) | AnomalyScoring | Enabled | source |
| 932180 | RCE | Restricted File Upload Attempt | AnomalyScoring | Enabled | source |
PHP - PHP attacks¶
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 933100 | PHP | PHP Injection Attack: PHP Open Tag Found | AnomalyScoring | Enabled | source |
| 933110 | PHP | PHP Injection Attack: PHP Script File Upload Found | AnomalyScoring | Enabled | source |
| 933120 | PHP | PHP Injection Attack: Configuration Directive Found | AnomalyScoring | Enabled | source |
| 933130 | PHP | PHP Injection Attack: Variables Found | AnomalyScoring | Enabled | source |
| 933140 | PHP | PHP Injection Attack: I/O Stream Found | AnomalyScoring | Enabled | source |
| 933150 | PHP | PHP Injection Attack: High-Risk PHP Function Name Found | AnomalyScoring | Enabled | source |
| 933151 | PHP | PHP Injection Attack: Medium-Risk PHP Function Name Found | AnomalyScoring | Enabled | source |
| 933160 | PHP | PHP Injection Attack: High-Risk PHP Function Call Found | AnomalyScoring | Enabled | source |
| 933170 | PHP | PHP Injection Attack: Serialized Object Injection | AnomalyScoring | Enabled | source |
| 933180 | PHP | PHP Injection Attack: Variable Function Call Found | AnomalyScoring | Enabled | source |
| 933200 | PHP | PHP Injection Attack: Wrapper scheme detected | AnomalyScoring | Enabled | source |
| 933210 | PHP | PHP Injection Attack: Variable Function Call Found | AnomalyScoring | Enabled | source |
XSS - Cross-site scripting¶
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 941100 | XSS | XSS Attack Detected via libinjection | AnomalyScoring | Enabled | source |
| 941101 | XSS | XSS Attack Detected via libinjection | AnomalyScoring | Enabled | source |
| 941110 | XSS | XSS Filter - Category 1: Script Tag Vector | AnomalyScoring | Enabled | source |
| 941120 | XSS | XSS Filter - Category 2: Event Handler Vector | AnomalyScoring | Enabled | source |
| 941130 | XSS | XSS Filter - Category 3: Attribute Vector | AnomalyScoring | Enabled | source |
| 941140 | XSS | XSS Filter - Category 4: Javascript URI Vector | AnomalyScoring | Enabled | source |
| 941150 | XSS | XSS Filter - Category 5: Disallowed HTML Attributes | AnomalyScoring | Enabled | source |
| 941160 | XSS | NoScript XSS InjectionChecker: HTML Injection | AnomalyScoring | Enabled | source |
| 941170 | XSS | NoScript XSS InjectionChecker: Attribute Injection | AnomalyScoring | Enabled | source |
| 941180 | XSS | Node-Validator Blacklist Keywords | AnomalyScoring | Enabled | source |
| 941190 | XSS | IE XSS Filters - Attack Detected. | AnomalyScoring | Enabled | source |
| 941200 | XSS | IE XSS Filters - Attack Detected. | AnomalyScoring | Enabled | source |
| 941210 | XSS | IE XSS Filters - Attack Detected. | AnomalyScoring | Enabled | source |
| 941220 | XSS | IE XSS Filters - Attack Detected. | AnomalyScoring | Enabled | source |
| 941230 | XSS | IE XSS Filters - Attack Detected. | AnomalyScoring | Enabled | source |
| 941240 | XSS | IE XSS Filters - Attack Detected. | AnomalyScoring | Enabled | source |
| 941250 | XSS | IE XSS Filters - Attack Detected. | AnomalyScoring | Enabled | source |
| 941260 | XSS | IE XSS Filters - Attack Detected. | AnomalyScoring | Enabled | source |
| 941270 | XSS | IE XSS Filters - Attack Detected. | AnomalyScoring | Enabled | source |
| 941280 | XSS | IE XSS Filters - Attack Detected. | AnomalyScoring | Enabled | source |
| 941290 | XSS | IE XSS Filters - Attack Detected. | AnomalyScoring | Enabled | source |
| 941300 | XSS | IE XSS Filters - Attack Detected. | AnomalyScoring | Enabled | source |
| 941310 | XSS | US-ASCII Malformed Encoding XSS Filter - Attack Detected. | AnomalyScoring | Enabled | source |
| 941320 | XSS | Possible XSS Attack Detected - HTML Tag Handler | AnomalyScoring | Enabled | source |
| 941330 | XSS | IE XSS Filters - Attack Detected. | AnomalyScoring | Enabled | source |
| 941340 | XSS | IE XSS Filters - Attack Detected. | AnomalyScoring | Enabled | source |
| 941350 | XSS | UTF-7 Encoding IE XSS - Attack Detected. | AnomalyScoring | Enabled | source |
| 941360 | XSS | JSFuck / Hieroglyphy obfuscation detected | AnomalyScoring | Enabled | source |
| 941370 | XSS | JavaScript global variable found | AnomalyScoring | Enabled | source |
| 941380 | XSS | AngularJS client side template injection detected | AnomalyScoring | Enabled | source |
SQLI - SQL injection¶
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 942100 | SQLI | SQL Injection Attack Detected via libinjection | AnomalyScoring | Enabled | source |
| 942110 | SQLI | SQL Injection Attack: Common Injection Testing Detected | AnomalyScoring | Disabled | source |
| 942120 | SQLI | SQL Injection Attack: SQL Operator Detected | AnomalyScoring | Enabled | source |
| 942140 | SQLI | SQL Injection Attack: Common DB Names Detected | AnomalyScoring | Enabled | source |
| 942150 | SQLI | SQL Injection Attack (replaced by rule #99031003) | AnomalyScoring | Disabled | source |
| 942160 | SQLI | Detects blind sqli tests using sleep() or benchmark(). | AnomalyScoring | Enabled | source |
| 942170 | SQLI | Detects SQL benchmark and sleep injection attempts including conditional queries | AnomalyScoring | Enabled | source |
| 942180 | SQLI | Detects basic SQL authentication bypass attempts ⅓ | AnomalyScoring | Enabled | source |
| 942190 | SQLI | Detects MSSQL code execution and information gathering attempts | AnomalyScoring | Enabled | source |
| 942200 | SQLI | Detects MySQL comment-/space-obfuscated injections and backtick termination | AnomalyScoring | Enabled | source |
| 942210 | SQLI | Detects chained SQL injection attempts ½ | AnomalyScoring | Enabled | source |
| 942220 | SQLI | Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the "magic number" crash | AnomalyScoring | Enabled | source |
| 942230 | SQLI | Detects conditional SQL injection attempts | AnomalyScoring | Enabled | source |
| 942240 | SQLI | Detects MySQL charset switch and MSSQL DoS attempts | AnomalyScoring | Enabled | source |
| 942250 | SQLI | Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections | AnomalyScoring | Enabled | source |
| 942260 | SQLI | Detects basic SQL authentication bypass attempts ⅔ (replaced by rule #99031004) | AnomalyScoring | Disabled | source |
| 942270 | SQLI | Looking for basic sql injection. Common attack string for mysql, oracle and others. | AnomalyScoring | Enabled | source |
| 942280 | SQLI | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts | AnomalyScoring | Enabled | source |
| 942290 | SQLI | Finds basic MongoDB SQL injection attempts | AnomalyScoring | Enabled | source |
| 942300 | SQLI | Detects MySQL comments, conditions and ch(a)r injections | AnomalyScoring | Enabled | source |
| 942310 | SQLI | Detects chained SQL injection attempts 2/2 | AnomalyScoring | Enabled | source |
| 942320 | SQLI | Detects MySQL and PostgreSQL stored procedure/function injections | AnomalyScoring | Enabled | source |
| 942330 | SQLI | Detects classic SQL injection probings ⅓ | AnomalyScoring | Enabled | source |
| 942340 | SQLI | Detects basic SQL authentication bypass attempts 3/3 (replaced by rule #99031006) | AnomalyScoring | Enabled | source |
| 942350 | SQLI | Detects MySQL UDF injection and other data/structure manipulation attempts | AnomalyScoring | Enabled | source |
| 942360 | SQLI | Detects concatenated basic SQL injection and SQLLFI attempts | AnomalyScoring | Enabled | source |
| 942361 | SQLI | Detects basic SQL injection based on keyword alter or union | AnomalyScoring | Enabled | source |
| 942370 | SQLI | Detects classic SQL injection probings ⅔ | AnomalyScoring | Enabled | source |
| 942380 | SQLI | SQL Injection Attack | AnomalyScoring | Enabled | source |
| 942390 | SQLI | SQL Injection Attack | AnomalyScoring | Enabled | source |
| 942400 | SQLI | SQL Injection Attack | AnomalyScoring | Enabled | source |
| 942410 | SQLI | SQL Injection Attack | AnomalyScoring | Enabled | source |
| 942430 | SQLI | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) (replaced by rule #99031005) | AnomalyScoring | Disabled | source |
| 942440 | SQLI | SQL Comment Sequence Detected (replaced by rule #99031002). | AnomalyScoring | Disabled | source |
| 942450 | SQLI | SQL Hex Encoding Identified | AnomalyScoring | Enabled | source |
| 942470 | SQLI | SQL Injection Attack | AnomalyScoring | Enabled | source |
| 942480 | SQLI | SQL Injection Attack | AnomalyScoring | Enabled | source |
| 942500 | SQLI | MySQL in-line comment detected. | AnomalyScoring | Enabled | source |
| 942510 | SQLI | SQLi bypass attempt by ticks or backticks detected. | AnomalyScoring | Enabled | source |
FIX - Session Fixation attacks¶
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 943100 | FIX | Possible Session Fixation Attack: Setting Cookie Values in HTML | AnomalyScoring | Enabled | source |
| 943110 | FIX | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer | AnomalyScoring | Enabled | source |
| 943120 | FIX | Possible Session Fixation Attack: SessionID Parameter Name with No Referer | AnomalyScoring | Enabled | source |
JAVA - Java attacks¶
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 944100 | JAVA | Remote Command Execution: Suspicious Java class detected | AnomalyScoring | Enabled | source |
| 944110 | JAVA | Remote Command Execution: Java process spawn (CVE-2017-9805) | AnomalyScoring | Enabled | source |
| 944120 | JAVA | Remote Command Execution: Java serialization (CVE-2015-5842) | AnomalyScoring | Enabled | source |
| 944130 | JAVA | Suspicious Java class detected | AnomalyScoring | Enabled | source |
| 944200 | JAVA | Magic bytes Detected, probable java serialization in use | AnomalyScoring | Enabled | source |
| 944210 | JAVA | Magic bytes Detected Base64 Encoded, probable java serialization in use | AnomalyScoring | Enabled | source |
| 944240 | JAVA | Remote Command Execution: Java serialization and Log4j vulnerability (CVE-2021-44228, CVE-2021-45046) | AnomalyScoring | Enabled | source |
| 944250 | JAVA | Remote Command Execution: Suspicious Java method detected | AnomalyScoring | Enabled | source |
METHOD-ENFORCEMENT - Method Enforcement¶
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 911100 | METHOD-ENFORCEMENT | Method is not allowed by policy | AnomalyScoring | Enabled | source |
PROTOCOL-ENFORCEMENT - Protocol Enforcement¶
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 920100 | PROTOCOL-ENFORCEMENT | Invalid HTTP Request Line | AnomalyScoring | Enabled | source |
| 920120 | PROTOCOL-ENFORCEMENT | Attempted multipart/form-data bypass | AnomalyScoring | Enabled | source |
| 920121 | PROTOCOL-ENFORCEMENT | Attempted multipart/form-data bypass | AnomalyScoring | Enabled | source |
| 920160 | PROTOCOL-ENFORCEMENT | Content-Length HTTP header is not numeric. | AnomalyScoring | Enabled | source |
| 920170 | PROTOCOL-ENFORCEMENT | GET or HEAD Request with Body Content. | AnomalyScoring | Enabled | source |
| 920171 | PROTOCOL-ENFORCEMENT | GET or HEAD Request with Transfer-Encoding. | AnomalyScoring | Enabled | source |
| 920180 | PROTOCOL-ENFORCEMENT | POST without Content-Length or Transfer-Encoding headers. | AnomalyScoring | Enabled | source |
| 920190 | PROTOCOL-ENFORCEMENT | Range: Invalid Last Byte Value. | AnomalyScoring | Enabled | source |
| 920200 | PROTOCOL-ENFORCEMENT | Range: Too many fields (6 or more) | AnomalyScoring | Enabled | source |
| 920201 | PROTOCOL-ENFORCEMENT | Range: Too many fields for pdf request (63 or more) | AnomalyScoring | Enabled | source |
| 920210 | PROTOCOL-ENFORCEMENT | Multiple/Conflicting Connection Header Data Found. | AnomalyScoring | Enabled | source |
| 920220 | PROTOCOL-ENFORCEMENT | URL Encoding Abuse Attack Attempt | AnomalyScoring | Enabled | source |
| 920230 | PROTOCOL-ENFORCEMENT | Multiple URL Encoding Detected | AnomalyScoring | Enabled | source |
| 920240 | PROTOCOL-ENFORCEMENT | URL Encoding Abuse Attack Attempt | AnomalyScoring | Enabled | source |
| 920260 | PROTOCOL-ENFORCEMENT | Unicode Full/Half Width Abuse Attack Attempt | AnomalyScoring | Enabled | source |
| 920270 | PROTOCOL-ENFORCEMENT | Invalid character in request (null character) | AnomalyScoring | Enabled | source |
| 920271 | PROTOCOL-ENFORCEMENT | Invalid character in request (non printable characters) | AnomalyScoring | Enabled | source |
| 920280 | PROTOCOL-ENFORCEMENT | Request Missing a Host Header | AnomalyScoring | Enabled | source |
| 920290 | PROTOCOL-ENFORCEMENT | Empty Host Header | AnomalyScoring | Enabled | source |
| 920300 | PROTOCOL-ENFORCEMENT | Request Missing an Accept Header | AnomalyScoring | Enabled | source |
| 920310 | PROTOCOL-ENFORCEMENT | Request Has an Empty Accept Header | AnomalyScoring | Enabled | source |
| 920311 | PROTOCOL-ENFORCEMENT | Request Has an Empty Accept Header | AnomalyScoring | Enabled | source |
| 920320 | PROTOCOL-ENFORCEMENT | Missing User Agent Header | AnomalyScoring | Enabled | source |
| 920330 | PROTOCOL-ENFORCEMENT | Empty User Agent Header | AnomalyScoring | Enabled | source |
| 920340 | PROTOCOL-ENFORCEMENT | Request Containing Content, but Missing Content-Type header | AnomalyScoring | Enabled | source |
| 920341 | PROTOCOL-ENFORCEMENT | Request Containing Content Requires Content-Type header | AnomalyScoring | Enabled | source |
| 920350 | PROTOCOL-ENFORCEMENT | Host header is a numeric IP address | AnomalyScoring | Enabled | source |
| 920420 | PROTOCOL-ENFORCEMENT | Request content type is not allowed by policy | AnomalyScoring | Enabled | source |
| 920430 | PROTOCOL-ENFORCEMENT | HTTP protocol version is not allowed by policy | AnomalyScoring | Enabled | source |
| 920440 | PROTOCOL-ENFORCEMENT | URL file extension is restricted by policy | AnomalyScoring | Enabled | source |
| 920450 | PROTOCOL-ENFORCEMENT | HTTP header is restricted by policy | AnomalyScoring | Enabled | source |
| 920470 | PROTOCOL-ENFORCEMENT | Illegal Content-Type header | AnomalyScoring | Enabled | source |
| 920480 | PROTOCOL-ENFORCEMENT | Request content type charset is not allowed by policy | AnomalyScoring | Enabled | source |
| 920181 | PROTOCOL-ENFORCEMENT | Content-Length and Transfer-Encoding headers present | AnomalyScoring | Enabled | source |
| 920500 | PROTOCOL-ENFORCEMENT | Attempt to access a backup or working file | AnomalyScoring | Enabled | source |
General - Method Enforcement¶
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 200002 | General | Failed to parse request body. | AnomalyScoring | Enabled | |
| 200003 | General | Multipart request body failed strict validation | AnomalyScoring | Enabled |
NODEJS - Node JS Attacks¶
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 934100 | NODEJS | Node.js Injection Attack | AnomalyScoring | Enabled | source |