Q1. Is there a concrete list of which attacks A10 Harmony can detect and block?
1-1. "Remote Command Execution" in "Generic Categories"
Which commands does "Remote Command Execution" detect and block?
For example, Xpath Injection, OS command Injection, SSI Injection, etc...
A10 : These rules look for attempts to access OS commands such as curl, wget and cc. These commands are often used in injection attacks to force the victim web application to initiate a connection out to a hacker site to download, compile and install malicious toolkits, such as those used to participate in botnets.
There are no specific rules to block Xpath Injection and SSI Injection.
1-2. "Malware Detection"
What type of Malware can "Malware Detection" detect?
A10 : Malware Detection checks the response data for malicious code aimed at attacking clients. Payloads are matched against:
1) Location Response Headers - that redirect users to malware sites, and
2) Response Body Payloads - that may contain off site links (scripts and iframes) or full payloads.
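The following is an added example (not A10 code) of the response-side check the answer above describes: it parses a raw HTTP response, flags a Location header that redirects to another host, and flags script or iframe elements whose src points off-site. The origin host name, the sample responses and the exact patterns are constructed for the example; the vendor's real signatures are not shown on this page.

```python
"""Response-side malware check modelled on the Malware Detection answer.

Added example, not A10 code. ORIGIN_HOST is an assumption: anything absolute
that points to a different host is treated as off-site.
"""
import re
from urllib.parse import urlparse

ORIGIN_HOST = "shop.example"  # assumed origin host (constructed for the example)

# <script src=...> or <iframe src=...>, quoted or unquoted src attribute.
_TAG_SRC = re.compile(
    r"<\s*(script|iframe)\b[^>]*?\bsrc\s*=\s*['\"]?\s*([^'\" >]+)", re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", errors="replace")


def is_off_site(url: str) -> bool:
    """True when url is absolute or protocol-relative and its host is not ORIGIN_HOST."""
    parsed = urlparse(url.strip())
    host = parsed.netloc.split("@")[-1].split(":")[0].lower()
    if not host:
        return False  # relative URL: stays on the origin
    return host != ORIGIN_HOST


def check_response(raw: bytes):
    """Return [(finding, url)] for every off-site redirect or include; [] means clean."""
    findings = []
    _status, headers, body = parse_response(raw)
    # 1) Location response header that sends the client to another site
    location = headers.get("location")
    if location and is_off_site(location):
        findings.append(("location-redirect", location))
    # 2) Response body loading script/iframe content from another site
    for tag, src in _TAG_SRC.findall(body):
        if is_off_site(src):
            findings.append((f"offsite-{tag.lower()}", src))
    return findings


# Constructed sample responses (not captured traffic).
CLEAN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
         b"<html><head><script src=\"/js/app.js\"></script></head><body>hi</body></html>")
INJECTED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body><iframe src='//evil.example/f' style=\"display:none\"></iframe>"
            b"<script src=\"https://evil.example/m.js\"></script></body></html>")
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: http://evil.example/dl\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("injected", INJECTED), ("redirect", REDIRECT)):
        print(name, check_response(raw))
```

A relative src such as /js/app.js is left alone, which is the distinction the answer draws between on-site content and "off site links"; a protocol-relative //host/path is treated as absolute because the browser resolves it to another host.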
Q3. How does "BotNet" detect Bot?
A10: BotNet looks at URL, Parameters, User Agent and Request Body in some cases to detect a bot.
In particular, the following categories are checked to detect bots:
1. Common IRC Botnet Attack Command String
2. Common types of Remote File Inclusion (RFI) attack methods.
- URL Contains an IP Address
- The PHP "include()" Function
- RFI Data Ends with Question Mark(s) (?)
3. Local File Inclusion Attack
4. Local File Inclusion ENV Attack in User-Agent
5. e107 PHP Injection Attack
6. XML-RPC PHP Injection Attack
7. osCommerce File Upload Attack
8. Zen Cart local file disclosure vulnerability
9. Opencart Remote File Upload Vulnerability
10. e107 Plugin my_gallery Exploit
Q4. Is "WAF Mode" applied to the following features?
- Malware Detection
- IP Reputation
- Web Shell
- Bot Net
A10 - Yes, WAF mode is applied to Malware Detection, IP Reputation, Web Shell and Bot Net.