
System Signals

Updated Sep 21, 2021


| Long name | Short name | Search/URL name | Description |
|---|---|---|---|
| Attack Tooling | Attack Tooling | USERAGENT | Attack Tooling is the use of automated software to identify security vulnerabilities or to attempt to exploit a discovered vulnerability |
| AWS SSRF | AWS SSRF | AWS-SSRF | Server Side Request Forgery (SSRF) is a request which attempts to send requests made by the web application to target internal systems. AWS SSRF attacks use SSRF to obtain Amazon Web Services (AWS) keys and gain access to S3 buckets and their data. |
| Backdoor | Backdoor | BACKDOOR | A backdoor signal is a request which attempts to determine if a common backdoor file is present on the system |
| Command Execution | CMDEXE | CMDEXE | Command Execution is the attempt to gain control or damage a target system through arbitrary system commands by means of user input |
| Cross Site Scripting | XSS | XSS | Cross-Site Scripting is the attempt to hijack a user's account or web-browsing session through malicious JavaScript code |
| Directory Traversal | Traversal | TRAVERSAL | Directory Traversal is the attempt to navigate privileged folders throughout a system in hopes of obtaining sensitive information |
| SQL Injection | SQLI | SQLI | SQL Injection is the attempt to gain access to an application or obtain privileged information by executing arbitrary database queries |


| Long name | Short name | Search/URL name | Description |
|---|---|---|---|
| Abnormal Path | ABNORMALPATH | ABNORMALPATH | Abnormal Path indicates the original path differs from the normalized path (e.g. /foo/./bar is normalized to /foo/bar) |
| Bad Hop Headers | BHH | BHH | Bad Hop Headers indicate an HTTP smuggling attempt through either a malformed Transfer-Encoding (TE) and/or Content-Length (CL) header, or a well-formed TE and CL header |
| Blocked Requests | Blocked Request | BLOCKED | Requests blocked by Signal Sciences |
| Code Injection PHP | Code Injection | CODEINJECTION | Code Injection is the attempt to gain control or damage a target system through arbitrary application code commands by means of user input. Note that this signal only covers PHP code and is currently in an experimental phase. Contact support if you encounter any issues with this signal. |
| Datacenter Traffic | Datacenter | DATACENTER | Datacenter Traffic is non-organic traffic originating from identified hosting providers. This type of traffic is not commonly associated with a real end user. Datacenter IP ranges are sourced from ipcat. |
| Double Encoding | Double Encoding | DOUBLEENCODING | Double Encoding checks for the evasion technique of double encoding HTML characters |
| Forceful Browsing | Forceful Browsing | FORCEFULBROWSING | Forceful Browsing is the failed attempt to access admin pages |
| HTTP 403 Errors | HTTP 403 | HTTP403 | Forbidden. This is commonly seen when the requested URL has been protected by the server's configuration. |
| HTTP 404 Errors | HTTP 404 | HTTP404 | Not Found. This is commonly seen when the requested page or asset does not exist or cannot be found by the server. |
| HTTP 429 Errors | HTTP 429 | HTTP429 | Too Many Requests. This is commonly seen when rate-limiting is used to slow down the number of active connections to a server. |
| HTTP 4XX Errors | HTTP4XX | HTTP4XX | 4xx Status Codes commonly refer to client request errors |
| HTTP 500 Errors | HTTP 500 | HTTP500 | Internal Server Error. This is commonly seen when a request generates an unhandled application error. |
| HTTP 503 Errors | HTTP 503 | HTTP503 | Service Unavailable. This is commonly seen when a web service is overloaded or sometimes taken down for maintenance. |
| HTTP 5XX Errors | HTTP5XX | HTTP5XX | 5xx Status Codes commonly refer to server-related issues |
| HTTP Response Splitting | Response Splitting | RESPONSESPLIT | Identifies when CRLF characters are submitted as input to the application to inject headers into the HTTP response |
| Invalid Encoding | Invalid Encoding | NOTUTF8 | Invalid Encoding can cause the server to translate malicious characters from a request into a response, causing either a denial of service or XSS |
| Malformed Data in the request body | Malformed Data | MALFORMED-DATA | A POST, PUT or PATCH request body that is malformed according to the "Content-Type" request header. For example, a request that specifies a "Content-Type: application/x-www-form-urlencoded" request header but contains a POST body that is JSON. This is often a programming error or an automated or malicious request. Requires agent 3.2 or higher. |
| Malicious IP Traffic | Malicious IP | SANS | Signal Sciences regularly imports the SANS Internet Storm Center list of IP addresses that have been reported to have engaged in malicious activity |
| Network Effect | SigSci IP | SIGSCI-IP | Whenever an IP is flagged due to a malicious signal by our decision engine, that IP will be propagated to all customers. We then log subsequent requests from those IPs that contain any additional signal for the duration of the flag. |
| Missing "Content-Type" request header | No Content Type | NO-CONTENT-TYPE | A POST, PUT or PATCH request that does not have a "Content-Type" request header. By default application servers should assume "Content-Type: text/plain; charset=us-ascii" in this case. Many automated and malicious requests may be missing "Content-Type". |
| No User Agent | No UA | NOUA | Many automated and malicious requests use fake or missing User-Agents to make it difficult to identify the type of device making the requests |
| Null Byte | Null Byte | NULLBYTE | Null bytes do not normally appear in a request and indicate the request is malformed and potentially malicious |
| Private Files | Private File | PRIVATEFILE | Private files are usually confidential in nature, such as an Apache .htaccess file, or a configuration file which could leak sensitive information |
| Scanner | Scanner | SCANNER | Identifies popular scanning services and tools |
| SearchBot Impostor | Impostor | IMPOSTOR | Search bot impostor is someone pretending to be a Google or Bing search bot, but who is not legitimate |
| Tor Traffic | Tor Traffic | TORNODE | Tor is software that conceals a user's identity. A spike in Tor traffic can indicate an attacker trying to mask their location. |
| Weak TLS | Weak TLS | WEAKTLS | Weak TLS. A web server's configuration allows SSL/TLS connections to be established with an obsolete cipher suite or protocol version. This signal is based on inspecting a small percent of requests. Also, some architectures and Signal Sciences' language SDK modules do not support this signal. |