search close

Using system signals

access_time Updated Jun 2, 2023

The following information provides you with details about the various system signals:

  • Long name: the name of the signal that you can use to verbally reference or describe it.
  • Short name: the name of the signal that is applied to matched requests and that can be used to search within the Signal Sciences web interface.
  • Usable in: outlines where a signal can be used. The options are Lists, Rate Limit Rules, Request Rules, or Signal Exclusions. None indicates that the signal may be provided but cannot be used outside of its informational context.
  • Description: an outline of what the signal means or what it indicates.

Attacks

Long name Short name Usable in Description
Attack Tooling USERAGENT
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Attack Tooling is the use of automated software to identify security vulnerabilities or to attempt to exploit a discovered vulnerability
    AWS SSRF AWS-SSRF
  • Templated Rule
  • Server Side Request Forgery (SSRF) is a request which attempts to send requests made by the web application to target internal systems. AWS SSRF attacks use SSRF to obtain Amazon Web Services (AWS) keys and gain access to S3 buckets and their data.
    Backdoor BACKDOOR
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • A backdoor signal is a request that attempts to determine if a common backdoor file exists on a system. The signal generally matches known backdoor filenames. Traditionally these filenames appear with PHP file extensions like admin.php and r57.php. For many users, when these paths return a 200 or a larger response than expected, it may indicate that their system has been compromised or they are unknowingly hosting a backdoor file.
    Command Execution CMDEXE
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Command Execution is the attempt to gain control or damage a target system through arbitrary system commands by means of user input
    Cross Site Scripting XSS
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Cross-Site Scripting is the attempt to hijack a user’s account or web-browsing session through malicious JavaScript code
    Directory Traversal TRAVERSAL
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Directory Traversal is the attempt to navigate privileged folders throughout a system in hopes of obtaining sensitive information
    Log4J JNDI LOG4J-JNDI
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Log4J JNDI attacks attempt to exploit the Log4Shell vulnerability present in Log4J versions earlier than 2.16.0
    SQL Injection SQLI
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • SQL Injection is the attempt to gain access to an application or obtain privileged information by executing arbitrary database queries

    Anomalies

    Long name Short name Usable in Description
    Abnormal Path ABNORMALPATH
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Abnormal Path indicates the original path differs from the normalized path (e.g., /foo/./bar is normalized to /foo/bar)
    Bad Hop Headers BHH
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Bad Hop Headers indicate an HTTP smuggling attempt through either a malformed Transfer-Encoding (TE) or Content-Length (CL) header, or a well-formed TE and CL header
    Blocked Requests BLOCKED None Requests blocked by Signal Sciences
    Code Injection PHP CODEINJECTION
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Code Injection is the attempt to gain control or damage a target system through arbitrary application code commands by means of user input.
    Compression Detected COMPRESSED
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • The POST request body is compressed and cannot be inspected. For example, if a Content-Encoding: gzip request header is specified and the POST body is not plain text.
    Datacenter Traffic DATACENTER
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Datacenter Traffic is non-organic traffic originating from identified hosting providers. This type of traffic is not commonly associated with a real end user.
    Double Encoding DOUBLEENCODING
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Double Encoding checks for the evasion technique of double encoding html characters
    Duplicate Header Names DUPLICATE-HEADERS
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • A request that has duplicate header field names. This may represent a programming error or an automated or malicious request. Current detected headers are: Authorization, Content-Length, Content-Type, Host, and Transfer-Encoding.
    Forceful Browsing FORCEFULBROWSING
  • Signal Exclusion
  • Forceful Browsing is the failed attempt to access admin pages
    GraphQL API GRAPHQL-API
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Indicates a GraphQL API request.
    GraphQL Duplicate Variables GRAPHQL-DUPLICATE-VARIABLES
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Indicates a GraphQL request that contains duplicated variables.
    GraphQL IDE GRAPHQL-IDE
  • Rate Limit Rules
  • Request Rules
  • Indicates a request originating from a GraphQL Interactive Development Environment (IDE).
    GraphQL Introspection GRAPHQL-INTROSPECTION
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Indicates an attempt to obtain the schema of a GraphQL API. The schema can be used to identify which resources are available, informing subsequent attacks.
    GraphQL Max Depth GRAPHQL-DEPTH
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Indicates a request has reached or exceeded the maximum depth allowed on the server for GraphQL API queries
    GraphQL Missing Required Operation Name GRAPHQL-MISSING-REQUIRED-OPERATION-NAME
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Indicates a request has multiple GraphQL operations but does not define which operation to execute.
    GraphQL Syntax GRAPHQL-SYNTAX
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Indicates a request that contains invalid GraphQL syntax. This may be related to a programming error or a malicious request.
    GraphQL Undefined Variable GRAPHQL-UNDEFINED-VARIABLES
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Indicates a request made to a GraphQL API containing more variables than expected by a function. This can be used to obfuscate malicious requests.
    HTTP 403 Errors HTTP403
  • Signal Exclusion
  • Forbidden. This is commonly seen when the request for a url has been protected by the server’s configuration.
    HTTP 404 Errors HTTP404
  • Signal Exclusion
  • Not Found. This is commonly seen when the request for a page or asset does not exist or cannot be found by the server.
    HTTP 429 Errors HTTP429
  • Signal Exclusion
  • Too Many Requests. This is commonly seen when rate-limiting is used to slow down the number of active connections to a server.
    HTTP 4XX Errors HTTP4XX
  • Signal Exclusion
  • 4xx Status Codes commonly refer to client request errors
    HTTP 500 Errors HTTP500
  • Signal Exclusion
  • Internal Server Error. This is commonly seen when a request generates an unhandled application error.
    HTTP 503 Errors HTTP503
  • Signal Exclusion
  • Service Unavailable. This is commonly seen when a web service is overloaded or sometimes taken down for maintenance.
    HTTP 5XX Errors HTTP5XX
  • Signal Exclusion
  • 5xx Status Codes commonly refer to server related issues
    HTTP Response Splitting RESPONSESPLIT
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Identifies when CRLF characters are submitted as input to the application to inject headers into the HTTP response
    Invalid Encoding NOTUTF8
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Invalid Encoding can cause the server to translate malicious characters from a request into a response, causing either a denial of service or XSS
    JSON Encoding Error JSON-ERROR
  • Signal Exclusion
  • A POST, PUT, or PATCH request body that is specified as containing JSON within the Content-Type request header but contains JSON parsing errors. This is often related to a programming error or an automated or malicious request.
    Malformed Data in the request body MALFORMED-DATA
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • A POST, PUT or PATCH request body that is malformed according to the Content-Type request header. For example, if a Content-Type: application/x-www-form-urlencoded request header is specified and contains a POST body that is json. This is often a programming error, automated or malicious request.
    Malicious IP Traffic SANS
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Signal Sciences regularly imports SANS Internet Storm Center list of IP addresses that have been reported to have engaged in malicious activity
    Network Effect SIGSCI-IP
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Whenever an IP is flagged due to a malicious signal by our decision engine, that IP will be propagated to all customers. We then log subsequent requests from those IP addresses that contain any additional signal for the duration of the flag.
    Missing Content-Type request header NO-CONTENT-TYPE
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • A POST, PUT or PATCH request that does not have a Content-Type request header. By default application servers should assume Content-Type: text/plain; charset=us-ascii in this case. Many automated and malicious requests may be missing Content Type.
    No User Agent NOUA
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Many automated and malicious requests use fake or missing User-Agents to make it difficult to identify the type of device making the requests
    Null Byte NULLBYTE
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Null bytes do not normally appear in a request and indicate the request is malformed and potentially malicious
    Private Files PRIVATEFILE
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Private files are usually confidential in nature, such as an Apache .htaccess file, or a configuration file which could leak sensitive information
    Scanner SCANNER
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Identifies popular scanning services and tools
    SearchBot Impostor IMPOSTOR
  • Templated Rule
  • Search bot impostor is someone pretending to be a Google or Bing search bot, but who is not legitimate
    Site Flagged IP SITE-FLAGGED-IP
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Indicates a request was received from an IP that was flagged for exceeding attack thresholds for a specific site.This signal is only included with the Premier platform.
    Tor Traffic TORNODE
  • Lists
  • Rate Limit Rules
  • Request Rules
  • Signal Exclusion
  • Tor is software that conceals a user’s identity. A spike in Tor traffic can indicate an attacker trying to mask their location.
    Weak TLS WEAKTLS
  • Signal Exclusion
  • Weak TLS. A web server’s configuration allows SSL/TLS connections to be established with an obsolete cipher suite or protocol version. This signal is based on inspecting a small percent of requests. Also, some architectures and Signal Sciences’ language SDK modules do not support this signal.
    XML Encoding Error XML-ERROR
  • Signal Exclusion
  • A POST, PUT, or PATCH request body that is specified as containing XML within the Content-Type request header but contains XML parsing errors. This is often related to a programming error or an automated or malicious request.