public enum FirewallBlockReasons : System.Enum
public enum FirewallBlockReasons : System.Enum
Member | Description |
---|---|
ActiveScanning | Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction. |
AddhockFileAccessDetected | Indicates that an ad-hoc file access attempt has been detected, representing a security violation. |
AgentsConsideredMalicious | Indicates that a suspicious request designed to mimic legitimate requests in an attempt to probe for vulnerabilities has been detected. |
ALL | All flags turned on |
AttemptOnPluginConfiguration | Attempt on plugin configuration is a security violation that occurs when a user attempts to read or write to plugins or plugin configuration files on a system. This can include attempts to access plugins that are not intended to be accessed by regular users or make changes to plugin configurations that could potentially compromise the security of the system. Detection of an attempt on plugin configuration is an indication of potential security threats and may require further investigation or action to prevent unauthorized access or data breaches. The use of AttemptOnPluginConfiguration flag can help identify and track users or systems associated with these types of violations. |
AttemptToAccessSiteBackup | Attempt to access site backup is a security violation that occurs when a user attempts to access backups of an application, API, or web service. This can include attempts to access backup files that contain sensitive information, application or system configurations, or other resources that could be used to exploit vulnerabilities or gain unauthorized access to the system. Detection of an attempt to access site backup is an indication of potential security threats and may require further investigation or action to prevent unauthorized access or data breaches. The use of AttemptToAccessSiteBackup flag can help identify and track users or systems associated with these types of violations. |
AttemptToAccessSiteUsingTheTechnologyStack | Attempt to access site using the technology stack is a security violation that occurs when a user attempts to access an application, API, or web service using a technology stack that is not intended for that use case. This can include attempts to access a service using software tools such as Excel or Postman, or using a protocol or interface that is not supported by the application or system. Detection of an attempt to access site using the technology stack is an indication of potential security threats and may require further investigation or action to prevent unauthorized access or data breaches. The use of AttemptToAccessSiteUsingTheTechnologyStack flag can help identify and track users or systems associated with these types of violations. |
AttemptToAccessSystemFiles | Attempt to access system files is a security violation that occurs when a user attempts to access files or resources on a system that are not intended to be accessed by regular users. This can include system configuration files, system logs, or other sensitive information that may be used to exploit vulnerabilities or gain unauthorized access to the system. Detection of an attempt to access system files is an indication of potential security threats and may require further investigation or action to prevent unauthorized access or data breaches. The use of AttemptToAccessSystemFiles flag can help identify and track users or systems associated with these types of violations. |
BlockedUserGroup | Indicates that a specific group of users has been blocked as a security measure. |
CommonVulnerabilitiesExposuresExploitDetected | Common vulnerabilities and exposures (CVE) exploit detected is a security violation that occurs when a user or system attempts to exploit a known vulnerability in an application, system or service that has been identified and documented in the CVE database. The CVE is a list of common vulnerabilities and exposures maintained by the MITRE Corporation, which is used by security professionals and researchers to identify and track security threats. Detection of a CVE exploit attempt is an indication of potential security threats and may require further investigation or action to prevent unauthorized access or data breaches. The use of CommonVulnerabilitiesExposuresExploitDetected flag can help identify and track users or systems associated with these types of violations. |
CookieManipulations | Indicates that the cookie names used or the content of the cookie is wrong. |
CrossSiteRequestRejected | Indicates that a cross-site request has been rejected as a security measure. |
DataExfiltration | Indicates that an attempt or actual data theft, unauthorized removal, or movement of data from a device has been detected. |
DataSubscription | Indicates that an unauthorized attempt to access data protected behind a paywall or subscription service has been detected. |
DataValidationError | Indicates that the submitted data is invalid and would be incorrect when reading or writing data from an untrusted source. |
DeliberateManipulation | The deliberate manipulation on the data. Indicates that the data is system provided and was not valid, ideal for use in cypher, hashes, ID's. |
DenailOfService | Denial of service (DoS) is a security attack that is designed to disrupt or deny access to a web application or system by overwhelming it with traffic or requests. This can include the use of automated tools, bots, or other means to flood the system with requests, causing it to slow down or become unresponsive. Detection of a denial of service attack is an indication of potential security threats and may require immediate action to mitigate the impact of the attack. The use of a DenialOfService flag can help identify and track users or systems associated with these types of attacks. |
DenySystemAccess | Deny system access is a security measure that prevents a user from accessing any service on a server or network due to previous security detections or violations. This can include attempts to access restricted or unauthorized resources, violations of security policies, or other suspicious activity. Detection of a violation may result in the user or system associated with it being blocked or denied access to any service on the network or server. The use of deny system access can help prevent unauthorized access, reduce the risk of data breaches, and limit the impact of security threats. |
DeveloperTools | Indicates that a specific group of users has been blocked as a security measure. |
GatherVictimHostInformation | Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.). |
HeaderManipulations | Indicates that the headers are not correct either in name or in content or a header is missing that should be present |
HoneyPotSocketDetected | Honey pot socket detected is a security violation that occurs when a user attempts to access a honey pot socket or port. A honey pot socket or port is a decoy or trap that is designed to detect and deflect unauthorized access attempts. Detection of a honey pot socket access attempt is an indication of potential security threats and may require further investigation or action to prevent unauthorized access or data breaches. The use of HoneyPotSocketDetected flag can help identify and track users or systems associated with these types of violations. |
HoneyPotTrap | Represents a firewall-generated trap for hackers hidden from normal users. |
MaliciousUser | Indicates that an individual exhibiting malicious behavior or intent when interacting with a web application or system has been detected. |
MaximumViolationsDetected | Indicates that the maximum number of violations or warnings for a user has been detected, triggering a security measure. |
NetworkServiceDiscovery | Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system |
NoAccessFromRegion | Indicates that a resource is geofenced and an access attempt was made from outside the allowed region. |
NoAccessOutsideofRenderedLinks | No access outside of rendered links is a security measure that prevents a user from accessing resources that were not rendered during a normal request pipeline. This can include attempts to access hidden or restricted pages, scripts, or other resources that were not explicitly made available through the application interface. Detection of no access outside of rendered links can help prevent unauthorized access, reduce the risk of data breaches, and limit the impact of security threats. |
None | No reason specified. |
PageRereshFishing | Indicates that the page request is refreshed to try and obtain a different outcome that does not match the one on the page. |
PenetrationAttempt | Indicates that a penetration attempt targeting the system was detected. |
PhishyRequest | Phishy request is a security violation that occurs when a hacker attempts to probe a web application or system for vulnerabilities using requests that are designed to mimic legitimate requests. These requests can include probing for endpoints such as login pages, configuration files, or other resources that may be vulnerable to attack. Phishy requests can be used to exploit weaknesses in the system or gain unauthorized access to sensitive information or data. Detection of phishy requests is an indication of potential security threats and may require further investigation or action to prevent unauthorized access or data breaches. |
PortScan | Port scan is a security violation that occurs when a user or system attempts to scan a network or system for open ports or vulnerabilities. A port scan is an attempt to discover the services or applications running on a system or network, which can be used to exploit vulnerabilities or gain unauthorized access. Detection of a port scan attempt is an indication of potential security threats and may require further investigation or action to prevent unauthorized access or data breaches. The use of PortScan flag can help identify and track users or systems associated with these types of violations. |
ProxyUser | Indicates that a proxy user was detected where this is not expected and is not allowed. |
QueryStringManipulation | Query string manipulation is a security violation that occurs when a user or system attempts to modify or manipulate the parameters in a query string to bypass security restrictions, gain unauthorized access, or execute malicious code. A query string is a portion of a URL that contains information that is passed to the server as part of a request. Detection of a query string manipulation attempt is an indication of potential security threats and may require further investigation or action to prevent unauthorized access or data breaches. The use of QueryStringManipulation flag can help identify and track users or systems associated with these types of violations. |
RepeatedBlockedRequest | Indicates that a user has repeatedly been blocked and continues to probe the system for access. |
RequestPoisoningDetected | Request poisoning detected is a security violation that occurs when a user or system sends malformed or intentionally crafted requests to a web application or API in an attempt to disrupt or compromise its normal operation. This can include attempts to inject malicious code or data, manipulate input fields or parameters, or exploit vulnerabilities in the system or its components. Detection of request poisoning is an indication of potential security threats and may require further investigation or action to prevent unauthorized access or data breaches. The use of RequestPoisoningDetected flag can help identify and track users or systems associated with these types of violations. |
ResetAttack | Reset attack is a security violation that occurs when a user or system attempts to disrupt or terminate a network or system by sending a high volume of reset packets to reset the established connections. A reset packet is a signal sent to reset or terminate a connection, which can be used by attackers to disrupt the normal functioning of the network or system. Detection of a reset attack attempt is an indication of potential security threats and may require further investigation or action to prevent unauthorized access or data breaches. The use of ResetAttack flag can help identify and track users or systems associated with these types of violations. |
ScrubbingDetected | Indicates that the user is considered to be scrubbing the content, and scrubbing is not allowed for this user. |
SearchVictimOwnedWebsites | Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: Email Addresses). These sites may also have details highlighting business operations and relationships |
SimulatedDevice | Indicates that the user is using a simulated device or masquerading as a device that might be given access. |
UnsafeDevice | Unsafe device is a security violation that occurs when a user or system attempts to access a network or system from a device that is known or suspected to be compromised or unsafe. An unsafe device may be infected with malware or viruses, which can be used to launch attacks, steal sensitive data, or gain unauthorized access. Detection of an unsafe device is an indication of potential security threats and may require further investigation or action to prevent unauthorized access or data breaches. The use of UnsafeDevice flag can help identify and track users or systems associated with these types of violations. |
UserEncryptionManipulations | Indicates that the user's encryption was wrong, this can happen when a hash is trying to get hacked or encrypted data is send that is encrypted with the wrong key or method |
UserGeneratedRejection | Indicates an application-specific violation, ad-hoc reason, or proprietary blocking reason that does not fit into the known attack patterns. |
UserIdFaulty | Indicates that the user identifier is faulty or manipulated, could not be matched, or was not created by the system or firewall. |
UserSessionManipulations | Indicates that the user session keys manipulated, this can happen when cross site scripting or cookie poisoning is detected |
WrongUserGroup | Indicates that the user has been classified as belonging to the wrong user group and is not allowed to access a given resource. |
WrongUserId | Indicates that the wrong user identifier was provided in an attempt to access a resource. |
System.Object
System.ValueType
System.Enum
Walter.BOM.FirewallBlockReasons
Target Platforms: Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2