Manual Chapter : Alert types that can trigger automated system responses

Applies To:

BIG-IP FPS

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.0

In the Rules area of the Anti-Fraud Profile Properties screen, there are 13 alert types that you can select for triggering automated system responses. The tables in this section describe the various alerts that correspond to these 13 alert types.

Generic Malware

| Alert | Description |
| --- | --- |
| Trojan validator | Created when bait strings in the HTML of the client's browser wake up Trojan malware. |
| Detection of disabled enter key | Created if the FPS JavaScript detects that malware has disabled the Enter key on the client's keyboard. |

Web Injection

| Alert | Description |
| --- | --- |
| Ajax Validator | Created when an Ajax request is sent to a domain that is not in the whitelist. |
| External Sources | Created when a resource is requested from a domain not in the whitelist. In addition to the standard alert information, this alert contains a field called Min, which shows the forbidden added HTML element and its contents in a URI encoded base-64 format. |
| Self-Removing Script | Created when the system detects a self-removing malicious script on a web page. |
| Detection of matched URL patterns | Created if the system detects a match between a URL pattern in an AJAX request from the client and a URL pattern entered in the BIG-IP system when configuring a user-defined malware type. |
| Detection of matched SRC patterns | Created if the system detects a match between a SRC pattern in an external script from the client's web browser and a SRC pattern entered in the BIG-IP system when configuring a user-defined malware type. |
| Detection of malware's function names | Created if the system detects a malware function name in an AJAX request from a web page in the anti-fraud profile. |
| Self Bait External | Created when FPS Removed Scripts detection identifies an external script that was removed from the web page. |
| Same Domain Script Validation | Created when a script from the same domain as the protected web site is served by a malicious server. |

Phishing

| Alert | Description |
| --- | --- |
| Phishing Detected | Created when a phishing site has been detected by JavaScript. |
| Old JS | Created when the JavaScript engine on a site is out of date. This is a sign that the alert was generated from a copied site. |
| CSS Checks | Created when the system detects a phishing site with removed or disabled JavaScript. |
| Image Checks | Created when the system detects a phishing site with removed JavaScript. |

Phishing Users

| Alert | Description |
| --- | --- |
| Phishing Users | Created when a phishing victim enters user credentials onto a phishing web site. The user name that appears in the alert is the user name that was entered into the phishing site. |

RAT Detection

| Alert | Description |
| --- | --- |
| RAT Detected | Created when a Remote Access Trojan is detected. |
| Xtreme RAT Detected | Created when XtremeRAT malware is detected on a web page configured for FPS detection. |

Mandatory Words

| Alert | Description |
| --- | --- |
| Is Visible | Created when text that was configured to always be visible is missing or hidden. |

Client Network Connection

| Alert | Description |
| --- | --- |
| Domain Availability | Created when the user's internet access to important domains appears restricted. |

Client Side Missing Components

| Alert | Description |
| --- | --- |
| Config not loaded | Created when FPS configurations cannot be parsed. |
| Cookie Deleted | Created when the compulsory FPS cookie is missing despite FPS successfully creating the cookie. |
| Secure Alert Check Failed | This is a test alert used to check that alerts are properly sent from the client to the plugin. |

Source Integrity

| Alert | Description |
| --- | --- |
| Source Integrity | Created if there is an unexpected number of HTML tags on the web page of the URL. |
| Deferred Execution Detected | Created when the FPS JavaScript detects that its execution was deferred until after the client's web page finished loading. |
| Self Bait Inline | Created when FPS Removed Scripts detection identifies an inline script that was removed from the web page. |

Referrer Checks

| Alert | Description |
| --- | --- |
| Referrer Check | Created when the system detects that a user was referred to the real site from a suspicious source. |

Server Side Missing Components

| Alert | Description |
| --- | --- |
| Missing Cookie | Created when the compulsory FPS cookie is missing. |
| Cmp check error | Created when one of the FPS client-side components did not complete successfully. This may indicate a dedicated malware attack. |
| URL error | Created when the compulsory FPS cookie does not match the web page that was viewed. |

Encryption Failure

| Alert | Description |
| --- | --- |
| Got real password | Created when FPS receives unencrypted data that was supposed to be encrypted. |
| Wrong input size | Created when the actual size of the encrypted data does not match the expected size. |
| Unseal failed | Created when secure channel decryption fails. |
| Time Exceeded | Created when the lifetime of the encrypted value was exceeded. This lifetime can be configured in the BIG-IP system (4 hours by default). |
| Vcrypt disabled | Created when encryption has failed for this user in the past and is now disabled. |
| Too long value | Created when the length of the encrypted parameter is too long to decrypt. |

The following types of Encryption Error alerts are created when an internal encryption error occurs in the BIG-IP system:
  • Failed to extract
  • Append buff failed
  • Unseal len failed
  • RSA retrieve failed
  • Binary from hex failed
  • RSA init failed
  • RSA init padding failed
  • RSA decrypt failed
  • Binary from Hex Symmetric Key Failed
  • Init symmetric key failed

Automatic Transactions

| Alert | Description |
| --- | --- |
| Validation Error | Created when the expected cookie is missing or corrupted. |
| Data Integrity | Created when the system detects that post-data has been modified after it was submitted. |
| Browser Automation | Created when the system detects an automatic transaction on a web page. |
| Parameter too long | Created when at least one of the parameter values is too long to be checked by the data integrity module. |