Manual Chapter:
Alert types that can trigger automated system responses
Applies To:
BIG-IP FPS
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.0
In the Rules area of the Anti-Fraud Profile Properties screen, there are 13 alert
types that you can select for triggering automated system responses. The tables in this section
describe the various alerts that correspond to these 13 alert types.
Generic Malware
Alert | Description |
---|---|
Trojan validator | Created when bait strings in the HTML of the client's browser wake up Trojan malware. |
Detection of disabled enter key | Created if the FPS JavaScript detects that malware has disabled the Enter key on the client's keyboard. |
Web Injection
Alert | Description |
---|---|
Ajax Validator | Created when an Ajax request is sent to a domain that is not in the whitelist. |
External Sources | Created when a resource is requested from a domain not in the whitelist. In addition to the standard alert information, this alert contains a field called Min, which shows the forbidden added HTML element and its contents in a URI encoded base-64 format. |
Self-Removing Script | Created when the system detects a self-removing malicious script on a web page. |
Detection of matched URL patterns | Created if the system detects a match between a URL pattern in an AJAX request from the client and a URL pattern entered in the BIG-IP system when configuring a user-defined malware type. |
Detection of matched SRC patterns | Created if the system detects a match between a SRC pattern in an external script from the client's web browser and a SRC pattern entered in the BIG-IP system when configuring a user-defined malware type. |
Detection of malware's function names | Created if the system detects a malware function name in an AJAX request from a web page in the anti-fraud profile. |
Self Bait External | Created when FPS Removed Scripts detection identifies an external script that was removed from the web page. |
Same Domain Script Validation | Created when a script from the same domain as the protected web site is served by a malicious server. |
Phishing
Alert | Description |
---|---|
Phishing Detected | Created when a phishing site has been detected by JavaScript. |
Old JS | Created when the JavaScript engine on a site is out of date. This is a sign that the alert was generated from a copied site. |
CSS Checks | Created when the system detects a phishing site with removed or disabled JavaScript. |
Image Checks | Created when the system detects a phishing site with removed JavaScript. |
Phishing Users
Alert | Description |
---|---|
Phishing Users | Created when a phishing victim enters user credentials onto a phishing web site. The user name that appears in the alert is the user name that was entered into the phishing site. |
RAT Detection
Alert | Description |
---|---|
RAT Detected | Created when a Remote Access Trojan is detected. |
Xtreme RAT Detected | Created when XtremeRAT malware is detected on a web page configured for FPS detection. |
Mandatory Words
Alert | Description |
---|---|
Is Visible | Created when text that was configured to always be visible is missing or hidden. |
Client Network Connection
Alert | Description |
---|---|
Domain Availability | Created when the user's internet access to important domains appears restricted. |
Client Side Missing Components
Alert | Description |
---|---|
Config not loaded | Created when FPS configurations cannot be parsed. |
Cookie Deleted | Created when the compulsory FPS cookie is missing despite FPS successfully creating the cookie. |
Secure Alert Check Failed | This is a test alert used to check that alerts are properly sent from the client to the plugin. |
Source Integrity
Alert | Description |
---|---|
Source Integrity | Created if there is an unexpected number of HTML tags on the web page of the URL. |
Deferred Execution Detected | Created when the FPS JavaScript detects that its execution was deferred until after the client's web page finished loading. |
Self Bait Inline | Created when FPS Removed Scripts detection identifies an inline script that was removed from the web page. |
Referrer Checks
Alert | Description |
---|---|
Referrer Check | Created when the system detects that a user was referred to the real site from a suspicious source. |
Server Side Missing Components
Alert | Description |
---|---|
Missing Cookie | Created when the compulsory FPS cookie is missing. |
Cmp check error | Created when one of the FPS client-side components did not complete successfully. This may indicate a dedicated malware attack. |
URL error | Created when the compulsory FPS cookie does not match the web page that was viewed. |
Encryption Failure
Alert | Description |
---|---|
Got real password | Created when FPS receives unencrypted data that was supposed to be encrypted. |
Wrong input size | Created when the actual size of the encrypted data does not match the expected size. |
Unseal failed | Created when secure channel decryption fails. |
Time Exceeded | Created when the lifetime of the encrypted value was exceeded. This lifetime can be configured in the BIG-IP system (4 hours by default). |
Vcrypt disabled | Created when encryption has failed for this user in the past and is now disabled. |
Too long value | Created when the length of the encrypted parameter is too long to decrypt. |
- Failed to extract
- Append buff failed
- Unseal len failed
- RSA retrieve failed
- Binary from hex failed
- RSA init failed
- RSA init padding failed
- RSA decrypt failed
- Binary from Hex Symmetric Key Failed
- Init symmetric key failed
Automatic Transactions
Alert | Description |
---|---|
Validation Error | Created when the expected cookie is missing or corrupted. |
Data Integrity | Created when the system detects that post-data has been modified after it was submitted. |
Browser Automation | Created when the system detects an automatic transaction on a web page. |
Parameter too long | Created when at least one of the parameter values is too long to be checked by the data integrity module. |