Open ceandre opened 4 years ago
The DoS rule continues to trigger with 'png' even though the extension is in the 'static_extensions' variable.
setvar:'tx.dos_burst_time_slice=60' setvar:'tx.dos_counter_threshold=300' setvar:'tx.dos_block_timeout=600'
setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.tiff/ /.webp/'
[Tue Mar 24 21:36:04.431398 2020] [:error] [pid 19431:tid 139653780846336] [client 172.xxx.xxx.xxx:36358] [client 172.xxx.xxx.xxx] ModSecurity: Access denied with connection close (phase 1). Operator EQ matched 0 at IP. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-912-DOS-PROTECTION.conf"] [line "111"] [id "912120"] [msg "Denial of Service (DoS) attack identified from 172.xxx.xxx.xxx (1 hits since last alert)"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-dos"] [hostname "webmail.xxx.xxx.xxx"] [uri "/horde/imp/themes/graphics/folders/inbox.png"] [unique_id "XnqndD-Uad-QLO08ojZ40AAAAMs"], referer: https://webmail.xxx.xxx.xxx/horde/imp/mailbox.php?page=1
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
Description
The DoS rule continues to trigger with 'png' even though the extension is in the 'static_extensions' variable.
Audit Logs / Triggered Rule Numbers
setvar:'tx.dos_burst_time_slice=60' setvar:'tx.dos_counter_threshold=300' setvar:'tx.dos_block_timeout=600'
setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.tiff/ /.webp/'
[Tue Mar 24 21:36:04.431398 2020] [:error] [pid 19431:tid 139653780846336] [client 172.xxx.xxx.xxx:36358] [client 172.xxx.xxx.xxx] ModSecurity: Access denied with connection close (phase 1). Operator EQ matched 0 at IP. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-912-DOS-PROTECTION.conf"] [line "111"] [id "912120"] [msg "Denial of Service (DoS) attack identified from 172.xxx.xxx.xxx (1 hits since last alert)"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-dos"] [hostname "webmail.xxx.xxx.xxx"] [uri "/horde/imp/themes/graphics/folders/inbox.png"] [unique_id "XnqndD-Uad-QLO08ojZ40AAAAMs"], referer: https://webmail.xxx.xxx.xxx/horde/imp/mailbox.php?page=1
Your Environment
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.