[mod-security-users] Strange Botnet detection issue
From: AbdelMonem E. <abd...@tr...> - 2019-10-28 13:08:20
Hi,

We've implemented ModSecurity commercial rules on our API gateway server, and during a POST request that uploads a PDF file, the request was blocked by this rule:

BOTNET: "SLR: Common IRC Botnet Attack Command String Identified"

The request was showing the below error:

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Pm' with parameter` !tum !zero !lfi !rfi !e107 !sql !osco !zen !adm !op !oscoo !sqle !whmz !cmdlfi !cmde107 !cmdxml' against variable `REQUEST_BODY' form-data; name="bu (229583 characters omitted)' ) [msg "SLR: Common IRC Botnet Attack Command String Identified"] [data "Matched Data: !sql found within REQUEST_BODY: ----------------------------099685253547753370295846\x0d\x0aContent-Disposition: form-data; name="buffer"; filename="1571931264160-1-test error pdf.pdf"\x0d\x0aConten (93192 characters omitted)"] [severity "2"] [ver "SLR"] [maturity "8"] [accuracy "8"] [tag "SLR/MALICIOUS_SOFTWARE/BOTNET"] [tag "WASCTC/WASC-01"] [tag "OWASP_TOP_10/A7"] [tag "PCI/5.1.1"] [tag "attack-botnet"] [uri "/onespan/packages/addDocument"] [ref "o78051,4v491,93348t:urlDecodeUni"], request: "POST /onespan/packages/addDocument HTTP/1.1"

Any advice on the root cause of this PDF being blocked?

Regards,
Ali
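The audit line above shows the `@pm` operator matching the four-byte phrase `!sql` somewhere inside `REQUEST_BODY`, which for a multipart upload includes the raw bytes of the attached file. The following is an added triage helper, not code from the poster or from the commercial rule set: it emulates `@pm` (case-insensitive substring match over the phrase list copied from the log) against a constructed multipart body and reports whether the hit comes from a file part or from an ordinary form field. The boundary value is taken from the log; the PDF bytes and the `packageId` field are constructed sample data.

```python
import re

# Phrase list copied from the rule's @pm parameter in the audit log line above.
PHRASES = ("!tum", "!zero", "!lfi", "!rfi", "!e107", "!sql", "!osco", "!zen",
           "!adm", "!op", "!oscoo", "!sqle", "!whmz", "!cmdlfi", "!cmde107", "!cmdxml")

BOUNDARY = b"----------------------------099685253547753370295846"

# Constructed sample body: one plain text field plus a PDF-like file part whose
# compressed stream bytes happen to contain the ASCII sequence "!sql".
BODY = (b"--" + BOUNDARY + b"\r\n"
        b'Content-Disposition: form-data; name="packageId"\r\n\r\n12345\r\n'
        b"--" + BOUNDARY + b"\r\n"
        b'Content-Disposition: form-data; name="buffer"; filename="test error pdf.pdf"\r\n'
        b"Content-Type: application/pdf\r\n\r\n"
        b"%PDF-1.4\n1 0 obj<</Length 20>>stream\nx\x9c\x8b!sql\x00\xffendstream\n%%EOF\r\n"
        b"--" + BOUNDARY + b"--\r\n")


def pm_match(data: bytes, phrases=PHRASES):
    """Emulate @pm: return the first phrase found as a case-insensitive substring, else None."""
    low = data.lower()  # bytes.lower() only folds ASCII, which is what we want for binary data
    for p in phrases:
        if p.encode() in low:
            return p
    return None


def split_parts(body: bytes, boundary: bytes):
    """Split a multipart/form-data body into (header_text, content_bytes) per part."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        head, _, content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        parts.append((head.decode("latin-1"), content.rstrip(b"\r\n")))
    return parts


def triage(body: bytes, boundary: bytes):
    """Report where the phrase list matches: whole REQUEST_BODY, file parts, or plain fields."""
    file_hits, field_hits = {}, {}
    for head, content in split_parts(body, boundary):
        name = re.search(r'name="([^"]+)"', head).group(1)
        hit = pm_match(content)
        if hit:
            (file_hits if "filename=" in head else field_hits)[name] = hit
    return {"request_body": pm_match(body), "file_parts": file_hits, "form_fields": field_hits}
```

When `file_parts` carries the only hit, the match is file content rather than a command string in a form field, which is the evidence needed to justify a rule exclusion scoped to the upload endpoint or to file contents instead of disabling the rule globally.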