Re: [mod-security-users] Strange Botnet detection issue
From: Chaim S. <cha...@gm...> - 2019-10-28 13:44:46
This looks to be an exceedingly broad rule. Probably the only route going forward is to disable this rule. Failing that, I think you could expect more false positives.

On Mon, Oct 28, 2019, 6:11 AM AbdelMonem ElMesery <abd...@tr...> wrote:

> Hi,
>
> We've implemented ModSecurity commercial rules on our API gateway server, and during a POST request that uploads a PDF file, the request was blocked by this rule:
>
> BOTNET: "SLR: Common IRC Botnet Attack Command String Identified"
>
> The request was showing the below error:
>
> ModSecurity: Access denied with code 403 (phase 2).
> Matched "Operator `Pm' with parameter` !tum !zero !lfi !rfi !e107 !sql !osco !zen !adm !op !oscoo !sqle !whmz !cmdlfi !cmde107 !cmdxml' against variable `REQUEST_BODY' form-data; name="bu (229583 characters omitted)' )
> [msg "SLR: Common IRC Botnet Attack Command String Identified"]
> [data "Matched Data: !sql found within REQUEST_BODY: ----------------------------099685253547753370295846\x0d\x0aContent-Disposition: form-data; name="buffer"; filename="1571931264160-1-test error pdf.pdf"\x0d\x0aConten (93192 characters omitted)"]
> [severity "2"] [ver "SLR"] [maturity "8"] [accuracy "8"] [tag "SLR/MALICIOUS_SOFTWARE/BOTNET"] [tag "WASCTC/WASC-01"] [tag "OWASP_TOP_10/A7"] [tag "PCI/5.1.1"] [tag "attack-botnet"] [uri "/onespan/packages/addDocument"] [ref "o78051,4v491,93348t:urlDecodeUni"], request: "POST /onespan/packages/addDocument HTTP/1.1"
>
> Any advice on the root cause of this PDF being blocked?
>
> Regards,
> Ali
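An added triage helper, not from this thread and not part of ModSecurity or the SLR rules, that reproduces the @pm substring match from the quoted log against a constructed multipart body and reports whether the hit falls inside an uploaded file part rather than a form field; that is the check that separates this kind of false positive from a command string actually submitted in a field. The boundary, field name and filename are taken from the log above; the PDF bytes are constructed, and `pm_match` is an approximation of the operator (earliest case-insensitive phrase occurrence), not its real implementation.

```python
import re

# Phrase list copied from the @pm rule in the log excerpt above. @pm is a
# case-insensitive substring match over the whole raw REQUEST_BODY, file bytes included.
BOTNET_PHRASES = ("!tum !zero !lfi !rfi !e107 !sql !osco !zen !adm !op "
                  "!oscoo !sqle !whmz !cmdlfi !cmde107 !cmdxml").split()

def pm_match(body: bytes, phrases=BOTNET_PHRASES):
    """Approximate @pm: earliest occurrence of any phrase as (phrase, offset), or None."""
    lower = body.lower()
    hits = [(i, p) for p in phrases if (i := lower.find(p.encode())) >= 0]
    if not hits:
        return None
    offset, phrase = min(hits)
    return phrase, offset

def part_containing(body: bytes, boundary: bytes, offset: int):
    """Return (field name, filename) of the multipart part that holds offset."""
    delim = b"--" + boundary
    starts = [m.start() for m in re.finditer(re.escape(delim), body)]
    for s, e in zip(starts, starts[1:] + [len(body)]):
        if s <= offset < e:
            hdr = body[s:body.find(b"\r\n\r\n", s)].decode("latin-1")
            name = re.search(r'(?<!file)name="([^"]*)"', hdr)
            fname = re.search(r'filename="([^"]*)"', hdr)
            return (name.group(1) if name else None,
                    fname.group(1) if fname else None)
    return None, None

def triage(body: bytes, boundary: bytes) -> dict:
    """Locate the @pm hit and report whether it sits inside an uploaded file part."""
    hit = pm_match(body)
    if hit is None:
        return {"matched": False}
    phrase, offset = hit
    name, fname = part_containing(body, boundary, offset)
    return {"matched": True, "phrase": phrase, "field": name,
            "filename": fname, "inside_upload": fname is not None}

# Constructed sample: boundary, field name and filename from the quoted log, plus a
# tiny PDF-like body whose compressed stream happens to contain the bytes "!SqL".
BOUNDARY = b"----------------------------099685253547753370295846"
SAMPLE_BODY = b"".join([
    b"--", BOUNDARY, b"\r\nContent-Disposition: form-data; name=\"packageName\"\r\n\r\n",
    b"Quarterly report\r\n--", BOUNDARY, b"\r\nContent-Disposition: form-data; ",
    b"name=\"buffer\"; filename=\"1571931264160-1-test error pdf.pdf\"\r\n",
    b"Content-Type: application/pdf\r\n\r\n%PDF-1.4\n1 0 obj<</Length 12>>stream\n",
    b"x\x9c\x8b!SqL\x00\xffQ\nendstream\n%%EOF\r\n--", BOUNDARY, b"--\r\n",
])
```

A hit whose `inside_upload` is true is a candidate for scoping the rule's target away from file parts (or the upload URI) rather than disabling it outright.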