Re: [mod-security-users] Strange Botnet detection issue
From: Cris H. <cri...@gm...> - 2019-10-28 13:49:42
This is from whoever is hacking my phone.

On Mon, Oct 28, 2019, 8:46 AM Chaim Sanders <cha...@gm...> wrote:

> This looks to be an exceedingly broad rule. Probably the only route going
> forward is to disable this rule. Failing that I think you could expect more
> false positives.
>
> On Mon, Oct 28, 2019, 6:11 AM AbdelMonem ElMesery <abd...@tr...> wrote:
>
>> Hi,
>>
>> We've implemented ModSecurity commercial rules on our API gateway server,
>> and during a POST request that uploads a PDF file, the request was blocked
>> by this rule:
>>
>> BOTNET: "SLR: Common IRC Botnet Attack Command String Identified"
>>
>> The request was showing the below error:
>>
>> ModSecurity: Access denied with code 403 (phase 2).
>> Matched "Operator `Pm' with parameter `!tum !zero !lfi !rfi !e107 !sql
>> !osco !zen !adm !op !oscoo !sqle !whmz !cmdlfi !cmde107 !cmdxml' against
>> variable `REQUEST_BODY' form-data; name="bu (229583 characters omitted)' )
>> [msg "SLR: Common IRC Botnet Attack Command String Identified"] [data
>> "Matched Data: !sql found within REQUEST_BODY:
>> ----------------------------099685253547753370295846\x0d\x0aContent-Disposition:
>> form-data; name="buffer";
>> filename="1571931264160-1-test error pdf.pdf"\x0d\x0aConten (93192
>> characters omitted)"] [severity "2"] [ver "SLR"] [maturity "8"] [accuracy
>> "8"] [tag "SLR/MALICIOUS_SOFTWARE/BOTNET"] [tag "WASCTC/WASC-01"] [tag
>> "OWASP_TOP_10/A7"] [tag "PCI/5.1.1"] [tag "attack-botnet"] [uri
>> "/onespan/packages/addDocument"] [ref "o78051,4v491,93348t:urlDecodeUni"],
>> request: "POST /onespan/packages/addDocument HTTP/1.1"
>>
>> Any advice on the root cause of this PDF being blocked.
>>
>> Regards,
>> Ali
>>
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://www.modsecurity.org/projects/commercial/rules/
>> http://www.modsecurity.org/projects/commercial/support/
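Editor's note on the exchange above. The rule that fired is a plain `@pm` phrase match: it looks for any of the listed IRC bot command strings (`!sql`, `!rfi`, `!adm`, ...) as a substring of `REQUEST_BODY`, with no check on what surrounds the match. The logged match data shows `REQUEST_BODY` starting at the multipart boundary and the `Content-Disposition` header of the `buffer` part, so the raw file bytes were inspected too, and a PDF stream only needs to contain the four bytes `!sql` somewhere to trip the rule. Two ways to handle that in ModSecurity 2.x configuration follow, as an added example that is not from the thread or from the SLR ruleset. The rule ID 10001 is an arbitrary placeholder (an assumption, not something on the page); the URI and the `attack-botnet` tag are taken from the logged event.

```apache
# Added example, not from the thread or the Trustwave SLR ruleset.
# Rule ID 10001 is an arbitrary placeholder; use an ID that is free in your
# own configuration. Load this BEFORE the commercial rule files: the botnet
# rule runs in phase 2, so the ctl action must be applied in phase 1.

# Option 1 (narrow): on the PDF upload endpoint only, stop every rule tagged
# "attack-botnet" from inspecting REQUEST_BODY. Those rules keep their other
# targets here, and keep inspecting REQUEST_BODY on every other URI.
SecRule REQUEST_URI "@beginsWith /onespan/packages/addDocument" \
    "id:10001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetByTag=attack-botnet;REQUEST_BODY"

# Option 2 (blunt, what the reply above recommends): remove the rule
# everywhere, selecting it by the msg text seen in the log, so no rule ID
# is needed. Uncomment to use instead of option 1.
# SecRuleRemoveByMsg "SLR: Common IRC Botnet Attack Command String Identified"
```

After reloading, repeat the upload and confirm in the audit log that no `attack-botnet` event is raised for that URI while a request carrying `!sql` to another path is still blocked; that check is what tells the narrow exclusion apart from having silently disabled the rule site-wide.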