This repository was archived by the owner on May 14, 2020. It is now read-only.
Description
The DoS rule continues to trigger with 'png' even though the extension is in the 'static_extensions' variable.
Audit Logs / Triggered Rule Numbers
setvar:'tx.dos_burst_time_slice=60'
setvar:'tx.dos_counter_threshold=300'
setvar:'tx.dos_block_timeout=600'
setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.tiff/ /.webp/'
[Tue Mar 24 21:36:04.431398 2020] [:error] [pid 19431:tid 139653780846336] [client 172.xxx.xxx.xxx:36358] [client 172.xxx.xxx.xxx] ModSecurity: Access denied with connection close (phase 1). Operator EQ matched 0 at IP. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-912-DOS-PROTECTION.conf"] [line "111"] [id "912120"] [msg "Denial of Service (DoS) attack identified from 172.xxx.xxx.xxx (1 hits since last alert)"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-dos"] [hostname "webmail.xxx.xxx.xxx"] [uri "/horde/imp/themes/graphics/folders/inbox.png"] [unique_id "XnqndD-Uad-QLO08ojZ40AAAAMs"], referer: https://webmail.xxx.xxx.xxx/horde/imp/mailbox.php?page=1
Your Environment
CRS version (e.g., v3.2.0): 3.0.0
Paranoia level setting: 3
ModSecurity version (e.g., 2.9.3): 2.9.2
Web Server and version (e.g., apache 2.4.41): Apache 2.4.37
Operating System and version: CentOS 8.1
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
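The following is an added example to reason about the report above; it is not code from the OWASP CRS project or from the reporter. It is a simplified Python model of the CRS 3 DoS-protection flow: a phase-1 check that refuses every request from a client whose block variable is still live, and a counting step that skips requests whose extension is found by a substring (@within) test in tx.static_extensions. The thresholds and the static_extensions string are taken from the crs-setup.conf lines in the issue; the extension-capture regex, the expiry handling and the alert-once behaviour are assumptions that simplify the real rule set, and the client address is constructed.

```python
"""Simplified model of the CRS 3 DoS-protection flow (added example, not CRS code)."""
import re
from collections import defaultdict

# Values copied from the issue's crs-setup.conf lines.
DOS_BURST_TIME_SLICE = 60      # seconds a burst is remembered
DOS_COUNTER_THRESHOLD = 300    # non-static requests per slice before a burst is recorded
DOS_BLOCK_TIMEOUT = 600        # seconds a client stays blocked
STATIC_EXTENSIONS = "/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.tiff/ /.webp/"

# Assumption: the extension (with its dot) is captured from the request basename
# and wrapped in slashes so it can be compared against the delimited list above.
EXT_RE = re.compile(r"(\.[a-z0-9]{1,10})$")


def within(needle, haystack):
    """ModSecurity's @within is a plain substring test: needle anywhere in haystack."""
    return needle in haystack


def extension_token(basename):
    """Lower-cased extension in the '/.ext/' form used for the static check."""
    m = EXT_RE.search(basename.lower())
    return "/%s/" % m.group(1) if m else ""


def is_static(basename):
    """True when the request is exempt from the DoS counter."""
    token = extension_token(basename)
    return bool(token) and within(token, STATIC_EXTENSIONS)


class IpState:
    """Per-client state, standing in for ModSecurity's persistent IP collection."""
    def __init__(self):
        self.counter = 0          # ip.dos_counter
        self.burst_counter = 0    # ip.dos_burst_counter
        self.burst_expires = 0.0  # expiry time of the burst counter
        self.block_expires = 0.0  # expiry time of ip.dos_block
        self.alerted = False      # stands in for ip.dos_block_flag (alert once)


class DosProtection:
    def __init__(self):
        self.ips = defaultdict(IpState)

    def request(self, ip, uri, now):
        """Evaluate one request at time `now` (seconds). Returns (action, message)."""
        st = self.ips[ip]
        # Phase-1 check: a client already in DOS_BLOCK is refused for every URI,
        # static or not; only the first refusal raises an alert message.
        if st.block_expires > now:
            msg = None
            if not st.alerted:
                st.alerted = True
                msg = "Denial of Service (DoS) attack identified from %s" % ip
            return "block", msg
        # Counting step: static resources are not counted at all.
        basename = uri.split("?", 1)[0].rsplit("/", 1)[-1]
        if is_static(basename):
            return "pass", None
        if st.burst_expires <= now:
            st.burst_counter = 0  # the previous burst has expired
        st.counter += 1
        if st.counter > DOS_COUNTER_THRESHOLD:
            st.burst_counter += 1
            st.burst_expires = now + DOS_BURST_TIME_SLICE
            st.counter = 0
            if st.burst_counter >= 2:
                st.block_expires = now + DOS_BLOCK_TIMEOUT
                st.alerted = False
        return "pass", None


def simulate_issue_scenario():
    """Two bursts of dynamic requests, then the inbox.png request from the issue's log."""
    dos = DosProtection()
    client = "172.0.0.1"  # constructed address
    png = "/horde/imp/themes/graphics/folders/inbox.png"
    for t in (0, 1):
        for _ in range(DOS_COUNTER_THRESHOLD + 1):
            dos.request(client, "/horde/imp/mailbox.php?page=1", t)
    first = dos.request(client, png, 2)                       # blocked, alert logged
    second = dos.request(client, png, 3)                      # blocked, no new alert
    after_timeout = dos.request(client, png, 2 + DOS_BLOCK_TIMEOUT)  # block expired
    return first, second, after_timeout


if __name__ == "__main__":
    for result in simulate_issue_scenario():
        print(result)
```

Two points the model makes visible. First, static_extensions only exempts a request from being counted; once a client has crossed the threshold in two consecutive slices, the phase-1 block refuses every URI from that client until dos_block_timeout elapses, so a .png request from an already-blocked client produces exactly the 912120 log line shown above. Second, because @within is a substring test, the token the rule builds must match the list's delimited form exactly: "/.png/" is found in the list, while a token without the leading dot ("/png/") is not, and such a request would be counted even though png appears in the variable. When checking a deployment, confirm the token format the installed rule builds and compare it against the list format in crs-setup.conf.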