DoH blocked? #3216

Closed
1 task done
Zoey2936 opened this issue May 18, 2023 · 19 comments

Comments

@Zoey2936

Zoey2936 commented May 18, 2023

Description

The REQUEST-949-BLOCKING-EVALUATION.conf file (ID: 949110) seems to block DoH requests. If I remove the file, everything works. If I do the same requests on another host which does not proxy to a DoH server, I get a 404, no 403, so the problem seems to come from the response of the DoH server.

How to reproduce the misbehavior (-> curl call)

No idea what a curl command would look like, but using doh-cli:
doh-cli --url https://dns.domain.de/dns-query www.example.com A on a nginx host (with this ruleset), which proxies to an adguardhome server results in: 403 Client Error: Forbidden for url: https://dns.domain.de/dns-query?dns=r2wBAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB

Logs

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/nginx/conf/conf.d/include/coreruleset/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "*.*.*.*"] [uri "/dns-query"] [unique_id "168444845218.573577"] [ref ""], client: *.*.*.*, server: *.dns.domain.de, request: "POST /dns-query HTTP/2.0", host: "dns.domain.de"

Your Environment

  • CRS version (e.g., v3.3.4): v4.0/dev branch (default branch)
  • Paranoia level setting (e.g. PL1) : default (1)
  • ModSecurity version (e.g., 2.9.6): latest commit on v3/master branch (default branch), same for nginx module
  • Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): nginx built from nginx-quic repo (quic branch)
  • Operating System and version: debian 11 (bullseye-backports), but docker container is based on alpine linux v3.18
  • Dockerfile 1 and Dockerfile 2 (docker image: zoeyvid/nginx-proxy-manager:develop)

Confirmation

  • I have removed any personal data (email addresses, IP addresses,
    passwords, domain names) from any logs posted.
@azurit
Member

azurit commented May 19, 2023

Hi @Zoey2936 and thanks for reporting this. Can you, please, provide full logs related to this request? Rule ID 949110 only does the blocking, based on the score from other rules, so this is not going to help us.

By the way, you have completely disabled the whole WAF by removing rule 949110: it is now adding score to requests but never blocks them.

@Zoey2936
Author

[168451336790.523740] [/dns-query] [8] Saving variable: TX:blocking_outbound_anomaly_score with value: 0
[168451336790.523740] [/dns-query] [4] Running [independent] (non-disruptive) action: setvar
[168451336790.523740] [/dns-query] [8] Saving variable: TX:detection_outbound_anomaly_score with value: 0
[168451336790.523740] [/dns-query] [4] Running [independent] (non-disruptive) action: setvar
[168451336790.523740] [/dns-query] [8] Saving variable: TX:outbound_anomaly_score_pl1 with value: 0
[168451336790.523740] [/dns-query] [4] Running [independent] (non-disruptive) action: setvar
[168451336790.523740] [/dns-query] [8] Saving variable: TX:outbound_anomaly_score_pl2 with value: 0
[168451336790.523740] [/dns-query] [4] Running [independent] (non-disruptive) action: setvar
[168451336790.523740] [/dns-query] [8] Saving variable: TX:outbound_anomaly_score_pl3 with value: 0
[168451336790.523740] [/dns-query] [4] Running [independent] (non-disruptive) action: setvar
[168451336790.523740] [/dns-query] [8] Saving variable: TX:outbound_anomaly_score_pl4 with value: 0
[168451336790.523740] [/dns-query] [4] Running [independent] (non-disruptive) action: setvar
[168451336790.523740] [/dns-query] [8] Saving variable: TX:anomaly_score with value: 0
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [4] (Rule: 901320) Executing operator "Eq" with param "1" against TX:ENABLE_DEFAULT_COLLECTIONS.
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 901340) Executing operator "Rx" with param "(?:URLENCODED|MULTIPART|XML|JSON)" against REQBODY_PROCESSOR.
[168451336790.523740] [/dns-query] [9] Target value: "" (Variable: REQBODY_PROCESSOR)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Saving msg: Enabling body inspection
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [9] Running action: noauditlog
[168451336790.523740] [/dns-query] [9] Running action: ctl
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [4] (Rule: 901350) Executing operator "Eq" with param "1" against TX:enforce_bodyproc_urlencoded.
[168451336790.523740] [/dns-query] [9]  T (0) t:urlDecodeUni: "0"
[168451336790.523740] [/dns-query] [9] Target value: "0" (Variable: TX:enforce_bodyproc_urlencoded)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 901400) Executing operator "Eq" with param "100" against TX:sampling_percentage.
[168451336790.523740] [/dns-query] [9] Target value: "100" (Variable: TX:sampling_percentage)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [9] Running action: skipAfter
[168451336790.523740] [/dns-query] [5] Setting skipAfter for: END-SAMPLING
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [9] Skipped rule id '901410' due to a SecMarker: END-SAMPLING
[168451336790.523740] [/dns-query] [9] Skipped rule id '901450' due to a SecMarker: END-SAMPLING
[168451336790.523740] [/dns-query] [4] (Rule: 901500) Executing operator "Lt" with param "1" Was: "" against TX:detection_paranoia_level.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:detection_paranoia_level)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 905100) Executing operator "StrEq" with param "GET /" against REQUEST_LINE.
[168451336790.523740] [/dns-query] [9] Target value: "POST /dns-query HTTP/2.0" (Variable: REQUEST_LINE)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 905110) Executing operator "IpMatch" with param "127.0.0.1,::1" against REMOTE_ADDR.
[168451336790.523740] [/dns-query] [9] Target value: "192.168.168.2" (Variable: REMOTE_ADDR)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 911011) Executing operator "Lt" with param "1" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 911100) Executing operator "Within" with param "GET HEAD POST OPTIONS" Was: "" against REQUEST_METHOD.
[168451336790.523740] [/dns-query] [9] Target value: "POST" (Variable: REQUEST_METHOD)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 911013) Executing operator "Lt" with param "2" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [9] Running action: skipAfter
[168451336790.523740] [/dns-query] [5] Setting skipAfter for: END-REQUEST-911-METHOD-ENFORCEMENT
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [9] Skipped rule id '911015' due to a SecMarker: END-REQUEST-911-METHOD-ENFORCEMENT
[168451336790.523740] [/dns-query] [9] Skipped rule id '911017' due to a SecMarker: END-REQUEST-911-METHOD-ENFORCEMENT
[168451336790.523740] [/dns-query] [4] (Rule: 913011) Executing operator "Lt" with param "1" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 913100) Executing operator "PmFromFile" with param "scanners-user-agents.data" against REQUEST_HEADERS:User-Agent.
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 913110) Executing operator "PmFromFile" with param "scanners-headers.data" against REQUEST_HEADERS_NAMES|REQUEST_HEADERS.
[168451336790.523740] [/dns-query] [9] Target value: "host" (Variable: REQUEST_HEADERS_NAMES:host)
[168451336790.523740] [/dns-query] [9] Target value: "content-type" (Variable: REQUEST_HEADERS_NAMES:content-type)
[168451336790.523740] [/dns-query] [9] Target value: "accept" (Variable: REQUEST_HEADERS_NAMES:accept)
[168451336790.523740] [/dns-query] [9] Target value: "content-length" (Variable: REQUEST_HEADERS_NAMES:content-length)
[168451336790.523740] [/dns-query] [9] Target value: "dns.domain.de" (Variable: REQUEST_HEADERS:host)
[168451336790.523740] [/dns-query] [9] Target value: "application/dns-message" (Variable: REQUEST_HEADERS:content-type)
[168451336790.523740] [/dns-query] [9] Target value: "application/dns-message" (Variable: REQUEST_HEADERS:accept)
[168451336790.523740] [/dns-query] [9] Target value: "39" (Variable: REQUEST_HEADERS:content-length)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 913013) Executing operator "Lt" with param "2" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [9] Running action: skipAfter
[168451336790.523740] [/dns-query] [5] Setting skipAfter for: END-REQUEST-913-SCANNER-DETECTION
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [9] Skipped rule id '913101' due to a SecMarker: END-REQUEST-913-SCANNER-DETECTION
[168451336790.523740] [/dns-query] [9] Skipped rule id '913102' due to a SecMarker: END-REQUEST-913-SCANNER-DETECTION
[168451336790.523740] [/dns-query] [9] Skipped rule id '913015' due to a SecMarker: END-REQUEST-913-SCANNER-DETECTION
[168451336790.523740] [/dns-query] [9] Skipped rule id '913017' due to a SecMarker: END-REQUEST-913-SCANNER-DETECTION
[168451336790.523740] [/dns-query] [4] (Rule: 920011) Executing operator "Lt" with param "1" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920100) Executing operator "Rx" with param "(?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\v]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]*(?::[0-9]+)?)?/[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?)[\s\v]+[\.-9A-Z_a-z]+)$" against REQUEST_LINE.
[168451336790.523740] [/dns-query] [9] Target value: "POST /dns-query HTTP/2.0" (Variable: REQUEST_LINE)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920160) Executing operator "Rx" with param "^\d+$" against REQUEST_HEADERS:Content-Length.
[168451336790.523740] [/dns-query] [9] Target value: "39" (Variable: REQUEST_HEADERS:content-length)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920170) Executing operator "Rx" with param "^(?:GET|HEAD)$" against REQUEST_METHOD.
[168451336790.523740] [/dns-query] [9] Target value: "POST" (Variable: REQUEST_METHOD)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920171) Executing operator "Rx" with param "^(?:GET|HEAD)$" against REQUEST_METHOD.
[168451336790.523740] [/dns-query] [9] Target value: "POST" (Variable: REQUEST_METHOD)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920180) Executing operator "Within" with param "HTTP/2 HTTP/2.0" against REQUEST_PROTOCOL.
[168451336790.523740] [/dns-query] [9] Target value: "HTTP/2.0" (Variable: REQUEST_PROTOCOL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920181) Executing operator "Eq" with param "0" against REQUEST_HEADERS:Transfer-Encoding.
[168451336790.523740] [/dns-query] [9] Target value: "0" (Variable: REQUEST_HEADERS:Transfer-Encoding)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920190) Executing operator "Rx" with param "(\d+)-(\d+)" against REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range.
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920210) Executing operator "Rx" with param "\b(?:keep-alive|close),\s?(?:keep-alive|close)\b" against REQUEST_HEADERS:Connection.
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920220) Executing operator "Rx" with param "\x25" against REQUEST_URI.
[168451336790.523740] [/dns-query] [9] Target value: "/dns-query" (Variable: REQUEST_URI)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920280) Executing operator "Eq" with param "0" against REQUEST_HEADERS:Host.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: REQUEST_HEADERS:Host)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920290) Executing operator "Rx" with param "^$" against REQUEST_HEADERS:Host.
[168451336790.523740] [/dns-query] [9] Target value: "dns.domain.de" (Variable: REQUEST_HEADERS:host)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920310) Executing operator "Rx" with param "^$" against REQUEST_HEADERS:Accept.
[168451336790.523740] [/dns-query] [9] Target value: "application/dns-message" (Variable: REQUEST_HEADERS:accept)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920311) Executing operator "Rx" with param "^$" against REQUEST_HEADERS:Accept.
[168451336790.523740] [/dns-query] [9] Target value: "application/dns-message" (Variable: REQUEST_HEADERS:accept)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920330) Executing operator "Rx" with param "^$" against REQUEST_HEADERS:User-Agent.
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920340) Executing operator "Rx" with param "^0$" against REQUEST_HEADERS:Content-Length.
[168451336790.523740] [/dns-query] [9] Target value: "39" (Variable: REQUEST_HEADERS:content-length)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [4] Executing chained rule.
[168451336790.523740] [/dns-query] [4] (Rule: 0) Executing operator "Eq" with param "0" against REQUEST_HEADERS:Content-Type.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: REQUEST_HEADERS:Content-Type)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920350) Executing operator "Rx" with param "(?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$)" against REQUEST_HEADERS:Host.
[168451336790.523740] [/dns-query] [9] Target value: "dns.domain.de" (Variable: REQUEST_HEADERS:host)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920400) Executing operator "Eq" with param "1" against TX:MAX_FILE_SIZE.
[168451336790.523740] [/dns-query] [9] Target value: "0" (Variable: TX:MAX_FILE_SIZE)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920470) Executing operator "Rx" with param "^[\w/.+*-]+(?:\s?;\s?(?:action|boundary|charset|component|start(?:-info)?|type|version)\s?=\s?['\"\w.()+,/:=?<>@#*-]+)*$" against REQUEST_HEADERS:Content-Type.
[168451336790.523740] [/dns-query] [9]  T (0) t:lowercase: "application/dns-message"
[168451336790.523740] [/dns-query] [9] Target value: "application/dns-message" (Variable: REQUEST_HEADERS:content-type)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920420) Executing operator "Rx" with param "^[^;\s]+" against REQUEST_HEADERS:Content-Type.
[168451336790.523740] [/dns-query] [9] Target value: "application/dns-message" (Variable: REQUEST_HEADERS:content-type)
[168451336790.523740] [/dns-query] [7] Added regex subexpression TX.0: application/dns-message
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Running [independent] (non-disruptive) action: setvar
[168451336790.523740] [/dns-query] [8] Saving variable: TX:content_type with value: |application/dns-message|
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [4] Executing chained rule.
[168451336790.523740] [/dns-query] [4] (Rule: 0) Executing operator "Within" with param "|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|" Was: "" against TX:content_type.
[168451336790.523740] [/dns-query] [9]  T (0) t:lowercase: "|application/dns-message|"
[168451336790.523740] [/dns-query] [9] Target value: "|application/dns-message|" (Variable: TX:content_type)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Running [independent] (non-disruptive) action: setvar
[168451336790.523740] [/dns-query] [8] Saving variable: TX:inbound_anomaly_score_pl1 with value: 5
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [4] Running (non-disruptive) action: tag
[168451336790.523740] [/dns-query] [9] Rule tag: application-multi
[168451336790.523740] [/dns-query] [4] Running (non-disruptive) action: tag
[168451336790.523740] [/dns-query] [9] Rule tag: language-multi
[168451336790.523740] [/dns-query] [4] Running (non-disruptive) action: tag
[168451336790.523740] [/dns-query] [9] Rule tag: platform-multi
[168451336790.523740] [/dns-query] [4] Running (non-disruptive) action: tag
[168451336790.523740] [/dns-query] [9] Rule tag: attack-protocol
[168451336790.523740] [/dns-query] [4] Running (non-disruptive) action: tag
[168451336790.523740] [/dns-query] [9] Rule tag: paranoia-level/1
[168451336790.523740] [/dns-query] [4] Running (non-disruptive) action: tag
[168451336790.523740] [/dns-query] [9] Rule tag: OWASP_CRS
[168451336790.523740] [/dns-query] [4] Running (non-disruptive) action: tag
[168451336790.523740] [/dns-query] [9] Rule tag: capec/1000/255/153
[168451336790.523740] [/dns-query] [4] Running (non-disruptive) action: tag
[168451336790.523740] [/dns-query] [9] Rule tag: PCI/12.1
[168451336790.523740] [/dns-query] [9] This rule severity is: 2 current transaction is: 255
[168451336790.523740] [/dns-query] [9] Saving msg: Request content type is not allowed by policy
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: block.
[168451336790.523740] [/dns-query] [8] Marking request as disruptive.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [4] (Rule: 920480) Executing operator "Rx" with param "charset\s*=\s*[\"']?([^;\"'\s]+)" against REQUEST_HEADERS:Content-Type.
[168451336790.523740] [/dns-query] [9] Target value: "application/dns-message" (Variable: REQUEST_HEADERS:content-type)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920530) Executing operator "Rx" with param "charset.*?charset" against REQUEST_HEADERS:Content-Type.
[168451336790.523740] [/dns-query] [9]  T (0) t:lowercase: "application/dns-message"
[168451336790.523740] [/dns-query] [9] Target value: "application/dns-message" (Variable: REQUEST_HEADERS:content-type)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920430) Executing operator "Within" with param "HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0" Was: "" against REQUEST_PROTOCOL.
[168451336790.523740] [/dns-query] [9] Target value: "HTTP/2.0" (Variable: REQUEST_PROTOCOL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920440) Executing operator "Rx" with param "\.([^.]+)$" against REQUEST_BASENAME.
[168451336790.523740] [/dns-query] [9] Target value: "dns-query" (Variable: REQUEST_BASENAME)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920500) Executing operator "Rx" with param "\.[^.~]+~(?:/.*|)$" against REQUEST_FILENAME.
[168451336790.523740] [/dns-query] [9]  T (0) t:urlDecodeUni: "/dns-query"
[168451336790.523740] [/dns-query] [9] Target value: "/dns-query" (Variable: REQUEST_FILENAME)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920450) Executing operator "Rx" with param "^.*$" against REQUEST_HEADERS_NAMES.
[168451336790.523740] [/dns-query] [9]  T (0) t:lowercase: "host"
[168451336790.523740] [/dns-query] [9] Target value: "host" (Variable: REQUEST_HEADERS_NAMES:host)
[168451336790.523740] [/dns-query] [7] Added regex subexpression TX.0: host
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Running [independent] (non-disruptive) action: setvar
[168451336790.523740] [/dns-query] [8] Saving variable: TX:header_name_host with value: /host/
[168451336790.523740] [/dns-query] [9]  T (0) t:lowercase: "content-type"
[168451336790.523740] [/dns-query] [9] Target value: "content-type" (Variable: REQUEST_HEADERS_NAMES:content-type)
[168451336790.523740] [/dns-query] [7] Added regex subexpression TX.0: content-type
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Running [independent] (non-disruptive) action: setvar
[168451336790.523740] [/dns-query] [8] Saving variable: TX:header_name_content-type with value: /content-type/
[168451336790.523740] [/dns-query] [9]  T (0) t:lowercase: "accept"
[168451336790.523740] [/dns-query] [9] Target value: "accept" (Variable: REQUEST_HEADERS_NAMES:accept)
[168451336790.523740] [/dns-query] [7] Added regex subexpression TX.0: accept
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Running [independent] (non-disruptive) action: setvar
[168451336790.523740] [/dns-query] [8] Saving variable: TX:header_name_accept with value: /accept/
[168451336790.523740] [/dns-query] [9]  T (0) t:lowercase: "content-length"
[168451336790.523740] [/dns-query] [9] Target value: "content-length" (Variable: REQUEST_HEADERS_NAMES:content-length)
[168451336790.523740] [/dns-query] [7] Added regex subexpression TX.0: content-length
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Running [independent] (non-disruptive) action: setvar
[168451336790.523740] [/dns-query] [8] Saving variable: TX:header_name_content-length with value: /content-length/
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [4] Executing chained rule.
[168451336790.523740] [/dns-query] [4] (Rule: 0) Executing operator "Within" with param "/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/" Was: "" against TX:regex(^header_name_).
[168451336790.523740] [/dns-query] [9] Target value: "/host/" (Variable: TX:header_name_host)
[168451336790.523740] [/dns-query] [9] Target value: "/content-type/" (Variable: TX:header_name_content-type)
[168451336790.523740] [/dns-query] [9] Target value: "/accept/" (Variable: TX:header_name_accept)
[168451336790.523740] [/dns-query] [9] Target value: "/content-length/" (Variable: TX:header_name_content-length)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920520) Executing operator "Gt" with param "50" against REQUEST_HEADERS:Accept-Encoding.
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920600) Executing operator "Rx" with param "^(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*$" against REQUEST_HEADERS:Accept.
[168451336790.523740] [/dns-query] [9]  T (0) t:lowercase: "application/dns-message"
[168451336790.523740] [/dns-query] [9] Target value: "application/dns-message" (Variable: REQUEST_HEADERS:accept)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920610) Executing operator "Contains" with param "#" against REQUEST_URI_RAW.
[168451336790.523740] [/dns-query] [9] Target value: "/dns-query" (Variable: REQUEST_URI_RAW)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 920013) Executing operator "Lt" with param "2" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [9] Running action: skipAfter
[168451336790.523740] [/dns-query] [5] Setting skipAfter for: END-REQUEST-920-PROTOCOL-ENFORCEMENT
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [9] Skipped rule id '920200' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT
[168451336790.523740] [/dns-query] [9] Skipped rule id '920201' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT
[168451336790.523740] [/dns-query] [9] Skipped rule id '920320' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT
[168451336790.523740] [/dns-query] [9] Skipped rule id '920341' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT
[168451336790.523740] [/dns-query] [9] Skipped rule id '920015' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT
[168451336790.523740] [/dns-query] [9] Skipped rule id '920300' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT
[168451336790.523740] [/dns-query] [9] Skipped rule id '920490' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT
[168451336790.523740] [/dns-query] [9] Skipped rule id '920510' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT
[168451336790.523740] [/dns-query] [9] Skipped rule id '920521' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT
[168451336790.523740] [/dns-query] [9] Skipped rule id '920017' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT
[168451336790.523740] [/dns-query] [9] Skipped rule id '920202' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT
[168451336790.523740] [/dns-query] [9] Skipped rule id '920274' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT
[168451336790.523740] [/dns-query] [9] Skipped rule id '920275' due to a SecMarker: END-REQUEST-920-PROTOCOL-ENFORCEMENT
[168451336790.523740] [/dns-query] [4] (Rule: 921011) Executing operator "Lt" with param "1" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 921140) Executing operator "Rx" with param "[\n\r]" against REQUEST_HEADERS_NAMES|REQUEST_HEADERS.
[168451336790.523740] [/dns-query] [9]  T (0) t:htmlEntityDecode: "host"
[168451336790.523740] [/dns-query] [9] Target value: "host" (Variable: REQUEST_HEADERS_NAMES:host)
[168451336790.523740] [/dns-query] [9]  T (0) t:htmlEntityDecode: "content-type"
[168451336790.523740] [/dns-query] [9] Target value: "content-type" (Variable: REQUEST_HEADERS_NAMES:content-type)
[168451336790.523740] [/dns-query] [9]  T (0) t:htmlEntityDecode: "accept"
[168451336790.523740] [/dns-query] [9] Target value: "accept" (Variable: REQUEST_HEADERS_NAMES:accept)
[168451336790.523740] [/dns-query] [9]  T (0) t:htmlEntityDecode: "content-length"
[168451336790.523740] [/dns-query] [9] Target value: "content-length" (Variable: REQUEST_HEADERS_NAMES:content-length)
[168451336790.523740] [/dns-query] [9]  T (0) t:htmlEntityDecode: "dns.domain.de"
[168451336790.523740] [/dns-query] [9] Target value: "dns.domain.de" (Variable: REQUEST_HEADERS:host)
[168451336790.523740] [/dns-query] [9]  T (0) t:htmlEntityDecode: "application/dns-message"
[168451336790.523740] [/dns-query] [9] Target value: "application/dns-message" (Variable: REQUEST_HEADERS:content-type)
[168451336790.523740] [/dns-query] [9]  T (0) t:htmlEntityDecode: "application/dns-message"
[168451336790.523740] [/dns-query] [9] Target value: "application/dns-message" (Variable: REQUEST_HEADERS:accept)
[168451336790.523740] [/dns-query] [9]  T (0) t:htmlEntityDecode: "39"
[168451336790.523740] [/dns-query] [9] Target value: "39" (Variable: REQUEST_HEADERS:content-length)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 921160) Executing operator "Rx" with param "[\n\r]+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" against ARGS_GET_NAMES|ARGS_GET.
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 921190) Executing operator "Rx" with param "[\n\r]" against REQUEST_FILENAME.
[168451336790.523740] [/dns-query] [9]  T (0) t:urlDecodeUni: "/dns-query"
[168451336790.523740] [/dns-query] [9] Target value: "/dns-query" (Variable: REQUEST_FILENAME)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 921421) Executing operator "Rx" with param "^[^\s\v,;]+[\s\v,;].*?(?:application/(?:.+\+)?json|(?:application/(?:soap\+)?|text/)xml)" against REQUEST_HEADERS:Content-Type.
[168451336790.523740] [/dns-query] [9]  T (0) t:lowercase: "application/dns-message"
[168451336790.523740] [/dns-query] [9] Target value: "application/dns-message" (Variable: REQUEST_HEADERS:content-type)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 921240) Executing operator "Rx" with param "unix:[^|]*\|" against REQUEST_URI.
[168451336790.523740] [/dns-query] [9]  T (0) t:lowercase: "/dns-query"
[168451336790.523740] [/dns-query] [9] Target value: "/dns-query" (Variable: REQUEST_URI)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 921013) Executing operator "Lt" with param "2" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [9] Running action: skipAfter
[168451336790.523740] [/dns-query] [5] Setting skipAfter for: END-REQUEST-921-PROTOCOL-ATTACK
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [9] Skipped rule id '921151' due to a SecMarker: END-REQUEST-921-PROTOCOL-ATTACK
[168451336790.523740] [/dns-query] [9] Skipped rule id '921422' due to a SecMarker: END-REQUEST-921-PROTOCOL-ATTACK
[168451336790.523740] [/dns-query] [9] Skipped rule id '921015' due to a SecMarker: END-REQUEST-921-PROTOCOL-ATTACK
[168451336790.523740] [/dns-query] [9] Skipped rule id '921230' due to a SecMarker: END-REQUEST-921-PROTOCOL-ATTACK
[168451336790.523740] [/dns-query] [9] Skipped rule id '921017' due to a SecMarker: END-REQUEST-921-PROTOCOL-ATTACK
[168451336790.523740] [/dns-query] [4] (Rule: 930011) Executing operator "Lt" with param "1" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 930130) Executing operator "PmFromFile" with param "restricted-files.data" against REQUEST_FILENAME.
[168451336790.523740] [/dns-query] [9]  T (0) t:utf8toUnicode: "/dns-query"
[168451336790.523740] [/dns-query] [9]  T (0) t:urlDecodeUni: "/dns-query"
[168451336790.523740] [/dns-query] [9]  T (0) t:normalizePathWin: "/dns-query"
[168451336790.523740] [/dns-query] [9] Target value: "/dns-query" (Variable: REQUEST_FILENAME)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 930013) Executing operator "Lt" with param "2" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [9] Running action: skipAfter
[168451336790.523740] [/dns-query] [5] Setting skipAfter for: END-REQUEST-930-APPLICATION-ATTACK-LFI
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [9] Skipped rule id '930121' due to a SecMarker: END-REQUEST-930-APPLICATION-ATTACK-LFI
[168451336790.523740] [/dns-query] [9] Skipped rule id '930015' due to a SecMarker: END-REQUEST-930-APPLICATION-ATTACK-LFI
[168451336790.523740] [/dns-query] [9] Skipped rule id '930017' due to a SecMarker: END-REQUEST-930-APPLICATION-ATTACK-LFI
[168451336790.523740] [/dns-query] [4] (Rule: 931011) Executing operator "Lt" with param "1" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 931013) Executing operator "Lt" with param "2" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [9] Running action: skipAfter
[168451336790.523740] [/dns-query] [5] Setting skipAfter for: END-REQUEST-931-APPLICATION-ATTACK-RFI
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [9] Skipped rule id '931131' due to a SecMarker: END-REQUEST-931-APPLICATION-ATTACK-RFI
[168451336790.523740] [/dns-query] [9] Skipped rule id '931015' due to a SecMarker: END-REQUEST-931-APPLICATION-ATTACK-RFI
[168451336790.523740] [/dns-query] [9] Skipped rule id '931017' due to a SecMarker: END-REQUEST-931-APPLICATION-ATTACK-RFI
[168451336790.523740] [/dns-query] [4] (Rule: 932011) Executing operator "Lt" with param "1" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 932170) Executing operator "Rx" with param "^\(\s*\)\s+{" against REQUEST_HEADERS|REQUEST_LINE.
[168451336790.523740] [/dns-query] [9]  T (0) t:urlDecode: "dns.domain.de"
[168451336790.523740] [/dns-query] [9] Target value: "dns.domain.de" (Variable: REQUEST_HEADERS:host)
[168451336790.523740] [/dns-query] [9]  T (0) t:urlDecode: "application/dns-message"
[168451336790.523740] [/dns-query] [9] Target value: "application/dns-message" (Variable: REQUEST_HEADERS:content-type)
[168451336790.523740] [/dns-query] [9]  T (0) t:urlDecode: "application/dns-message"
[168451336790.523740] [/dns-query] [9] Target value: "application/dns-message" (Variable: REQUEST_HEADERS:accept)
[168451336790.523740] [/dns-query] [9]  T (0) t:urlDecode: "39"
[168451336790.523740] [/dns-query] [9] Target value: "39" (Variable: REQUEST_HEADERS:content-length)
[168451336790.523740] [/dns-query] [9]  T (0) t:urlDecode: "POST /dns-query HTTP/2.0"
[168451336790.523740] [/dns-query] [9] Target value: "POST /dns-query HTTP/2.0" (Variable: REQUEST_LINE)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 932013) Executing operator "Lt" with param "2" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [9] Running action: skipAfter
[168451336790.523740] [/dns-query] [5] Setting skipAfter for: END-REQUEST-932-APPLICATION-ATTACK-RCE
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [9] Skipped rule id '932131' due to a SecMarker: END-REQUEST-932-APPLICATION-ATTACK-RCE
[168451336790.523740] [/dns-query] [9] Skipped rule id '932015' due to a SecMarker: END-REQUEST-932-APPLICATION-ATTACK-RCE
[168451336790.523740] [/dns-query] [9] Skipped rule id '932017' due to a SecMarker: END-REQUEST-932-APPLICATION-ATTACK-RCE
[168451336790.523740] [/dns-query] [4] (Rule: 933011) Executing operator "Lt" with param "1" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 933013) Executing operator "Lt" with param "2" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [9] Running action: skipAfter
[168451336790.523740] [/dns-query] [5] Setting skipAfter for: END-REQUEST-933-APPLICATION-ATTACK-PHP
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [9] Skipped rule id '933015' due to a SecMarker: END-REQUEST-933-APPLICATION-ATTACK-PHP
[168451336790.523740] [/dns-query] [9] Skipped rule id '933017' due to a SecMarker: END-REQUEST-933-APPLICATION-ATTACK-PHP
[168451336790.523740] [/dns-query] [4] (Rule: 934011) Executing operator "Lt" with param "1" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 934013) Executing operator "Lt" with param "2" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [9] Running action: skipAfter
[168451336790.523740] [/dns-query] [5] Setting skipAfter for: END-REQUEST-934-APPLICATION-ATTACK-GENERIC
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [9] Skipped rule id '934015' due to a SecMarker: END-REQUEST-934-APPLICATION-ATTACK-GENERIC
[168451336790.523740] [/dns-query] [9] Skipped rule id '934017' due to a SecMarker: END-REQUEST-934-APPLICATION-ATTACK-GENERIC
[168451336790.523740] [/dns-query] [4] (Rule: 941011) Executing operator "Lt" with param "1" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 941010) Executing operator "ValidateByteRange" with param "20, 45-47, 48-57, 65-90, 95, 97-122" against REQUEST_FILENAME.
[168451336790.523740] [/dns-query] [9] Target value: "/dns-query" (Variable: REQUEST_FILENAME)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [9] Running action: ctl
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [4] (Rule: 941013) Executing operator "Lt" with param "2" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [9] Running action: skipAfter
[168451336790.523740] [/dns-query] [5] Setting skipAfter for: END-REQUEST-941-APPLICATION-ATTACK-XSS
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [9] Skipped rule id '941101' due to a SecMarker: END-REQUEST-941-APPLICATION-ATTACK-XSS
[168451336790.523740] [/dns-query] [9] Skipped rule id '941015' due to a SecMarker: END-REQUEST-941-APPLICATION-ATTACK-XSS
[168451336790.523740] [/dns-query] [9] Skipped rule id '941017' due to a SecMarker: END-REQUEST-941-APPLICATION-ATTACK-XSS
[168451336790.523740] [/dns-query] [4] (Rule: 942011) Executing operator "Lt" with param "1" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 942013) Executing operator "Lt" with param "2" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [9] Running action: skipAfter
[168451336790.523740] [/dns-query] [5] Setting skipAfter for: END-REQUEST-942-APPLICATION-ATTACK-SQLI
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [9] Skipped rule id '942101' due to a SecMarker: END-REQUEST-942-APPLICATION-ATTACK-SQLI
[168451336790.523740] [/dns-query] [9] Skipped rule id '942152' due to a SecMarker: END-REQUEST-942-APPLICATION-ATTACK-SQLI
[168451336790.523740] [/dns-query] [9] Skipped rule id '942321' due to a SecMarker: END-REQUEST-942-APPLICATION-ATTACK-SQLI
[168451336790.523740] [/dns-query] [9] Skipped rule id '942015' due to a SecMarker: END-REQUEST-942-APPLICATION-ATTACK-SQLI
[168451336790.523740] [/dns-query] [9] Skipped rule id '942420' due to a SecMarker: END-REQUEST-942-APPLICATION-ATTACK-SQLI
[168451336790.523740] [/dns-query] [9] Skipped rule id '942017' due to a SecMarker: END-REQUEST-942-APPLICATION-ATTACK-SQLI
[168451336790.523740] [/dns-query] [9] Skipped rule id '942421' due to a SecMarker: END-REQUEST-942-APPLICATION-ATTACK-SQLI
[168451336790.523740] [/dns-query] [4] (Rule: 943011) Executing operator "Lt" with param "1" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 943013) Executing operator "Lt" with param "2" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [9] Running action: skipAfter
[168451336790.523740] [/dns-query] [5] Setting skipAfter for: END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [9] Skipped rule id '943015' due to a SecMarker: END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION
[168451336790.523740] [/dns-query] [9] Skipped rule id '943017' due to a SecMarker: END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION
[168451336790.523740] [/dns-query] [4] (Rule: 944011) Executing operator "Lt" with param "1" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 944013) Executing operator "Lt" with param "2" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [9] Running action: skipAfter
[168451336790.523740] [/dns-query] [5] Setting skipAfter for: END-REQUEST-944-APPLICATION-ATTACK-JAVA
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [9] Skipped rule id '944015' due to a SecMarker: END-REQUEST-944-APPLICATION-ATTACK-JAVA
[168451336790.523740] [/dns-query] [9] Skipped rule id '944017' due to a SecMarker: END-REQUEST-944-APPLICATION-ATTACK-JAVA
[168451336790.523740] [/dns-query] [4] (Rule: 949052) Executing operator "Ge" with param "1" against TX:BLOCKING_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:BLOCKING_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Running [independent] (non-disruptive) action: setvar
[168451336790.523740] [/dns-query] [8] Saving variable: TX:blocking_inbound_anomaly_score with value: 5
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [4] (Rule: 949152) Executing operator "Ge" with param "1" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Running [independent] (non-disruptive) action: setvar
[168451336790.523740] [/dns-query] [8] Saving variable: TX:detection_inbound_anomaly_score with value: 5
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [4] (Rule: 949053) Executing operator "Ge" with param "2" against TX:BLOCKING_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:BLOCKING_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 949153) Executing operator "Ge" with param "2" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 949054) Executing operator "Ge" with param "3" against TX:BLOCKING_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:BLOCKING_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 949154) Executing operator "Ge" with param "3" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 949055) Executing operator "Ge" with param "4" against TX:BLOCKING_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:BLOCKING_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 949155) Executing operator "Ge" with param "4" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 949111) Executing operator "Ge" with param "5" Was: "" against TX:BLOCKING_INBOUND_ANOMALY_SCORE.
[168451336790.523740] [/dns-query] [9] Target value: "5" (Variable: TX:BLOCKING_INBOUND_ANOMALY_SCORE)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [4] Executing chained rule.
[168451336790.523740] [/dns-query] [4] (Rule: 0) Executing operator "Eq" with param "1" against TX:EARLY_BLOCKING.
[168451336790.523740] [/dns-query] [9] Target value: "0" (Variable: TX:EARLY_BLOCKING)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 949011) Executing operator "Lt" with param "1" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 949013) Executing operator "Lt" with param "2" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: nolog
[168451336790.523740] [/dns-query] [9] Running action: skipAfter
[168451336790.523740] [/dns-query] [5] Setting skipAfter for: END-REQUEST-949-BLOCKING-EVALUATION
[168451336790.523740] [/dns-query] [4] Running (disruptive)     action: pass.
[168451336790.523740] [/dns-query] [8] Running action pass
[168451336790.523740] [/dns-query] [9] Skipped rule id '949015' due to a SecMarker: END-REQUEST-949-BLOCKING-EVALUATION
[168451336790.523740] [/dns-query] [9] Skipped rule id '949017' due to a SecMarker: END-REQUEST-949-BLOCKING-EVALUATION
[168451336790.523740] [/dns-query] [4] (Rule: 980011) Executing operator "Lt" with param "1" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [4] Rule returned 0.
[168451336790.523740] [/dns-query] [9] Matched vars cleaned.
[168451336790.523740] [/dns-query] [4] (Rule: 980013) Executing operator "Lt" with param "2" against TX:DETECTION_PARANOIA_LEVEL.
[168451336790.523740] [/dns-query] [9] Target value: "1" (Variable: TX:DETECTION_PARANOIA_LEVEL)
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Rule returned 1.
[168451336790.523740] [/dns-query] [9] Running action: log
[168451336790.523740] [/dns-query] [9] Saving transaction to logs
[168451336790.523740] [/dns-query] [9] Running action: auditlog
[168451336790.523740] [/dns-query] [9] Saving transaction to logs

@Zoey2936
Author

that's just a part, because I get many DNS requests every second I can't send the entire log, so maybe there are some important parts missing

@azurit
Member

azurit commented May 19, 2023

The standard (not debug) log would be sufficient.

@Zoey2936
Author

how do I get it? nginx only logs the part I sent you, I can only provide a lower level debug log

@airween
Contributor

airween commented May 20, 2023

how do I get it? nginx only logs the part I sent you, I can only provide a lower level debug log

Are you sure there isn't any other line than the one you pasted above (in your first comment)?

In your debug.log, there is this part:

[168451336790.523740] [/dns-query] [4] (Rule: 920420) Executing operator "Rx" with param "^[^;\s]+" against REQUEST_HEADERS:Content-Type.
[168451336790.523740] [/dns-query] [9] Target value: "application/dns-message" (Variable: REQUEST_HEADERS:content-type)
[168451336790.523740] [/dns-query] [7] Added regex subexpression TX.0: application/dns-message
[168451336790.523740] [/dns-query] [9] Matched vars updated.
[168451336790.523740] [/dns-query] [4] Running [independent] (non-disruptive) action: setvar
[168451336790.523740] [/dns-query] [8] Saving variable: TX:content_type with value: |application/dns-message|
[168451336790.523740] [/dns-query] [4] Rule returned 1.

It seems that rule 920420 triggered, which increases the anomaly score by 5 - this is enough to trigger the rule 949110.

Perhaps you should set your own allowed_request_content_type variable in crs-setup.conf.

@Zoey2936
Author

so the problem is that the content type is blocked? and no, nginx only logs the part I sent at the beginning. But another question, below the lines you mentioned there are HTTP versions listed and they don't contain HTTP/3, could this also cause a block, since I compiled nginx with HTTP/3 support?

@azurit
Member

azurit commented May 20, 2023

so the problem is that the content type is blocked?

Yes, you need to allow application/dns-message content type, which you can do in crs-setup.conf, as @airween already mentioned.

But another question, below the lines you mentioned there are HTTP versions listed and they don't contain HTTP/3, could this also cause a block, since I compiled nginx with HTTP/3 support?

You did a HTTP2 request, see: request: "POST /dns-query HTTP/2.0"

@Zoey2936
Author

Zoey2936 commented May 20, 2023

You did a HTTP2 request, see: request: "POST /dns-query HTTP/2.0"

yes in this example, but would it mean that HTTP/3 requests would be fast blocked?

@Zoey2936
Author

so the problem is that the content type is blocked?

Yes, you need to allow application/dns-message content type, which you can do in crs-setup.conf, as @airween already mentioned.

will this be something I need to add forever now to the crs-setup.conf, or will this be added to the coreruleset at some point?

@azurit
Member

azurit commented May 20, 2023

You did a HTTP2 request, see: request: "POST /dns-query HTTP/2.0"

yes in this example, but would it mean that HTTP/3 requests would be fast blocked?

It depends on your configuration, see crs-setup.conf.

@azurit
Member

azurit commented May 20, 2023

so the problem is that the content type is blocked?

Yes, you need to allow application/dns-message content type, which you can do in crs-setup.conf, as @airween already mentioned.

will this be something I need to add forever now to the crs-setup.conf, or will this be added to the coreruleset at some point?

You need to add it to your configuration, it won't be part of CRS.

@Zoey2936
Author

so the problem is that the content type is blocked?

Yes, you need to allow application/dns-message content type, which you can do in crs-setup.conf, as @airween already mentioned.

will this be something I need to add forever now to the crs-setup.conf, or will this be added to the coreruleset at some point?

You need to add it to your configuration, it won't be part of CRS.

thanks, adding application/dns-message to the crs-setup.conf fixed it.
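
To verify the fix (or to reproduce the original 403) without doh-cli, the following added example builds an RFC 8484 DNS-over-HTTPS query for www.example.com/A and prints the equivalent curl commands for both request forms. It is not code from the issue reporter or from the CRS project; the endpoint URL `https://dns.example.net/dns-query` is a placeholder you replace with your own. Only the POST form carries a body and therefore a `Content-Type: application/dns-message` header, which is what rule 920420 compares against `tx.allowed_request_content_type`; the GET form sends no Content-Type and so serves as a control that should pass even before the crs-setup.conf change.

```python
import base64
import struct

# Added example, not from the issue or the CRS project. Builds an RFC 8484
# DoH query, encodes it like a DoH client does, and emits the curl commands
# that reproduce what the WAF sees. DOH_URL is a placeholder (assumption).
DOH_URL = "https://dns.example.net/dns-query"


def encode_qname(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """DNS query: 12-byte header (RD set, QDCOUNT=1) + one question, class IN.

    RFC 8484 recommends transaction ID 0 so the GET form is cache friendly.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def to_dns_param(msg: bytes) -> str:
    """base64url without padding, the encoding required for ?dns= on GET."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def from_dns_param(param: str) -> bytes:
    """Inverse of to_dns_param; restores the padding the decoder expects."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_question(msg: bytes) -> tuple:
    """Decode the header and the first question, enough to sanity-check a query."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos, labels = 12, []
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return txid, flags, qdcount, ".".join(labels), qtype, qclass


def curl_commands(name: str, url: str = DOH_URL) -> dict:
    """Both request forms for the same query.

    POST carries the raw message with Content-Type application/dns-message
    (the header rule 920420 checks); GET puts it in ?dns= and sends no
    Content-Type at all. The body is passed to printf %b as octal escapes
    so the command stays POSIX-portable.
    """
    msg = build_query(name)
    octal_body = "".join(f"\\0{b:03o}" for b in msg)
    return {
        "GET": (f"curl -sS -H 'Accept: application/dns-message' "
                f"'{url}?dns={to_dns_param(msg)}' | xxd"),
        "POST": (f"printf '%b' '{octal_body}' | curl -sS -X POST "
                 f"-H 'Content-Type: application/dns-message' "
                 f"-H 'Accept: application/dns-message' "
                 f"--data-binary @- '{url}' | xxd"),
    }


if __name__ == "__main__":
    for method, cmd in curl_commands("www.example.com").items():
        print(f"# {method}\n{cmd}\n")
```

Run the POST command against the proxy before and after adding `application/dns-message` to `tx.allowed_request_content_type`: a 403 beforehand and a binary DNS response afterwards confirms that 920420 was the only rule contributing the 5 points seen in the 949110 log line.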

@Zoey2936
Author

You did a HTTP2 request, see: request: "POST /dns-query HTTP/2.0"

yes in this example, but would it mean that HTTP/3 requests would be fast blocked?

It depends on your configuration, see crs-setup.conf.

Will HTTP/3 be added to coreruleset at some point?

@Zoey2936
Author

if I set tx.allowed_http_versions to HTTP/3, will it be added to the default or will it override the default?

@azurit
Member

azurit commented May 20, 2023

if I set tx.allowed_http_versions to HTTP/3, will it be added to the default or will it override the default?

It will override the default so you probably want to keep all versions.
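
A crs-setup.conf fragment showing both overrides discussed in this thread: the content-type list airween points to for rule 920420, and the HTTP version list that, as azurit says, replaces rather than extends the default. This is an added example, not configuration from the issue or shipped by the CRS project. The rule ids 900220 and 900230, the default lists reproduced here, and the exclusion-rule id 10001 are assumptions; check them against the crs-setup.conf copy you actually run.

```apache
# Added example, not the project's shipped crs-setup.conf. Both setvar
# lists REPLACE the CRS default wholesale, so every type or version you
# still need must be repeated. Default lists below are assumed; verify.

# 1) Global: allow the DoH media type on top of the (assumed) v4 defaults.
#    Rule 920420 compares the request Content-Type against this list with
#    @within, so the surrounding pipes are required.
SecAction \
 "id:900220,\
  phase:1,\
  pass,\
  t:none,\
  nolog,\
  tag:'OWASP_CRS',\
  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/dns-message|'"

# 2) Global: keep HTTP/1.x and HTTP/2 and add HTTP/3. Rule 920430 matches
#    REQUEST_PROTOCOL against this space-separated list with @within.
SecAction \
 "id:900230,\
  phase:1,\
  pass,\
  t:none,\
  nolog,\
  tag:'OWASP_CRS',\
  setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"

# 3) Narrower alternative to (1): only the DoH endpoint accepts
#    application/dns-message, every other path keeps the default list.
#    Place it in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf; id 10001 is
#    an assumed value from the user rule id range.
SecRule REQUEST_URI "@beginsWith /dns-query" \
 "id:10001,\
  phase:1,\
  pass,\
  t:none,\
  nolog,\
  setvar:'tx.allowed_request_content_type=|application/dns-message|'"
```

Variant 3 is the least-privilege choice for a reverse proxy that fronts more than the DoH resolver: a global entry makes every backend accept `application/dns-message` bodies, whereas the path-scoped rule runs after 900220 and replaces the list only for `/dns-query`, which for a DoH endpoint is also the only type it should ever see.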

@Zoey2936
Author

is it possible to add it without override?

@azurit
Member

azurit commented May 20, 2023

No.

@azurit
Member

azurit commented May 20, 2023

Will HTTP/3 be added to coreruleset at some point?

See #3218.

3 participants