This repository has been archived by the owner on May 14, 2020. It is now read-only.

DoS rule triggering with static (png) file #1726

Open
ceandre opened this issue Mar 28, 2020 · 0 comments

ceandre commented Mar 28, 2020

Description

The DoS rule continues to trigger with 'png' even though the extension is in the 'static_extensions' variable.

Audit Logs / Triggered Rule Numbers

setvar:'tx.dos_burst_time_slice=60'
setvar:'tx.dos_counter_threshold=300'
setvar:'tx.dos_block_timeout=600'

setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.tiff/ /.webp/'

[Tue Mar 24 21:36:04.431398 2020] [:error] [pid 19431:tid 139653780846336] [client 172.xxx.xxx.xxx:36358] [client 172.xxx.xxx.xxx] ModSecurity: Access denied with connection close (phase 1). Operator EQ matched 0 at IP. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-912-DOS-PROTECTION.conf"] [line "111"] [id "912120"] [msg "Denial of Service (DoS) attack identified from 172.xxx.xxx.xxx (1 hits since last alert)"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-dos"] [hostname "webmail.xxx.xxx.xxx"] [uri "/horde/imp/themes/graphics/folders/inbox.png"] [unique_id "XnqndD-Uad-QLO08ojZ40AAAAMs"], referer: https://webmail.xxx.xxx.xxx/horde/imp/mailbox.php?page=1

Your Environment

  • CRS version (e.g., v3.2.0): 3.0.0
  • Paranoia level setting: 3
  • ModSecurity version (e.g., 2.9.3): 2.9.2
  • Web Server and version (e.g., apache 2.4.41): Apache 2.4.37
  • Operating System and version: CentOS 8.1

Confirmation

[x] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
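
A triage helper for the situation reported above, added here as an example (it is not code from the issue or from the CRS project): it parses ModSecurity 2.x error-log entries and lists the DoS-tagged denials whose URI extension is already listed in tx.static_extensions, together with the rule id and phase that denied them. The function names and the token-matching rule in `is_static` are assumptions; the sample log line is the reported entry, shortened.

```python
import os
import re
from urllib.parse import urlsplit

# Value of tx.static_extensions as posted in the report.
STATIC_EXTENSIONS = ("/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ "
                     "/.svg/ /.tiff/ /.webp/")

# Constructed sample: the reported entry, shortened to the fields used here.
SAMPLE_LOG = (
    '[Tue Mar 24 21:36:04.431398 2020] [:error] [pid 19431:tid 139653780846336] '
    '[client 172.xxx.xxx.xxx:36358] ModSecurity: Access denied with connection '
    'close (phase 1). Operator EQ matched 0 at IP. [line "111"] [id "912120"] '
    '[msg "Denial of Service (DoS) attack identified from 172.xxx.xxx.xxx '
    '(1 hits since last alert)"] [tag "application-multi"] [tag "attack-dos"] '
    '[uri "/horde/imp/themes/graphics/folders/inbox.png"]'
)

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs
PHASE_RE = re.compile(r'\(phase (\d)\)')


def parse_entry(line):
    """Pull rule id, phase, URI and tags out of one ModSecurity 2.x log line."""
    if "ModSecurity:" not in line:
        return None
    entry = {"id": None, "uri": None, "tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            entry["tags"].append(value)
        elif key in ("id", "uri"):
            entry[key] = value
    phase = PHASE_RE.search(line)
    entry["phase"] = int(phase.group(1)) if phase else None
    return entry


def is_static(uri, static_extensions):
    """Assumed matching: '/<.ext>/' must be one of the space-separated tokens."""
    ext = os.path.splitext(urlsplit(uri).path)[1].lower()
    return bool(ext) and f"/{ext}/" in static_extensions.split()


def dos_hits_on_static(lines, static_extensions):
    """Return (rule id, phase, uri) for attack-dos entries on static files."""
    entries = [e for e in map(parse_entry, lines) if e]
    return [(e["id"], e["phase"], e["uri"]) for e in entries
            if "attack-dos" in e["tags"] and e["uri"]
            and is_static(e["uri"], static_extensions)]
```

Run over a full error log, the output groups the affected static requests by rule id and phase, which is the detail a maintainer needs to see which DoS rule issued the denial.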
