AWS SNS Notifications blocked by WAF rule 981176


AWS SNS Notifications sent to an HTTPS endpoint are blocked by the WAF Managed Rule:

981176 - Inbound Anomaly Score Exceeded (Total Score:, SQLi=, XSS=)

This particular notification was meant to notify about bounced emails. We’ve been able to bypass this rule, but we believe it is a false positive and might need to be fixed.

Could you please share the particular request that was blocked? It seems like some special characters in some parameters caused this trigger because of an issue with the anomaly scoring heuristic.

Here’s what the request body looks like:

x-amz-sns-message-type: Notification
x-amz-sns-message-id: 22b80b92-fdea-4c2c-8f9d-bdfb0c7bf324
x-amz-sns-topic-arn: arn:aws:sns:us-west-2:123456789012:MyTopic
x-amz-sns-subscription-arn: arn:aws:sns:us-west-2:123456789012:MyTopic:c9135db0-26c4-47ec-8998-413945fb5a96
Content-Type: text/plain; charset=UTF-8
Connection: Keep-Alive
User-Agent: Amazon Simple Notification Service Agent

{
  "Type" : "Notification",
  "MessageId" : "22b80b92-fdea-4c2c-8f9d-bdfb0c7bf324",
  "TopicArn" : "arn:aws:sns:us-west-2:123456789012:MyTopic",
  "Message" : "{\"bounceType\":\"Permanent\", \"bounceSubType\": \"General\", \"bouncedRecipients\":[{\"status\":\"5.0.0\", \"action\":\"failed\", \"diagnosticCode\":\"smtp; 550 user unknown\", \"emailAddress\":\"[email protected]\"} ], \"reportingMTA\": \"\", \"timestamp\":\"2012-05-25T14:59:38.605Z\", \"feedbackId\":\"000001378603176d-5a4b5ad9-6f30-4198-a8c3-b1eb0c270a1d-000000\", \"remoteMtaIp\":\"\"}",
  "Timestamp" : "2012-05-02T00:54:06.655Z",
  "SignatureVersion" : "1",
  "Signature" : "EXAMPLEw6JRN...",
  "SigningCertURL" : "",
  "UnsubscribeURL" : ""
}

More details from WAF logs:



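If SNS deliveries end up exempted from the anomaly rule instead of the rule being corrected, the endpoint itself has to authenticate each message before acting on the bounce. The following is an added example (not code from the thread, from AWS or from any SDK) that recognises an SNS delivery from the headers shown above, checks that the signing certificate URL points at an HTTPS SNS host, builds the SignatureVersion 1 string-to-sign, and pulls the bounced recipients out of the nested message; the sample headers and body are constructed, and the final RSA check of the returned string against the certificate's public key is left to a crypto library.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample modelled on the notification in the thread (values are not real).
SAMPLE_HEADERS = {
    "x-amz-sns-message-type": "Notification",
    "x-amz-sns-message-id": "22b80b92-fdea-4c2c-8f9d-bdfb0c7bf324",
    "x-amz-sns-topic-arn": "arn:aws:sns:us-west-2:123456789012:MyTopic",
    "User-Agent": "Amazon Simple Notification Service Agent",
}
SAMPLE_BODY = {
    "Type": "Notification",
    "MessageId": "22b80b92-fdea-4c2c-8f9d-bdfb0c7bf324",
    "TopicArn": "arn:aws:sns:us-west-2:123456789012:MyTopic",
    "Message": json.dumps({"bounceType": "Permanent", "bouncedRecipients": [
        {"status": "5.0.0", "action": "failed", "diagnosticCode": "smtp; 550 user unknown",
         "emailAddress": "bounced@example.com"}]}),
    "Timestamp": "2012-05-02T00:54:06.655Z",
    "SignatureVersion": "1",
    "Signature": "EXAMPLEw6JRN...",
    "SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-EXAMPLE.pem",
}

SNS_HEADERS = ("x-amz-sns-message-type", "x-amz-sns-message-id", "x-amz-sns-topic-arn")
CERT_HOST_RE = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")
# Field order SNS fixes for the SignatureVersion 1 string-to-sign, per message type.
SIGNED_FIELDS = {
    "Notification": ["Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"],
    "SubscriptionConfirmation": ["Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"],
}
SIGNED_FIELDS["UnsubscribeConfirmation"] = SIGNED_FIELDS["SubscriptionConfirmation"]

def is_sns_request(headers):
    """True when the request carries the SNS delivery headers and user agent seen in the thread."""
    h = {k.lower(): v for k, v in headers.items()}
    return all(n in h for n in SNS_HEADERS) and h.get("user-agent", "").startswith("Amazon Simple Notification Service")

def signing_cert_url_is_trusted(url):
    """Fetch the signing certificate only from an HTTPS SNS host, never from an arbitrary sender-chosen URL."""
    u = urlparse(url)
    return u.scheme == "https" and bool(CERT_HOST_RE.match(u.hostname or "")) and u.path.endswith(".pem")

def string_to_sign(msg):
    """Canonical 'Key\\nValue\\n' string that the Signature field must verify against (RSA, via the cert)."""
    parts = []
    for k in SIGNED_FIELDS[msg["Type"]]:
        if k == "Subject" and k not in msg:
            continue  # Subject is optional on Notifications; every other field is required
        parts.append(f"{k}\n{msg[k]}\n")
    return "".join(parts)

def bounced_recipients(msg):
    """Extract (address, status) pairs from the nested SES bounce JSON carried in Message."""
    return [(r["emailAddress"], r["status"]) for r in json.loads(msg["Message"]).get("bouncedRecipients", [])]
```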