AWS SNS Notifications blocked by WAF rule 981176

Hi,

AWS SNS Notifications sent to an HTTPS endpoint are blocked by the WAF Managed Rule:

981176 - Inbound Anomaly Score Exceeded (Total Score:, SQLi=, XSS=)

This particular notification was meant to notify about bounced emails. We’ve been able to bypass this rule, but we believe it is a false positive and might need to be fixed.


Could you please share the particular request that was blocked? It seems like some special characters in some parameters caused this trigger because of an issue with the anomaly scoring heuristic.

Here’s what the request looks like:

POST / HTTP/1.1
x-amz-sns-message-type: Notification
x-amz-sns-message-id: 22b80b92-fdea-4c2c-8f9d-bdfb0c7bf324
x-amz-sns-topic-arn: arn:aws:sns:us-west-2:123456789012:MyTopic
x-amz-sns-subscription-arn: arn:aws:sns:us-west-2:123456789012:MyTopic:c9135db0-26c4-47ec-8998-413945fb5a96
Content-Type: text/plain; charset=UTF-8
Host: myhost.example.com
Connection: Keep-Alive
User-Agent: Amazon Simple Notification Service Agent

{
  "Type" : "Notification",
  "MessageId" : "22b80b92-fdea-4c2c-8f9d-bdfb0c7bf324",
  "TopicArn" : "arn:aws:sns:us-west-2:123456789012:MyTopic",
  "Message" : "{\"bounceType\":\"Permanent\", \"bounceSubType\": \"General\", \"bouncedRecipients\":[{\"status\":\"5.0.0\", \"action\":\"failed\", \"diagnosticCode\":\"smtp; 550 user unknown\", \"emailAddress\":\"[email protected]\"} ], \"reportingMTA\": \"example.com\", \"timestamp\":\"2012-05-25T14:59:38.605Z\", \"feedbackId\":\"000001378603176d-5a4b5ad9-6f30-4198-a8c3-b1eb0c270a1d-000000\", \"remoteMtaIp\":\"127.0.2.0\"}",
  "Timestamp" : "2012-05-02T00:54:06.655Z",
  "SignatureVersion" : "1",
  "Signature" : "EXAMPLEw6JRN...",
  "SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-f3ecfb7224c7233fe7bb5f59f96de52f.pem",
  "UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456789012:MyTopic:c9135db0-26c4-47ec-8998-413945fb5a96"
}

More details from WAF logs: [screenshot of WAF log entry]
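Since the thread's workaround is to bypass the rule for this endpoint, the endpoint itself has to do the validation the WAF no longer does. The following is an added example, not code from the thread or from AWS: it parses a constructed copy of the notification body quoted above, checks that the SigningCertURL points at an HTTPS amazonaws.com host before anyone would fetch the certificate, and unpacks the nested bounce JSON in the "Message" field. Function names and the trust check are my own choices; the sample body follows the one posted (the obfuscated "[email protected]" is kept exactly as it appears in the thread).

```python
import json
from urllib.parse import urlparse

# Constructed copy of the SNS body quoted in the thread (not a live message).
SAMPLE_BODY = r'''{
  "Type" : "Notification",
  "MessageId" : "22b80b92-fdea-4c2c-8f9d-bdfb0c7bf324",
  "TopicArn" : "arn:aws:sns:us-west-2:123456789012:MyTopic",
  "Message" : "{\"bounceType\":\"Permanent\", \"bounceSubType\": \"General\", \"bouncedRecipients\":[{\"status\":\"5.0.0\", \"action\":\"failed\", \"diagnosticCode\":\"smtp; 550 user unknown\", \"emailAddress\":\"[email protected]\"} ], \"reportingMTA\": \"example.com\", \"timestamp\":\"2012-05-25T14:59:38.605Z\", \"feedbackId\":\"000001378603176d-5a4b5ad9-6f30-4198-a8c3-b1eb0c270a1d-000000\", \"remoteMtaIp\":\"127.0.2.0\"}",
  "Timestamp" : "2012-05-02T00:54:06.655Z",
  "SignatureVersion" : "1",
  "Signature" : "EXAMPLEw6JRN...",
  "SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-f3ecfb7224c7233fe7bb5f59f96de52f.pem",
  "UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456789012:MyTopic:c9135db0-26c4-47ec-8998-413945fb5a96"
}'''

REQUIRED_KEYS = ("Type", "MessageId", "TopicArn", "Message",
                 "Timestamp", "SignatureVersion", "Signature", "SigningCertURL")


def parse_sns_notification(body: str) -> dict:
    """Parse the outer SNS envelope and reject anything that is not a
    complete Notification. Raises ValueError on malformed input."""
    try:
        envelope = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not JSON: {exc}") from exc
    if not isinstance(envelope, dict):
        raise ValueError("envelope must be a JSON object")
    missing = [k for k in REQUIRED_KEYS if k not in envelope]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if envelope["Type"] != "Notification":
        raise ValueError(f"unexpected Type: {envelope['Type']!r}")
    return envelope


def is_trusted_signing_cert_url(url: str) -> bool:
    """Only fetch the signing certificate from an HTTPS amazonaws.com host.
    (Assumed policy for this example; it is a host-suffix check, not a
    signature verification.)"""
    parts = urlparse(url)
    host = parts.hostname or ""
    return (parts.scheme == "https"
            and host.endswith(".amazonaws.com")
            and parts.path.endswith(".pem"))


def bounce_type(envelope: dict) -> tuple:
    """Return (bounceType, bounceSubType) from the nested Message JSON."""
    msg = json.loads(envelope["Message"])
    return msg["bounceType"], msg["bounceSubType"]


def extract_bounces(envelope: dict) -> list:
    """Return [(emailAddress, status, diagnosticCode), ...] for each
    bounced recipient in the nested Message JSON."""
    msg = json.loads(envelope["Message"])
    return [(r["emailAddress"], r["status"], r.get("diagnosticCode", ""))
            for r in msg.get("bouncedRecipients", [])]


if __name__ == "__main__":
    n = parse_sns_notification(SAMPLE_BODY)
    print("cert URL trusted:", is_trusted_signing_cert_url(n["SigningCertURL"]))
    print("bounce:", bounce_type(n))
    for addr, status, diag in extract_bounces(n):
        print(f"  {addr}: {status} ({diag})")
```

The diagnosticCode value ("smtp; 550 user unknown") and the status code are exactly the kind of free-text fields that feed anomaly-scoring heuristics, so if the rule is bypassed for this path, the handler should at minimum enforce the envelope shape and the certificate-host check before acting on the message; a full Signature check against the fetched certificate belongs on top of this.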
