I just discovered that ALL requests to ALL of my websites that come from the Brave browser are being blocked by Sophos UTM.
Even with just "Basic Protection" enabled, UTM interprets every http request as an attack.
Here is an example log entry.
2021:02:16-07:56:00 firewall httpd[8091]: [security2:error] [pid 8091:tid 4126894960] [client 192.168.0.20:54126] [client 192.168.0.20] ModSecurity: Warning. Pattern match "(^[\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)" at REQUESTCOOKIES:ajsanonymousid. [file "/usr/apache/conf/waf/modsecuritycrssqlinjectionattacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \\x22 found within REQUESTCOOKIES:ajsanonymousid: \\x226c2ac757-d188-4b33-aeb4-8d452677db52\\x22"] [severity "CRITICAL"] [ver "OWASPCRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASPCRS/WEBATTACK/SQLINJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASPTOP10/A1"] [tag "OWASPAppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "meet.aquilatech.com"] [uri "/pwa-worker.js"] [uniqueid "YCvA4B-N3mke-3EtLGGhewAAAAA"], referer: https://meet.aquilatech.com/pwa-worker.js 2021:02:16-07:56:00 firewall httpd[8091]: [security2:error] [pid 8091:tid 4126894960] [client 192.168.0.20:54126] [client 192.168.0.20] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:981318-OWASPCRS/WEBATTACK/SQLINJECTION-REQUESTCOOKIES:ajsanonymousid. [file "/usr/apache/conf/waf/modsecuritycrsinboundblocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=5, XSS=): Last Matched Message: SQL Injection Attack: Common Injection Testing Detected"] [data "Last Matched Data: \\x22"] [hostname "meet.aquilatech.com"] [uri "/pwa-worker.js"] [uniqueid "YCvA4B-N3mke-3EtLGGhewAAAAA"], referer: https://meet.aquilatech.com/pwa-worker.js 2021:02:16-07:56:00 firewall httpd[8091]: [security2:error] [pid 8091:tid 4126894960] [client 192.168.0.20:54126] [client 192.168.0.20] ModSecurity: Warning. Operator GE matched 5 at TX:inboundanomalyscore. [file "/usr/apache/conf/waf/modsecuritycrscorrelation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=5, XSS=): SQL Injection Attack: Common Injection Testing Detected"] [hostname "meet.aquilatech.com"] [uri "/pwa-worker.js"] [unique_id "YCvA4B-N3mke-3EtLGGhewAAAAA"], referer: https://meet.aquilatech.com/pwa-worker.js 2021:02:16-07:56:00 firewall httpd: id="0299" srcip="192.168.0.20" localip="108.22.254.9" size="222" user="-" host="192.168.0.20" method="GET" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=5, XSS=): Last Matched Message: SQL Injection Attack: Common Injection Testing Detected" exceptions="-" time="3749" url="/pwa-worker.js" server="meet.aquilatech.com" port="443" query="" referer="https://meet.aquilatech.com/pwa-worker.js" cookie="_cfduid=d9401aa3bec727b3d9833971325b2f8d21613331266; ajsgroupid=null; ajsanonymousid=%226c2ac757-d188-4b33-aeb4-8d452677db52%22" set-cookie="-" websocketscheme="-" websocketprotocol="-" websocketkey="-" websocket_version="-" uid="YCvA4B-N3mke-3EtLGGhewAAAAA"
This thread was automatically locked due to age.