I had several notices on this rule on my own custom application, Although I also had another issue at the same time so I'm trying to determine the cause.
https://www.atomicorp.com/wiki/index.php/WAF_330791

When I got up from a nap lol. I saw asl -s had 3 intances running and 3 crons, and 3 yum processes. So some how these got stuck. I had to do a manually pid kill to be able to re-run asl -s -f and clear out all those bad dead pids. But I'm trying to find out if the WAF rule trigger has anything to do with this problem also.

The application function that triggered this rule is a simple upload in php. Basically users have the ability to upload a .tga file or .jpg files in 2 different forms. The TGA file is used as a custom skin for them and the jpg's are for a 3d modeled picture of that skin. Of course the system has mime types associated with file types. So you can't really try to upload anything but those file types. This is a system that's been functional and working for 2 years, and still works perfectly. So I'm wondering if this tga file is the cause of the request body size. I'd understand if this couldn't be read as it's a bit of uncommon file type. However After I did asl -s -f I don't seem to have any issues with these upload forms. So I'm thinking maybe it was a connection issue. I don't think it was an attack simply because these was not happening in a large rate, and was over a few different ip addresses. I can match these ip's up with legit users, at the same rate I rather know what the issue is.

So if anyone has any advice would be greatly appreciated.

Edit: Now that I look closer I see it had this error on other image upload systems. jpg files too. So I think it must have been a connection error. This is the data message below
[data "Multipart parsing error: Multipart: Final boundary missing."]

Shawn

Okay I did more checking on this, and have tracked down that for some reason Internet Explorer is the problem. But this used to work until today. Was there a rule update that could cause this?

I can upload a file for example fine in firefox, but in internet explorer it triggers this security rule.

Google Chrome is working fine as well.

Any suggestions?

Thought I may have fixed the issue, but still persists.

Edit: Now it;'s just randomly out of the blue working fine again. I didn't have any real load on the server. So I'm confused. It seemed like my connection was getting cut for good reason in IE, but now it's not. Can anyone shed any light on what could cause that?

Yeah no change in the rule. The rule basically means "Wow! Thats a munged up incomprehensible mess! I have no idea how to process this!"

So generally it means either a broken request, a broken client/library, broken proxy, or even a broken backend application that tool the client to do this.

Hi Mike,

Ah I see Makes sense though. I don't seem to be having any of these today so maybe just some weird connection issue that IE didn't like. It only seemed to happen on larger files. Like if I uploaded a 300KB JPG it was fine, but these 3MB TGA files caused problems more often than smaller TGA's of like 500KB or 1MB. But seems good now.

Thanks for the info.