Cirrus
NimbostratusPossibly your request does not match the particular attack detection signature since 'rui' string is directly appended to 'mount%20d'? Depending on signature update revision, it may or may not be seen as arbitrary code execution attempt. Give another try with the same request, but without 'rui' appendix.
In any case, you're looking at a possible HTTP Query parameter violation. If a blocking occurs due to request where the violation is in HTTP Query, it can only match the 3rd scenario (mount execution attempt URI). In the scope of Attack Detection Signatures, any HTTP Query parameters are not handled as parameters. (For a parameter to be considered a parameter, it must be inside request payload, not in header)
Requests for your testing
Test cases for 1st scenario (Parameter/Cookie, XML, JSON, GWT)
In POST parameter
curl 'https://x.x.x' --data 'postParameter=mount%20d'
In JSON data
curl 'https://x.x.x' -H 'Content-Type: application/json' -X POST -d '{"jsonData":"mount%20d"}
Test case for 2nd scenario (HTTP Header)
curl 'https://x.x.x' -H 'httpHeader=mount%20d'
Test cases for 3rd scenario (HTTP URI)
In HTTP path
curl 'https://x.x.x/mount%20d/'
In HTTP query
curl 'https://x.x.x/?queryParameter=mount%20d'Hope it will get you closer
Regards,