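# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# User Agent Security Rules for modsec 2.x
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2013 by Prometheus Global, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
# ---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
# ---- How this file is organised (review notes) ----
# 1. SecDefaultAction below makes every rule deny with HTTP 403 in phase 2
#    unless the rule says otherwise.
# 2. Rule 333924 is a pre-filter: "@pm" is a case-insensitive substring match
#    over a space-separated phrase list. If the User-Agent contains none of the
#    phrases, SecAction 333719 jumps to END_UA_CHECKS_1 and every rule in
#    between is skipped. Consequently a rule whose pattern is not covered by
#    at least one phrase in that list can never fire. Rule 333925 / SecAction
#    333720 gate the second block (up to END_UA_CHECKS_2) the same way.
# 3. Chained rules (chain,...) only fire when every rule in the chain matches.
#    Transformations (t:...) are given per rule; the chained rules in this
#    file that need case folding carry their own "t:none,t:lowercase".
# 4. The <LocationMatch> blocks at the end switch individual rule ids off for
#    specific paths.
#
# ---- Corrections relative to the distributed file (explained at each rule) ----
#  - 333924: pre-filter phrases "prowebwalker", "nicerspro", "python-urllib",
#    "browser" and "agent" appended so that 330019, 330056, 331039, 330094 and
#    330105 are reachable. Widening the pre-filter can only cause more rules
#    to be evaluated; it blocks nothing by itself.
#  - 330090, 330094: the chained rule no longer ends in a bare line
#    continuation and carries explicit transformations.
#  - 330076: the chained exclusion was written "^!(...)" (requires a literal
#    "!" at the start of the UA) instead of the negation "!^(...)".
#  - 330101: msg corrected; the pattern is "security scan", not script injection.
#  - 330105: "$" escaped in the literal "$botname/$botversion".
#  - Comments naming the wrong rule id (330014, 330039 x2) fixed.

SecDefaultAction "log,deny,auditlog,phase:2,status:403"

# Rule 330001: Comment spam header line
# Matches the string in any request header *value* (REQUEST_HEADERS).
SecRule REQUEST_HEADERS "x-aaaaaa" \
    "phase:2,deny,status:403,t:none,t:lowercase,id:330001,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Spam: Generic spam header detected'"

# Rule 333301: scanner-identifying request header.
# Matches the header *name* (REQUEST_HEADERS_NAMES), not its value; "block"
# falls back to the SecDefaultAction disruptive action (deny/403).
SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
    "phase:2,rev:'2',t:none,t:lowercase,block,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Acunetix Security Scanner Scanned the Site',id:333301,severity:'2'"

# Rule 330006: recursion attack in UA field
#SecRule REQUEST_HEADERS:User-Agent "\.\./\.\." \
#       "id:330006,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: recursion attack in UA field'"

#May cause false positives with some software, comment out if it does
#SecRule REMOTE_ADDR "!^127\.0\.0\.1$" "chain,id:390000,rev:1,severity:1,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious Automated or Manual Request'"
#SecRule "REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Host|REQUEST_HEADERS:Accept" "^$"

#Parallel skip
# Pre-filter for every rule up to END_UA_CHECKS_1. Each @pm token is a separate
# phrase (e.g. "super happy fun" is three phrases). When a new rule is added
# between here and END_UA_CHECKS_1, a phrase covering its pattern must be added
# here too, otherwise the rule is dead.
# Appended phrases: "prowebwalker" (the list had the typo "prowebwaler", so the
# prowebwalker branch of 330019 was unreachable), "nicerspro" (only present
# fused as "cherrypickernicerspro", so 330056's nicerspro branch was
# unreachable), "python-urllib" (331039 had no covering phrase), "browser"
# (covers "no browser" in 330094) and "agent" (covers "user agent:" in 330094
# and "^user-agent" in 330105; the existing "user-agent:" needs the colon).
SecRule REQUEST_HEADERS:User-Agent "@pm ICS python-requests bot 5.0 8484 admin@google.com agdm79@mail mua amiga-aweb/3.4 analyzer atomic_email_hunter backdoor bilbo black blackwidow brutus butch__2 bwh3_user_agent cgichk cherrypickernicerspro china combine concealed contentsmartz copyguard copyrightcheck cisco-torch sql springenwerk toata scanner whcc sundayddr nmap prog.customcrawler network-services-auditor grendel-scan get-minimal pymills-spider dav.pm crescent datacha0s dbrowse demo digimarc download dts ebrowse ecollector emailcollector emailwolf exploit exploiter godzilla dirbuster dotdotpwn extractor extractorpro fantombrowser foobar franklin full gameboy grabber grub hole indy injection internet-exprorer isc jaascois k1b larbin@unspecified libwen-us pycurl blacksun cyberdog absinthe autogetcolumn metis missigua morfeus morzilla mosiac mozilla/3 mozilla/2.01 mozilla/4.0 mozilla/4.76 mozilla/5. murzillo nameofagent .nasl nessus arachni havij acunetix whatweb newt nikto ninja nokia-waptoolkit nsauditor n-stealth paros pavuk picscout pe pmafind poe-component-client production prowebwaler psycheclone rainbow safexplorer security shareware siphon sitesnagger sohu spider s.t.a.l.k.e.r stress surf teleport telesoft test voideye vxb webbandit webcopier webemailextract webinspect weblogs webmole webroot webster webstripper webtrends webvulnscan webzip wells wep widow windows-update-agent < php http_get_vars super happy fun psycheclone grub crawl hurt core-project/ winnie poh siphon nutscrape/ missigua emailsiphon digger nutchcvs trackback/ autoemailspider pussycat user-agent: omniexplorer ecollector cherrypicker zemu revolt casper kmccrew planetwork dex sledink perl kangen sasqia t34mh4k mama jcomers indonetwork goblox ayumi_im0etz whitehat zmeu w3af.sourceforge.net yandex chinaclaw googlehttpclient playstation script about applet activex chrome object www.80legs.com prowebwalker nicerspro python-urllib browser agent" \
    "id:333924,rev:3,phase:2,t:none,pass,nolog,skip:1"
# Reached only when 333924 did not match (skip:1 above jumps over this line).
SecAction phase:2,id:333719,pass,nolog,skipAfter:END_UA_CHECKS_1

# Rule 330003: XSS in the UA field
SecRule REQUEST_HEADERS:User-Agent "<(?:.|\s|\n)?(?:script|about|applet|activex|chrome|object)" \
    "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,id:330003,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: XSS in User Agent field'"

# Rule 330004: PHP code injection attack
SecRule REQUEST_HEADERS:User-Agent "(?:< ?\? ?php|^ ?< ?\?)" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,deny,status:403,id:330004,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP code injection via User Agent'"

# Rule 330005: PHP code injection attack
SecRule REQUEST_HEADERS:User-Agent "http_get_vars" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,deny,status:403,id:330005,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: PHP code injection via User Agent 2'"

#Joomla bot
#BOT/0.1 (BOT for JCE)
SecRule REQUEST_HEADERS:User-Agent "bot for jce" \
    "phase:2,t:none,t:compressWhitespace,t:lowercase,deny,status:403,id:330205,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Joomla Exploit Bot'"

#Mozilla/4.0 (compatible; ICS)"
# Note: no t:lowercase here, so this match is case-sensitive by design of the
# distributed rule (the pre-filter phrase "ICS" is matched case-insensitively).
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.0 \(compatible; ICS\)" \
    "phase:2,t:none,deny,status:403,id:360205,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: ICS Bot'"

#Joomla bot
#Mua
SecRule REQUEST_HEADERS:User-Agent "^mua$" \
    "phase:2,t:none,t:compressWhitespace,t:lowercase,deny,status:403,id:330206,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Joomla Exploit Bot'"

# Rule 330010: DataCha0s
SecRule REQUEST_HEADERS:User-Agent "datacha0s/2\.0" \
    "phase:2,t:none,t:lowercase,deny,status:403,id:330010,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Bad User Agent: DataCha0s'"

# Rule 330011: Damn fine UA
SecRule REQUEST_HEADERS:User-Agent "(?:exploit|morzilla|cyberdog|blacksun|absinthe|autogetcolumn|bsqlbf|cisco-torch|crimscanner|dav\.pm|pymills-spider|get-minimal|grendel-scan|mysqloit|prog\.customcrawler|sql power injector|sqlmap|sundayddr|friendly-scanner|toata dragostea)" \
    "phase:2,t:none,t:lowercase,deny,status:403,id:330011,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Bad User Agent: Exploit Tool'"

# Rule 330015: exploit tool UAs (dirbuster, dotdotpwn).
# The distributed comment called this "Rule 330014: XML RPC exploit tool";
# the id is 330015 and 330014 is a different rule further down.
SecRule REQUEST_HEADERS:User-Agent "(?:dirbuster|dotdotpwn)" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330015,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Bad User Agent: Exploit tool'"

#Playstation
#SecRule REQUEST_HEADERS:User-Agent "psp \(playstation portable\)" \
#       "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:393716,phase:2,t:lowercase,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Bad User Agent: Playstation Portable',deny,status:403"

# Rule 330016: A friendly little exploit banner for a WP vuln
SecRule REQUEST_HEADERS:User-Agent "wordpress hash grabber" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330016,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Bad User Agent: Wordpress hash grabber'"

# Rule 330017: Blocks scripts
# (disabled; the <LocationMatch> exclusions for 330017 at the end of the file
# are therefore no-ops unless the rule is re-enabled)
#SecRule REQUEST_URI "!(/webprobilling/pipe/pop\.php|/cron/index\.php|/read\.php|/pg/cron/)" \
#       "chain,id:330017,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious User Agent: lwp - Disable this rule if you are using LWP'"
#SecRule REQUEST_HEADERS:User-Agent lwp

# Rule 330019: Web leaches
# Requires a pre-filter phrase for every alternative; "prowebwalker" is the one
# that was missing (see 333924).
SecRule REQUEST_HEADERS:User-Agent "^(?:web(?:(?:st(?:ripp)?| download|copi)er|zip)|(?:prowebwalk|sitesnagg)er|c(?:heesebot|ombine)|teleport pro|black hole|chinaclaw)" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330019,rev:3,severity:3,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious Web Client Detected (Disable this rule if you wish to allow these clients)'"

# Rule 330031: Bogus Mozilla UA lines
# "capture" + logdata:'%{TX.0}' records the matched text in the audit log.
SecRule REQUEST_HEADERS:User-Agent "m(?:icrosoft internet explorer/5.0|ozilla/3.mozilla/(?:2.01|5\.0)|ozilla/4\.0 \(compatible; msie 7\.0; na; \))$" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,capture,id:330031,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Fake Browser User agent detected',logdata:'%{TX.0}'"

# Rule 330033: Bogus UA
SecRule REQUEST_HEADERS:User-Agent "(?:f(?:oobar/|axobot)|^www\.weblogs\.com)" \
    "phase:2,t:none,t:lowercase,deny,status:403,id:330033,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Fake User agent detected'"

# Rule 330034: Vuln scanner UA
SecRule REQUEST_HEADERS:User-Agent "(?:n(?:-stealth|sauditor|e(?:ssus|etwork-services-auditor)|ikto|map)|b(?:lack ?widow|rutus|ilbo)|web(?:inspec|roo)t|p(?:mafind|aros|avuk)|cgichk|jaascois|\.nasl|metis|w(?:ebtrends security analyzer|hcc|3af\.sourceforge\.net)|zmeu|springenwerk|arachni|acunetix-product|havij)" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330034,rev:10,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Vulnerability Scanner User agent detected'"

# Rule 330037: WhatWeb/
SecRule REQUEST_HEADERS:User-Agent "whatweb/" \
    "phase:2,t:none,t:lowercase,deny,status:403,id:330037,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: WhatWeb web scanner detected'"

# Rule 330036: BAd/Bogus UAs
SecRule REQUEST_HEADERS:User-Agent "indy library" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330036,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious User agent detected. Disable this rule if you use indy library.'"

# Rule 330038: BAd/Bogus UAs
SecRule REQUEST_HEADERS:User-Agent "safexplorer tl" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330038,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious Unusual User Agent (SAFEXPLORER)'"

# Rule 330039: Libwww-perl
# Chain: (1) client is not loopback, (2) UA contains libwww-perl,
# (3) UA does not start with "w3c-" and does not contain "systran)".
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" \
    "phase:2,t:none,deny,status:403,chain,id:330039,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious Unusual User Agent (libwww-perl). Disable this rule if you use libwww-perl. '"
    SecRule REQUEST_HEADERS:User-Agent "libwww-perl" "chain,t:none,t:lowercase"
    SecRule REQUEST_HEADERS:User-Agent "!(^w3c-|systran\))" "t:none,t:lowercase"

# Rule 332039: python-requests/
# (distributed comment said 330039, which is the libwww-perl rule above)
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" \
    "phase:2,t:none,deny,status:403,chain,id:332039,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious Unusual User Agent (python-requests). Disable this rule if you use python-requests/. '"
    SecRule REQUEST_HEADERS:User-Agent "python-requests/" "t:none,t:lowercase"

# Rule 331039: Python-urllib
# Reachable only because "python-urllib" is now in the 333924 pre-filter list.
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" \
    "phase:2,t:none,deny,status:403,chain,id:331039,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious Unusual User Agent (Python-urllib). Disable this rule if you use Python-urllib. '"
    SecRule REQUEST_HEADERS:User-Agent "python-urllib" "chain,t:none,t:lowercase"
    SecRule REQUEST_HEADERS:User-Agent "!(^w3c-|systran\))" "t:none,t:lowercase"

# Rule 330040: TwengaBot
SecRule REQUEST_HEADERS:User-Agent "twengabot" \
    "phase:2,t:none,t:lowercase,deny,status:403,id:330040,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Impolite bot - TwengaBot detected. Disable this rule if you want to allow TwengaBot. '"

# Rule 330041:VB development library used by many spammers, might block legite VBscripts
#comment out if you have problems
SecRule REQUEST_HEADERS:User-Agent "crescent internet toolpak" \
    "phase:2,t:none,t:lowercase,deny,status:403,id:330041,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious User agent detected'"

# Rule 330045: Libpycurl
# (distributed comment said 330039)
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" \
    "phase:2,t:none,deny,status:403,chain,id:330045,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious Unusual User Agent (pycurl). Disable this rule if you use pycurl. '"
    SecRule REQUEST_HEADERS:User-Agent "pycurl" "t:none,t:lowercase"

# Rule 330056 (comment in the distributed file says 330044): e-mail collectors and spammers
# Chained exclusion keeps windows-live-social-object-extractor-engine and nutch- clients.
SecRule REQUEST_HEADERS:User-Agent "(?:e(?:mail(?:s(?:iphon|pider)|collector|wolf)?|xtractor(?:pro)?|collector)|web(?:(?:emailextrac|bandi)t|mole)|autoemailspider|cherrypicker|under the rainbow 2|nicerspro|telesoft|grub|j12bot\/v1\.0\.8|(?:blogsearchbot-marti|super happy fu)n|c(?:ore-project\/|herrypicker)|p(?:sycheclone|ussycat)|(?:grub crawl|omniexplor)er|auto ?email ?spider|winnie poh|nut(?:scrape/|chcvs))" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,chain,id:330056,rev:9,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Email Harvester Spambot User agent detected'"
    SecRule REQUEST_HEADERS:User-Agent "!(windows-live-social-object-extractor-engine|nutch-)" "t:none,t:lowercase"

#Spiders that eat up bandwidth for their customers
# Rule 330057: Not a spammer, just a spider, comment out if you like
SecRule REQUEST_HEADERS:User-Agent "(?:copy(?:rightcheck|guard)|digimarc webreader|picscout)" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330057,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: DRM Spider User agent detected'"

# Rule 330060: MArketing spiders
SecRule REQUEST_HEADERS:User-Agent "zeus .*webster pro" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330060,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Marketing Spider User agent detected'"

# Rule 330061: Poker spam
SecRule REQUEST_HEADERS:User-Agent "(?:(?:w(?:ise(?:nut)?|ebalt)bo|(?:nameof|dts )agen|8484 boston projec)t|(?:f(?:ranklin locato|antombrowse)|atspide)r|china local browse 2|murzillo compatible|libwen-us|program shareware 1|we(?:lls search ii|p search 00)|digger|trackback\/)" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330061,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Spambot User agent detected'"

#330269 suspicious UA
SecRule REQUEST_HEADERS:User-Agent "poe-component-client" \
    "phase:2,t:none,t:lowercase,deny,status:403,id:330269,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious User Agent (POE-Component-Client)'"

# Rule 330070: spam bots
SecRule REQUEST_HEADERS:User-Agent "missigua" \
    "phase:2,t:none,t:lowercase,deny,status:403,id:330070,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious unusual User Agent'"

#spammer
SecRule REQUEST_HEADERS:User-Agent "(?:agdm79@mail\.ru|larbin@unspecified|butch__2\.1\.1|internet exploiter sux|hl_ftien_spider|godzilla)" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330079,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Comment Spammer User Agent'"

#Fake Gameboy UA
SecRule REQUEST_HEADERS:User-Agent "gameboy\, powered by nintendo" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330080,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Comment Spammer User Agent (Fake Gamboy UA)'"

#bogus amiga UA
SecRule REQUEST_HEADERS:User-Agent "amiga-aweb/3\.4" \
    "phase:2,t:none,t:lowercase,deny,status:403,id:330081,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Fake Amiga Web Agent'"

#bogus googlebot UA
SecRule REQUEST_HEADERS:User-Agent "(?:nokia-waptoolkit.* googlebot.*googlebot|googlehttpclient)" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330083,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Fake GoogleBot'"

#exploit UA
SecRule REQUEST_HEADERS:User-Agent "(?:mo(?:rfeus fucking scanner|siac 1)|internet(?:-exprorer| ninja)|s\.t\.a\.l\.k\.e\.r\.|kenjin spider|neuralbot/)" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330082,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Exploit User Agent'"

#fake UA
# Rule 330090: chain = (1) request URI does not end in .asmx, (2) UA contains
# windows-update-agent. The distributed chained rule ended in a bare "\"
# continuation and had no transformations; t:lowercase from the first rule is
# applied to REQUEST_URI only, so the UA match was case-sensitive. The
# continuation is dropped (a following non-blank line would otherwise be glued
# onto the directive) and the chained rule gets its own case folding.
SecRule REQUEST_URI "!(\.asmx$)" \
    "phase:2,t:none,t:lowercase,deny,status:403,chain,id:330090,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Comment Spammer User Agent (Fake Windows Update Agent)'"
    SecRule REQUEST_HEADERS:User-Agent "windows-update-agent" "t:none,t:lowercase"

#Vadix bot
SecRule REQUEST_HEADERS:User-Agent "vadixbot" \
    "phase:2,t:none,t:lowercase,deny,status:403,id:330095,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Vadixbot User Agent String'"

SecRule REQUEST_HEADERS:User-Agent "concealed defense" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330096,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Concealed Defense User Agent String'"

SecRule REQUEST_HEADERS:User-Agent "core-project/1." \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330097,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: core-project/1.0 User Agent String'"

# Rule 330094: chained exclusion keeps UAs containing http://bsalsa.com.
# Same bare-continuation / missing-transformation issue as 330090, fixed the same way.
SecRule REQUEST_HEADERS:User-Agent "(?:no browser|user[- ]agent:)" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,chain,id:330094,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Fake User Agent String'"
    SecRule REQUEST_HEADERS:User-Agent "!(http://bsalsa\.com)" "t:none,t:lowercase"

SecRule REQUEST_HEADERS:User-Agent "backdoor" \
    "phase:2,t:none,t:lowercase,deny,status:403,id:330099,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: backdoor User Agent String'"

SecRule REQUEST_HEADERS:User-Agent "(?:script|sql) injection" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330100,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: script injection User Agent String'"

# Rule 330101: the distributed msg was a copy of 330100's ("script injection"),
# which mislabels this event in the audit log; it now names what the pattern matches.
SecRule REQUEST_HEADERS:User-Agent "security scan" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330101,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Security Scan User Agent String'"

SecRule REQUEST_HEADERS:User-Agent "stress test" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330102,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Stress Test User Agent String'"

SecRule REQUEST_HEADERS:User-Agent "voideye" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330103,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: VoidEYE User Agent String'"

# Rule 330105: unexpanded template placeholders left in a bot's UA.
# The distributed pattern was "$botname/$botversion": an unescaped "$" is the
# end-of-subject anchor, so that alternative could never match. Escaped so it
# matches the literal text.
SecRule REQUEST_HEADERS:User-Agent "(?:\$botname/\$botversion|^user-agent)" \
    "phase:2,t:none,t:lowercase,deny,status:403,id:330105,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Broken Bot Generic User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "(?:p(?:e 1\.4|roduction bot|sycheclone)|[a-z]surf[0-9][0-9])" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330110,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Scanbot User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "searchbot admin@google\.com" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330115,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Fake Google Searchengine User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "(?:sogou develop spider|sohu agent)" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330116,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Fake Sogou Searchengine User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "(?:bwh3_user_agent|zemu|mama (?:casper|cyber|sox|xirio)|(?:kmccrew|sasqia|casper|planetwork|dex|jcomers|sledink|goblox|indo(?:com|network)) bot search|^perl post$|rk q kangen|t34mh4k|^revolt$)" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330122,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Attack Script User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "(?:con(?:tentsmartz|tactbot/)|atomic_email_hunter|isc systems irc search 2\.1)" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330124,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Email Harvester Spambot User Agent String Detected'"

# Rule 330125: chained exclusion keeps flipboardbrowser.
SecRule REQUEST_HEADERS:User-Agent "(?:demo bot|educate search vxb|full web bot)" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,chain,id:330125,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Scanbot User Agent String Detected'"
    SecRule REQUEST_HEADERS:User-Agent "!(flipboardbrowser)" "t:none,t:lowercase"

SecRule REQUEST_HEADERS:User-Agent "k1b compatible; rss 6.0; windows sot 5.1 security kol" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330132,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Attacker User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "pleasecrawl/1\." \
    "phase:2,t:none,t:lowercase,deny,status:403,id:330136,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Badbot User Agent String Detected'"

#SecRule REQUEST_HEADERS:User-Agent "yandexbot" \
#       "id:330137,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: YandexBot Search Engine User Agent Detected (Disable this rules if you wish to allow this search bot, this is not a false positive)'"

# Rule 330014: Exploit UA
SecRule REQUEST_HEADERS:User-Agent "that's gotta hurt" \
    "phase:2,t:none,t:lowercase,t:removeWhitespace,deny,status:403,id:330014,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Exploit User Agent Detected'"

SecRule REQUEST_HEADERS:User-Agent "www\.80legs\.com" \
    "phase:2,t:none,t:lowercase,deny,status:403,id:333514,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Bad Bot www.80legs.com'"

# End of the block gated by pre-filter 333924.
SecMarker END_UA_CHECKS_1

#Suspicious useragent
# Rule 309925 is NOT behind a pre-filter: it runs for every request.
# Chain: UA ends with ";)" and is not one of the listed known clients.
SecRule REQUEST_HEADERS:User-Agent "@endsWith ;)" \
    "chain,phase:2,t:none,t:compressWhitespace,deny,status:403,id:309925,severity:2,rev:6,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious User-Agent, parenthesis closed with a semicolon %{REQUEST_HEADERS.User-Agent}'"
    SecRule REQUEST_HEADERS:User-Agent "!(Qualidator\.com|ExaleadCloudView|^Mozilla/4\.0 \(compatible;\)$|UTVDriveBot|Add Catalog|^Appcelerator)" "t:none"

#Check major browsers for validity
# Pre-filter for the block up to END_UA_CHECKS_2 (same mechanism as 333924).
SecRule REQUEST_HEADERS:User-Agent "@pm mozilla ;. newt google explore msie compatible opera" \
    "id:333925,t:none,phase:2,pass,nolog,skip:1"
SecAction phase:2,id:333720,pass,nolog,skipAfter:END_UA_CHECKS_2

#Fake Mozilla UA string
# NOTE(review): the first alternative "$mozilla^" is an end anchor followed by
# literal text and a start anchor, so it can never match; only the
# "mozilla/[45].[1-9]" alternative is live. If the literal string "$mozilla^"
# was intended, it needs escaping ("\$mozilla\^") -- left unchanged because the
# intent is not recoverable from this file; confirm with the rule maintainer.
SecRule REQUEST_HEADERS:User-Agent "(?:$mozilla^|mozilla/[45]\.[1-9])" \
    "phase:2,t:none,t:lowercase,deny,status:403,id:330131,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Fake Mozilla User Agent String Detected'"

#Fake Opera browser
#SecRule REQUEST_HEADERS:User-Agent "^.* Opera[ /][0-9]\." \
#       "phase:2,t:none,deny,status:403,id:336655,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Fake Opera browser',chain"
#SecRule &REQUEST_HEADERS:X-Wap-Profile "@eq 0" "t:none"
#SecRule &REQUEST_HEADERS:X-Wap-Profile "@eq 0" "t:none,chain"
#SecRule REQUEST_HEADERS:User-Agent "!(Nintendo DSi)" "t:none"

#Fake Mozilla
#SecRule REQUEST_HEADERS:User-Agent "^mozilla/5\.0 " \
#       "phase:2,t:none,t:lowercase,deny,status:403,id:336656,rev:2,severity:2,chain,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Fake Mozilla/5.0 browser %{REQUEST_HEADERS.User-Agent}.'"
#SecRule REQUEST_HEADERS:User-Agent "!(?:gecko|msie 9\.|baiduspider)"

#Broken Bot
SecRule REQUEST_HEADERS:User-Agent "compatible ;\." \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330130,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Broken Bot User Agent String Detected'"

# Rule 330072: Some regexps to catch silly bots
# (disabled; the <LocationMatch> exclusions for 330072 at the end are no-ops
# unless it is re-enabled)
#SecRule REQUEST_HEADERS:User-Agent "(?:^(?:google|i?explorer?\.exe|(?:ms)?ie( [0-9.]+)?[ ]?(?:compatible(?: browser)?)?|mozilla(?: [0-9.]+)?[ ]?\((?:windows|linux|(?:ie )?compatible)\))$|compatible \; msie)" \
#"chain,phase:2,t:none,t:compressWhitespace,t:lowercase,deny,status:403,id:330072,rev:6,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Fake Browser detected'"
#SecRule REQUEST_HEADERS:User-Agent "!(placeware rpc 1\.0\)$)"

# Rule 330074: Some regexps to catch silly bots
#SecRule REQUEST_HEADERS:User-Agent "^(?:mozilla/5\.0 \(x11; u; linux i686; en-us; rv\:0\.9\.6\+\) gecko/2001112|mozilla/.+[. ]+|mozilla/4\.0 \(compatible\; msie 6\.0\; windows nt 5\.1)$" \
#       "id:330074,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Comment Spammer User Agent (Fake Mozilla)'"

#330076: Broken spammer tool
# Chain: (1) UA starts with "mozilla/4.0+", (2) UA is not the UptimeRobot form.
# The distributed chained rule read "^!(mozilla/4.0+\(...\))$", which is a
# regex requiring the UA to start with a literal "!" -- impossible after (1),
# so the whole chain never fired. Rewritten as the intended negation, with
# "4.0+" escaped to match the literal ".0+" and with explicit case folding
# (the chained rule had no transformations of its own).
# NOTE(review): the exclusion still pins "uptimerobot/1.x" as distributed;
# whether newer UptimeRobot versions should be excluded is a policy decision.
SecRule REQUEST_HEADERS:User-Agent "^mozilla/4\.0\+" \
    "phase:2,t:none,t:lowercase,deny,status:403,chain,log,id:330076,rev:4,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible Fake User Agent (Spammer converting spaces to plus signs)'"
    SecRule REQUEST_HEADERS:User-Agent "!^(mozilla/4\.0\+\(compatible; uptimerobot/1\..; http://www.uptimerobot.com/\))$" "t:none,t:lowercase"

#SecRule REQUEST_HEADERS:User-Agent "mozilla/4\.0 \(compatible; msie 7\.0; windows nt 5\.1; trident/4\.0 ?; ?(\.net clr.*){4,}.*msoffice 12" \
SecRule REQUEST_HEADERS:User-Agent "mozilla/4\.0 \(compatible; msie 7\.0; windows nt 5\.1; trident/4\.0 ?; \.net clr 1\.1\.4322; \.net clr 2\.0\.503l3; \.net clr 3\.0\.4506\.2152; \.net clr 3\.5\.30729; ?msoffice 12" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:331136,rev:3,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Possible slowloris DOS attack tool detected'"

# Rule 330042: Borland Delphi signature, as above, comment out if it gives you problems
#spammers sometimes use these UAs
SecRule REQUEST_HEADERS:User-Agent "(?:newt activex\; win32|mozilla.*newt)" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330042,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious User agent detected'"

#Older MSIE6 on newer platforms
#SecRule REQUEST_HEADERS:User-Agent "msie 6\.0[ab]?;(?: .+;)? windows nt [56]\." \
#       "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:336657,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Client using IE6 on verion of Windows that should have IE7 or higher installed'"

#Known attack box
#^Mozilla/4.76 \[ru\] \(X11; U; SunOS 5.7 sun4u\)
SecRule REQUEST_HEADERS:User-Agent "mozilla/4\.76 \[ru\]" \
    "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:330043,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious User agent detected'"

# End of the block gated by pre-filter 333925.
SecMarker END_UA_CHECKS_2

#exclusions
# Per-path rule removals. LocationMatch takes a regular expression, so the
# unescaped "." in these paths matches any character (as distributed).
# Ids 330017 and 330072 are commented out above, and 330030, 330069 and
# 330128 are not defined in this file; those removals only have an effect if
# the ids are defined (or re-enabled) elsewhere in the ruleset.
<LocationMatch /cron/index.php>
    SecRuleRemoveById 330017
</LocationMatch>
<LocationMatch /ssp_director/index.php>
    SecRuleRemoveById 330069
</LocationMatch>
<LocationMatch /ssp_director>
    SecRuleRemoveById 330069
</LocationMatch>
<LocationMatch /silentPost.php>
    SecRuleRemoveById 330030
</LocationMatch>
<LocationMatch /cgi/upload.cgi>
    SecRuleRemoveById 330069
</LocationMatch>
<LocationMatch /tfu/tfu_upload.php>
    SecRuleRemoveById 330069
</LocationMatch>
<LocationMatch /qm/dm.master>
    SecRuleRemoveById 330072
</LocationMatch>
<LocationMatch /dump_full_recs.txt>
    SecRuleRemoveById 330072
</LocationMatch>
<LocationMatch /export/kelkoo.php>
    SecRuleRemoveById 330128
</LocationMatch>
<LocationMatch /admincp>
    SecRuleRemoveById 330069
</LocationMatch>
<LocationMatch /ideal_wbp1ah.php>
    SecRuleRemoveById 330036
</LocationMatch>
<LocationMatch /checkout/onepage>
    SecRuleRemoveById 330036
</LocationMatch>
<LocationMatch /postsale.php>
    SecRuleRemoveById 330036
</LocationMatch>
<LocationMatch /cancel.php>
    SecRuleRemoveById 330036
</LocationMatch>
<LocationMatch /cp-res-cancel.php>
    SecRuleRemoveById 330036
</LocationMatch>
<LocationMatch /cron.php>
    SecRuleRemoveById 330017
</LocationMatch>
<LocationMatch /linkmachine/linkmachine.php>
    SecRuleRemoveById 330072
</LocationMatch>
<LocationMatch /api/postBack>
    SecRuleRemoveById 330036
</LocationMatch>
<LocationMatch /spinclude.cgi>
    SecRuleRemoveById 330039
</LocationMatch>
<LocationMatch /vmpayment/realex/notify.php>
    SecRuleRemoveById 330039
</LocationMatch>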