Question about useragents rule set

egispccw
New Forum User
Posts: 3
Joined: Wed Mar 05, 2014 2:51 am
Location: Hong Kong

Dear all,

For 20_asl_useragents.conf, does modsec check the user agent by brand (such as IE, Mozilla, etc.), or does the checking go down to the version level?
Thanks
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

It looks for suspicious / known bad user-agent fields used by malicious sources, as well as exploits that use the User Agent field.

What were you looking for, something to block specific browsers?
egispccw
New Forum User
Posts: 3
Joined: Wed Mar 05, 2014 2:51 am
Location: Hong Kong

I have experienced modsec blocking the newest Firefox from accessing the web, but it does not block the older Firefox.
I am not sure about the blocking behaviour for the user agent. :|
Thanks
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Can you be more specific? Which rule? We use the latest Firefox as our desktop browser, and our rules definitely don't block it.
egispccw
New Forum User
Posts: 3
Joined: Wed Mar 05, 2014 2:51 am
Location: Hong Kong

We hit the rule 340133 in Firefox 27, but not in Firefox 15.
Thanks
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Thank you. So that rule is not from the useragent rules or rule file. That rule is from the attack ruleset, and it detects actual PHP code injection attempts in the request headers, which is bad news. If you see that rule being triggered, that typically means someone is actually attacking your system.

egispccw wrote: "We hit the rule 340133 in Firefox 27, but not in Firefox 15."

We use Firefox 27 as our company-wide standard browser, so I can assure you that our rules do not block Firefox 27. If they did, I wouldn't be able to post this. :-)

So that tells me something else is going on. Given that you reported a rule that's designed to detect remote code injection, it sounds like someone is attacking your system. If you aren't sure, or you still think this is a false positive, please follow this process to report it:

https://www.atomicorp.com/wiki/index.ph ... _Positives

We'll need to see the actual event, and all the payload data to see what's happening.