Dear all,
For 20_asl_useragents.conf, will modsec check the user agent depending on the brand (such as IE, Mozilla, etc.), or will the checking go down to the version level?
Thanks
Question about useragents rule set
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
Re: Question about useragents rule set
It looks for suspicious / known bad user-agent fields used by malicious sources, as well as exploits that use the User Agent field.
What were you looking for, something to block specific browsers?
Re: Question about useragents rule set
I have experienced that mod sec blocks the newest Firefox accessing the web, but it does not block the older Firefox.
I am not sure about the behaviour of the blocking for the user agent.
Thanks
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Question about useragents rule set
Can you be more specific? Which rule? We use the latest Firefox as our desktop browser, and our rules definitely don't block it.
Michael Shinn
Atomicorp - Security For Everyone
Re: Question about useragents rule set
We hit the rule 340133 in Firefox 27, but not in Firefox 15.
Thanks
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Question about useragents rule set
Thank you. So that rule is not from the useragent rules or rule file. That rule is from the attack ruleset, and it detects actual PHP code injection attempts in the request headers, which is bad news. If you see that rule being triggered, that typically means someone is actually attacking your system.
We use Firefox 27 as our company-wide standard browser, so I can assure you that our rules do not block Firefox 27. If they did, I wouldn't be able to post this.
So that tells me something else is going on. Given that you reported a rule that's designed to detect remote code injection, it sounds like someone is attacking your system. If you aren't sure, or you still think this is a false positive, please follow this process to report it:
https://www.atomicorp.com/wiki/index.ph ... _Positives
We'll need to see the actual event, and all the payload data to see what's happening.
Michael Shinn
Atomicorp - Security For Everyone
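The thread turns on which rule file a hit came from and which request field it matched. As an added example (not code from Atomicorp or from the posters), the following pulls the rule id, rule file and matched variable out of ModSecurity 2.x error-log lines so a hit can be attributed before it is reported. Only rule id 340133 and the file name 20_asl_useragents.conf come from the thread; the sample lines, paths, header name, patterns and msg texts are constructed placeholders.

```python
import os
import re

UA_RULE_FILE = "20_asl_useragents.conf"  # rule file named in the thread

# Constructed sample lines in ModSecurity 2.x error-log format. Paths, msg
# texts, patterns, the header name and the attack-rules file name are placeholders.
SAMPLE_LOG = """\
[client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "PLACEHOLDER" at REQUEST_HEADERS:X-Example. [file "/etc/modsec/PLACEHOLDER_attack_rules.conf"] [line "10"] [id "340133"] [msg "PLACEHOLDER"] [hostname "www.example.com"] [uri "/index.php"]
[client 192.0.2.44] ModSecurity: Access denied with code 403 (phase 2). Pattern match "PLACEHOLDER" at REQUEST_HEADERS:User-Agent. [file "/etc/modsec/20_asl_useragents.conf"] [line "20"] [id "PLACEHOLDER_ID"] [msg "PLACEHOLDER"] [hostname "www.example.com"] [uri "/"]
[client 192.0.2.10] PHP Notice: unrelated line without a ModSecurity event
"""

TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')       # [key "value"] metadata
VAR_RE = re.compile(r' at ([A-Z_]+(?::[\w.-]+?)?)\. \[file ')  # matched variable
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')


def parse_event(line):
    """Return a dict for one ModSecurity denial line, or None if it is not one."""
    if "ModSecurity:" not in line:
        return None
    tags = dict(TAG_RE.findall(line))
    if "id" not in tags:
        return None
    var = VAR_RE.search(line)
    client = CLIENT_RE.search(line)
    rule_file = os.path.basename(tags.get("file", ""))
    return {
        "id": tags["id"],
        "rule_file": rule_file,
        "variable": var.group(1) if var else None,
        "client": client.group(1) if client else None,
        "uri": tags.get("uri"),
        # True only when the hit really came from the user-agent rule file
        "from_useragent_rules": rule_file == UA_RULE_FILE,
    }


def triage(log_text):
    """Parse every line and keep only the ModSecurity events."""
    return [e for e in map(parse_event, log_text.splitlines()) if e]


if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(ev)
```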