Rule 397989 Fake or not fake MSIE 6.0 detected?

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am


According to my logs, rule 397989 is being triggered almost constantly by some IP or other. Certainly it is being triggered more than any other rule.

In the GUI event viewer, it says "Atomicorp.com WAF Rules: MSIE 6.0 detected (Disable if you want to allow MSIE 6)"

The word "Fake" is not mentioned here. So at first glance it appears as though the rule is blocking anybody with MSIE6, which I do not necessarily want to do.

It is only when you click on "More info" for the rule that you end up in the Wiki where it says:

*********
Alert Message
Atomicorp.com WAF Rules: Fake MSIE 6.0 detected"

Description
This rule detects when I [sic] client pretends to be using Microsoft Internet Explorer 6.0. Many malicious bots and attackers will try to disguise their requests as legitimate users, and this rules detects when the request has been faked. This types of requests should be blocked.
**********

So I just want to confirm that when rule 397989 triggers, we are 100% definitely talking about a fake user agent, and therefore a bot or crawler that I don't want anywhere near my systems?

If so, please can the words that appear in the event viewer be adjusted to make this clear? (also please change the "I" in the wiki to "a")
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>