Hello to everyone,
one of our servers had tons of connections from many different IPs, but all with the User-Agent: "Mon_httpDownload /3.1.0libwww-perl/5.805"
So I created a new rule file named 99_asl_zzz_custom.conf with the following lines:
SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:none,t:lowercase,t:replaceNulls,t:compressWhitespace"
SecRule REQUEST_HEADERS:User-Agent "Mon_httpDownload /3.1.0libwww-perl/5.805" \
"id:999999,rev:1,severity:2,msg:'Custom Local Rule: Blocked UserAgent'"
Is this correct? Can I expect to find the next HTTP request with the User-Agent "Mon_httpDownload /3.1.0libwww-perl/5.805" logged with a 403 error in the Apache log?
Thanks in advance for your help.
Custom rule to block user agent
- mikeshinn
- Atomicorp Staff - Site Admin
Re: Custom rule to block user agent
Thank you for the question, unfortunately your rule won't work. You have a transform to lowercase and you have upper case in your pattern, so your rule will never match. Either change the pattern token to all lowercase, or remove the t:lowercase transform. The former is a better idea than the latter, as case is something you don't want to trigger on normally. You also don't need the replaceNulls transform. You're better off defining your transforms in the rule itself rather than using a SecDefaultAction. Also, remember to escape regular expression metacharacters, like ".". For example, this rule would work, although it's far too literal for my tastes; I wouldn't match on versions unless you really only want to block this exact UA.

Your rule:
SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:none,t:lowercase,t:replaceNulls,t:compressWhitespace"
SecRule REQUEST_HEADERS:User-Agent "Mon_httpDownload /3.1.0libwww-perl/5.805" \
"id:999999,rev:1,severity:2,msg:'Custom Local Rule: Blocked UserAgent'"

Corrected rule:
SecRule REQUEST_HEADERS:User-Agent "mon_httpdownload /3\.1\.0libwww-perl/5\.805" \
"t:none,t:lowercase,deny, status:403,id:999999,rev:1,severity:2,msg:'Custom Local Rule: Blocked UserAgent'"
Keep in mind that libwww-perl is already blocked by the Atomicorp/Gotroot rules, so you don't need your custom rule if you are already using our rules:
get http://test1/foo.php --user-agent="Mon_httpDownload /3.1.0libwww-perl/5.805"
[modsecurity] [client 10.91.94.33] [domain test1 [403] [/20110429/20110429-1009/20110429-100935-OT9W@ErQm4UAAFeKbeYAAABQ] [file "/etc/httpd/modsecurity.d/20_asl_useragents.conf"] [line "117"] [id "330039"] [rev "1"] [msg "Atomicorp.com WAF Rules: Suspicious Unusual User Agent (libwww-perl). Disable this rule if you use libwww-perl. "] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "libwww-perl" at REQUEST_HEADERS:User-Agent.
Michael Shinn
Atomicorp - Security For Everyone
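To make the point about transformations concrete, here is an added example (not code from the thread, Atomicorp, or ModSecurity itself) that simulates how ModSecurity evaluates a SecRule: the transformation pipeline runs over the variable first, then the default @rx operator is applied to the transformed value. The sample User-Agent strings and the rule definitions are constructed from the two rules posted above; the lookalike string and the Python `re` module standing in for PCRE are assumptions for illustration. It shows that the original rule can never fire once t:lowercase is in effect, that the corrected lowercase pattern does fire, that an unescaped "." silently matches any character, and that matching on "libwww-perl" alone (as the Atomicorp rule in the log output does) catches the same client without depending on a version string.

```python
"""Simulate ModSecurity's per-rule transformation pipeline and @rx operator.

Added example for the thread above; not ModSecurity's own code. The transforms
below follow the documented semantics of t:none, t:lowercase, t:replaceNulls
and t:compressWhitespace closely enough to reproduce the matching behaviour
discussed in the reply.
"""
import re

# Transformation functions modelled on the corresponding t:* actions.
TRANSFORMS = {
    "lowercase": lambda s: s.lower(),
    "replaceNulls": lambda s: s.replace("\x00", " "),
    "compressWhitespace": lambda s: re.sub(r"\s+", " ", s),
}


def apply_transforms(value, names):
    """Apply transforms in order; t:none discards everything queued before it,
    which is how ModSecurity lets a rule override SecDefaultAction transforms."""
    pipeline = []
    for name in names:
        if name == "none":
            pipeline = []
        else:
            pipeline.append(name)
    for name in pipeline:
        value = TRANSFORMS[name](value)
    return value


def rule_matches(pattern, value, transforms):
    """Default operator is @rx: an unanchored regex search on the transformed value."""
    return re.search(pattern, apply_transforms(value, transforms)) is not None


# Constructed inputs: the UA from the thread, plus a hypothetical lookalike
# that differs only in the characters an unescaped "." would swallow.
UA = "Mon_httpDownload /3.1.0libwww-perl/5.805"
LOOKALIKE = "Mon_httpDownload /3x1x0libwww-perl/5x805"

# Rules as posted in the thread (transform lists are the effective pipeline).
RULES = {
    # Original: inherits t:none,t:lowercase,t:replaceNulls,t:compressWhitespace
    # from SecDefaultAction, but the pattern keeps upper case.
    "original": (r"Mon_httpDownload /3.1.0libwww-perl/5.805",
                 ["none", "lowercase", "replaceNulls", "compressWhitespace"]),
    # Corrected: lowercase pattern, metacharacters escaped, transforms in-rule.
    "corrected": (r"mon_httpdownload /3\.1\.0libwww-perl/5\.805",
                  ["none", "lowercase"]),
    # Same as corrected but with "." left unescaped (assumed, for contrast).
    "unescaped": (r"mon_httpdownload /3.1.0libwww-perl/5.805",
                  ["none", "lowercase"]),
    # Library-name match, as the Atomicorp rule quoted in the log line does.
    "libwww": (r"libwww-perl", ["none", "lowercase"]),
}


def evaluate(rule_name, ua):
    """Return True if the named rule would fire on the given User-Agent."""
    pattern, transforms = RULES[rule_name]
    return rule_matches(pattern, ua, transforms)


def firing_rules(ua):
    """Names of all rules that fire on a User-Agent, in definition order."""
    return [name for name in RULES if evaluate(name, ua)]


if __name__ == "__main__":
    for sample in (UA, LOOKALIKE):
        print(f"{sample!r} -> transformed {apply_transforms(sample, ['none', 'lowercase'])!r}")
        print(f"  fires: {firing_rules(sample)}")
```

Running it shows the original rule firing on neither string, the corrected rule on the exact UA only, the unescaped pattern on both (including the lookalike), and the libwww-perl rule on both, which is why a broad token like the library name is the better block target when the exact version does not matter.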