From d6a3b141488165e350359207a5b4b63a305b27ce Mon Sep 17 00:00:00 2001
From: mh
Date: Sat, 26 Jul 2008 15:21:59 +0000
Subject: factered out the modules of the apache module
---
files/mod_security/custom_rules/useragents.conf | 229 ------------------------
1 file changed, 229 deletions(-)
delete mode 100644 files/mod_security/custom_rules/useragents.conf
(limited to 'files/mod_security/custom_rules/useragents.conf')
diff --git a/files/mod_security/custom_rules/useragents.conf b/files/mod_security/custom_rules/useragents.conf
deleted file mode 100644
index d969960..0000000
--- a/files/mod_security/custom_rules/useragents.conf
+++ /dev/null
@@ -1,229 +0,0 @@
-# http://www.gotroot.com/mod_security+rules
-# Gotroot.com ModSecurity rules
-# User Agent Security Rules for modsec 2.x
-#
-# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/useragents.conf
-#
-# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
-# Copyright 2005 and 2006 by the Michael Shinn and the Prometheus Group, all rights reserved.
-# Redistribution is strictly prohibited in any form, including whole or in part.
-#
-# Version: N-20061022-01
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
-# THE POSSIBILITY OF SUCH DAMAGE.
-
-
-#Comment spam header line
-SecRule REQUEST_HEADERS "x-aaaaaa.*"
-SecRule REQUEST_BODY "X-AAAAAA.*"
-
-#check for bad meta characters in User-Agent field
-#SecRule HTTP_User-Agent ".*\'"
-
-#XSS in the UA field
-SecRule HTTP_User-Agent "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)"
-
-#PHP code injection attack
-SecRule HTTP_User-Agent "(<\?php|<[[:space:]]*\?[[:space:]]*php)"
-SecRule HTTP_User-Agent ".*HTTP_GET_VARS"
-
-#recursion attack in UA field
-SecRule HTTP_User-Agent "\.\./\.\."
-
-#May cause false positives with some software, comment out if it does
-#SecRule REMOTE_ADDR "!^127\.0\.0\.1$" "chain,id:390000,rev:1,severity:1,msg:'Suspicious Automated or Manual Request'"
-#SecRule "HTTP_User-Agent|HTTP_HOST|HTTP_Accept" "^$"
-
-#Exploit agent
-SecRule HTTP_User-Agent "Mosiac 1\.*"
-
-#Bad agent
-SecRule HTTP_User-Agent "Brutus/AET"
-
-#CGI vuln scan tool
-SecRule HTTP_User-Agent cgichk
-SecRule HTTP_User-Agent "DataCha0s/2\.0"
-
-#Damn fine UA
-SecRule HTTP_User-Agent ".*THIS IS AN EXPLOIT*"
-SecRule HTTP_User-Agent "Morzilla"
-
-#CIRT.DK Webroot auditing tool
-SecRule HTTP_User-Agent ".*WebRoot "
-
-#Exploit UA
-SecRule HTTP_User-Agent ".*T H A T \' S G O T T A H U R T*"
-
-#XML RPC exploit tool
-SecRule HTTP_User-Agent "xmlrpc exploit*"
-
-#A friendly little exploit banner for a WP vuln
-SecRule HTTP_User-Agent "Wordpress Hash Grabber"
-
-#Blocks scripts
-SecRule HTTP_User-Agent lwp
-
-#Web leaches
-SecRule HTTP_User-Agent "Web Downloader"
-SecRule HTTP_User-Agent WebZIP
-SecRule HTTP_User-Agent WebCopier
-SecRule HTTP_User-Agent Webster
-SecRule HTTP_User-Agent WebZIP
-SecRule HTTP_User-Agent WebStripper
-SecRule HTTP_User-Agent "teleport pro"
-SecRule HTTP_User-Agent combine
-SecRule HTTP_User-Agent "Black Hole"
-SecRule HTTP_User-Agent "SiteSnagger"
-SecRule HTTP_User-Agent "ProWebWalker"
-SecRule HTTP_User-Agent "CheeseBot"
-
-#Bogus Mozilla UA lines
-SecRule HTTP_User-Agent "Mozilla/(4|5)\.0$"
-SecRule HTTP_User-Agent "Mozilla/3\.Mozilla/2\.01$"
-
-#Bogus IE UA line
-SecRule HTTP_User-Agent "Microsoft Internet Explorer/5\.0$"
-
-#Bogus UA
-SecRule HTTP_User-Agent "FooBar/42"
-
-#Nessus Vuln scanner UA
-SecRule HTTP_User-Agent "Mozilla.*Nessus"
-
-#Nikto vuln scanner UA
-SecRule HTTP_User-Agent ".*Nikto"
-
-#BAd/Bogus UAs
-SecRule HTTP_User-Agent "Indy Library"
-SecRule HTTP_User-Agent "Faxobot"
-SecRule HTTP_User-Agent ".*SAFEXPLORER TL"
-
-#Spam spinder UAs
-SecRule HTTP_User-Agent ".*fantomBrowser"
-SecRule HTTP_User-Agent ".*fantomCrew Browser"
-
-#VB development library used by many spammers, might block legite VBscripts
-#comment out if you have problems
-SecRule HTTP_User-Agent "Crescent Internet ToolPak"
-
-#Borland Delphi signature, as above, comment out if it gives you problems
-#spammers sometimes use these UAs
-SecRule HTTP_User-Agent "NEWT ActiveX\; Win32"
-SecRule HTTP_User-Agent "Mozilla.*NEWT"
-
-#Part of the Microsoft MSINET.OCX, as above, spammers sometimes use this, if
-#it causes problems, comment out. If you are a member of the Microsoft Site
-#Builder Network, you probably do NOT want to block this ID.
-#SecRule HTTP_User-Agent "Microsoft URL Control"
-#SecRule HTTP_User-Agent "^Microsoft URL"
-
-#e-mail collectors and spammers
-SecRule HTTP_User-Agent "WebBandit"
-SecRule HTTP_User-Agent "WEBMOLE"
-SecRule HTTP_User-Agent "Telesoft*"
-SecRule HTTP_User-Agent "WebEMailExtractor"
-SecRule HTTP_User-Agent "CherryPicker*"
-SecRule HTTP_User-Agent NICErsPRO
-SecRule HTTP_User-Agent "Advanced Email Extractor*"
-SecRule HTTP_User-Agent EmailSiphon
-SecRule HTTP_User-Agent Extractorpro
-SecRule HTTP_User-Agent webbandit
-SecRule HTTP_User-Agent EmailCollector
-SecRule HTTP_User-Agent "WebEMailExtrac*"
-SecRule HTTP_User-Agent EmailWolf
-
-#Spiders that eat up bandwidth for their customers
-#Not a spammer, just a spider, comment out if you like
-SecRule HTTP_User-Agent "CopyRightCheck"
-SecRule HTTP_User-Agent "CopyGuard"
-SecRule HTTP_User-Agent "Digimarc WebReader"
-
-#MArketing spiders
-SecRule HTTP_User-Agent "Zeus .*Webster Pro*"
-
-#Poker spam
-SecRule HTTP_User-Agent "8484 Boston Project"
-
-#collectors
-SecRule HTTP_User-Agent "autoemailspider"
-SecRule HTTP_User-Agent "ecollector"
-SecRule HTTP_User-Agent "grub crawler"
-
-#referrer spam, not the real weblogs
-SecRule HTTP_User-Agent "^www\.weblogs\.com"
-
-#spam bots
-SecRule HTTP_User-Agent "DTS Agent"
-SecRule HTTP_User-Agent "POE-Component-Client"
-SecRule HTTP_User-Agent "WISEbot"
-SecRule HTTP_User-Agent "^Shockwave Flash"
-SecRule HTTP_User-Agent "Missigua"
-
-#comment spam sign
-SecRule HTTP_User-Agent "compatible \; MSIE"
-
-#Some regexps to catch silly bots
-SecRule REQUEST_URI "!/ps(zones\|comp).txt1" chain
-SecRule HTTP_User-Agent "^(google|i?explorer?\.exe|(MS)?IE( [0-9.]+)?[ ]?(Compatible( Browser)?)?)$"
-SecRule HTTP_User-Agent "^(Mozilla( [0-9.]+)?[ ]?\((Windows|Linux|(IE )?Compatible)\))$"
-SecRule HTTP_User-Agent "^Mozilla/5\.0 \(X11; U; Linux i686; en-US; rv\:0\.9\.6\+\) Gecko/2001112$"
-SecRule HTTP_User-Agent "^Mozilla/[0-9.]+ \(compatible; MSIE [0-9.]+; Windows( NT)?( [0-9.]*)?;[0-9./ ]*\)?$"
-SecRule HTTP_User-Agent "^Mozilla/.+[. ]+$"
-
-#spammer
-SecRule HTTP_User-Agent "Butch__2\.1\.1"
-SecRule HTTP_User-Agent "agdm79@mail\.ru"
-
-#Fake Gameboy UA
-SecRule HTTP_User-Agent "GameBoy\, Powered by Nintendo"
-
-#bogus amiga UA
-SecRule HTTP_User-Agent "Amiga-AWeb/3\.4"
-
-#exploit UA
-SecRule HTTP_User-Agent "Internet Ninja x\.0"
-
-#bogus googlebot UA
-SecRule HTTP_User-Agent "Nokia-WAPToolkit.* googlebot.*googlebot"
-
-#recently caught sending spam referrals, from their actual crawler IP
-SecRule HTTP_User-Agent "BecomeBot"
-
-#Suverybot
-#SecRule HTTP_User-Agent "SurveyBot"
-
-#exploit
-SecRule HTTP_User-Agent "S\.T\.A\.L\.K\.E\.R\."
-SecRule HTTP_User-Agent "NeuralBot/0\.2"
-SecRule HTTP_User-Agent "Kenjin Spider"
-
-#WebvulnScan
-SecRule HTTP_User-Agent "WebVulnScan"
-
-#broken spam tool
-SecRule HTTP_User-Agent "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows NT 5\.1$"
-
-#PHPBB worm UA
-SecRule HTTP_User-Agent "INTERNET EXPLOITER SUX"
-
-#fake UA
-SecRule HTTP_User-Agent "Windows-Update-Agent"
-
-#exploit
-SecRule HTTP_User-Agent "Internet-exprorer"
-
-# Bad Spider
-SecRule HTTP_User-Agent "hl_ftien_spider"
-
-# PMAFind
-SecRule HTTP_User-Agent "PMAFind"
--
cgit v1.2.3