# http://www.gotroot.com/mod_security+rules # Gotroot.com ModSecurity rules # User Agent Security Rules for modsec 2.x # # Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/useragents.conf # # Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com) # Copyright 2005 and 2006 by the Michael Shinn and the Prometheus Group, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # Version: N-20061022-01 # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. #Comment spam header line SecRule REQUEST_HEADERS "x-aaaaaa.*" SecRule REQUEST_BODY "X-AAAAAA.*" #check for bad meta characters in User-Agent field #SecRule HTTP_User-Agent ".*\'" #XSS in the UA field SecRule HTTP_User-Agent "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)" #PHP code injection attack SecRule HTTP_User-Agent "(<\?php|<[[:space:]]*\?[[:space:]]*php)" SecRule HTTP_User-Agent ".*HTTP_GET_VARS" #recursion attack in UA field SecRule HTTP_User-Agent "\.\./\.\." #May cause false positives with some software, comment out if it does #SecRule REMOTE_ADDR "!^127\.0\.0\.1$" "chain,id:390000,rev:1,severity:1,msg:'Suspicious Automated or Manual Request'" #SecRule "HTTP_User-Agent|HTTP_HOST|HTTP_Accept" "^$" #Exploit agent SecRule HTTP_User-Agent "Mosiac 1\.*" #Bad agent SecRule HTTP_User-Agent "Brutus/AET" #CGI vuln scan tool SecRule HTTP_User-Agent cgichk SecRule HTTP_User-Agent "DataCha0s/2\.0" #Damn fine UA SecRule HTTP_User-Agent ".*THIS IS AN EXPLOIT*" SecRule HTTP_User-Agent "Morzilla" #CIRT.DK Webroot auditing tool SecRule HTTP_User-Agent ".*WebRoot " #Exploit UA SecRule HTTP_User-Agent ".*T H A T \' S G O T T A H U R T*" #XML RPC exploit tool SecRule HTTP_User-Agent "xmlrpc exploit*" #A friendly little exploit banner for a WP vuln SecRule HTTP_User-Agent "Wordpress Hash Grabber" #Blocks scripts SecRule HTTP_User-Agent lwp #Web leaches SecRule HTTP_User-Agent "Web Downloader" SecRule HTTP_User-Agent WebZIP SecRule HTTP_User-Agent WebCopier SecRule HTTP_User-Agent Webster SecRule HTTP_User-Agent WebZIP SecRule HTTP_User-Agent WebStripper SecRule HTTP_User-Agent "teleport pro" SecRule HTTP_User-Agent combine SecRule HTTP_User-Agent "Black Hole" SecRule HTTP_User-Agent "SiteSnagger" SecRule HTTP_User-Agent "ProWebWalker" SecRule HTTP_User-Agent "CheeseBot" #Bogus Mozilla UA lines SecRule HTTP_User-Agent "Mozilla/(4|5)\.0$" SecRule HTTP_User-Agent "Mozilla/3\.Mozilla/2\.01$" #Bogus IE UA line SecRule HTTP_User-Agent "Microsoft Internet Explorer/5\.0$" #Bogus UA SecRule HTTP_User-Agent "FooBar/42" #Nessus Vuln scanner UA SecRule HTTP_User-Agent "Mozilla.*Nessus" #Nikto vuln scanner UA SecRule HTTP_User-Agent ".*Nikto" #BAd/Bogus UAs SecRule HTTP_User-Agent "Indy Library" SecRule HTTP_User-Agent "Faxobot" SecRule HTTP_User-Agent ".*SAFEXPLORER TL" #Spam spinder UAs SecRule HTTP_User-Agent ".*fantomBrowser" SecRule HTTP_User-Agent ".*fantomCrew Browser" #VB development library used by many spammers, might block legite VBscripts #comment out if you have problems SecRule HTTP_User-Agent "Crescent Internet ToolPak" #Borland Delphi signature, as above, comment out if it gives you problems #spammers sometimes use these UAs SecRule HTTP_User-Agent "NEWT ActiveX\; Win32" SecRule HTTP_User-Agent "Mozilla.*NEWT" #Part of the Microsoft MSINET.OCX, as above, spammers sometimes use this, if #it causes problems, comment out. If you are a member of the Microsoft Site #Builder Network, you probably do NOT want to block this ID. #SecRule HTTP_User-Agent "Microsoft URL Control" #SecRule HTTP_User-Agent "^Microsoft URL" #e-mail collectors and spammers SecRule HTTP_User-Agent "WebBandit" SecRule HTTP_User-Agent "WEBMOLE" SecRule HTTP_User-Agent "Telesoft*" SecRule HTTP_User-Agent "WebEMailExtractor" SecRule HTTP_User-Agent "CherryPicker*" SecRule HTTP_User-Agent NICErsPRO SecRule HTTP_User-Agent "Advanced Email Extractor*" SecRule HTTP_User-Agent EmailSiphon SecRule HTTP_User-Agent Extractorpro SecRule HTTP_User-Agent webbandit SecRule HTTP_User-Agent EmailCollector SecRule HTTP_User-Agent "WebEMailExtrac*" SecRule HTTP_User-Agent EmailWolf #Spiders that eat up bandwidth for their customers #Not a spammer, just a spider, comment out if you like SecRule HTTP_User-Agent "CopyRightCheck" SecRule HTTP_User-Agent "CopyGuard" SecRule HTTP_User-Agent "Digimarc WebReader" #MArketing spiders SecRule HTTP_User-Agent "Zeus .*Webster Pro*" #Poker spam SecRule HTTP_User-Agent "8484 Boston Project" #collectors SecRule HTTP_User-Agent "autoemailspider" SecRule HTTP_User-Agent "ecollector" SecRule HTTP_User-Agent "grub crawler" #referrer spam, not the real weblogs SecRule HTTP_User-Agent "^www\.weblogs\.com" #spam bots SecRule HTTP_User-Agent "DTS Agent" SecRule HTTP_User-Agent "POE-Component-Client" SecRule HTTP_User-Agent "WISEbot" SecRule HTTP_User-Agent "^Shockwave Flash" SecRule HTTP_User-Agent "Missigua" #comment spam sign SecRule HTTP_User-Agent "compatible \; MSIE" #Some regexps to catch silly bots SecRule REQUEST_URI "!/ps(zones\|comp).txt1" chain SecRule HTTP_User-Agent "^(google|i?explorer?\.exe|(MS)?IE( [0-9.]+)?[ ]?(Compatible( Browser)?)?)$" SecRule HTTP_User-Agent "^(Mozilla( [0-9.]+)?[ ]?\((Windows|Linux|(IE )?Compatible)\))$" SecRule HTTP_User-Agent "^Mozilla/5\.0 \(X11; U; Linux i686; en-US; rv\:0\.9\.6\+\) Gecko/2001112$" SecRule HTTP_User-Agent "^Mozilla/[0-9.]+ \(compatible; MSIE [0-9.]+; Windows( NT)?( [0-9.]*)?;[0-9./ ]*\)?$" SecRule HTTP_User-Agent "^Mozilla/.+[. ]+$" #spammer SecRule HTTP_User-Agent "Butch__2\.1\.1" SecRule HTTP_User-Agent "agdm79@mail\.ru" #Fake Gameboy UA SecRule HTTP_User-Agent "GameBoy\, Powered by Nintendo" #bogus amiga UA SecRule HTTP_User-Agent "Amiga-AWeb/3\.4" #exploit UA SecRule HTTP_User-Agent "Internet Ninja x\.0" #bogus googlebot UA SecRule HTTP_User-Agent "Nokia-WAPToolkit.* googlebot.*googlebot" #recently caught sending spam referrals, from their actual crawler IP SecRule HTTP_User-Agent "BecomeBot" #Suverybot #SecRule HTTP_User-Agent "SurveyBot" #exploit SecRule HTTP_User-Agent "S\.T\.A\.L\.K\.E\.R\." SecRule HTTP_User-Agent "NeuralBot/0\.2" SecRule HTTP_User-Agent "Kenjin Spider" #WebvulnScan SecRule HTTP_User-Agent "WebVulnScan" #broken spam tool SecRule HTTP_User-Agent "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows NT 5\.1$" #PHPBB worm UA SecRule HTTP_User-Agent "INTERNET EXPLOITER SUX" #fake UA SecRule HTTP_User-Agent "Windows-Update-Agent" #exploit SecRule HTTP_User-Agent "Internet-exprorer" # Bad Spider SecRule HTTP_User-Agent "hl_ftien_spider" # PMAFind SecRule HTTP_User-Agent "PMAFind"