# http://www.gotroot.com/mod_security+rules
# Gotroot.com ModSecurity rules
# User Agent Security Rules for modsec 2.x
#
# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/useragents.conf
#
# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
# Copyright 2005 and 2006 by the Michael Shinn and the Prometheus Group, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Version: N-20061022-01
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.


#Comment spam header line
# Flags requests carrying the "x-aaaaaa" marker in a request header or in the
# request body.
# No rule in this file has an action list, so phase, disposition (deny/pass/log)
# and transformations all come from the SecDefaultAction in effect where this
# file is included.
# NOTE(review): no rule here has an id action; ModSecurity 2.7 and later refuse
# to load a SecRule without a unique id, so ids must be assigned before this
# file is used on a current 2.x engine.
# NOTE(review): REQUEST_HEADERS inspects header values; if the spam marker is a
# header *name*, REQUEST_HEADERS_NAMES is the collection to test - confirm
# against a captured sample. The trailing ".*" adds nothing to an unanchored
# match.
SecRule REQUEST_HEADERS "x-aaaaaa.*"
# REQUEST_BODY is only populated when request body access is enabled.
# The header rule is written in lower case and this one in upper case; whether
# either also matches the other spelling depends on inherited transformations
# (e.g. t:lowercase) - verify.
SecRule REQUEST_BODY "X-AAAAAA.*"

#check for bad meta characters in User-Agent field
# Disabled: as written it would flag any User-Agent containing a single quote.
#SecRule HTTP_User-Agent ".*\'"

#XSS in the UA field
# The User-Agent value is fully client-controlled and is routinely written to
# logs and shown in statistics/admin pages, so markup in it is treated as hostile.
# NOTE(review): HTTP_User-Agent is the ModSecurity 1.x-style name for this
# header; 2.x documentation spells it REQUEST_HEADERS:User-Agent - confirm the
# engine in use still accepts the alias.
# NOTE(review): the pattern requires two tag occurrences and allows at most one
# character on either side of the tag name, so it is a narrow signature, not a
# substitute for output encoding wherever the UA is displayed.
SecRule HTTP_User-Agent "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)"

#PHP code injection attack
# Matches a PHP open tag ("<?php", optionally with whitespace around the "?")
# anywhere in the UA.
SecRule HTTP_User-Agent "(<\?php|<[[:space:]]*\?[[:space:]]*php)" 
# Substring match on "HTTP_GET_VARS"; the leading ".*" is redundant on an
# unanchored regex.
SecRule HTTP_User-Agent ".*HTTP_GET_VARS"

#recursion attack in UA field
# Matches the directory traversal sequence "../.." anywhere in the UA.
SecRule HTTP_User-Agent "\.\./\.\."

#May cause false positives with some software, comment out if it does
# Disabled chained pair: for any client other than 127.0.0.1, flag an empty
# User-Agent, Host or Accept header.
# NOTE(review): "^$" matches a header that is present but empty; a header that
# is absent altogether is probably not matched - verify before re-enabling.
#SecRule REMOTE_ADDR "!^127\.0\.0\.1$" "chain,id:390000,rev:1,severity:1,msg:'Suspicious Automated or Manual Request'"
#SecRule "HTTP_User-Agent|HTTP_HOST|HTTP_Accept" "^$"

# The rules below are literal signatures for the default User-Agent of specific
# tools. The header is client-controlled, so they only catch clients that leave
# the default in place; treat hits as noise reduction, not as a control.

#Exploit agent
# NOTE(review): "\.*" means "zero or more literal dots", so this is effectively
# the substring "Mosiac 1". The spelling "Mosiac" is presumably the tool's own -
# confirm before "correcting" it.
SecRule HTTP_User-Agent "Mosiac 1\.*"

#Bad agent
SecRule HTTP_User-Agent "Brutus/AET"

#CGI vuln scan tool
SecRule HTTP_User-Agent cgichk
SecRule HTTP_User-Agent "DataCha0s/2\.0"

#Damn fine UA
# NOTE(review): the trailing "*" is a regex quantifier on the final "T" only
# (glob-style habit); the same applies to the other patterns in this file that
# end in "*".
SecRule HTTP_User-Agent ".*THIS IS AN EXPLOIT*"
SecRule HTTP_User-Agent "Morzilla"

#CIRT.DK Webroot auditing tool
# The trailing space inside the quotes is part of the pattern.
SecRule HTTP_User-Agent ".*WebRoot "

#Exploit UA
# NOTE(review): the pattern contains double spaces between words; if the
# inherited default action applies t:compressWhitespace the input will never
# contain them and this rule cannot match - verify.
SecRule HTTP_User-Agent ".*T H A T \' S  G O T T A  H U R T*"

#XML RPC exploit tool
SecRule HTTP_User-Agent "xmlrpc exploit*"

#A friendly little exploit banner for a WP vuln
SecRule HTTP_User-Agent "Wordpress Hash Grabber"

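#Blocks scripts
# NOTE(review): bare substring match on "lwp"; whether it also catches
# "LWP::..." or "libwww-perl" depends on case handling and on what the client
# actually sends - verify against real traffic.
SecRule HTTP_User-Agent lwp

#Web leeches (site-mirroring / offline-download tools)
# Each rule is an unanchored substring match on the User-Agent.
# WebZIP was listed twice in this group; the duplicate rule has been dropped,
# which does not change what is matched.
SecRule HTTP_User-Agent "Web Downloader"
SecRule HTTP_User-Agent WebZIP
SecRule HTTP_User-Agent WebCopier
SecRule HTTP_User-Agent Webster
SecRule HTTP_User-Agent WebStripper
SecRule HTTP_User-Agent "teleport pro"
# NOTE(review): "combine" is an ordinary word and matches anywhere in the UA;
# expect false positives on any product whose UA contains it.
SecRule HTTP_User-Agent combine
SecRule HTTP_User-Agent "Black Hole"
SecRule HTTP_User-Agent "SiteSnagger"
SecRule HTTP_User-Agent "ProWebWalker"
SecRule HTTP_User-Agent "CheeseBot"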

#Bogus Mozilla UA lines
# UA that ends immediately after "Mozilla/4.0" or "Mozilla/5.0" (no platform
# details). Not anchored at the start, so any UA ending this way matches.
SecRule HTTP_User-Agent "Mozilla/(4|5)\.0$"
SecRule HTTP_User-Agent "Mozilla/3\.Mozilla/2\.01$"

#Bogus IE UA line
SecRule HTTP_User-Agent "Microsoft Internet Explorer/5\.0$"

#Bogus UA
SecRule HTTP_User-Agent "FooBar/42"

# The two scanner rules below only catch scans run with the tool's default
# User-Agent; they do not indicate that a host is protected against the
# checks those scanners perform.

#Nessus Vuln scanner UA
SecRule HTTP_User-Agent "Mozilla.*Nessus"

#Nikto vuln scanner UA
SecRule HTTP_User-Agent ".*Nikto"

#Bad/Bogus UAs
# NOTE(review): "Indy Library" is the default UA of a general-purpose
# Delphi/C++Builder networking library, so legitimate client applications may
# be caught as well - review hits before enforcing.
SecRule HTTP_User-Agent "Indy Library"
SecRule HTTP_User-Agent "Faxobot"
SecRule HTTP_User-Agent ".*SAFEXPLORER TL"

#Spam spider UAs
SecRule HTTP_User-Agent ".*fantomBrowser"
SecRule HTTP_User-Agent ".*fantomCrew Browser"

#VB development library used by many spammers; might block legitimate VB scripts,
#comment out if you have problems
SecRule HTTP_User-Agent "Crescent Internet ToolPak"

#Borland Delphi signature; as above, comment out if it gives you problems.
#Spammers sometimes use these UAs
SecRule HTTP_User-Agent "NEWT ActiveX\; Win32"
SecRule HTTP_User-Agent "Mozilla.*NEWT"

#Part of the Microsoft MSINET.OCX; as above, spammers sometimes use this. If
#it causes problems, comment out.  If you are a member of the Microsoft Site
#Builder Network, you probably do NOT want to block this ID.
# Both rules are shipped disabled.
#SecRule HTTP_User-Agent "Microsoft URL Control"
#SecRule HTTP_User-Agent  "^Microsoft URL"

#e-mail collectors and spammers
# Unanchored substring signatures for address-harvesting tools.
# NOTE(review): "WebBandit" and "webbandit" are both listed, which suggests
# matching is expected to be case-sensitive; whether the mixed-case patterns
# elsewhere in this file match then depends on the transformations (e.g.
# t:lowercase) inherited from SecDefaultAction - confirm.
# NOTE(review): patterns ending in "*" quantify only their last character
# (e.g. "Telesoft*" matches "Telesof"); "WebEMailExtrac*" therefore already
# covers everything "WebEMailExtractor" matches.
SecRule HTTP_User-Agent "WebBandit"
SecRule HTTP_User-Agent "WEBMOLE"
SecRule HTTP_User-Agent "Telesoft*"
SecRule HTTP_User-Agent "WebEMailExtractor"
SecRule HTTP_User-Agent "CherryPicker*"
SecRule HTTP_User-Agent NICErsPRO
SecRule HTTP_User-Agent "Advanced Email Extractor*"
SecRule HTTP_User-Agent EmailSiphon
SecRule HTTP_User-Agent Extractorpro
SecRule HTTP_User-Agent webbandit
SecRule HTTP_User-Agent EmailCollector
SecRule HTTP_User-Agent "WebEMailExtrac*"
SecRule HTTP_User-Agent EmailWolf

#Spiders that eat up bandwidth for their customers
#Not a spammer, just a spider, comment out if you like
# These are policy blocks (bandwidth), not attack signatures.
SecRule HTTP_User-Agent "CopyRightCheck"
SecRule HTTP_User-Agent "CopyGuard"
SecRule HTTP_User-Agent "Digimarc WebReader"

#Marketing spiders
# "Zeus " followed later by "Webster Pr" (the trailing "*" quantifies only "o").
SecRule HTTP_User-Agent  "Zeus .*Webster Pro*"

#Poker spam
SecRule HTTP_User-Agent  "8484 Boston Project"

#collectors
SecRule HTTP_User-Agent  "autoemailspider"
SecRule HTTP_User-Agent  "ecollector"
SecRule HTTP_User-Agent  "grub crawler"

#referrer spam, not the real weblogs
# Anchored at the start: a UA that begins with the site name itself.
SecRule HTTP_User-Agent  "^www\.weblogs\.com"

#spam bots
SecRule HTTP_User-Agent  "DTS Agent"
SecRule HTTP_User-Agent  "POE-Component-Client"
SecRule HTTP_User-Agent  "WISEbot"
# NOTE(review): Flash-based clients (e.g. browser upload widgets) have sent a UA
# starting with "Shockwave Flash"; check for such legitimate traffic before
# enforcing this rule.
SecRule HTTP_User-Agent  "^Shockwave Flash"
SecRule HTTP_User-Agent  "Missigua"

#comment spam sign
# Matches "compatible ; MSIE" with a space before the semicolon, i.e. a
# malformed imitation of the usual "compatible; MSIE" token.
SecRule HTTP_User-Agent  "compatible \; MSIE"

#Some regexps to catch silly bots
# Chained pair: the User-Agent test on the next line is only evaluated when the
# negated REQUEST_URI test is true. Only that one rule is part of the chain;
# the four rules after it are standalone and have no URI exemption.
# NOTE(review): in PCRE "\|" is a literal pipe, not alternation, so the URI
# pattern only matches a path containing the text "zones|comp". The negated
# test is therefore true for practically every request and the exemption
# (presumably meant for /pszones.txt and /pscomp.txt) never applies. The
# unescaped "." and the trailing "1" also look unintended - confirm the
# intended paths before correcting.
SecRule REQUEST_URI "!/ps(zones\|comp).txt1" chain
# Whole-string match on minimal or placeholder UAs such as "google",
# "iexplore.exe", "IE" or "MSIE 6.0 Compatible Browser".
SecRule HTTP_User-Agent "^(google|i?explorer?\.exe|(MS)?IE( [0-9.]+)?[ ]?(Compatible( Browser)?)?)$"
# Whole-string match on "Mozilla", an optional version and a bare
# "(Windows)", "(Linux)", "(Compatible)" or "(IE Compatible)" suffix.
SecRule HTTP_User-Agent "^(Mozilla( [0-9.]+)?[ ]?\((Windows|Linux|(IE )?Compatible)\))$"
# One exact UA string.
SecRule HTTP_User-Agent "^Mozilla/5\.0 \(X11; U; Linux i686; en-US; rv\:0\.9\.6\+\) Gecko/2001112$"
# MSIE-style UA whose Windows token is followed by ";" and then only digits,
# dots, slashes or spaces before an optional closing parenthesis.
SecRule HTTP_User-Agent "^Mozilla/[0-9.]+ \(compatible; MSIE [0-9.]+; Windows( NT)?( [0-9.]*)?;[0-9./ ]*\)?$"
# Any UA that starts with "Mozilla/" and ends in a dot or a space.
SecRule HTTP_User-Agent "^Mozilla/.+[. ]+$"

#spammer
# Literal signatures; the second is an e-mail address seen in the UA field.
SecRule HTTP_User-Agent "Butch__2\.1\.1"
SecRule HTTP_User-Agent "agdm79@mail\.ru"

#Fake Gameboy UA
SecRule HTTP_User-Agent "GameBoy\, Powered by Nintendo"

#bogus amiga UA
SecRule HTTP_User-Agent "Amiga-AWeb/3\.4"

#exploit UA
SecRule HTTP_User-Agent "Internet Ninja x\.0"

#bogus googlebot UA
# Requires "googlebot" twice after a "Nokia-WAPToolkit" prefix.
# NOTE(review): a UA claiming to be a search engine crawler cannot be verified
# from the header alone; these rules only catch this one known-bogus string.
SecRule HTTP_User-Agent "Nokia-WAPToolkit.* googlebot.*googlebot"

#recently caught sending spam referrals, from their actual crawler IP
SecRule HTTP_User-Agent "BecomeBot"

#Surveybot
# Shipped disabled.
#SecRule HTTP_User-Agent "SurveyBot"

#exploit
SecRule HTTP_User-Agent "S\.T\.A\.L\.K\.E\.R\."
SecRule HTTP_User-Agent "NeuralBot/0\.2"
SecRule HTTP_User-Agent "Kenjin Spider"

#WebvulnScan
SecRule HTTP_User-Agent "WebVulnScan"

#broken spam tool
# An MSIE 6 UA that ends right after "Windows NT 5.1", i.e. without the
# closing parenthesis a real browser sends.
SecRule HTTP_User-Agent "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows NT 5\.1$"

#PHPBB worm UA
SecRule HTTP_User-Agent "INTERNET EXPLOITER SUX"

#fake UA
# NOTE(review): "Windows-Update-Agent" is also the UA of the genuine Windows
# Update client; on a host that serves update content to Windows machines this
# rule would flag legitimate traffic - confirm it does not apply here.
SecRule HTTP_User-Agent "Windows-Update-Agent"

#exploit
# The misspelling is presumably the tool's own string - do not "correct" it.
SecRule HTTP_User-Agent "Internet-exprorer"

# Bad Spider
SecRule HTTP_User-Agent "hl_ftien_spider"

# PMAFind
SecRule HTTP_User-Agent "PMAFind"