# http://www.atomicorp.com/ # Atomicorp (Gotroot.com) ModSecurity rules # User Agent Security Rules for modsec 2.x # # Created by the Prometheus Group (http://www.prometheus-group.com) # Copyright 2005,2006 and 2007 by the Prometheus Group, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. # Rule 330001: Comment spam header line SecRule REQUEST_HEADERS "x-aaaaaa.*" \ "id:330001,rev:1,severity:2,msg:'Spam: Generic spam header detected'" # Rule 330002: Comment spam header line SecRule REQUEST_BODY "X-AAAAAA.*" \ "id:330002,rev:1,severity:2,msg:'Spam: Generic spam header detected'" #check for bad meta characters in User-Agent field #SecRule REQUEST_HEADERS:User-Agent ".*\'" # Rule 330003: XSS in the UA field SecRule REQUEST_HEADERS:User-Agent "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)" \ "id:330003,rev:1,severity:2,msg:'XSS in User Agent field'" # Rule 330004: PHP code injection attack SecRule REQUEST_HEADERS:User-Agent "(<\?php|<[[:space:]]*\?[[:space:]]*php)" \ "id:330004,rev:1,severity:2,msg:'PHP code injection via User Agent'" # Rule 330005: PHP code injection attack SecRule REQUEST_HEADERS:User-Agent ".*HTTP_GET_VARS" \ "id:330005,rev:1,severity:2,msg:'PHP code injection via User Agent 2'" # Rule 330006: recursion attack in UA field SecRule REQUEST_HEADERS:User-Agent "\.\./\.\." \ "id:330006,rev:1,severity:2,msg:'recursion attack in UA field'" #May cause false positives with some software, comment out if it does #SecRule REMOTE_ADDR "!^127\.0\.0\.1$" "chain,id:390000,rev:1,severity:1,msg:'Suspicious Automated or Manual Request'" #SecRule "REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Host|REQUEST_HEADERS:Accept" "^$" # Rule 330007: Exploit agent SecRule REQUEST_HEADERS:User-Agent "Mosiac 1\.*" \ "id:330007,rev:1,severity:2,msg:'Exploit agent indicater in UA'" # Rule 330008: Bad agent SecRule REQUEST_HEADERS:User-Agent "Brutus/AET" \ "id:330008,rev:1,severity:2,msg:'Bad User Agent: Brutus/AET'" # Rule 330009: CGI vuln scan tool SecRule REQUEST_HEADERS:User-Agent "cgichk" \ "id:330009,rev:1,severity:2,msg:'Bad User Agent: CGICHK vulnerabilty scanner'" # Rule 330010: DataCha0s SecRule REQUEST_HEADERS:User-Agent "DataCha0s/2\.0" \ "id:330010,rev:1,severity:2,msg:'Bad User Agent: DataCha0s'" # Rule 330011: Damn fine UA SecRule REQUEST_HEADERS:User-Agent ".*THIS IS AN EXPLOIT*" \ "id:330011,rev:1,severity:2,msg:'Bad User Agent: Damn fine UA'" # Rule 330012: Damn fine UA SecRule REQUEST_HEADERS:User-Agent "Morzilla" \ "id:330012,rev:1,severity:2,msg:'Bad User Agent: Damn fine UA'" # Rule 330013: CIRT.DK Webroot auditing tool SecRule REQUEST_HEADERS:User-Agent ".*WebRoot " \ "id:330013,rev:1,severity:2,msg:'Bad User Agent: Webroot vulnerabilty scanner'" # Rule 330014: Exploit UA SecRule REQUEST_HEADERS:User-Agent ".*T H A T \' S G O T T A H U R T*" \ "id:330014,rev:1,severity:2,msg:'Bad User Agent: GOTTA HURT'" # Rule 330014: XML RPC exploit tool SecRule REQUEST_HEADERS:User-Agent "xmlrpc exploit*" \ "id:330015,rev:1,severity:2,msg:'Bad User Agent: XMLRPC exploit tool'" # Rule 330016: A friendly little exploit banner for a WP vuln SecRule REQUEST_HEADERS:User-Agent "Wordpress Hash Grabber" \ "id:330016,rev:1,severity:2,msg:'Bad User Agent: Wordpress hash grabber'" # Rule 330017: Blocks scripts SecRule REQUEST_URI "!^/webprobilling/pipe/pop\.php$" \ "chain,id:330017,rev:2,severity:2,msg:'Suspicious User Agent: lwp'" SecRule REQUEST_HEADERS:User-Agent lwp # Rule 330018: Web leaches SecRule REQUEST_HEADERS:User-Agent "Suspicious User Agent: Web Downloader" \ "id:330018,rev:1,severity:2,msg:'Web leech: Web Downloader'" # Rule 330019: Web leaches SecRule REQUEST_HEADERS:User-Agent WebZIP # Rule 330020: Web leaches SecRule REQUEST_HEADERS:User-Agent WebCopier # Rule 330021: Web leaches SecRule REQUEST_HEADERS:User-Agent Webster # Rule 330023: Web leaches SecRule REQUEST_HEADERS:User-Agent WebStripper # Rule 330034: Web leaches SecRule REQUEST_HEADERS:User-Agent "teleport pro" # Rule 330025: Web leaches SecRule REQUEST_HEADERS:User-Agent combine # Rule 330026: Web leaches SecRule REQUEST_HEADERS:User-Agent "Black Hole" # Rule 330027: Web leaches SecRule REQUEST_HEADERS:User-Agent "SiteSnagger" # Rule 330028: Web leaches SecRule REQUEST_HEADERS:User-Agent "ProWebWalker" # Rule 330029: Web leaches SecRule REQUEST_HEADERS:User-Agent "CheeseBot" # Rule 330030: Bogus Mozilla UA lines SecRule REQUEST_HEADERS:User-Agent "Mozilla/(4|5)\.0$" # Rule 330031: Bogus Mozilla UA lines SecRule REQUEST_HEADERS:User-Agent "Mozilla/3\.Mozilla/2\.01$" # Rule 330032: Bogus IE UA line SecRule REQUEST_HEADERS:User-Agent "Microsoft Internet Explorer/5\.0$" # Rule 330033: Bogus UA SecRule REQUEST_HEADERS:User-Agent "FooBar/42" # Rule 330034: Nessus Vuln scanner UA SecRule REQUEST_HEADERS:User-Agent "Mozilla.*Nessus" # Rule 330035: Nikto vuln scanner UA SecRule REQUEST_HEADERS:User-Agent ".*Nikto" # Rule 330036: BAd/Bogus UAs SecRule REQUEST_HEADERS:User-Agent "Indy Library" # Rule 330037: BAd/Bogus UAs SecRule REQUEST_HEADERS:User-Agent "Faxobot" # Rule 330038: BAd/Bogus UAs SecRule REQUEST_HEADERS:User-Agent ".*SAFEXPLORER TL" # Rule 330039: Spam spinder UAs SecRule REQUEST_HEADERS:User-Agent ".*fantomBrowser" # Rule 330040: Spam spinder UAs SecRule REQUEST_HEADERS:User-Agent ".*fantomCrew Browser" # Rule 330041:VB development library used by many spammers, might block legite VBscripts #comment out if you have problems SecRule REQUEST_HEADERS:User-Agent "Crescent Internet ToolPak" # Rule 330042: Borland Delphi signature, as above, comment out if it gives you problems #spammers sometimes use these UAs SecRule REQUEST_HEADERS:User-Agent "NEWT ActiveX\; Win32" # Rule 330043: Borland Delphi signature, as above, comment out if it gives you problems SecRule REQUEST_HEADERS:User-Agent "Mozilla.*NEWT" #Part of the Microsoft MSINET.OCX, as above, spammers sometimes use this, if #it causes problems, comment out. If you are a member of the Microsoft Site #Builder Network, you probably do NOT want to block this ID. #SecRule REQUEST_HEADERS:User-Agent "Microsoft URL Control" #SecRule REQUEST_HEADERS:User-Agent "^Microsoft URL" # Rule 330044: e-mail collectors and spammers SecRule REQUEST_HEADERS:User-Agent "WebBandit" # Rule 330045: e-mail collectors and spammers SecRule REQUEST_HEADERS:User-Agent "WEBMOLE" # Rule 330046: e-mail collectors and spammers SecRule REQUEST_HEADERS:User-Agent "Telesoft*" # Rule 330047: e-mail collectors and spammers SecRule REQUEST_HEADERS:User-Agent "WebEMailExtractor" # Rule 330048: e-mail collectors and spammers SecRule REQUEST_HEADERS:User-Agent "CherryPicker*" # Rule 330049: e-mail collectors and spammers SecRule REQUEST_HEADERS:User-Agent NICErsPRO # Rule 330050: e-mail collectors and spammers SecRule REQUEST_HEADERS:User-Agent "Advanced Email Extractor*" # Rule 330051: e-mail collectors and spammers SecRule REQUEST_HEADERS:User-Agent EmailSiphon # Rule 330052: e-mail collectors and spammers SecRule REQUEST_HEADERS:User-Agent Extractorpro # Rule 330053: e-mail collectors and spammers SecRule REQUEST_HEADERS:User-Agent webbandit # Rule 330054: e-mail collectors and spammers SecRule REQUEST_HEADERS:User-Agent EmailCollector # Rule 330055: e-mail collectors and spammers SecRule REQUEST_HEADERS:User-Agent "WebEMailExtrac*" # Rule 330056: e-mail collectors and spammers SecRule REQUEST_HEADERS:User-Agent EmailWolf #Spiders that eat up bandwidth for their customers # Rule 330057: Not a spammer, just a spider, comment out if you like SecRule REQUEST_HEADERS:User-Agent "CopyRightCheck" # Rule 330058: Not a spammer, just a spider, comment out if you like SecRule REQUEST_HEADERS:User-Agent "CopyGuard" # Rule 330059: Not a spammer, just a spider, comment out if you like SecRule REQUEST_HEADERS:User-Agent "Digimarc WebReader" # Rule 330060: MArketing spiders SecRule REQUEST_HEADERS:User-Agent "Zeus .*Webster Pro*" # Rule 330061: Poker spam SecRule REQUEST_HEADERS:User-Agent "8484 Boston Project" # Rule 330062: collectors SecRule REQUEST_HEADERS:User-Agent "autoemailspider" # Rule 330063: collectors SecRule REQUEST_HEADERS:User-Agent "ecollector" # Rule 330064: collectors SecRule REQUEST_HEADERS:User-Agent "grub crawler" # Rule 330065: referrer spam, not the real weblogs SecRule REQUEST_HEADERS:User-Agent "^www\.weblogs\.com" # Rule 330066: spam bots SecRule REQUEST_HEADERS:User-Agent "DTS Agent" # Rule 330067: spam bots SecRule REQUEST_HEADERS:User-Agent "POE-Component-Client" # Rule 330068: spam bots SecRule REQUEST_HEADERS:User-Agent "WISEbot" # Rule 330069: spam bots SecRule REQUEST_URI "!(?:/index\.php/admin/catalog_product_gallery/upload/|/components/com_expose/expose/)" \ "chain, id:330069,rev:3,severity:2,msg:'Suspicious Unusual User Agent (Shockwave Flash)'" SecRule REQUEST_HEADERS:User-Agent "^Shockwave Flash" # Rule 330070: spam bots SecRule REQUEST_HEADERS:User-Agent "Missigua" \ "id:330070,rev:3,severity:2,msg:'Suspicious unusual User Agent'" # Rule 330071: comment spam sign SecRule REQUEST_HEADERS:User-Agent "compatible \; MSIE" \ "id:330071,rev:1,severity:2,msg:'Comment Spammer User Agent (IE)'" # Rule 330072: Some regexps to catch silly bots SecRule REQUEST_URI "!/ps(zones\|comp).txt1" "chain,id:330072,rev:1,severity:2,msg:'Comment Spammer User Agent (IE)'" SecRule REQUEST_HEADERS:User-Agent "^(google|i?explorer?\.exe|(MS)?IE( [0-9.]+)?[ ]?(Compatible( Browser)?)?)$" # Rule 330073: Some regexps to catch silly bots SecRule REQUEST_HEADERS:User-Agent "^(Mozilla( [0-9.]+)?[ ]?\((Windows|Linux|(IE )?Compatible)\))$" \ "id:330073,rev:1,severity:2,msg:'Comment Spammer User Agent (IE)'" # Rule 330074: Some regexps to catch silly bots SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5\.0 \(X11; U; Linux i686; en-US; rv\:0\.9\.6\+\) Gecko/2001112$" \ "id:330074,rev:1,severity:2,msg:'Comment Spammer User Agent (Mozilla)'" # Rule 330075: Some regexps to catch silly bots #SecRule REQUEST_HEADERS:User-Agent "^Mozilla/[0-9.]+ \(compatible; MSIE [0-9.]+; Windows( NT)?( [0-9.]*)?;[0-9./ ]*\)?$" \ # "id:330075,rev:1,severity:2,msg:'Comment Spammer User Agent (IE) 2'" # Rule 330076: Some regexps to catch silly bots SecRule REQUEST_HEADERS:User-Agent "^Mozilla/.+[. ]+$" \ "id:330076,rev:1,severity:2,msg:'Comment Spammer User Agent (Mozilla) 2'" #spammer SecRule REQUEST_HEADERS:User-Agent "Butch__2\.1\.1" \ "id:330077,rev:1,severity:2,msg:'Comment Spammer User Agent'" #spammer SecRule REQUEST_HEADERS:User-Agent "agdm79@mail\.ru" \ "id:330079,rev:1,severity:2,msg:'Comment Spammer User Agent'" #Fake Gameboy UA SecRule REQUEST_HEADERS:User-Agent "GameBoy\, Powered by Nintendo" \ "id:330080,rev:1,severity:2,msg:'Comment Spammer User Agent (Mozilla) 2'" #bogus amiga UA SecRule REQUEST_HEADERS:User-Agent "Amiga-AWeb/3\.4" \ "id:330081,rev:1,severity:2,msg:'Fake Amiga Web Agent'" #exploit UA SecRule REQUEST_HEADERS:User-Agent "Internet Ninja " \ "id:330082,rev:1,severity:2,msg:'Exploit User Agent'" #bogus googlebot UA SecRule REQUEST_HEADERS:User-Agent "Nokia-WAPToolkit.* googlebot.*googlebot" \ "id:330083,rev:1,severity:2,msg:'Fake GoogleBot'" #recently caught sending spam referrals, from their actual crawler IP #SecRule REQUEST_HEADERS:User-Agent "BecomeBot" # "id:330076,rev:1,severity:2,msg:'Comment Spammer User Agent (Mozilla) 2'" #Suverybot #SecRule REQUEST_HEADERS:User-Agent "SurveyBot" #exploit SecRule REQUEST_HEADERS:User-Agent "S\.T\.A\.L\.K\.E\.R\." \ "id:330084,rev:1,severity:2,msg:'Exploit User Agent'" #exploit SecRule REQUEST_HEADERS:User-Agent "NeuralBot/0\.2" \ "id:330085,rev:1,severity:2,msg:'Exploit User Agent'" #exploit SecRule REQUEST_HEADERS:User-Agent "Kenjin Spider" \ "id:330086,rev:1,severity:2,msg:'Exploit User Agent'" #WebvulnScan SecRule REQUEST_HEADERS:User-Agent "WebVulnScan" \ "id:330087,rev:1,severity:2,msg:'WebVulnScan User Agent'" #broken spam tool SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows NT 5\.1$" \ "id:330088,rev:1,severity:2,msg:'Comment Spammer User Agent (Fake Mozilla)'" #PHPBB worm UA SecRule REQUEST_HEADERS:User-Agent "INTERNET EXPLOITER SUX" \ "id:330089,rev:1,severity:2,msg:'Comment Spammer User Agent (Fake Mozilla)'" #fake UA SecRule REQUEST_HEADERS:User-Agent "Windows-Update-Agent" \ "id:330090,rev:1,severity:2,msg:'Comment Spammer User Agent (Fake Windows Update Agent)'" #exploit SecRule REQUEST_HEADERS:User-Agent "Internet-exprorer" \ "id:330091,rev:1,severity:2,msg:'Exploit User Agent'" # Bad Spider SecRule REQUEST_HEADERS:User-Agent "hl_ftien_spider" \ "id:330092,rev:1,severity:2,msg:'Comment Spammer User Agent'" # PMAFind SecRule REQUEST_HEADERS:User-Agent "PMAFind" \ "id:330093,rev:1,severity:2,msg:'Comment Spammer User Agent'" #Morfeus Fucking Scanner SecRule REQUEST_HEADERS:User-Agent "Morfeus Fucking Scanner" \ "id:330094,rev:1,severity:2,msg:'Exploit User Agent (MFS)'" #Vadix bot SecRule REQUEST_HEADERS:User-Agent "Vadixbot" \ "id:330095,rev:1,severity:2,msg:'Vadixbot User Agent String'"