# http://www.gotroot.com/mod_security+rules # Gotroot.com ModSecurity rules # User Agent Security Rules # # Download from: http://www.gotroot.com/downloads/ftp/mod_security/useragents.conf # # Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com) # Copyright 2005 and 2006 by the Michael Shinn and the Prometheus Group, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # modsecurity is a trademark of Thinking Stone, Ltd. # # Version: N-20061014-01 # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. #Comment spam header line SecFilter "x-aaaaaa.*" SecFilterSelective POST_PAYLOAD "X-AAAAAA.*" #check for bad meta characters in User-Agent field #SecFilterSelective HTTP_USER_AGENT ".*\'" #XSS in the UA field SecFilterSelective HTTP_USER_AGENT "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)" #PHP code injection attack SecFilterSelective HTTP_USER_AGENT "(<\?php|<[[:space:]]*\?[[:space:]]*php)" SecFilterSelective HTTP_USER_AGENT ".*HTTP_GET_VARS" #recursion attack in UA field SecFilterSelective HTTP_USER_AGENT "\.\./\.\." #May cause false positives with some software, comment out if it does #SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$" "chain,id:390000,rev:1,severity:1,msg:'Suspicious Automated or Manual Request'" #SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST|HTTP_Accept" "^$" #Exploit agent SecFilterSelective HTTP_USER_AGENT "Mosiac 1\.*" #Bad agent SecFilterSelective HTTP_USER_AGENT "Brutus/AET" #CGI vuln scan tool SecFilterSelective HTTP_USER_AGENT cgichk SecFilterSelective HTTP_USER_AGENT "DataCha0s/2\.0" #Damn fine UA SecFilterSelective HTTP_USER_AGENT ".*THIS IS AN EXPLOIT*" SecFilterSelective HTTP_USER_AGENT "Morzilla" #CIRT.DK Webroot auditing tool SecFilterSelective HTTP_USER_AGENT ".*WebRoot " #Exploit UA SecFilterSelective HTTP_USER_AGENT ".*T H A T \' S G O T T A H U R T*" #XML RPC exploit tool SecFilterSelective HTTP_USER_AGENT "xmlrpc exploit*" #A friendly little exploit banner for a WP vuln SecFilterSelective HTTP_USER_AGENT "Wordpress Hash Grabber" #Blocks scripts SecFilterSelective HTTP_USER_AGENT lwp #Web leaches SecFilterSelective HTTP_USER_AGENT "Web Downloader" SecFilterSelective HTTP_USER_AGENT WebZIP SecFilterSelective HTTP_USER_AGENT WebCopier SecFilterSelective HTTP_USER_AGENT Webster SecFilterSelective HTTP_USER_AGENT WebZIP SecFilterSelective HTTP_USER_AGENT WebStripper SecFilterSelective HTTP_USER_AGENT "teleport pro" SecFilterSelective HTTP_USER_AGENT combine SecFilterSelective HTTP_USER_AGENT "Black Hole" SecFilterSelective HTTP_USER_AGENT "SiteSnagger" SecFilterSelective HTTP_USER_AGENT "ProWebWalker" SecFilterSelective HTTP_USER_AGENT "CheeseBot" #Bogus Mozilla UA lines SecFilterSelective HTTP_USER_AGENT "Mozilla/(4|5)\.0$" SecFilterSelective HTTP_USER_AGENT "Mozilla/3\.Mozilla/2\.01$" #Bogus IE UA line SecFilterSelective HTTP_USER_AGENT "Microsoft Internet Explorer/5\.0$" #Bogus UA SecFilterSelective HTTP_USER_AGENT "FooBar/42" #Nessus Vuln scanner UA SecFilterSelective HTTP_USER_AGENT "Mozilla.*Nessus" #Nikto vuln scanner UA SecFilterSelective HTTP_USER_AGENT ".*Nikto" #BAd/Bogus UAs SecFilterSelective HTTP_USER_AGENT "Indy Library" SecFilterSelective HTTP_USER_AGENT "Faxobot" SecFilterSelective HTTP_USER_AGENT ".*SAFEXPLORER TL" #Spam spinder UAs SecFilterSelective HTTP_USER_AGENT ".*fantomBrowser" SecFilterSelective HTTP_USER_AGENT ".*fantomCrew Browser" #VB development library used by many spammers, might block legite VBscripts #comment out if you have problems SecFilterSelective HTTP_USER_AGENT "Crescent Internet ToolPak" #Borland Delphi signature, as above, comment out if it gives you problems #spammers sometimes use these UAs SecFilterSelective HTTP_USER_AGENT "NEWT ActiveX\; Win32" SecFilterSelective HTTP_USER_AGENT "Mozilla.*NEWT" #Part of the Microsoft MSINET.OCX, as above, spammers sometimes use this, if #it causes problems, comment out. If you are a member of the Microsoft Site #Builder Network, you probably do NOT want to block this ID. #SecFilterSelective HTTP_USER_AGENT "Microsoft URL Control" #SecFilterSelective HTTP_USER_AGENT "^Microsoft URL" #e-mail collectors and spammers SecFilterSelective HTTP_USER_AGENT "WebBandit" SecFilterSelective HTTP_USER_AGENT "WEBMOLE" SecFilterSelective HTTP_USER_AGENT "Telesoft*" SecFilterSelective HTTP_USER_AGENT "WebEMailExtractor" SecFilterSelective HTTP_USER_AGENT "CherryPicker*" SecFilterSelective HTTP_USER_AGENT NICErsPRO SecFilterSelective HTTP_USER_AGENT "Advanced Email Extractor*" SecFilterSelective HTTP_USER_AGENT EmailSiphon SecFilterSelective HTTP_USER_AGENT Extractorpro SecFilterSelective HTTP_USER_AGENT webbandit SecFilterSelective HTTP_USER_AGENT EmailCollector SecFilterSelective HTTP_USER_AGENT "WebEMailExtrac*" SecFilterSelective HTTP_USER_AGENT EmailWolf #Spiders that eat up bandwidth for their customers #Not a spammer, just a spider, comment out if you like SecFilterSelective HTTP_USER_AGENT "CopyRightCheck" SecFilterSelective HTTP_USER_AGENT "CopyGuard" SecFilterSelective HTTP_USER_AGENT "Digimarc WebReader" #MArketing spiders SecFilterSelective HTTP_USER_AGENT "Zeus .*Webster Pro*" #Poker spam SecFilterSelective HTTP_USER_AGENT "8484 Boston Project" #collectors SecFilterSelective HTTP_USER_AGENT "autoemailspider" SecFilterSelective HTTP_USER_AGENT "ecollector" SecFilterSelective HTTP_USER_AGENT "grub crawler" #referrer spam, not the real weblogs SecFilterSelective HTTP_USER_AGENT "^www\.weblogs\.com" #spam bots SecFilterSelective HTTP_USER_AGENT "DTS Agent" SecFilterSelective HTTP_USER_AGENT "POE-Component-Client" SecFilterSelective HTTP_USER_AGENT "WISEbot" SecFilterSelective HTTP_USER_AGENT "^Shockwave Flash" SecFilterSelective HTTP_USER_AGENT "Missigua" #comment spam sign SecFilterSelective HTTP_USER_AGENT "compatible \; MSIE" #Some regexps to catch silly bots SecFilterSelective REQUEST_URI "!/ps(zones\|comp).txt1" chain SecFilterSelective HTTP_USER_AGENT "^(google|i?explorer?\.exe|(MS)?IE( [0-9.]+)?[ ]?(Compatible( Browser)?)?)$" SecFilterSelective HTTP_USER_AGENT "^(Mozilla( [0-9.]+)?[ ]?\((Windows|Linux|(IE )?Compatible)\))$" SecFilterSelective HTTP_USER_AGENT "^Mozilla/5\.0 \(X11; U; Linux i686; en-US; rv\:0\.9\.6\+\) Gecko/2001112$" SecFilterSelective HTTP_USER_AGENT "^Mozilla/[0-9.]+ \(compatible; MSIE [0-9.]+; Windows( NT)?( [0-9.]*)?;[0-9./ ]*\)?$" SecFilterSelective HTTP_USER_AGENT "^Mozilla/.+[. ]+$" #spammer SecFilterSelective HTTP_USER_AGENT "Butch__2\.1\.1" SecFilterSelective HTTP_USER_AGENT "agdm79@mail\.ru" #Fake Gameboy UA SecFilterSelective HTTP_USER_AGENT "GameBoy\, Powered by Nintendo" #bogus amiga UA SecFilterSelective HTTP_USER_AGENT "Amiga-AWeb/3\.4" #exploit UA SecFilterSelective HTTP_USER_AGENT "Internet Ninja x\.0" #bogus googlebot UA SecFilterSelective HTTP_USER_AGENT "Nokia-WAPToolkit.* googlebot.*googlebot" #recently caught sending spam referrals, from their actual crawler IP SecFilterSelective HTTP_USER_AGENT "BecomeBot" #Suverybot #SecFilterSelective HTTP_USER_AGENT "SurveyBot" #exploit SecFilterSelective HTTP_USER_AGENT "S\.T\.A\.L\.K\.E\.R\." SecFilterSelective HTTP_USER_AGENT "NeuralBot/0\.2" SecFilterSelective HTTP_USER_AGENT "Kenjin Spider" #WebvulnScan SecFilterSelective HTTP_USER_AGENT "WebVulnScan" #broken spam tool SecFilterSelective HTTP_USER_AGENT "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows NT 5\.1$" #PHPBB worm UA SecFilterSelective HTTP_USER_AGENT "INTERNET EXPLOITER SUX" #fake UA SecFilterSelective HTTP_USER_AGENT "Windows-Update-Agent" #exploit SecFilterSelective HTTP_USER_AGENT "Internet-exprorer" # Bad Spider SecFilterSelective HTTP_USER_AGENT "hl_ftien_spider" # PMAFind SecFilterSelective HTTP_USER_AGENT "PMAFind" #MS WebDav #If you do not allow webdav, this is useful to catch some webdav PUT attacks SecFilterSelective HTTP_USER_AGENT "Microsoft Data Access Internet Publishing Provider"