On Thu, Sep 13, 2012 at 4:22 PM, Anders Kvist <and...@kvistmail.dk> wrote:
> On 09/13/2012 03:14 PM, Josh Amishav-Zlatin wrote: > > On Thu, Sep 13, 2012 at 4:03 PM, Anders Kvist <and...@kvistmail.dk>wrote: > >> Hi >> >> I have a lot of hits on rule 990012 - because some of our users >> (everything would be so much easier if they weren't there :)) have the >> following as User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_35 (The >> Java version may vary). >> >> > Hi Anders, > > What version of the CRS are you running? Have you considered building a > more recent version of ModSecurity from source? That would allow you to run > a more up to date version of the CRS as well. > > I have updated to 2.2.5 - ain't that the newest ruleset? > > Hi Anders, My bad then, I based that comment on your previous email. In any case, Ryan B. and I came up with the following which still stops the original bot and lets the requests with 'Windows XP 5.1' in the User-Agent string through: SecRule REQUEST_HEADERS:User-Agent "(Windows XP 5.1)" "phase:1,id:1,nolog,pass,ctl:ruleRemoveTargetById=990012" -- - Josh > /Anders > > > > > > I did a bit of googling and "Windows XP 5.1" is the correct version of >> XP - some sites list this a as bot, some doesn't. If I do a search for >> "Windows XP 5" the results for User-Agents are bot, bot and bot... >> >> Does anyone know if the intensions are to catch only "Windows XP 5" or >> both? >> >> I have added a case to the rule here that allows "Windows XP 5.1" as >> User-Agent, but not "Windows XP 5" - guess the question is if the updated >> rule should be submitted for the next ruleset? >> >> /Anders >> > >
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
