On 09/13/2012 03:59 PM, Josh Amishav-Zlatin wrote:
On Thu, Sep 13, 2012 at 4:22 PM, Anders Kvist <and...@kvistmail.dk> wrote:

    On 09/13/2012 03:14 PM, Josh Amishav-Zlatin wrote:
    On Thu, Sep 13, 2012 at 4:03 PM, Anders Kvist
    <and...@kvistmail.dk> wrote:

        Hi

        I have a lot of hits on rule 990012 - because some of our
        users (everything would be so much easier if they weren't
        there :)) have the following as User-Agent: Mozilla/4.0
        (Windows XP 5.1) Java/1.6.0_35 (The Java version may vary).


    Hi Anders,

    What version of the CRS are you running? Have you considered
    building a more recent version of ModSecurity from source? That
    would allow you to run a more up to date version of the CRS as well.

    I have updated to 2.2.5 - ain't that the newest ruleset?


Hi Anders,

My bad then, I based that comment on your previous email. In any case, Ryan B. and I came up with the following which still stops the original bot and lets the requests with 'Windows XP 5.1' in the User-Agent string through:

SecRule REQUEST_HEADERS:User-Agent "(Windows XP 5.1)" "phase:1,id:1,nolog,pass,ctl:ruleRemoveTargetById=990012"

That would work - but first from 2.6.7 as far as I can see ;)

I'm sticking to a change in the rule instead. I have the rules in subversion, so I can control the changes and bring them to newer versions...

/Anders



--
 - Josh



    /Anders





        I did a bit of googling and "Windows XP 5.1" is the correct
        version of XP - some sites list this as a bot, some don't.
        If I do a search for "Windows XP 5" the results for
        User-Agents are bot, bot and bot...

        Does anyone know if the intentions are to catch only "Windows
        XP 5" or both?

        I have added a case to the rule here that allows "Windows XP
        5.1" as User-Agent, but not "Windows XP 5" - guess the
        question is if the updated rule should be submitted for the
        next ruleset?

        /Anders
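
Added example, not part of the original thread or of the CRS: a Python model of the false positive on rule 990012 and of the User-Agent exception posted above. It assumes the rule behaves as a case-insensitive substring match on the phrase "windows xp 5" and treats the exception as skipping that rule for the request; STRICT_EXCEPTION is a hypothetical tightened pattern, and every sample User-Agent except the Java one is constructed.

```python
import re

# Assumption: rule 990012 is modelled as a case-insensitive substring match
# against a phrase list; this single phrase is taken from the thread.
BOT_PHRASES = ["windows xp 5"]

# Exception pattern exactly as posted in the thread: the parentheses form a
# regex group and the dot matches any character.
POSTED_EXCEPTION = re.compile(r"(Windows XP 5.1)")

# Hypothetical stricter variant: literal parentheses and a literal dot, as
# they appear in the reported User-Agent.
STRICT_EXCEPTION = re.compile(r"\(Windows XP 5\.1\)")

# Sample User-Agents; only "java_client" comes from the thread, the rest
# are constructed for this example.
SAMPLES = {
    "java_client": "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_35",
    "xp5_only": "Mozilla/4.0 (Windows XP 5)",
    "near_miss": "Mozilla/4.0 (Windows XP 5x1)",
    "browser": "Mozilla/5.0 (X11; Linux x86_64) Firefox/15.0",
}


def bot_rule_hits(user_agent):
    """Model of the bad-robot rule: substring match, case-insensitive."""
    lowered = user_agent.lower()
    return any(phrase in lowered for phrase in BOT_PHRASES)


def blocked(user_agent, exception):
    """True when the bot rule matches and the exception does not apply."""
    if exception.search(user_agent):
        return False  # exception fired first, so the bot rule is skipped
    return bot_rule_hits(user_agent)


def report(exception):
    """Map each sample name to its verdict under the given exception."""
    return {name: blocked(ua, exception) for name, ua in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("posted", POSTED_EXCEPTION),
                           ("strict", STRICT_EXCEPTION)):
        print(label, report(pattern))
```

The two patterns differ only on the "near_miss" sample: the unescaped dot in the posted pattern also exempts a string that is not "Windows XP 5.1".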




_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set