Hello,
How can I drop, in ModSecurity for IIS, any request from the user-agent
WordPress/?
IIS 8.0 access log:
------------
2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80
- 184.154.226.5 HTTP/1.0
WordPress/4.0.1;+http://www.nonohitters.com;+verifying+pingback+from+89.248.174.78
- - example.com 200 0 0 26063 199 9422
2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80
- 77.68.54.144 HTTP/1.0 WordPress/3.4;+http://appyhour.co - -
example.com 200 0 0 26063 157 8484
2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80
- 194.145.201.141 HTTP/1.0
WordPress/4.0.1;+http://microdermal-piercing.nl;+verifying+pingback+from+89.248.174.78
- - example.com 200 0 0 26063 203 9843
2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80
- 213.5.176.14 HTTP/1.0
WordPress/3.8.5;+http://www.uvac.ac.uk;+verifying+pingback+from+89.248.174.78
- - example.com 200 0 0 26063 194 8468
2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80
- 84.200.79.196 HTTP/1.0
WordPress/4.0;+http://milla.smyck.org;+verifying+pingback+from+89.248.174.78
- - example.com 200 0 0 26063 193 8453
2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80
- 188.93.144.146 HTTP/1.0
WordPress/3.5.1;+http://www.bastiaanfranken.nl/blog - - example.com 200
0 0 26063 175 9828
2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80
- 213.171.218.216 HTTP/1.0
WordPress/4.0.1;+http://www.wordpress.michaelgrange.co.uk;+verifying+pingback+from+89.248.174.78
- - example.com 200 0 0 26063 213 8468
2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80
- 174.139.169.10 HTTP/1.0
WordPress/4.0.1;+http://www.zahnarzt-koeln.org;+verifying+pingback+from+89.248.174.78
- - example.com 200 0 0 26063 202 9734
2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80
- 185.38.251.154 HTTP/1.0
WordPress/4.0.1;+http://www.zac-efron.us;+verifying+pingback+from+89.248.174.78
- - example.com 200 0 0 26063 196 9047
2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80
- 69.27.40.40 HTTP/1.0
WordPress/2.8.5;+http://funktion.catalystexhibit.com - - example.com 200
0 0 26063 213 9953
2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80
- 85.13.143.156 HTTP/1.0
WordPress/4.0.1;+http://www.matchanglershop.de/blog;+verifying+pingback+from+89.248.174.78
- - example.com 200 0 0 26063 207 9922
------------
But I need to allow this:
[client 192.168.1.100:13015] ModSecurity: Access denied with code 403
(phase 1). Pattern match "WordPress/" at REQUEST_HEADERS:User-Agent.
[file "C:\/Program Files/ModSecurity
IIS/owasp_crs/custom/modscurity_crs_15_custom.conf"] [line "13"] [id
"8"] [msg "Prevent DDos from WordPress CMS"] [hostname "WebServer"] [uri
"/wp-cron.php?doing_wp_cron=1417660712.6131439208984375000000"]
[unique_id "17654110601569370214"]
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
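
One way to express the requirement in the post, as an added example that is not part of the original message or of the OWASP CRS: keep the User-Agent block, but chain it to a source-address check so the server's own wp-cron.php call is not denied. The rule id, phase, status and msg are taken from the error-log line above; the "before" rule text is reconstructed from that line, and treating 192.168.1.100 as the only trusted local caller is an assumption.

```apache
# Before (reconstructed from the log message; the original rule text is not
# shown in the post). It denies every request whose User-Agent contains
# "WordPress/", including the site's own wp-cron.php call from 192.168.1.100.
#
# SecRule REQUEST_HEADERS:User-Agent "WordPress/" \
#     "id:8,phase:1,deny,status:403,msg:'Prevent DDos from WordPress CMS'"

# After: same match, but the deny only fires when the chained condition is
# also true, i.e. the client address is NOT the local server (assumed to be
# 192.168.1.100, the address seen in both the access log and the 403 entry).
SecRule REQUEST_HEADERS:User-Agent "@rx WordPress/" \
    "id:8,phase:1,t:none,deny,status:403,msg:'Prevent DDos from WordPress CMS',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.100" "t:none"
```

Exempting by source address rather than by the /wp-cron.php path keeps external WordPress pingback clients blocked on every URI, including wp-cron.php itself.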