Hi Andrei,

Based on your question, are you asking how to stop all external requests
that contain the string WordPress in the UA string, but allow the local
WordPress instance to send requests? You can do that by chaining your rule
with logic that checks the REMOTE_ADDR variable does not equal
192.168.1.100.

- Josh

On Thu, Dec 4, 2014 at 4:52 AM, Andrei <coro...@starnet.md> wrote:

> Hello,
>
> How can I drop on ModSecurity for IIS any request from user-agent
> WordPress/?
>
> IIS 8.0 access log:
> ------------
> 2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80 -
> 184.154.226.5 HTTP/1.0 WordPress/4.0.1;+http://www.nonohitters.com
> ;+verifying+pingback+from+89.248.174.78 - - example.com 200 0 0 26063 199
> 9422
> 2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80 -
> 77.68.54.144 HTTP/1.0 WordPress/3.4;+http://appyhour.co - - example.com
> 200 0 0 26063 157 8484
> 2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80 -
> 194.145.201.141 HTTP/1.0 WordPress/4.0.1;+http://microdermal-piercing.nl;+
> verifying+pingback+from+89.248.174.78 - - example.com 200 0 0 26063 203
> 9843
> 2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80 -
> 213.5.176.14 HTTP/1.0 
> WordPress/3.8.5;+http://www.uvac.ac.uk;+verifying+pingback+from+89.248.174.78
> - - example.com 200 0 0 26063 194 8468
> 2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80 -
> 84.200.79.196 HTTP/1.0 WordPress/4.0;+http://milla.smyck.org
> ;+verifying+pingback+from+89.248.174.78 - - example.com 200 0 0 26063 193
> 8453
> 2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80 -
> 188.93.144.146 HTTP/1.0 WordPress/3.5.1;+http://www.
> bastiaanfranken.nl/blog - - example.com 200 0 0 26063 175 9828
> 2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80 -
> 213.171.218.216 HTTP/1.0 WordPress/4.0.1;+http://www.
> wordpress.michaelgrange.co.uk;+verifying+pingback+from+89.248.174.78 - -
> example.com 200 0 0 26063 213 8468
> 2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80 -
> 174.139.169.10 HTTP/1.0 WordPress/4.0.1;+http://www.zahnarzt-koeln.org
> ;+verifying+pingback+from+89.248.174.78 - - example.com 200 0 0 26063 202
> 9734
> 2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80 -
> 185.38.251.154 HTTP/1.0 WordPress/4.0.1;+http://www.zac-efron.us
> ;+verifying+pingback+from+89.248.174.78 - - example.com 200 0 0 26063 196
> 9047
> 2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80 -
> 69.27.40.40 HTTP/1.0 WordPress/2.8.5;+http://funktion.catalystexhibit.com
> - - example.com 200 0 0 26063 213 9953
> 2014-12-03 16:30:08 W3SVC1 WebServer 192.168.1.100 GET /Index.aspx - 80 -
> 85.13.143.156 HTTP/1.0 WordPress/4.0.1;+http://www.
> matchanglershop.de/blog;+verifying+pingback+from+89.248.174.78 - -
> example.com 200 0 0 26063 207 9922
> ------------
>
> But need to allow this:
>
> [client 192.168.1.100:13015] ModSecurity: Access denied with code 403
> (phase 1). Pattern match "WordPress/" at REQUEST_HEADERS:User-Agent. [file
> "C:\/Program Files/ModSecurity IIS/owasp_crs/custom/
> modscurity_crs_15_custom.conf"] [line "13"] [id "8"] [msg "Prevent DDos
> from WordPress CMS"] [hostname "WebServer"] [uri
> "/wp-cron.php?doing_wp_cron=1417660712.6131439208984375000000"]
> [unique_id "17654110601569370214"]
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
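
The chained rule described in the reply above, as an added example that is not part of the original thread. The "before" rule is reconstructed from the id, phase, message and pattern shown in the denial log; its exact text is not in the thread, so treat it as an assumption, as is the choice of `@ipMatch` for the address test.

```apache
# Added example (not from the thread).

# Before (assumed form, rebuilt from the denial log: id 8, phase 1,
# "Pattern match" on REQUEST_HEADERS:User-Agent). It matches every
# WordPress/ user agent, including the local instance's own
# /wp-cron.php loopback request from 192.168.1.100.
#SecRule REQUEST_HEADERS:User-Agent "@rx WordPress/" \
#    "id:8,phase:1,deny,status:403,msg:'Prevent DDos from WordPress CMS'"

# After: the same rule becomes a chain starter. The disruptive action
# (deny) stays on the first rule and only fires when every rule in the
# chain matches, i.e. the UA contains WordPress/ AND the client address
# is not the local server.
SecRule REQUEST_HEADERS:User-Agent "@rx WordPress/" \
    "id:8,phase:1,deny,status:403,log,msg:'Prevent DDos from WordPress CMS',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.100"
```

The exception is keyed on the connection's source address rather than on anything in the request headers, so a remote client cannot claim it by changing its User-Agent. If a reverse proxy sits in front of IIS, REMOTE_ADDR will be the proxy's address and the exception needs to be revisited.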