ModSec Rules Problem
Hello,
I have aggressive protection on my server because I have a big forum on it, and I also have a lot of rules in ModSec, but I got a lot of false blocks from one rule. Any idea why this rule blocked many IPs?
Regards
This is my ModSec rule:
SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \
"chain,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',severity:'5'"
SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl"
These are my sample log entries:
[Wed Apr 13 07:27:02 2016] [error] [client 212.154.13.254] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "59"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/satforum/archive/index.php/t-227474.html"] [unique_id "Vw3Klsc7pNIAAG0ODaoAAAAG"]
[Wed Apr 13 07:27:02 2016] [error] [client 212.154.13.254] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "59"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/satforum/archive/index.php/t-227474.html"] [unique_id "Vw3Klsc7pNIAAGvFgrwAAAAE"]
[Wed Apr 13 07:27:03 2016] [error] [client 212.154.13.254] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "59"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/satforum/archive/index.php/t-486162.html"] [unique_id "Vw3Klsc7pNIAAHmWJ34AAAAB"]
[Wed Apr 13 07:27:03 2016] [error] [client 212.154.13.254] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "59"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/satforum/archive/index.php/t-486162.html"] [unique_id "Vw3Kl8c7pNIAAGid95AAAAAF"]
[Wed Apr 13 07:27:03 2016] [error] [client 212.154.13.254] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "59"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/satforum/showthread.php"] [unique_id "Vw3Kl8c7pNIAAGpIJP4AAAAH"]
-
Hello :) The rule description suggests it's blocking requests when the "User-Agent" matches a value associated with an automated script, as opposed to an individual using a web browser. Have you reviewed the instances where the block is a false positive to see how they were accessing the URL? Thank you.
The log is saying your User-Agent (browser identification) had one of the strings in that first line in it. If you go to a site like What's My User Agent? it will show you how your browser is identifying itself and perhaps help you troubleshoot this. If you were using a script or program to interact with the site, this is a likely situation and you may need to whitelist your IP address.
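A worked check of the rule's logic, added here as an example; it is not code posted by anyone in the thread. It re-implements the two-link chain in Python (the pattern is copied from the post, with the forum-mangled `d(?:eek:wnload demon|isco)` restored to `d(?:ownload demon|isco)`, since the emoticon filter rewrote `(?:o`), runs a handful of constructed User-Agent strings through it, and tallies the "Access denied" lines of a constructed error log by client and URI. Two assumptions are labelled in the code: the User-Agent is lowercased before matching (the posted rule lists no transformation, so whether that happens depends on the server's SecDefaultAction), and the log sample uses documentation-range addresses rather than the poster's IP.

```python
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# First link of the poster's chained rule 990011. The page's copy shows
# "d(?:eek:wnload demon|isco)"; a forum emoticon filter turned "(?:o" into
# "(?:eek:", so the intended fragment "d(?:ownload demon|isco)" is restored.
BOT_UA_RE = re.compile(
    r"(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b"
    r"|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)"
    r"|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)"
)

# Second link of the chain. The rule negates it ("!^apache.*perl"), so the
# chain completes, and the request is denied, only when this does NOT match.
APACHE_PERL_RE = re.compile(r"^apache.*perl")


def rule_990011_blocks(user_agent: str, lowercase: bool = True) -> Tuple[bool, Optional[str]]:
    """Evaluate the chained rule against one User-Agent value.

    Returns (denied, fragment): fragment is the substring the first regex
    matched, or None. lowercase=True mirrors a t:lowercase transformation;
    the posted rule lists no transformations, so this is an assumption about
    the server's SecDefaultAction, not something the post states.
    """
    ua = user_agent.lower() if lowercase else user_agent
    m = BOT_UA_RE.search(ua)
    if m is None:
        return False, None                 # first link fails, chain stops
    if APACHE_PERL_RE.search(ua):
        return False, m.group(0)           # negated second link fails, chain stops
    return True, m.group(0)                # both links fire: request denied


# Constructed User-Agent values (not taken from the page) covering common cases.
SAMPLE_UAS = {
    "firefox":     "Mozilla/5.0 (Windows NT 10.0; rv:45.0) Gecko/20100101 Firefox/45.0",
    "googlebot":   "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "libwww-perl": "libwww-perl/6.15",
    "wget":        "Wget/1.17.1 (linux-gnu)",
    "curl":        "curl/7.47.0",
    "custom-app":  "Mozilla/5.0 (compatible; CustomerPortal/2.1)",
    "apache-perl": "apache-perl-monitor/1.0",
}


def classify_samples() -> Dict[str, Tuple[bool, Optional[str]]]:
    """Run every sample through the rule. The 'custom-app' entry shows why
    unanchored alternatives such as 'custo', 'disco', 'lwp' and 'perl' hit
    harmless tokens: only the first alternative group carries \\b."""
    return {name: rule_990011_blocks(ua) for name, ua in SAMPLE_UAS.items()}


# Apache error-log lines in the format shown in the post. Constructed sample,
# not the poster's log: documentation-range client addresses, short unique_ids.
SAMPLE_LOG = """\
[Wed Apr 13 07:27:02 2016] [error] [client 203.0.113.5] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "59"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/satforum/archive/index.php/t-227474.html"] [unique_id "a1"]
[Wed Apr 13 07:27:03 2016] [error] [client 203.0.113.5] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "59"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/satforum/archive/index.php/t-486162.html"] [unique_id "a2"]
[Wed Apr 13 07:27:09 2016] [error] [client 198.51.100.7] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "59"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/satforum/showthread.php"] [unique_id "a3"]
"""

LOG_LINE_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: Access denied with code (?P<code>\d+)'
    r'.*?\[id "(?P<id>\d+)"\].*?\[uri "(?P<uri>[^"]*)"\]'
)


def summarize_denials(log_text: str) -> Dict[str, Counter]:
    """Count 'Access denied' lines per (client, rule id) and per URI so the
    noisiest sources of a rule's hits stand out before any whitelisting."""
    by_client: Counter = Counter()
    by_uri: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE_RE.search(line)
        if m is None:
            continue
        by_client[(m["client"], m["id"])] += 1
        by_uri[m["uri"]] += 1
    return {"by_client": by_client, "by_uri": by_uri}


if __name__ == "__main__":
    for name, (denied, frag) in classify_samples().items():
        print(f"{name:12} denied={denied!s:5} matched={frag}")
    for key, n in summarize_denials(SAMPLE_LOG)["by_client"].most_common():
        print(key, n)
```

What the sample run shows: only the first alternative group carries `\b`, so `perl`, `lwp`, `disco` and `custo` match inside ordinary tokens (the `CustomerPortal` agent is denied on `custo`), while the negated second link exempts only agents that start with `apache` and contain `perl`. The error-log lines quoted in the post never show the User-Agent itself; because the rule sets `auditlog`, the request headers of each denied transaction are written to the ModSecurity audit log when the audit engine is enabled (SecAuditEngine On or RelevantOnly), which is where to look before deciding whether an IP needs an exception such as a `REMOTE_ADDR` `@ipMatch` rule with `ctl:ruleRemoveById=990011`.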