[Owasp-modsecurity-core-rule-set] [JIRA] Resolved: (CORERULES-70) Phrase "Via" in 35_bad_robots matches Google translated requests
Ryan Barnett (JIRA)
rbarnett at trustwave.com
Wed Jul 20 10:42:05 EDT 2011
[ https://www.modsecurity.org/tracker/browse/CORERULES-70?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ryan Barnett resolved CORERULES-70.
-----------------------------------
Resolution: Fixed
I updated the rule logic in the 36 bad robots conf file. Previously, the regexes only had an @pm rule run which did not have the proper regex logic for some of the checks. I now created a chained rule for rule ID 990012 where a regex SecRule runs if the @pm check matches. This should reduce the false positives.
This will be available in CRS v2.2.1.
> Phrase "Via" in 35_bad_robots matches Google translated requests
> ----------------------------------------------------------------
>
> Key: CORERULES-70
> URL: https://www.modsecurity.org/tracker/browse/CORERULES-70
> Project: Core Rules
> Issue Type: Improvement
> Security Level: Normal
> Components: False positive
> Affects Versions: 2.1.3
> Reporter: Thomas
> Assignee: Ryan Barnett
>
> Requests coming from Google translate have the phrase "(via translate.google.com)" appended to the user agent string, which is caught by crs_35_bad_robots.conf, 990012. An example is as follows:
> GET / HTTP/1.1
> Accept: text/html, text/plain, application/pdf, application/msword, */*
> Accept-Charset: utf-8,*
> Host: ...
> Referer: http://translate.googleusercontent.com/translate_c?hl=es&langpair=en%7Ces&u=http://.../&rurl=translate.google.com.mx&usg=...
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; MDDR; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8),gzip(gfe) (via translate.google.com)
> Via: 1.0 translate.google.com TWSFE/0.9
> X-Forwarded-For: ...
> Accept-Encoding: gzip
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
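
The prefilter-then-confirm logic described in the resolution, modelled in Python as an added example (not code from CRS or from this thread). The phrase list, the confirming regex and the two extra User-Agent samples are constructed stand-ins; only the Google Translate User-Agent is taken from the report.

```python
import re

# Constructed stand-ins: the real phrase file and the regex chained onto
# rule 990012 are not shown in this thread.
PHRASES = ["via", "emailsiphon"]
CONFIRM_RE = re.compile(r"^(?:via|emailsiphon)\b", re.IGNORECASE)

# User-Agent copied from the report above.
GOOGLE_TRANSLATE_UA = (
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.3; "
    ".NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; MDDR; "
    ".NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8),gzip(gfe) "
    "(via translate.google.com)"
)
# Constructed samples.
CRAWLER_UA = "EmailSiphon"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0"


def pm_match(value, phrases=PHRASES):
    """Approximate @pm: case-insensitive substring search with no anchors
    or word boundaries. Returns the phrases found in value."""
    lowered = value.lower()
    return [p for p in phrases if p in lowered]


def chained_match(value):
    """Chained form: the regex runs only after the @pm prefilter hits,
    and the rule fires only when both agree."""
    return bool(pm_match(value)) and CONFIRM_RE.search(value) is not None


def compare(samples):
    """Return {name: (pm_only_fires, chained_fires)} for each sample."""
    return {name: (bool(pm_match(ua)), chained_match(ua))
            for name, ua in samples.items()}


if __name__ == "__main__":
    results = compare({"google_translate": GOOGLE_TRANSLATE_UA,
                       "crawler": CRAWLER_UA, "browser": BROWSER_UA})
    for name, (pm_only, chained) in results.items():
        print(f"{name:17} pm_only={pm_only!s:5} chained={chained}")
```

The Google Translate request trips the phrase match alone but not the chained form, while the constructed crawler string trips both.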