[Owasp-modsecurity-core-rule-set] Reg modsecurity_35_bad_robots

Thayyilekandy, Subin : Barclaycard US sthayyilekan at BarclaycardUS.com
Wed Jul 2 16:31:14 UTC 2014


Anyone using the modsecurity_35_bad_robots?
There is a keyword “Via” in the data file which matches for browsers like “Whitehat Aviator”, and requests coming off these browsers get blocked. Just wondering if it's OK to remove the keyword “via” off the list or conditionally handle it with a positive rule to allow this browser; there may be other browsers/devices that can have “via” in user agents as part of some word, as in this case.

Also, not sure if this is the intended behavior: though the user agent has “Whitehat Aviator” present in all the requests from this browser, only requests with ARGS seem to be working for the rules in modsecurity_35_bad_robots.conf.

1. GET request – user comes to home page (not blocked by ModSecurity as there are no ARGS/parameters)
2. POST request – user logs in (blocked by ModSecurity – with POST parameters)
3. GET request – any navigation with ARGS (blocked by ModSecurity – with GET parameters)


Thanks
Subin





Barclaycard
www.barclaycardus.com 
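
The false positive described in the message above, as an added example that is not part of the original post or of the Core Rule Set. It assumes the data file is consumed by a case-insensitive phrase match (as ModSecurity's `@pmFromFile` does), compares that with a whole-token match as one possible alternative, and uses constructed User-Agent strings, a placeholder keyword `examplescanner` and hypothetical function names.

```python
import re

# Constructed keyword list: only "via" comes from the post; "examplescanner" is a placeholder.
KEYWORDS = ["via", "examplescanner"]

# Constructed User-Agent samples (not captured traffic).
SAMPLES = {
    "aviator": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
               "Chrome/35.0 Safari/537.36 WhiteHat Aviator",
    "plain":   "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/30.0",
    "token":   "ExampleFetcher/1.0 via gateway",
    "scanner": "ExampleScanner/2.1",
}

def substring_hits(ua, keywords=KEYWORDS):
    """Case-insensitive substring match: a keyword hits anywhere in the header."""
    low = ua.lower()
    return [k for k in keywords if k.lower() in low]

def token_hits(ua, keywords=KEYWORDS):
    """Hit only when the keyword is not embedded in a longer alphanumeric word."""
    hits = []
    for k in keywords:
        pattern = r"(?<![A-Za-z0-9])" + re.escape(k) + r"(?![A-Za-z0-9])"
        if re.search(pattern, ua, re.IGNORECASE):
            hits.append(k)
    return hits

def embedded_matches(samples=SAMPLES, keywords=KEYWORDS):
    """(sample, keyword) pairs that hit only because the keyword sits inside a word."""
    out = []
    for name, ua in samples.items():
        whole = set(token_hits(ua, keywords))
        out += [(name, k) for k in substring_hits(ua, keywords) if k not in whole]
    return out

if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(f"{name:8} substring={substring_hits(ua)} token={token_hits(ua)}")
    print("review candidates:", embedded_matches())
```

Running `embedded_matches` over User-Agent values taken from your own access logs, with the real keyword list, shows which entries fire only as fragments of longer words before you decide between removing a keyword and adding an exception.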
