Current File : //03_Global_Agents.conf

# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------

SecRule REQUEST_HEADERS:User-Agent "@pmFromFile userdata_wl_agents" \
	"id:210800,phase:2,pass,nolog,t:none,skip:1,rev:2,severity:2,tag:'CWAF',tag:'Agents'"

SecRule REQUEST_HEADERS:User-Agent "@pmFromFile bl_scanners" \
	"id:210801,msg:'COMODO WAF: Request Indicates a Security Scanner Scanned the Site||%{tx.domain}|%{tx.mode}|2',phase:2,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'%{matched_var}',t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'Agents'"

SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile bl_scanners_headers" \
	"id:210810,msg:'COMODO WAF: Request Indicates a Security Scanner Scanned the Site||%{tx.domain}|%{tx.mode}|2',phase:2,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'%{matched_var}',t:none,rev:4,severity:2,tag:'CWAF',tag:'Agents'"

SecRule REQUEST_FILENAME "@pm nessustest appscan_fingerprint" \
	"id:210820,msg:'COMODO WAF: Request Indicates a Security Scanner Scanned the Site||%{tx.domain}|%{tx.mode}|2',phase:2,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'%{matched_var}',t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'Agents'"

SecRule REQUEST_HEADERS:User-Agent "@pmFromFile userdata_wl_agents" \
	"id:210830,phase:2,pass,nolog,t:none,skipAfter:'SECMARKER_210800',rev:2,severity:2,tag:'CWAF',tag:'Agents'"

SecRule REQUEST_HEADERS:User-Agent "@pmFromFile bl_agents" \
	"id:210831,chain,msg:'COMODO WAF: Rogue web site crawler||%{tx.domain}|%{tx.mode}|4',phase:2,capture,block,logdata:'%{TX.0}',t:none,rev:2,severity:4,tag:'CWAF',tag:'Agents'"
SecRule REQUEST_HEADERS:User-Agent "(?i:(?:^(?:microsoft url|user-Agent|www\.weblogs\.com|(?:jakart|vi)a|(google|i{0,1}explorer{0,1}\.exe|(ms){0,1}ie( [0-9.]{1,}){0,1} {0,1}(compatible( browser){0,1}){0,1})$)|\bdatacha0s\b|; widows|\\\r|a(?: href=|d(?:sarobot|vanced email extractor)|gdm79@mail\.ru|miga-aweb/3\.4|t(?:hens|tache|(?:omic_email_hunt|spid)er)|utoemailspider)|b(?:ackdoor|lack hole|utch__2\.1\.1|wh3_user_agent)|c(?:h(?:e(?:esebot|rrypicker)|ina(?: local browse 2\.|claw))|o(?:mpatible(?: ;(?: msie|\.)|-)|n(?:cealed defense|t(?:actbot/|entsmartz)|veracrawler)|py(?:guard|rightcheck)|re-project/1.0)|rescent internet toolpak)|d(?:ig(?:imarc webreader|out4uagent)|ts agent)|e(?:ducate search vxb|mail(?:siphon|wolf|(?: extracto|reape)r|(siphon|spider)|(?:collec|harves|magne)t)|o browse|xtractorpro|(?:collecto|irgrabbe)r)|f(?:a(?:xobot|(?:ntombrows|stlwspid)er)|loodgate|oobar/|ull web bot|(?:iddle|ranklin locato)r)|g(?:ameBoy, powered by nintendo|ecko/25|rub(?: crawler|-client))|h(?:anzoweb|hjhj@yahoo|l_ftien_spider)|i(?:n(?:dy library|ternet(?: (?:exploiter sux|ninja)|-exprorer))|sc systems irc search 2\.1)|kenjin spider|larbin@unspecified|m(?:ailto:craftbot@yahoo\.com|i(?:crosoft (?:internet explorer/5\.0$|url control)|ssigua)|o(?:r(?:feus fucking scanner|zilla)|siac 1.|zilla/3\.mozilla/2\.01$)|urzillo compatible)|n(?:ameofagent|e(?:ssus|(?:uralbot/0\.|wt activeX; win3)2)|ikto|o(?: browser|kia-waptoolkit.{0,} googlebot.{0,}googlebot))|p(?:a(?:ckrat|nscient\.com)|cbrowser|e 1\.4|leasecrawl/1\.|mafind|oe-component-client|ro(?:duction bot|gram shareware 1\.0\.|webwalker)|s(?:urf|ycheclone))|rsync|s(?:\.t\.a\.l\.k\.e\.r\.|afexplorer tl|e(?:archbot admin@google.com|curity scan)|hai|itesnagger|(?:tress tes|urveybo)t)|t(?:ele(?:port pro|soft)|oata dragostea mea pentru diavola|uring machine|(?: {0,1}h {0,1}a {0,1}t {0,1}' {0,1}s g {0,1}o {0,1}t {0,1}t {0,1}a {0,1} h {0,1}u {0,1}r {0,1}|akeou|his is an exploi)t)|u(?:nder the rainbow 2\.|ser-agent:)|v(?:adixbot|oideye)|w(?:3mir|e(?:b(?: (?:by mail|downloader)|emailextract{0,1}|mole|vulnscan|(?:bandi|(?:altb|ro)o)t)|lls search ii|p Search 00)|i(?:ndows(?:-update-agent)|se(?:nut){0,1}bot)|ordpress(?: hash grabber|/4\.01))|zeus(?: .{0,}webster pro){0,1}|[a-z]surf[0-9][0-9]|(?:$botname/$botvers|(script|sql) inject)ion|(compatible ; msie|msie .{1,}; .{0,}windows xp)|(?:8484 boston projec|xmlrpc exploi)t|(sogou develop spider|sohu agent)|(?:demo bot|(?:d|e)browse)|(libwen-us|myie2|murzillo compatible|webaltbot|wisenutbot)))" \
	"capture,setvar:'tx.points=+%{tx.points_limit2}'"

SecRule REQUEST_HEADERS:User-Agent "@pmFromFile userdata_bl_agents" \
	"id:210832,msg:'COMODO WAF: Blacklisted by userdata_bl_agents||%{tx.domain}|%{tx.mode}|4',phase:2,capture,block,logdata:'%{TX.0}',t:none,rev:2,severity:4,tag:'CWAF',tag:'Agents'"

SecMarker SECMARKER_210800
SecRule ARGS|REQUEST_FILENAME "@pmFromFile bl_scanners_urls" \
	"id:211010,msg:'COMODO WAF: Request Indicates a Security Scanner Scanned the Site||%{tx.domain}|%{tx.mode}|1',phase:2,block,setvar:'tx.points=+%{tx.points_limit4}',log,logdata:'%{matched_var}',t:none,rev:1,severity:1,tag:'CWAF',tag:'Agents'"