Rule 920310 (CRS3) not firing if no User-Agent is submitted
See original GitHub issue_Issue originally created by user dune73 on date 2016-06-21 09:16:41. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/370._
920310 (CRS3) is meant to alarm if there is no Accept header. There are cases where an alarm is suppressed based on the User-Agent. However, given the construction of the rule, a request without a User-Agent will never trigger 920310, which is a false negative.
Possible solutions:
- 2nd rule covering this special case
- replace
@pm
with regex and check for empty header
Thoughts?
This issue evolved from a discussion in #366.
Issue Analytics
- State:
- Created 3 years ago
- Comments:5
Top Results From Across the Web
Rule 920310 (CRS3) not firing if no User-Agent is submitted
920310 (CRS3) is meant to alarm if there is no Accept header. There are cases where an alarm is suppressed based on the...
Read more >Create an exception for a blocked user agent - AWS WAF ...
If traffic from some non-browser user agents is being erroneously blocked, you can create an exception by setting the offending AWS WAF Bot...
Read more >CRS rule groups and rules - Azure Web Application Firewall
If a request matches a custom rule, the corresponding rule action is applied. The request is either blocked or passed through to the...
Read more >Is lack of User-Agent in HTTP request valid? - Stack Overflow
UPDATE My intention with the phrase "real-world" was to indicate that I am not asking what the HTTP protocol permits. It is permitted...
Read more >User-Agent - HTTP - MDN Web Docs - Mozilla
The User-Agent request header is a characteristic string that lets servers and network peers identify the application, operating system, ...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
User dune73 commented on date 2016-07-02 15:11:17:
Can’t resist such an invitation. Please consider #389 as my offering.
User dune73 commented on date 2016-06-28 12:34:10:
csanders-git : good remark about
920320
being notice. I overlooked that.Covering the special case at a higher PL does not seem right to me as it allows a simple evasion at PL1 to go mostly unnoticed and it tears two rules with the same goal apart within the same rule file.
I think a PL1 sibling
920311
right after920310
is the better solution:That way the problem is contained at PL1 and within the same area in the rule file.