SOLVED mod_security rule not working

[jeffschips]

Trying to stop a bad bot from accessing server using mod_security rules. I have the following but it's not working.

SecRule REQUEST_HEADERS:User-Agent "@rx ^(?:Datanyze)$" "msg:'Datanyze blocked',phase:1,log,id:777777,t:none,block,status:403"

the word "Datanyze" is contained in the User Agent string and I can't find a definitive source anywhere that defines if the UA is the entire string, i.e,:

"Mozilla/5.0 (X11; Datanyze; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"

or if you can use text strings therein as UA.

Thank you.

 

[fuzzylogic]

Couple of points.

"@rx ^(?:Datanyze)$"
@rx calls the regex operator. Same happens if you omit an operator.

The regex you are applying to the User-Agent value is...
^(?:Datanyze)$"
This will only match the exact value with exact case...
User-Agent: Datanyze
To match it anywhere is the User-Agent value use the regex...
(?:Datanyze)

Also to match any mix of Case transform to lowercase (t:lowercase) then use the regex...
(?:datanyze)

So final rule looks like this...

# Datanyze deny rule
SecRule REQUEST_HEADERS:User-Agent "(?:datanyze)" "msg:'Datanyze denied',phase:1,log,id:777779,t:lowercase,block,status:403"

When tested it matches the following request...

GET / HTTP/2.0
User-Agent: "Mozilla/5.0 (X11; Datanyze; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Host: domainname.com
Content-Length: 0

 

[jeffschips]

Perfect! Works perfectly!

Just as an aside, this started because I noticed that bot accessing my site, yet as I dug deeper today, I've also noticed that it accesses cached webpage and thereby by-passes apache. I'm wondering if there is anything mod_security can do to stop that. Here is an example of the request URL which succeeds in getting the cached webpages:

[04/Apr/2019:17:58:11 -0400] "GET /media/plg_jchoptimize/cache/css/7dfafd723239864098661385b6ef34e9_0.css HTTP/1.1" 200 206413 "-" "Mozilla/5.0 (X11; Datanyze; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"

Or would the rule suggested also deny such activity: I''m guessing it would because the Datanyze is still in the User agent.

 

[fuzzylogic]

noticed that it accesses cached webpage and thereby by-passes apache.

This is a non-issue.
Apache serves this request exactly the same as it might serve a request for index.html or theme.css or any other static file.
It has been cached by a Joomla plugin, but is still a static css file in your website's directory structure.
This request is blocked by this rule very early in the request phase (Phase 1, Request Headers).

This is correct.

Or would the rule suggested also deny such activity: I''m guessing it would because the Datanyze is still in the User agent.

 

[jeffschips]

SOLVED.
Thank you for the understandable and succinct explanation. Much appreciated!

 

[cPanelMichael]

I've marked this thread as solved.

Thanks!