[Modsecurity] gibberish useragents, and 'http://google.com' referer
mark thomas
sorabji at gmail.com
Fri Apr 14 21:32:01 EDT 2006
I switched from .htaccess and other band-aids to mod_security this week and
have thus far had good luck. Wanted to say how much I appreciate this
project and I hope to make useful contributions.
Something I noticed long ago, but didn't think much of until recently, is an
HTTP_REFERER such as the one in this line from my access_log (truncated
somewhat for this discussion):
194.126.164.5 - - "GET /m/messages/113/3248.html HTTP/1.0" 200 88002 "http://google.com/" "Mozilla/6.0"
I had assumed these hits came from people using Google's "I'm Feeling Lucky"
button, but I later realized that you should never see google.com in your
logs without the www. in front of it. Hits from the "Lucky" button show up
in my logs with the full www.google.com address.
I added http://google.com/ to my .htaccess and scored numerous blocks, but
since switching to mod_security hits with that referer are getting through
again. Should http://google.com/ be added to the banned referers list?
In a different matter, my access_logs show occasional records like these
(truncated somewhat for this discussion):
216.18.228.122 - - "GET http://www.sorabji.com/m/messages/221/3267.html HTTP/1.0" 200 20180 "-" "ppuogkrfagpodowmkJnJJqlseslbln"
216.18.228.122 - - "GET http://www.sorabji.com/m/messages/242/302.html?MondaySeptember1820001243pm HTTP/1.0" 200 19167 "-" "rstSxeSkhwgcksya3va"
216.18.228.122 - - "GET http://www.sorabji.com/m/messages/686/5731.html?SundayMay1520050605pm HTTP/1.0" 200 59509 "-" "ddmojkwxsinhfigaptkdo8fekahgn qjtpQ8keg"
Perhaps these requests would be rejected on other grounds, as there are
other things weird about these records (access_log doesn't usually record
full URLs in GET requests). But I wanted to ask if anyone else has seen
gibberish HTTP_USER_AGENT fields like these?
Also, what to make of a blank HTTP_USER_AGENT, indicated in the access_log by "-"?
Are these conditions covered in mod_security's rules?
-mt
--
http://www.sorabji.com/
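An added example, not part of the original post and not code from the mod_security project: a small Python script that parses access_log records in the layout quoted above (with or without the timestamp field) and flags the four conditions the post asks about: a Referer of exactly `http://google.com/` with no `www.`, a blank User-Agent, a User-Agent that looks like random letters, and a request line carrying an absolute URL. The sample lines are constructed for the example (RFC 5737 addresses, example.com), modelled on the records in the post rather than copied from anyone's log; the "gibberish" heuristic (no product token, no version, low vowel share) and its threshold are the example's own assumptions, not rules from any mod_security rule set.

```python
import re

# Constructed sample records in the same layout as the lines quoted in the post.
# Addresses and host names are documentation values, not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - "GET /m/messages/113/3248.html HTTP/1.0" 200 88002 "http://google.com/" "Mozilla/6.0"
203.0.113.9 - - "GET http://www.example.com/m/messages/221/3267.html HTTP/1.0" 200 20180 "-" "ppuogkrfagpodowmkJnJJqlseslbln"
203.0.113.12 - - [14/Apr/2006:21:32:01 -0400] "GET /m/messages/1/1.html HTTP/1.1" 200 1234 "http://www.google.com/search?q=test" "Mozilla/5.0 (X11; Linux) Gecko/20060401 Firefox/1.5"
203.0.113.20 - - "GET /robots.txt HTTP/1.0" 200 51 "-" "-"
"""

# Combined Log Format; the [timestamp] field is optional so the truncated
# lines from the post parse as well as full records.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ (?:\[(?P<time>[^\]]+)\] )?'
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

# Assumed list of substrings that mark a User-Agent as a recognisable product.
KNOWN_UA_TOKENS = ("mozilla", "opera", "lynx", "curl", "wget", "bot", "spider", "crawler", "libwww")


def is_gibberish_ua(ua: str) -> bool:
    """Heuristic (this example's own assumption): a User-Agent with no known
    product token, no Name/Version slash, no parenthesised platform block,
    at least 8 letters and a low share of vowels is treated as random letters."""
    if ua in ("", "-"):
        return False  # blank is reported separately
    low = ua.lower()
    if any(tok in low for tok in KNOWN_UA_TOKENS):
        return False
    if "/" in ua or "(" in ua:
        return False
    letters = sum(c.isalpha() for c in ua)
    if letters < 8:
        return False
    vowels = sum(c in "aeiouAEIOU" for c in ua)
    return vowels / letters < 0.35


def analyze_line(line: str) -> dict:
    """Return the parsed fields plus a list of flags for one access_log record."""
    m = LOG_RE.match(line)
    if not m:
        return {"ip": None, "target": None, "flags": ["unparsable"]}
    f = m.groupdict()
    flags = []
    # Bare google.com referer: the post's observation is that real "I'm Feeling
    # Lucky" hits arrive with the www. host, so this exact value is suspect.
    if f["referer"] == "http://google.com/":
        flags.append("bare-google-referer")
    if f["ua"] in ("", "-"):
        flags.append("blank-user-agent")
    elif is_gibberish_ua(f["ua"]):
        flags.append("gibberish-user-agent")
    # An absolute URL in the request line is proxy-style syntax; browsers
    # talking to an origin server normally send only the path.
    if re.match(r"https?://", f["target"], re.IGNORECASE):
        flags.append("absolute-uri-request")
    return {"ip": f["ip"], "target": f["target"], "flags": flags}


def analyze_log(text: str) -> list:
    """Analyse every non-empty line of an access_log excerpt."""
    return [analyze_line(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for rec in analyze_log(SAMPLE_LOG):
        print(rec["ip"], rec["target"], ",".join(rec["flags"]) or "ok")
```

Referer and User-Agent are entirely client-controlled, so flags like these only identify nuisance traffic that does not bother to look like a browser; they are not a security boundary, and a request should still be judged on what it actually asks for. Whether the current mod_security rule set already matches these header patterns is the question the post puts to the list; the script above only shows how to pick the records out of a log.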