Difference between revisions of "WAF 330131"
(Created page with "{{Infobox |header1= Rule 330131 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = Atomicorp.com WAF Rules: Fake Mozilla User Agent String Detected }} = Descri...") |
m (→Description) |
||
(2 intermediate revisions by one user not shown) | |||
Line 9: | Line 9: | ||
= Description = | = Description = | ||
− | This rules detects invalid Mozilla user agent strings. For example, it will detect both when clients generate fake Mozilla user agent strings, as well | + | This rules detects invalid Mozilla user agent strings. For example, it will detect both when clients generate fake Mozilla user agent strings, as well as fake Netscape strings. |
− | That is, if a client pretends to be using the old web browser Netscape (which is the forefather of Mozilla, and uses the user agent string Mozilla) this rule will block access. Netscape browsers are both unlikely to be in use, and would not work correctly with modern websites. | + | That is, if a client pretends to be using the old web browser Netscape (which is the forefather of Mozilla, and uses the user agent string Mozilla), or a client uses a fake invalid Mozilla Userr-agent string this rule will block access. |
+ | |||
+ | Netscape browsers are both unlikely to be in use, and would not work correctly with modern websites. And Mozilla uses a strict versioning method, and invalid versions always mean the client is faking its true identity. This method is used by both attacks and spammers, and legitimate clients never use invalid User-Agent strings. | ||
+ | |||
+ | == Examples == | ||
+ | |||
+ | User-Agent: Mozilla/5.1 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060425 SUSE/1.5.0.3-7 Hv3/alpha | ||
+ | |||
+ | There are no browsers that use Mozilla 5.1. | ||
+ | |||
+ | User-Agent: Mozilla/4.5 (compatible; WB 3.00; Windows 98) | ||
+ | |||
+ | All browsers, including IE, Safari, Opera, Mozilla, and others use either Mozilla 4.0 or Mozilla 5.0 in their User-Agent strings. There are no 5.1, 5.2, 4.5, etc. Mozilla User-Agents strings. They always end in .0. | ||
= Troubleshooting = | = Troubleshooting = |
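Review bot: the rewritten second Description paragraph introduces the misspelling "Userr-agent", and the new third paragraph says "both attacks and spammers" where "attackers" is meant; both should be corrected. The added sentence "legitimate clients never use invalid User-Agent strings" is stronger than the same paragraph's statement that Netscape browsers are only "unlikely to be in use", so consider qualifying it. In the new Examples section the Mozilla/4.5 line has no explanation of its own, unlike the Mozilla/5.1 line; a one-line note after it would keep the two examples parallel.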
Latest revision as of 12:25, 6 September 2013
Rule 330131 | |
---|---|
Status | Active |
Alert Message | Atomicorp.com WAF Rules: Fake Mozilla User Agent String Detected |
Description
This rule detects invalid Mozilla user agent strings. It fires both when a client sends a fake Mozilla user agent string and when it sends a fake Netscape string.
That is, if a client pretends to be the old Netscape web browser (the forefather of Mozilla, which also uses the user agent string Mozilla), or a client sends an invalid Mozilla User-Agent string, this rule will block access.
Netscape browsers are unlikely to be in use and would not work correctly with modern websites. Mozilla uses a strict versioning method, and invalid versions always mean the client is faking its true identity. This method is used by both attackers and spammers, and legitimate clients never use invalid User-Agent strings.
Examples
User-Agent: Mozilla/5.1 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060425 SUSE/1.5.0.3-7 Hv3/alpha
There are no browsers that use Mozilla 5.1.
User-Agent: Mozilla/4.5 (compatible; WB 3.00; Windows 98)
All browsers, including IE, Safari, Opera, Mozilla, and others, use either Mozilla 4.0 or Mozilla 5.0 in their User-Agent strings. There are no Mozilla User-Agent strings with versions such as 5.1, 5.2 or 4.5; the version always ends in .0.
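The version check described above, written out in Python as an added example. It is not the Atomicorp rule itself, whose source does not appear on this page. The function names and every sample header other than the two quoted above are constructed for illustration, and the Netscape-style line shows the false positive discussed under Troubleshooting.

```python
import re

# Product token at the start of the header value, e.g. "Mozilla/5.0".
_MOZILLA_TOKEN = re.compile(r"^\s*Mozilla/([^\s(;,]*)", re.IGNORECASE)

# Per the page: browsers only ever send Mozilla/4.0 or Mozilla/5.0.
VALID_VERSIONS = {"4.0", "5.0"}


def classify_user_agent(value):
    """Return 'not-mozilla', 'ok' or 'fake-mozilla-version' for a header value."""
    match = _MOZILLA_TOKEN.match(value)
    if match is None:
        return "not-mozilla"  # no leading Mozilla token: out of scope for this check
    # An empty or truncated version ("Mozilla/", "Mozilla/5") is also invalid.
    return "ok" if match.group(1) in VALID_VERSIONS else "fake-mozilla-version"


def scan(header_lines):
    """Return [(verdict, value)] for every 'User-Agent:' line; skip other headers."""
    results = []
    for line in header_lines:
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep and name.strip().lower() == "user-agent":
            results.append((classify_user_agent(value), value.strip()))
    return results


# The first two lines are the page's examples; the rest are constructed samples.
SAMPLE_HEADERS = [
    "User-Agent: Mozilla/5.1 (X11; U; Linux i686; en-US; rv:1.8.0.3) "
    "Gecko/20060425 SUSE/1.5.0.3-7 Hv3/alpha",
    "User-Agent: Mozilla/4.5 (compatible; WB 3.00; Windows 98)",
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "User-Agent: Mozilla/4.7 [en] (WinNT; U)",  # old-Netscape style: false positive
    "User-Agent: Mozilla/5",                    # missing minor version
    "User-Agent: curl/8.0.1",
    "Host: www.example.com",
]

if __name__ == "__main__":
    for verdict, value in scan(SAMPLE_HEADERS):
        print(f"{verdict:22} {value}")
```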
Troubleshooting
False Positives
A false positive can occur if a user is using an extremely old version of Netscape.
Tuning Guidance
If you know you have users on extremely old versions of the Netscape browser, you will need to disable this rule. We do not recommend using old browser versions: they are known to contain security vulnerabilities that may cause your users to be compromised.
Additional Information
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.
Notes
Attackers will often use old Netscape and invalid Mozilla client user-agent headers to try to trick web applications into trusting them, or to hide activity by pretending to be a legitimate user.