Revision as of 13:23, 6 September 2013

Description

This rules detects invalid Mozilla user agent strings. For example, it will detect both when clients generate fake Mozilla user agent strings, as well was Netscape strings.

That is, if a client pretends to be using the old web browser Netscape (which is the forefather of Mozilla, and uses the user agent string Mozilla) this rule will block access. Netscape browsers are both unlikely to be in use, and would not work correctly with modern websites.

Examples

User-Agent: Mozilla/5.1 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060425 SUSE/1.5.0.3-7 Hv3/alpha

There are no browsers that use Mozilla 5.1.

 User-Agent: Mozilla/4.5 (compatible; WB 3.00; Windows 98)

All browsers use either Mozilla 4.0 or Mozilla 5.0. There are no 5.1, 5.2, 4.5, etc. Mozilla User-Agents. They always end in .0.

Troubleshooting

False Positives

A false positive can occur if a user is using an extremely old version of Netscape.

Tuning Guidance

If you know you have users using extremely old versions of the Netscape browser, you will need to disable this rule. We do not recommend you use old versions of browsers, they are known to contain security vulnerabilities that may cause your users to be compromised.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes

Attackers will often use old Netscape and invalid Mozilla client user-agent headers to try to trick web applications into trusting them, or to hide activity by pretending to be a legitimate user.