# http://www.atomicorp.com/ # Atomicorp (Gotroot.com) ModSecurity rules # User Agent Security Rules for modsec 2.x # # Created by the Prometheus Group (http://www.prometheus-group.com) # Copyright 2005,2006 and 2007 by the Prometheus Group, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # Distribution of this work or derivative of this work in any form is # prohibited unless prior written permission is obtained from the # copyright holder. # # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. 
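#
# ---ASL-CONFIG-FILE---
#
# User-Agent signature rules for ModSecurity 2.x.
#
# Every SecRule below inherits the SecDefaultAction that follows: the request
# is logged (error log and audit log) and denied with HTTP 403 in phase 2.
# Before matching, the inspected value is lowercased (t:lowercase), NUL bytes
# are replaced (t:replaceNulls) and whitespace runs are collapsed
# (t:compressWhitespace).
#
# Consequences for maintainers:
#   * Patterns are matched against lowercased input, so a pattern containing an
#     upper-case letter can never match. Rules 330042, 330074, 330080, 330105,
#     330120, 330129 and 330135 were written that way and have been lowercased
#     here so that they can fire.
#   * The User-Agent header is chosen by the client. These signatures only stop
#     tools that announce themselves; they are a noise filter, not an access
#     control, and a hit or a miss says nothing about who the client really is.
#   * Several rules match short substrings anywhere in the header (for example
#     "combine", "webster", "pe 1\.4"). Watch the audit log for false positives
#     after deployment and exclude per site rather than editing patterns.
#   * The SecRuleRemoveById list at the end of this file disables rules 330017,
#     330030 and 330072 again; see the note there.
SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"

# Rule 330001: Comment spam header line
# NOTE(review): REQUEST_HEADERS inspects header values. If the indicator is a
# header *name*, REQUEST_HEADERS_NAMES would be the collection to test - confirm
# against a captured sample before changing.
SecRule REQUEST_HEADERS "x-aaaaaa" \
    "id:330001,rev:2,severity:2,msg:'Spam: Generic spam header detected'"

#check for bad meta characters in User-Agent field
#SecRule REQUEST_HEADERS:User-Agent ".*\'"

# Rule 330003: XSS in the UA field
SecRule REQUEST_HEADERS:User-Agent "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)" \
    "id:330003,rev:1,severity:2,msg:'XSS in User Agent field'"

# Rule 330004: PHP code injection attack
SecRule REQUEST_HEADERS:User-Agent "(<\?php|<[[:space:]]*\?[[:space:]]*php)" \
    "id:330004,rev:1,severity:2,msg:'PHP code injection via User Agent'"

# Rule 330005: PHP code injection attack
SecRule REQUEST_HEADERS:User-Agent "http_get_vars" \
    "id:330005,rev:2,severity:2,msg:'PHP code injection via User Agent 2'"

# Rule 330006: recursion attack in UA field
SecRule REQUEST_HEADERS:User-Agent "\.\./\.\." \
    "id:330006,rev:1,severity:2,msg:'recursion attack in UA field'"

#May cause false positives with some software, comment out if it does
#SecRule REMOTE_ADDR "!^127\.0\.0\.1$" "chain,id:390000,rev:1,severity:1,msg:'Suspicious Automated or Manual Request'"
#SecRule "REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Host|REQUEST_HEADERS:Accept" "^$"

# Rule 330007: Exploit agent
SecRule REQUEST_HEADERS:User-Agent "mosiac 1\.*" \
    "id:330007,rev:2,severity:2,msg:'Exploit agent indicater in UA'"

# Rule 330008: Bad agent
SecRule REQUEST_HEADERS:User-Agent "brutus/aet" \
    "id:330008,rev:2,severity:2,msg:'Bad User Agent: Brutus/AET'"

# Rule 330009: CGI vuln scan tool
SecRule REQUEST_HEADERS:User-Agent "cgichk" \
    "id:330009,rev:1,severity:2,msg:'Bad User Agent: CGICHK vulnerabilty scanner'"

# Rule 330010: DataCha0s
SecRule REQUEST_HEADERS:User-Agent "datacha0s/2\.0" \
    "id:330010,rev:2,severity:2,msg:'Bad User Agent: DataCha0s'"

# Rule 330011: Damn fine UA
SecRule REQUEST_HEADERS:User-Agent "this is an exploit*" \
    "id:330011,rev:1,severity:2,msg:'Bad User Agent: Damn fine UA'"

# Rule 330012: Damn fine UA
SecRule REQUEST_HEADERS:User-Agent "morzilla" \
    "id:330012,rev:1,severity:2,msg:'Bad User Agent: Damn fine UA'"

# Rule 330013: CIRT.DK Webroot auditing tool
# The trailing space inside the pattern is part of the signature.
SecRule REQUEST_HEADERS:User-Agent "webroot " \
    "id:330013,rev:1,severity:2,msg:'Bad User Agent: Webroot vulnerabilty scanner'"

# Rule 330014: Exploit UA
SecRule REQUEST_HEADERS:User-Agent "t ?h ?a ?t ?' ?s g ?o ?t ?t ?a ? h ?u ?r ?t" \
    "id:330014,rev:2,severity:2,msg:'Bad User Agent: GOTTA HURT'"

# Rule 330015: XML RPC exploit tool
SecRule REQUEST_HEADERS:User-Agent "xmlrpc exploit" \
    "id:330015,rev:1,severity:2,msg:'Bad User Agent: XMLRPC exploit tool'"

# Rule 330016: A friendly little exploit banner for a WP vuln
SecRule REQUEST_HEADERS:User-Agent "wordpress hash grabber" \
    "id:330016,rev:1,severity:2,msg:'Bad User Agent: Wordpress hash grabber'"

# Rule 330017: Blocks scripts
# Chained rule: fires only when the URI is NOT one of the listed paths AND the
# User-Agent contains "lwp". Removed again by SecRuleRemoveById at the end of
# this file.
SecRule REQUEST_URI "!(/webprobilling/pipe/pop\.php|/cron/index\.php|/read\.php|/pg/cron/)" \
    "chain,id:330017,rev:5,severity:2,msg:'Suspicious User Agent: lwp - Disable this rule if you are using LWP'"
SecRule REQUEST_HEADERS:User-Agent lwp

# Rule 330018: Web leeches
SecRule REQUEST_HEADERS:User-Agent "web downloader" \
    "id:330018,rev:1,severity:2,msg:'Web leech: Web Downloader'"

# Rule 330019: Web leeches
SecRule REQUEST_HEADERS:User-Agent webzip \
    "id:330019,rev:1,severity:2,msg:'Web leech: Web Downloader'"

# Rule 330020: Web leeches
SecRule REQUEST_HEADERS:User-Agent webcopier \
    "id:330020,rev:1,severity:2,msg:'Web leech: Web Downloader'"

# Rule 330021: Web leeches
SecRule REQUEST_HEADERS:User-Agent webster \
    "id:330021,rev:1,severity:2,msg:'Web leech: Web Downloader'"

# Rule 330023: Web leeches
SecRule REQUEST_HEADERS:User-Agent webstripper \
    "id:330023,rev:1,severity:2,msg:'Web leech: Web Downloader'"

# Rule 330024: Web leeches
SecRule REQUEST_HEADERS:User-Agent "teleport pro" \
    "id:330024,rev:1,severity:2,msg:'Web leech: Web Downloader'"

# Rule 330025: Web leeches
SecRule REQUEST_HEADERS:User-Agent combine \
    "id:330025,rev:1,severity:2,msg:'Web leech: Web Downloader'"

# Rule 330026: Web leeches
SecRule REQUEST_HEADERS:User-Agent "black hole" \
    "id:330026,rev:1,severity:2,msg:'Web leech: Web Downloader'"

# Rule 330027: Web leeches
SecRule REQUEST_HEADERS:User-Agent "sitesnagger" \
    "id:330027,rev:1,severity:2,msg:'Web leech: Web Downloader'"

# Rule 330028: Web leeches
SecRule REQUEST_HEADERS:User-Agent "prowebwalker" \
    "id:330028,rev:1,severity:2,msg:'Web leech: Web Downloader'"

# Rule 330029: Web leeches
SecRule REQUEST_HEADERS:User-Agent "cheesebot" \
    "id:330029,rev:1,severity:2,msg:'Web leech: Web Downloader'"

# Rule 330030: Bogus Mozilla UA lines
# Removed again by SecRuleRemoveById at the end of this file.
SecRule REQUEST_HEADERS:User-Agent "mozilla/(4|5)\.0$" \
    "id:330030,rev:1,severity:2,msg:'Fake Mozilla User agent detected'"

# Rule 330031: Bogus Mozilla UA lines
SecRule REQUEST_HEADERS:User-Agent "mozilla/3\.mozilla/2\.01$" \
    "id:330031,rev:1,severity:2,msg:'Fake Mozilla User agent detected'"

# Rule 330032: Bogus IE UA line
SecRule REQUEST_HEADERS:User-Agent "microsoft internet explorer/5\.0$" \
    "id:330032,rev:1,severity:2,msg:'Fake IE User agent detected'"

# Rule 330033: Bogus UA
SecRule REQUEST_HEADERS:User-Agent "foobar/" \
    "id:330033,rev:1,severity:2,msg:'Fake User agent detected'"

# Rule 330034: Nessus Vuln scanner UA
SecRule REQUEST_HEADERS:User-Agent "nessus" \
    "id:330034,rev:1,severity:2,msg:'Nessus Vulnerability Scanner User agent detected'"

# Rule 330035: Nikto vuln scanner UA
SecRule REQUEST_HEADERS:User-Agent "nikto" \
    "id:330035,rev:1,severity:2,msg:'Nikto Web Vulnerability Scanner User agent detected'"

# Rule 330036: Bad/Bogus UAs
SecRule REQUEST_HEADERS:User-Agent "indy library" \
    "id:330036,rev:1,severity:2,msg:'Suspicious User agent detected'"

# Rule 330037: Bad/Bogus UAs
SecRule REQUEST_HEADERS:User-Agent "faxobot" \
    "id:330037,rev:1,severity:2,msg:'Fake User agent detected'"

# Rule 330038: Bad/Bogus UAs
SecRule REQUEST_HEADERS:User-Agent "safexplorer tl" \
    "id:330038,rev:1,severity:2,msg:'Suspicious Unusual User Agent (SAFEXPLORER)'"

# Rule 330039: Spam spider UAs
SecRule REQUEST_HEADERS:User-Agent "fantombrowser" \
    "id:330039,rev:1,severity:2,msg:'Spambot User agent detected'"

# Rule 330041: VB development library used by many spammers, might block
# legitimate VB scripts; comment out if you have problems
SecRule REQUEST_HEADERS:User-Agent "crescent internet toolpak" \
    "id:330041,rev:1,severity:2,msg:'Suspicious User agent detected'"

# Rule 330042: Borland Delphi signature, as above, comment out if it gives you problems
#spammers sometimes use these UAs
# Pattern lowercased ("activeX" -> "activex"): the input is lowercased before
# matching, so the original spelling could never match.
SecRule REQUEST_HEADERS:User-Agent "newt activex\; win32" \
    "id:330042,rev:1,severity:2,msg:'Suspicious User agent detected'"

# Rule 330043: Borland Delphi signature, as above, comment out if it gives you problems
SecRule REQUEST_HEADERS:User-Agent "mozilla.*newt" \
    "id:330043,rev:1,severity:2,msg:'Suspicious User agent detected'"

#Part of the Microsoft MSINET.OCX, as above, spammers sometimes use this, if
#it causes problems, comment out. If you are a member of the Microsoft Site
#Builder Network, you probably do NOT want to block this ID.
#SecRule REQUEST_HEADERS:User-Agent "Microsoft URL Control"
#SecRule REQUEST_HEADERS:User-Agent "^Microsoft URL"

# Rule 330044: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "webbandit" \
    "id:330044,rev:1,severity:2,msg:'Email Harvester Spambot User agent detected'"

# Rule 330045: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "webmole" \
    "id:330045,rev:1,severity:2,msg:'Email Harvester Spambot User agent detected'"

# Rule 330046: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "telesoft" \
    "id:330046,rev:1,severity:2,msg:'Email Harvester Spambot User agent detected'"

# Rule 330047: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "webemailextract" \
    "id:330047,rev:1,severity:2,msg:'Email Harvester Spambot User agent detected'"

# Rule 330048: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "cherrypicker" \
    "id:330048,rev:1,severity:2,msg:'Email Harvester Spambot User agent detected'"

# Rule 330049: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent nicerspro \
    "id:330049,rev:1,severity:2,msg:'Email Harvester Spambot User agent detected'"

# Rule 330050: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "advanced email extractor" \
    "id:330050,rev:1,severity:2,msg:'Email Harvester Spambot User agent detected'"

# Rule 330051: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "email(siphon|spider)" \
    "id:330051,rev:1,severity:2,msg:'Email Harvester Spambot User agent detected'"

# Rule 330052: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent extractorpro \
    "id:330052,rev:1,severity:2,msg:'Email Harvester Spambot User agent detected'"

# Rule 330054: e-mail collectors and spammers
# (the original label said 330053; the id action below is authoritative)
SecRule REQUEST_HEADERS:User-Agent emailcollector \
    "id:330054,rev:1,severity:2,msg:'Email Harvester Spambot User agent detected'"

# Rule 330055: e-mail collectors and spammers
# (no rule follows this label in the file)

# Rule 330056: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent emailwolf \
    "id:330056,rev:1,severity:2,msg:'Email Harvester Spambot User agent detected'"

#Spiders that eat up bandwidth for their customers
# Rule 330057: Not a spammer, just a spider, comment out if you like
SecRule REQUEST_HEADERS:User-Agent "copyrightcheck" \
    "id:330057,rev:1,severity:2,msg:'CopyRightCheck Spider User agent detected'"

# Rule 330058: Not a spammer, just a spider, comment out if you like
SecRule REQUEST_HEADERS:User-Agent "copyguard" \
    "id:330058,rev:1,severity:2,msg:'CopyGuard Spider User agent detected'"

# Rule 330059: Not a spammer, just a spider, comment out if you like
SecRule REQUEST_HEADERS:User-Agent "digimarc webreader" \
    "id:330059,rev:1,severity:2,msg:'Digimarc DRM Spider User agent detected'"

# Rule 330060: Marketing spiders
SecRule REQUEST_HEADERS:User-Agent "zeus .*webster pro" \
    "id:330060,rev:1,severity:2,msg:'Marketing Spider User agent detected'"

# Rule 330061: Poker spam
SecRule REQUEST_HEADERS:User-Agent "8484 boston project" \
    "id:330061,rev:1,severity:2,msg:'Spambot User agent detected'"

# Rule 330062: collectors
SecRule REQUEST_HEADERS:User-Agent "autoemailspider" \
    "id:330062,rev:1,severity:2,msg:'Email Harvester Spambot User agent detected'"

# Rule 330063: collectors
SecRule REQUEST_HEADERS:User-Agent "ecollector" \
    "id:330063,rev:1,severity:2,msg:'Email Harvester Spambot User agent detected'"

# Rule 330064: collectors
SecRule REQUEST_HEADERS:User-Agent "grub crawler" \
    "id:330064,rev:1,severity:2,msg:'Email Harvester Spambot User agent detected'"

# Rule 330065: referrer spam, not the real weblogs
SecRule REQUEST_HEADERS:User-Agent "^www\.weblogs\.com" \
    "id:330065,rev:1,severity:2,msg:'Fake User agent detected'"

# Rule 330066: spam bots
SecRule REQUEST_HEADERS:User-Agent "dts agent" \
    "id:330066,rev:1,severity:2,msg:'Spambot User agent detected'"

# Rule 330269: spam bots
# (the original label said 330067; the id action below is authoritative)
SecRule REQUEST_HEADERS:User-Agent "poe-component-client" \
    "id:330269,rev:1,severity:2,msg:'Suspicious User Agent (POE-Component-Client)'"

# Rule 330067: spam bots
# (the original label said 330068; the id action below is authoritative)
SecRule REQUEST_HEADERS:User-Agent "wisebot" \
    "id:330067,rev:1,severity:2,msg:'Spambot User agent detected'"

# Rule 330069: spam bots
#SecRule REQUEST_URI "!(?:/wp-admin/|/index\.php/admin/catalog_product_gallery/upload/|/index\.php\?option=com_media&task=file\.upload|/components/com_expose/expose/|administrator/index\.php\?option=com_media|/flashservices/|/ssp_director/|/admin/upload\.php|/XML\.php\?module=|/flash_uploader\.php|/admin/gallery_image_upload\.php|/administrator/index\.php)" \
#       "chain, id:330069,rev:13,severity:2,msg:'Suspicious Unusual User Agent (Shockwave Flash)'"
#SecRule REQUEST_HEADERS:User-Agent "^shockwave flash" chain
#SecRule ARGS:task "!(upload)"

# Rule 330070: spam bots
SecRule REQUEST_HEADERS:User-Agent "missigua" \
    "id:330070,rev:3,severity:2,msg:'Suspicious unusual User Agent'"

# Rule 330071: comment spam sign
SecRule REQUEST_HEADERS:User-Agent "compatible \; msie" \
    "id:330071,rev:1,severity:2,msg:'Comment Spammer User Agent (IE)'"

# Rule 330072: Some regexps to catch silly bots
# Removed again by SecRuleRemoveById at the end of this file.
# NOTE(review): "\|" in the URI exclusion is an escaped (literal) pipe, so the
# exclusion looks unable to match an ordinary path and the negated test would
# always pass - confirm the intended paths before re-enabling this rule.
SecRule REQUEST_URI "!/ps(zones\|comp).txt1" "chain,id:330072,rev:1,severity:2,msg:'Comment Spammer User Agent (IE)'"
SecRule REQUEST_HEADERS:User-Agent "^(google|i?explorer?\.exe|(ms)?ie( [0-9.]+)?[ ]?(compatible( browser)?)?)$"

# Rule 330073: Some regexps to catch silly bots
SecRule REQUEST_HEADERS:User-Agent "^(mozilla( [0-9.]+)?[ ]?\((windows|linux|(ie )?compatible)\))$" \
    "id:330073,rev:1,severity:2,msg:'Comment Spammer User Agent (IE)'"

# Rule 330074: Some regexps to catch silly bots
# Pattern lowercased: the input is lowercased before matching, so the original
# mixed-case spelling could never match.
SecRule REQUEST_HEADERS:User-Agent "^mozilla/5\.0 \(x11; u; linux i686; en-us; rv\:0\.9\.6\+\) gecko/2001112$" \
    "id:330074,rev:1,severity:2,msg:'Comment Spammer User Agent (Mozilla)'"

# Rule 330075: Some regexps to catch silly bots
#SecRule REQUEST_HEADERS:User-Agent "^Mozilla/[0-9.]+ \(compatible; MSIE [0-9.]+; Windows( NT)?( [0-9.]*)?;[0-9./ ]*\)?$" \
#       "id:330075,rev:1,severity:2,msg:'Comment Spammer User Agent (IE) 2'"

# Rule 330076: Some regexps to catch silly bots
SecRule REQUEST_HEADERS:User-Agent "^mozilla/.+[. ]+$" \
    "id:330076,rev:1,severity:2,msg:'Comment Spammer User Agent (Mozilla) 2'"

#spammer
SecRule REQUEST_HEADERS:User-Agent "butch__2\.1\.1" \
    "id:330077,rev:1,severity:2,msg:'Comment Spammer User Agent'"

#spammer
SecRule REQUEST_HEADERS:User-Agent "agdm79@mail\.ru" \
    "id:330079,rev:1,severity:2,msg:'Comment Spammer User Agent'"

#Fake Gameboy UA
# Pattern lowercased ("gameBoy" -> "gameboy") so it can match the lowercased input.
SecRule REQUEST_HEADERS:User-Agent "gameboy\, powered by nintendo" \
    "id:330080,rev:1,severity:2,msg:'Comment Spammer User Agent (Mozilla) 2'"

#bogus amiga UA
SecRule REQUEST_HEADERS:User-Agent "amiga-aweb/3\.4" \
    "id:330081,rev:1,severity:2,msg:'Fake Amiga Web Agent'"

#exploit UA
# The trailing space inside the pattern is part of the signature.
SecRule REQUEST_HEADERS:User-Agent "internet ninja " \
    "id:330082,rev:1,severity:2,msg:'Exploit User Agent'"

#bogus googlebot UA
SecRule REQUEST_HEADERS:User-Agent "nokia-waptoolkit.* googlebot.*googlebot" \
    "id:330083,rev:1,severity:2,msg:'Fake GoogleBot'"

#recently caught sending spam referrals, from their actual crawler IP
#SecRule REQUEST_HEADERS:User-Agent "BecomeBot"
#       "id:330076,rev:1,severity:2,msg:'Comment Spammer User Agent (Mozilla) 2'"

#Surveybot
#SecRule REQUEST_HEADERS:User-Agent "SurveyBot"

#exploit
SecRule REQUEST_HEADERS:User-Agent "s\.t\.a\.l\.k\.e\.r\." \
    "id:330084,rev:1,severity:2,msg:'Exploit User Agent'"

#exploit
SecRule REQUEST_HEADERS:User-Agent "neuralbot/0\.2" \
    "id:330085,rev:1,severity:2,msg:'Exploit User Agent'"

#exploit
SecRule REQUEST_HEADERS:User-Agent "kenjin spider" \
    "id:330086,rev:1,severity:2,msg:'Exploit User Agent'"

#WebvulnScan
SecRule REQUEST_HEADERS:User-Agent "webvulnscan" \
    "id:330087,rev:1,severity:2,msg:'WebVulnScan User Agent'"

#broken spam tool
SecRule REQUEST_HEADERS:User-Agent "mozilla/4\.0 \(compatible\; msie 6\.0\; windows nt 5\.1$" \
    "id:330088,rev:1,severity:2,msg:'Comment Spammer User Agent (Fake Mozilla)'"

#PHPBB worm UA
# NOTE(review): msg text does not describe this signature (looks copied from
# rule 330088); left unchanged in case log consumers key on it.
SecRule REQUEST_HEADERS:User-Agent "internet exploiter sux" \
    "id:330089,rev:1,severity:2,msg:'Comment Spammer User Agent (Fake Mozilla)'"

#fake UA
SecRule REQUEST_HEADERS:User-Agent "windows-update-agent" \
    "id:330090,rev:1,severity:2,msg:'Comment Spammer User Agent (Fake Windows Update Agent)'"

#exploit
SecRule REQUEST_HEADERS:User-Agent "internet-exprorer" \
    "id:330091,rev:1,severity:2,msg:'Exploit User Agent'"

# Bad Spider
SecRule REQUEST_HEADERS:User-Agent "hl_ftien_spider" \
    "id:330092,rev:1,severity:2,msg:'Comment Spammer User Agent'"

# PMAFind
SecRule REQUEST_HEADERS:User-Agent "pmafind" \
    "id:330093,rev:1,severity:2,msg:'Comment Spammer User Agent'"

#Morfeus Fucking Scanner
SecRule REQUEST_HEADERS:User-Agent "morfeus fucking scanner" \
    "id:330094,rev:1,severity:2,msg:'Exploit User Agent (MFS)'"

#Vadix bot
SecRule REQUEST_HEADERS:User-Agent "vadixbot" \
    "id:330095,rev:1,severity:2,msg:'Vadixbot User Agent String'"

SecRule REQUEST_HEADERS:User-Agent "concealed defense" \
    "id:330096,rev:1,severity:2,msg:'Concealed Defense User Agent String'"

# Dot escaped so that only the literal version string "1.0" matches.
SecRule REQUEST_HEADERS:User-Agent "core-project/1\.0" \
    "id:330097,rev:1,severity:2,msg:'core-project/1.0 User Agent String'"

SecRule REQUEST_HEADERS:User-Agent "fiddler" \
    "id:330098,rev:1,severity:2,msg:'Fiddler User Agent String'"

# NOTE(review): id 330098 is already used by the "fiddler" rule directly above.
# ModSecurity 2.7 and later reject duplicate rule ids when the configuration is
# loaded, and on older versions the two rules cannot be told apart in logs or
# removed separately. Assign this rule an unused id from the vendor's range.
SecRule REQUEST_HEADERS:User-Agent "no browser" \
    "id:330098,rev:1,severity:2,msg:'Fake No Browser User Agent String'"

SecRule REQUEST_HEADERS:User-Agent "backdoor" \
    "id:330099,rev:1,severity:2,msg:'backdoor User Agent String'"

SecRule REQUEST_HEADERS:User-Agent "(script|sql) injection" \
    "id:330100,rev:1,severity:2,msg:'script injection User Agent String'"

# NOTE(review): msg text matches rule 330100 rather than this "security scan"
# signature; left unchanged in case log consumers key on it.
SecRule REQUEST_HEADERS:User-Agent "security scan" \
    "id:330101,rev:1,severity:2,msg:'script injection User Agent String'"

SecRule REQUEST_HEADERS:User-Agent "stress test" \
    "id:330102,rev:1,severity:2,msg:'Stress Test User Agent String'"

SecRule REQUEST_HEADERS:User-Agent "voideye" \
    "id:330103,rev:1,severity:2,msg:'VoidEYE User Agent String'"

# Matches a bot that sends its unexpanded template placeholders as the UA.
# "$" is escaped because an unescaped "$" is the end-of-string anchor, and the
# text is lowercased to match the lowercased input; the original
# "$BotName/$BotVersion" could never match.
SecRule REQUEST_HEADERS:User-Agent "\$botname/\$botversion" \
    "id:330105,rev:1,severity:2,msg:'Broken Bot Generic User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "china local browse 2\." \
    "id:330106,rev:1,severity:2,msg:'Spambot User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "franklin locator" \
    "id:330107,rev:1,severity:2,msg:'Spambot User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "atspider" \
    "id:330108,rev:1,severity:2,msg:'Spambot User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "nameofagent" \
    "id:330109,rev:1,severity:2,msg:'Spambot User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "pe 1\.4" \
    "id:330110,rev:1,severity:2,msg:'Scanbot User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "production bot" \
    "id:330111,rev:1,severity:2,msg:'Scanbot User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "program shareware 1\.0\." \
    "id:330112,rev:1,severity:2,msg:'Spambot User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "[a-z]surf[0-9][0-9]" \
    "id:330113,rev:2,severity:2,msg:'Scanbot User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "psycheclone" \
    "id:330114,rev:1,severity:2,msg:'Scanbot User Agent String Detected'"

# Dot escaped so that only the literal address matches.
SecRule REQUEST_HEADERS:User-Agent "searchbot admin@google\.com" \
    "id:330115,rev:1,severity:2,msg:'Fake Google Searchengine User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "(sogou develop spider|sohu agent)" \
    "id:330116,rev:1,severity:2,msg:'Fake Sogou Searchengine User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "under the rainbow 2\." \
    "id:330117,rev:1,severity:2,msg:'Email Harvester Spambot User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "wells search ii" \
    "id:330119,rev:1,severity:2,msg:'Spambot User Agent String Detected'"

# Pattern lowercased ("Search" -> "search") so it can match the lowercased input.
SecRule REQUEST_HEADERS:User-Agent "wep search 00" \
    "id:330120,rev:1,severity:2,msg:'Spambot User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "atomic_email_hunter" \
    "id:330121,rev:1,severity:2,msg:'Email Harvester Spambot User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "bwh3_user_agent" \
    "id:330122,rev:1,severity:2,msg:'Attack Script User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "contactbot/" \
    "id:330123,rev:1,severity:2,msg:'Email Harvester Spambot User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "contentsmartz" \
    "id:330124,rev:1,severity:2,msg:'Email Harvester Spambot User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "(?:(?:d|e)browse|demo bot)" \
    "id:330125,rev:1,severity:2,msg:'Scanbot User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "educate search vxb" \
    "id:330126,rev:1,severity:2,msg:'Scanbot User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "full web bot" \
    "id:330127,rev:1,severity:2,msg:'Scanbot User Agent String Detected'"

#SecRule REQUEST_HEADERS:User-Agent "^jakarta" \
#       "id:330128,rev:3,severity:2,msg:'Suspicious User Agent String Detected - Disable if you use Jakarta'"

# Catches clients that send the header name inside the header value.
# Pattern lowercased ("user-Agent" -> "user-agent") so it can match the
# lowercased input.
SecRule REQUEST_HEADERS:User-Agent "^user-agent" \
    "id:330129,rev:1,severity:2,msg:'Broken Bot User-Agent/User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "compatible ;\." \
    "id:330130,rev:1,severity:2,msg:'Broken Bot User Agent String Detected'"

# NOTE(review): as written the anchors are reversed ("$" before the text, "^"
# after it), so this pattern cannot match any value. It presumably was meant to
# be "^mozilla$" (a UA consisting of the bare word) - confirm with the rule
# author before changing, since that would start blocking such requests.
SecRule REQUEST_HEADERS:User-Agent "$mozilla^" \
    "id:330131,rev:1,severity:2,msg:'Fake Mozilla User Agent String Detected'"

#SecRule REQUEST_HEADERS:User-Agent "ConveraCrawler" \
#       "id:330132,rev:1,severity:2,msg:'Spambot User Agent String Detected'"

#SecRule REQUEST_HEADERS:User-Agent "panscient\.com" \
#       "id:330133,rev:1,severity:2,msg:'Badbot User Agent String Detected'"

#SecRule REQUEST_HEADERS:User-Agent "^[a-z]{3,} [a-z]{4,} [a-z]{4,}$" \
#       "id:330134,rev:1,severity:2,msg:'Fake User Agent String Detected'"

# Pattern lowercased ("Search" -> "search") so it can match the lowercased input.
SecRule REQUEST_HEADERS:User-Agent "isc systems irc search 2\.1" \
    "id:330135,rev:1,severity:2,msg:'Email Harvester Spambot User Agent String Detected'"

SecRule REQUEST_HEADERS:User-Agent "pleasecrawl/1\." \
    "id:330136,rev:1,severity:2,msg:'Badbot User Agent String Detected'"

#exclusions
# These directives switch rules off after they were defined above. 330017,
# 330030 and 330072 are active rules in this file, so they do NOT run while
# these lines are present. 330069 and 330128 are commented out above, so their
# removals currently have nothing to remove. The original list repeated 330069
# five times and 330072 twice; each id is listed once here, which removes the
# same set of rules.
SecRuleRemoveById 330017
SecRuleRemoveById 330030
SecRuleRemoveById 330069
SecRuleRemoveById 330072
SecRuleRemoveById 330128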