@EsadCetiner
Member

Proposed changes

This is a new user-agent I noticed in my logs. It's a clear typo of the Mozilla user-agent, which should almost always be Mozilla/5.0 or Mozilla/4.0 and not Mozilla/5.g.

PR Checklist

  • I have read the CONTRIBUTING doc
  • I have added positive tests proving my fix/feature works as intended.
  • I have added negative tests that prove my fix/feature considers common cases that might end in false positives
  • In case you changed a regular expression, you are not adding a ReDOS for pcre. You can check this using regexploit
  • My tests use the comment field to write the expected behavior
  • I have added documentation for the rule or change (when appropriate)

Further comments

For the reviewer

  • Positive and negative tests were added
  • Tests cover the intended fix/feature properly
  • No usage of dangerous constructs like ctl:requestBodyAccess=Off were used in the rule
  • In case a regular expression was changed, there is no ReDOS
  • Documentation is clear for the rule/change

@EsadCetiner EsadCetiner added release:new-detection In this PR we introduce a new detection release:new-feature This PR introduces a new feature labels Dec 17, 2025
@github-actions
Contributor

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@touchweb-vincent
Contributor

touchweb-vincent commented Dec 17, 2025

Hello,

We could take this opportunity to create a new set of rules specific to user agents.

One of the first rules could be: mozilla\/[4-5]\.[^0]
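
The pattern proposed above, run over a few constructed Combined Log Format lines, as an added example that is not part of the PR or of any comment in this thread. It assumes case-insensitive matching (the pattern is written in lowercase) and an Apache/nginx-style combined access log; `flagged_agents` and the sample lines are hypothetical.

```python
import re

# Pattern proposed in the thread. Assumption: matched case-insensitively,
# since the pattern itself is written in lowercase.
PROPOSED = re.compile(r"mozilla\/[4-5]\.[^0]", re.IGNORECASE)

# Combined Log Format: the User-Agent is the last quoted field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed access-log lines (documentation IP range), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Dec/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.g (Windows NT 10.0; Win64; x64)"
192.0.2.11 - - [17/Dec/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
192.0.2.12 - - [17/Dec/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
192.0.2.13 - - [17/Dec/2025:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.79 [en] (Windows NT 5.0; U)"
192.0.2.14 - - [17/Dec/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.5.0"
"""


def flagged_agents(log_text):
    """Return (ip, user_agent) for each parsable line whose UA matches PROPOSED."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m is None:  # skip lines that are not Combined Log Format
            continue
        if PROPOSED.search(m.group("ua")):
            hits.append((m.group("ip"), m.group("ua")))
    return hits


if __name__ == "__main__":
    for ip, ua in flagged_agents(SAMPLE_LOG):
        print(ip, ua)
```

The `Mozilla/4.79` sample, a Netscape 4.x style minor version, is the kind of input the checklist's negative tests are meant to cover.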

@dune73
Member

dune73 commented Dec 17, 2025

We had several rules about User-Agents in CRS3. The idea was to revamp them for CRS4; I invested a lot of time into automating the UA lists. But the details with the classification got so hairy, we finally gave up on it. All that is left is scanners-user-agents.data with the idea to detect and to block the most offensive security scanners.

Expanding the functionality beyond this would have to have very good arguments and a decent plan on how to automate it.
