
Very new to mod_sec

I want to block a UA string and I noticed there are a few types:

SecRule HTTP_User-Agent
SecRule REQUEST_HEADERS:User-Agent

What is the real difference between them?

My block:

SecRule REQUEST_HEADERS:User-Agent "perl" "phase:2,pass,msg:'Perl based user agent identified'"

Do I need to set a SecDefaultAction phase:2,deny,status:403,log,auditlog before that? Then any SecRule below that follows that action, right?

Tiffany Walker

1 Answer


I think you should rather use a SecDefaultAction to pass, and then to use the filter about perl user agent, to allow only this one. (If that's what you're really trying to do!)

SecDefaultAction phase:2,pass,status:403,log,auditlog

SecRule REQUEST_HEADERS:User-Agent "!perl" "phase:2,deny,msg:'Perl based user agent identified'"

I'm pretty sure this will work, but haven't tested it yet. And about your question concerning the differences between the two types, I think there isn't any.

Guillaume Fenollar
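For the goal stated in the question (blocking a Perl user agent rather than allowing only it), here is an added configuration example that is not part of either post. It assumes ModSecurity 2.x; the rule ids are arbitrary placeholders and the `t:lowercase` transformation is an addition so that the match is case-insensitive.

```apache
# Added example, not from the question or the answer.
# Assumptions: ModSecurity 2.x; ids 1000001 and 1000002 are placeholder
# values (ModSecurity 2.7 and later require a unique id on every rule).

# Rules only block when the engine is On (DetectionOnly logs but never denies).
SecRuleEngine On

# Default action list for the phase 2 rules that follow in this context.
# A rule that names no disruptive action of its own inherits deny/403 from here.
SecDefaultAction "phase:2,deny,status:403,log,auditlog"

# Variant A: relies on the inherited default.
# The rule carries no disruptive action, so the deny above applies.
# An explicit "pass" here, as in the question's rule, would override the
# inherited deny, and the request would only be logged.
SecRule REQUEST_HEADERS:User-Agent "@rx perl" \
    "id:1000001,phase:2,t:lowercase,msg:'Perl based user agent identified'"

# Variant B: self-contained, does not depend on any SecDefaultAction.
# Use one variant or the other; both together are redundant.
SecRule REQUEST_HEADERS:User-Agent "@rx perl" \
    "id:1000002,phase:2,t:lowercase,deny,status:403,log,auditlog,msg:'Perl based user agent identified'"
```

To check the rule, send a request with `curl -A "libwww-perl/6.05"` to the protected site: it should receive a 403 and produce an audit log entry, while a request with a browser user agent passes.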