Author Topic: Can userdata_bl_domains block bit.ly/badword?  (Read 869 times)

Offline secmas

  • Newbie
  • *
  • Posts: 6
Can userdata_bl_domains block bit.ly/badword?
« on: November 16, 2020, 10:27:14 AM »
Hi.
Lately I have seen a lot of forms filled with the domain "bit.ly" pointing to malicious code or to a spammer page.
So I added "bit.ly" to my userdata_bl_domains file, but some of my customers complained that they use it a lot, so I had to delete it from my blacklist.
So, is it possible to add a line like "bit.ly/someword" to this rule, or is this rule for domains only?

Thanks in advance for your input.

Regards.

Offline Cwaf_Team

  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 290
Re: Can userdata_bl_domains block bit.ly/badword?
« Reply #1 on: November 17, 2020, 06:17:22 AM »
Hi,
it is possible to add a line like "bit.ly/someword" to the file "userdata_bl_domains", and the rule will work.

Offline secmas

  • Newbie
  • *
  • Posts: 6
Re: Can userdata_bl_domains block bit.ly/badword?
« Reply #2 on: November 18, 2020, 10:45:32 AM »
Thank you.

I will add those sites to my userdata_bl_domains.cf.

Best Regards,
Sergio

Offline secmas

  • Newbie
  • *
  • Posts: 6
Re: Can userdata_bl_domains block bit.ly/badword?
« Reply #3 on: December 11, 2020, 11:11:37 AM »
Hi, Cwaf_Team.

Do you have a reference guide where I can read how to properly use each of the userdata_bl_[filename] files?
I am interested in one where I could add phrases or email addresses to a blacklist to be checked when users post comments on forms.

Thanks,
Sergio

Offline Cwaf_Team

  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 290
Re: Can userdata_bl_domains block bit.ly/badword?
« Reply #4 on: December 11, 2020, 05:37:33 PM »
Hi,
you can read
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#pmfromfile

You can find the file names in our rules, but in the case of domains, rule 210921 has additional conditions:

Code:
ARGS|REQUEST_URI|XML:/* "(?:data|gopher|ogg|php|zlib|(?:f|ht)tps{0,1}):/
We can remove these conditions to pass complete control over domains to users.

Offline secmas

  • Newbie
  • *
  • Posts: 6
Re: Can userdata_bl_domains block bit.ly/badword?
« Reply #5 on: December 11, 2020, 10:57:28 PM »
Actually, what I was looking for is a file like, for example, "user_bl_phrases" (just an example), where I could add any text that I would like to block in any web form on my server.

I mean, if someone writes in the form an email like this:
i.t.i.s.a.n.s.p.a.m@gmail.com

or any text like this:
beauties in disguise

I would like to be able to add texts to a file like "user_bl_phrases" that mod_security could check the list against and proceed accordingly if the phrase is matched.

For now I really don't know if the Comodo rules already have a file for this.

Best Regards,
Sergio

Offline Cwaf_Team

  • Moderator
  • Comodo's Hero
  • *****
  • Posts: 290
Re: Can userdata_bl_domains block bit.ly/badword?
« Reply #6 on: December 18, 2020, 09:01:28 AM »
You can add a custom rule to track suspicious data:

Code:
# phase:2 is required here: in phase 1 the request body has not been read yet,
# so ARGS from POST data and REQUEST_BODY are still empty. Each line of
# userdata_bl_words is matched as a literal, case-insensitive phrase, not a regex.
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_BODY|XML:/* "@pmFromFile userdata_bl_words" \
  "id:110491,\
  msg:'COMODO WAF: Bad data is not allowed by policy||%{tx.domain}|%{tx.mode}|5',\
  phase:2,\
  deny,\
  status:403,\
  log,\
  rev:1,\
  severity:5"
You should completely understand which parameters to track. Also, the rule is provided as an example, without any warranties, and could produce a lot of false positives.

Offline secmas

  • Newbie
  • *
  • Posts: 6
Re: Can userdata_bl_domains block bit.ly/badword?
« Reply #7 on: February 22, 2021, 10:16:23 AM »
I have tried the rule that you kindly wrote and modified it a bit, but it is not working.

Here is the rule:

# phase:2 so that POST form fields are present in ARGS (the body is not read in phase 1).
# @pmFromFile reads one literal, case-insensitive phrase per line; no regex escaping applies.
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_BODY|XML:/* "@pmFromFile /mymodsec/userdata_bl_emails" \
  "id:110491,msg:'SECMAS: Blocked email not allowed by policy||%{tx.domain}|%{tx.mode}|5',phase:2,deny,status:403,log,rev:1,severity:5"

and the file userdata_bl_emails, located in my directory /mymodsec/, contains for example:
2conv\.ch@gmail\.com
aidenmorgan77+cax\@gmail\.com
alvinellis2528\@gmail\.com

I have escaped the @ and the dots (.) and it seems not to be working. It didn't work with the @ and dots unescaped either.

What I intend is that when someone writes those emails on a form, the IP is blocked.

Is there something wrong with my rule or data?

Thank you for your help.

Best Regards,
Sergio
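Two things a practitioner would check first on the rule above: it runs in phase 1, before ModSecurity has read the request body, so ARGS contains no POST form fields at that point; and @pmFromFile treats every line of the list as a literal, case-insensitive phrase, so regex-escaped entries such as 2conv\.ch@gmail\.com can never match a real address. The ModSecurity v2 configuration below is an added example, not code from this thread or from the Comodo rule set. It assumes the list path /mymodsec/userdata_bl_emails from the post, that rule ids 110490 to 110492 are unused in the installation, and that SecDataDir is configured so the persistent ip collection can be stored; everything else is standard ModSecurity v2 syntax.

```apache
# Added example (not from the thread or the Comodo rules). Assumptions:
#  - the blacklist is /mymodsec/userdata_bl_emails, one plain address per line,
#    e.g.  2conv.ch@gmail.com   (no backslashes: @pm entries are literal phrases)
#  - rule ids 110490-110492 are free in this installation
#  - SecDataDir is set, otherwise the "ip" collection cannot persist

# ARGS only carries POST fields when the body is read.
SecRequestBodyAccess On

# Open a per-client collection keyed on the source address.
SecAction "id:110490,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Short-circuit clients already flagged by rule 110491 below.
SecRule IP:blocked "@eq 1" \
  "id:110492,phase:1,deny,status:403,log,\
   msg:'SECMAS: client previously posted a blacklisted address'"

# Phase 2 runs after the request body has been read, so ARGS holds POST form
# fields as well as query-string parameters. @pmFromFile matches each line of
# the file as a literal, case-insensitive phrase anywhere in the value.
# On a hit, deny this request and remember the client for one hour.
SecRule ARGS|ARGS_NAMES|REQUEST_URI|XML:/* "@pmFromFile /mymodsec/userdata_bl_emails" \
  "id:110491,phase:2,deny,status:403,log,\
   msg:'SECMAS: Blocked email not allowed by policy',\
   setvar:ip.blocked=1,expirevar:ip.blocked=3600"
```

Keep the blacklist free of regex metacharacters (a quick `grep -n '\\' /mymodsec/userdata_bl_emails` should print nothing), and test with a POST rather than a GET, since the whole point of phase 2 is to see the form body. Because @pm is a substring match, a short phrase in the list will also hit any longer value containing it, which is the false-positive risk Cwaf_Team mentions above.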

 
