Could userdata_bl_domains block bit.ly/badword?

Hi.
Lately I have seen a lot of forms filled with the domain “bit.ly” that points to malicious code or to a spammer page.
So, I added “bit.ly” to my userdata_bl_domains file, but some of my customers complained that they use it a lot, so I had to delete it from my blacklist.
So, is it possible to add a line like “bit.ly/someword” to this rule, or is this rule for domains only?

Thanks in advance for your input.

Regards.

Hi,
it is possible to add a line like “bit.ly/someword” to the file “userdata_bl_domains”, and the rule will work.

Thank you.

I will add those sites to my userdata_bl_domains.cf.

Best Regards,
Sergio

Hi, Cwaf_Team.

Do you have a reference guide where I can read how to properly use each of the userdata_bl_[filename] files?
I am interested in one where I could add phrases or email addresses to a blacklist to be checked when users post comments on forms.

Thanks,
Sergio

Hi,
you can read

you can find the file names in our rules, but in the case of domains, rule 210921 has additional conditions:

ARGS|REQUEST_URI|XML:/* "(?:data|gopher|ogg|php|zlib|(?:f|ht)tps{0,1}):/

We can remove these conditions to pass complete control over domains to users.

Actually, what I was looking for is to have a file like, for example, “user_bl_phrases” (just an example), where I could add any text that I would like to block in any web form on my server.

I mean, if someone writes in the form an email like this:
i.t.i.s.a.n.s.p.a.m@gmail.com

or any text like this:
beauties in disguise

I would like to be able to add texts to a file like “user_bl_phrases” so that mod_security could check the list and proceed accordingly if the phrase is matched.

For now I really don’t know if the Comodo rules already have a file for this.

Best Regards,
Sergio

You can add your own custom rule to track suspicious data:

# phase:2 is needed so that POST form fields (ARGS, REQUEST_BODY) have been read;
# in phase:1 only the request line and headers are available.
# The closing quote belongs on the last action line, otherwise Apache reads it as a new directive.
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_BODY|XML:/* "@pmFromFile userdata_bl_words" \
  "id:110491,\
  msg:'COMODO WAF: Bad data is not allowed by policy||%{tx.domain}|%{tx.mode}|5',\
  phase:2,\
  deny,\
  status:403,\
  log,\
  rev:1,\
  severity:5"

You should completely understand what parameters to track. Also, the rule is provided as an example, without any warranties, and could produce a lot of false positives.

I have tried the rule that you kindly wrote and modified it a bit, but it is not working.

Here is the rule:

# Straight quotes are required in the config file (typographic quotes break parsing);
# phase:2 so that submitted form fields have been read before the rule runs.
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_BODY|XML:/* "@pmFromFile /mymodsec/userdata_bl_emails" \
  "id:110491,msg:'SECMAS: Blocked email not allowed by policy||%{tx.domain}|%{tx.mode}|5',phase:2,deny,status:403,log,rev:1,severity:5"

and the file userdata_bl_emails, located in my directory /mymodesec/, contains for example:
2conv.ch@gmail.com
aidenmorgan77+cax@gmail.com
alvinellis2528@gmail.com

I have escaped the @ and the dots (.) and it seems not to be working. It didn’t work with the @ and dots unescaped either.

What I intend is that when someone writes those emails in a form, the IP is blocked.

Is there something wrong with my rule or my data?

Thank you for your help.

Best Regards,
Sergio
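As an added example, not from the Comodo rule set and not from any post in this thread, here is a complete ModSecurity fragment that does what the last two posts ask for: check submitted form fields against a file of literal phrases and addresses, and remember the client address so its later requests are refused. It assumes the paths /mymodsec/userdata_bl_phrases (one phrase or address per line, lines starting with # ignored) and /tmp/modsec-data, and the rule ids 110491 to 110493 are chosen here for illustration only.

```apache
# Added example; assumed paths and rule ids, see the lead-in above.

# Form fields travel in the request body, so body access must be on and the
# inspection rule must run in phase 2 (phase 1 sees only the request line and headers).
SecRequestBodyAccess On
SecDataDir /tmp/modsec-data

# Open (or create) the per-client collection used to remember offenders.
SecAction "id:110491,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Refuse early if this client already tripped the blacklist within the last hour.
SecRule IP:BL_HITS "@gt 0" \
    "id:110492,phase:1,deny,status:403,log,\
    msg:'Client blocked after earlier blacklisted form submission'"

# @pmFromFile is a case-insensitive literal substring match, not a regex, so entries
# such as i.t.i.s.a.n.s.p.a.m@gmail.com or beauties in disguise go in the file exactly
# as they would appear in the form, with nothing escaped. ARGS_POST|ARGS_GET covers
# form fields; REQUEST_BODY is added for non-form bodies (e.g. JSON).
SecRule ARGS_POST|ARGS_GET|REQUEST_BODY "@pmFromFile /mymodsec/userdata_bl_phrases" \
    "id:110493,phase:2,deny,status:403,log,t:none,\
    msg:'Blacklisted phrase in form submission',\
    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
    setvar:ip.bl_hits=+1,expirevar:ip.bl_hits=3600,\
    severity:5,rev:1"
```

The non-disruptive setvar and expirevar actions run before the deny, so the first blacklisted submission is both refused and recorded; the second rule then refuses that client for the next 3600 seconds. Because @pmFromFile matches substrings, a short entry like "ly/" would also hit unrelated input, so keep entries as specific as the page's own "bit.ly/someword" and watch the audit log for false positives before enabling deny.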