feat: block fake mozilla/5.g user-agent #4383

Merged: fzipi merged 2 commits into coreruleset:main from EsadCetiner:feat-block-fake-mozilla-ua on Jan 20, 2026
Conversation

@EsadCetiner
Member

Proposed changes

This is a new user-agent I noticed in my logs. It's a clear typo of the Mozilla user-agent, which should almost always be Mozilla/5.0 or Mozilla/4.0 and not Mozilla/5.g.

PR Checklist

  • I have read the CONTRIBUTING doc
  • I have added positive tests proving my fix/feature works as intended.
  • I have added negative tests that prove my fix/feature considers common cases that might end in false positives
  • In case you changed a regular expression, you are not adding a ReDOS for pcre. You can check this using regexploit
  • My tests use the comment field to write the expected behavior
  • I have added documentation for the rule or change (when appropriate)

Further comments

For the reviewer

  • Positive and negative tests were added
  • Tests cover the intended fix/feature properly
  • No dangerous constructs like ctl:requestBodyAccess=Off were used in the rule
  • In case a regular expression was changed, there is no ReDOS
  • Documentation is clear for the rule/change

EsadCetiner added the labels release:new-detection (In this PR we introduce a new detection) and release:new-feature (This PR introduces a new feature) on Dec 17, 2025
@github-actions
Contributor

github-actions Bot commented Dec 17, 2025

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@touchweb-vincent
Contributor

touchweb-vincent commented Dec 17, 2025

Hello,

We could take this opportunity to create a new set of rules specific to user agents.

One of the first rules could be: mozilla\/[4-5]\.[^0]

@dune73
Member

dune73 commented Dec 17, 2025

We had several rules about User-Agents in CRS3. The idea was to revamp them for CRS4, I invested a lot of time into automating the UA lists. But the details with the classification got so hairy, we finally gave up on it. All that is left is scanners-user-agents.data with the idea to detect and to block the most offensive security scanners.

Expanding the functionality beyond this would have to have very good arguments and a decent plan on how to automate it.

@fzipi
Member

fzipi commented Jan 20, 2026

> Hello,
>
> We could take this opportunity to create a new set of rules specific to user agents.
>
> One of the first rules could be: mozilla\/[4-5]\.[^0]

I would say, if you want to follow on this after @dune73's comments, let's create an issue and discuss.

For now, I think we can merge this simple one.

fzipi added this pull request to the merge queue on Jan 20, 2026
Merged via the queue into coreruleset:main with commit 072b76e on Jan 20, 2026
8 checks passed
EsadCetiner deleted the feat-block-fake-mozilla-ua branch on February 6, 2026 02:45
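
The difference between matching only the reported string and the broader pattern suggested in the thread, as an added example that is not part of the pull request or the CRS code base. The log lines are constructed, and the case-insensitive literal match for `Mozilla/5.g` is an assumption, since the merged rule itself is not shown on this page.

```python
import re

# Narrow check: the literal typo reported in this PR (assumed case-insensitive).
NARROW = re.compile(r"mozilla/5\.g", re.IGNORECASE)
# Broader pattern quoted from the thread, unchanged apart from the flag.
BROAD = re.compile(r"mozilla\/[4-5]\.[^0]", re.IGNORECASE)

# Combined Log Format: the User-Agent is the last quoted field on the line.
LOG_LINE = re.compile(r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$')

# Constructed sample lines (documentation IP range, invented requests).
# The fourth entry imitates a legacy Netscape 4.x style User-Agent.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Dec/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
192.0.2.11 - - [17/Dec/2025:10:00:02 +0000] "GET /login HTTP/1.1" 200 734 "-" "Mozilla/5.g (Windows NT 10.0; Win64; x64)"
192.0.2.12 - - [17/Dec/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
192.0.2.13 - - [17/Dec/2025:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.76 [en] (X11; U; Linux 2.4.2 i686)"
192.0.2.14 - - [17/Dec/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.5.0"
"""


def user_agent(line):
    """Return the User-Agent field of one log line, or None if it does not parse."""
    m = LOG_LINE.search(line)
    return m.group("ua") if m else None


def classify(log_text):
    """Return (user_agent, narrow_hit, broad_hit) for every parsable line."""
    rows = []
    for line in log_text.splitlines():
        ua = user_agent(line)
        if ua is None:
            continue
        rows.append((ua, bool(NARROW.search(ua)), bool(BROAD.search(ua))))
    return rows


if __name__ == "__main__":
    for ua, narrow, broad in classify(SAMPLE_LOG):
        print(f"narrow={narrow!s:5} broad={broad!s:5} {ua}")
```

On this sample both checks flag `Mozilla/5.g`, while the broader pattern also flags the legacy-style `Mozilla/4.76` string that the narrow check leaves alone.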
Labels: release:new-detection, release:new-feature, Stale