Very new to mod_sec
I want to block a UA string and I noticed there are a few types:
SecRule HTTP_User-Agent
SecRule REQUEST_HEADERS:User-Agent
What is the real difference between them?
My block:
SecRule REQUEST_HEADERS:User-Agent "perl" "phase:2,pass,msg:'Perl based user agent identified'"
Do I need to set a SecDefaultAction phase:2,deny,status:403,log,auditlog before that? Then any SecRule below that follows that action right?
Best Answer
I think you should rather use a SecDefaultAction to pass, and then to user the filter about perl user agent, to allow only this one. (If that's what you're really trying to do!)
I'm pretty sure this will work, but haven't tested it yet. And about your question concerning the differences between the two types, I think there isn't any.