ecs-isp@2rosenthals.com Archived message #315

From: "Steven Levine" <ecs-isp@2rosenthals.com>
Subject: Re: [eCS-ISP] unwanted bots
Date: Tue, 20 Apr 2021 14:44:18 -0700
To: "eCS ISP Mailing List" <ecs-isp@2rosenthals.com>

In <list-1822251@2rosenthals.com>, on 04/20/21
   at 10:33 AM, "Massimo S." <ecs-isp@2rosenthals.com> said:

Hi Massimo,

>I'm trying to use log to understand that stuff

Rule-Action = Log is the best way to test new rules.  It allows you to
test multiple rules without the chance of rule conflicts.

It's also wise while testing to use Log-File to write the log messages to
a separate log file so that it is really easy to see what rules matched.

>i now have this (similar) issue:

>[2021/04/19][00:07:07][05:Major][MSG:][URL-Filter-bot_petalsearch23][SRC:114.119.147.152][SRC:petalbot-114-119-147-152.petalsearch.com][tcp]

Making the hex dump a bit more readable, we have:

GET /tesi.php?tesiOrder=Sorter_LivelloLaurea&tesiDir=ASC&tesiPage=8 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML,like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://webmaster.petalsearch.com/site/petalbot)
Accept-Language: en,zh;q=0.1
Accept-Encoding: gzip,deflate
Host: www.tecnicom.com
Cache-Control: max-age=0
Connection: keep-alive

There is nothing unusual here other than the bot appears to be running on
Android, if one believes the User-Agent.

>this rule filter something:

>URL-Filter-bot-petal-string1

>these 2 nothing at all:

What you mean is they don't result in the match you expect.

>URL-Filter-bot-petal-string2
> Comment = "Deny HTTP requests for petalsearch-bot2 19-4-2021",
> Destination-Port = "80 443",
> Protocol = TCP,
> Log-Control = Enabled,
> Log-Mask = "date time severity message rule source resolved_source prot",
> Log-Size = 9990,
> Log-Severity = Major,
> Depth = 200,
> Hex-String = "<nocase>petalsearch",
> Rule-Action = Deny,
> Direction = Incoming

Did you disable the URL-Filter-bot-petal-string1 rule before adding this
rule?  If not, it's obvious why this rule did not trigger.  Otherwise,
it's not yet so obvious.

>URL-Filter-bot-petal-string3
> Comment = "Deny HTTP requests for petalsearch-bot2 19-4-2021",
> Destination-Port = "80 443",
> Protocol = TCP,
> Log-Control = Enabled,
> Log-Mask = "date time severity message rule source resolved_source prot",
> Log-Size = 9990,
> Log-Severity = Major,
> Depth = 200,
> Offset = URL,
> Hex-String = "*PetalBot*",
> Rule-Action = Deny,
> Direction = Incoming

It's obvious why this rule did not trigger.  You do not quite yet
understand what Offset = URL means.  The URL does not contain the string
PetalBot.  This is the same error you made with your MJ12bot rule.

Steven

--
----------------------------------------------------------------------
"Steven Levine" <steve53@earthlink.net>  Warp/DIY/BlueLion etc.
www.scoug.com www.arcanoae.com www.warpcave.com
----------------------------------------------------------------------
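The following is an added example, not code from the list or from the firewall the thread is about. It reassembles the request from the hex dump above (header order, CRLF endings and the whitespace inside the User-Agent are assumptions) and simulates the two quoted rules under an assumed reading of the rule syntax: Offset = URL confines the search to the request-target, Depth = N confines it to the first N bytes of the searched window, and in Hex-String a leading <nocase> means case-insensitive and "*" is a wildcard. It shows concretely that "PetalBot" is in the User-Agent header and not in the URL, so an Offset = URL rule cannot see it. It also goes one step further than the message and shows where the Depth window ends.

```python
import re
from typing import Optional

# Constructed sample: the request from the hex dump, reassembled into one
# HTTP/1.1 message. Header order, CRLF line endings and the exact whitespace
# inside the User-Agent are assumptions, not a byte-exact copy of the dump.
REQUEST = (
    "GET /tesi.php?tesiOrder=Sorter_LivelloLaurea&tesiDir=ASC&tesiPage=8 HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Mobile Safari/537.36 "
    "(compatible; PetalBot;+https://webmaster.petalsearch.com/site/petalbot)\r\n"
    "Accept-Language: en,zh;q=0.1\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "Host: www.tecnicom.com\r\n"
    "Cache-Control: max-age=0\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)


def url_of(request: str) -> str:
    """Request-target of the request line: '/tesi.php?...' out of 'GET /tesi.php?... HTTP/1.1'."""
    request_line = request.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def header_containing(request: str, needle: str) -> Optional[str]:
    """Name of the first header whose value contains needle (case-insensitive), else None."""
    head = request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if needle.lower() in value.lower():
            return name
    return None


def first_offset(request: str, needle: str) -> int:
    """Byte offset of needle in the whole request (case-insensitive), -1 if absent."""
    return request.lower().find(needle.lower())


def compile_hex_string(hex_string: str) -> "re.Pattern":
    """Translate the Hex-String syntax seen in the quoted rules into a regex.

    Assumed semantics: a leading <nocase> makes the match case-insensitive,
    '*' is a wildcard for any run of bytes, everything else is literal text.
    """
    flags = re.DOTALL
    if hex_string.startswith("<nocase>"):
        hex_string = hex_string[len("<nocase>"):]
        flags |= re.IGNORECASE
    regex = ".*?".join(re.escape(part) for part in hex_string.split("*"))
    return re.compile(regex, flags)


def rule_matches(request: str, hex_string: str,
                 depth: Optional[int] = None, offset: Optional[str] = None) -> bool:
    """Evaluate one content rule against a request.

    Assumed semantics: Offset = URL confines the search to the request-target
    (never the headers); Depth = N confines it to the first N bytes of
    whatever window is being searched.
    """
    window = url_of(request) if offset == "URL" else request
    if depth is not None:
        window = window[:depth]
    return compile_hex_string(hex_string).search(window) is not None


def evaluate_quoted_rules(request: str = REQUEST) -> dict:
    """Run the two quoted rules, plus a variant of each with one parameter dropped."""
    return {
        "string2 (<nocase>petalsearch, Depth 200)":
            rule_matches(request, "<nocase>petalsearch", depth=200),
        "string2 without Depth":
            rule_matches(request, "<nocase>petalsearch"),
        "string3 (*PetalBot*, Offset URL, Depth 200)":
            rule_matches(request, "*PetalBot*", depth=200, offset="URL"),
        "string3 without Offset = URL or Depth":
            rule_matches(request, "*PetalBot*"),
    }


if __name__ == "__main__":
    print("URL:", url_of(REQUEST))
    print("'PetalBot' is in header:", header_containing(REQUEST, "PetalBot"))
    print("byte offset of 'petalsearch':", first_offset(REQUEST, "petalsearch"))
    for name, hit in evaluate_quoted_rules().items():
        print(("MATCH    " if hit else "no match ") + name)
```

In this reconstruction both "PetalBot" and "petalsearch" sit in the User-Agent header, well past byte 200 of the request, so under the assumed Depth semantics the "<nocase>petalsearch" rule is searching a window that ends before the string begins. Whether the real firewall counts Depth from the start of the packet the same way is exactly the kind of thing to confirm with Rule-Action = Log and a separate Log-File, as suggested above, before switching the rule to Deny.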

