From: "Steven Levine" <ecs-isp@2rosenthals.com>
Subject: Re: [eCS-ISP] unwanted bots
Date: Tue, 20 Apr 2021 14:44:18 -0700
To: "eCS ISP Mailing List" <ecs-isp@2rosenthals.com>

In <list-1822251@2rosenthals.com>, on 04/20/21
at 10:33 AM, "Massimo S." <ecs-isp@2rosenthals.com> said:
Hi Massimo,
>I'm trying to use log to understand that stuff
Rule-Action = Log is the best way to test new rules. It allows you to
test multiple rules without the chance of rule conflicts.
It's also wise while testing to use Log-File to write the log messages to
a separate log file so that it is really easy to see what rules matched.
>i now have this (similar) issue:
>[2021/04/19][00:07:07][05:Major][MSG:][URL-Filter-bot_petalsearch23][SRC:114.119.147.152][SRC:petalbot-114-119-147-152.petalsearch.com][tcp]
Making the hex dump a bit more readable, we have:
GET /tesi.php?tesiOrder=Sorter_LivelloLaurea&tesiDir=ASC&tesiPage=8 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML,like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://webmaster.petalsearch.com/site/petalbot)
Accept-Language: en,zh;q=0.1
Accept-Encoding: gzip,deflate
Host: www.tecnicom.com
Cache-Control: max-age=0
Connection: keep-alive
There's nothing unusual here other than that the bot appears to be running
on Android, if one believes the User-Agent.
>this rule filter something:
>URL-Filter-bot-petal-string1
>these 2 nothing at all:
What you mean is they don't result in the match you expect.
>URL-Filter-bot-petal-string2
> Comment = "Deny HTTP requests for petalsearch-bot2 19-4-2021",
> Destination-Port = "80 443",
> Protocol = TCP,
> Log-Control = Enabled,
> Log-Mask = "date time severity message rule source resolved_source prot",
> Log-Size = 9990,
> Log-Severity = Major,
> Depth = 200,
> Hex-String = "<nocase>petalsearch",
> Rule-Action = Deny,
> Direction = Incoming
Did you disable the URL-Filter-bot-petal-string1 rule before adding this
rule? If not, it's obvious why this rule did not trigger. Otherwise,
it's not yet so obvious.
>URL-Filter-bot-petal-string3
> Comment = "Deny HTTP requests for petalsearch-bot2 19-4-2021",
> Destination-Port = "80 443",
> Protocol = TCP,
> Log-Control = Enabled,
> Log-Mask = "date time severity message rule source resolved_source prot",
> Log-Size = 9990,
> Log-Severity = Major,
> Depth = 200,
> Offset = URL,
> Hex-String = "*PetalBot*",
> Rule-Action = Deny,
> Direction = Incoming
It's obvious why this rule did not trigger. You do not quite yet
understand what Offset = URL means. The URL does not contain the string
PetalBot. This is the same error you made with your MJ12bot rule.
Steven
--
----------------------------------------------------------------------
"Steven Levine" <steve53@earthlink.net> Warp/DIY/BlueLion etc.
www.scoug.com www.arcanoae.com www.warpcave.com
----------------------------------------------------------------------
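To make the Offset = URL point concrete, here is an added example in Python (not from this list thread or from the firewall's own code) that models how the string2 and string3 rules evaluate against the decoded request. It assumes a simplified reading of the rule fields: Hex-String is a literal with `*` as a wildcard and an optional `<nocase>` prefix, Depth is the number of payload bytes scanned from the start of the packet, and Offset = URL restricts the search to the request-target; the firewall's real semantics may differ, so treat the Depth result as a hypothesis to check against its documentation.

```python
import re

# Constructed reconstruction of the request Steven decoded from the hex dump
# (CRLF line endings and header spacing are assumed).
REQUEST = (
    b"GET /tesi.php?tesiOrder=Sorter_LivelloLaurea&tesiDir=ASC&tesiPage=8 HTTP/1.1\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    b"User-Agent: Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;"
    b"+https://webmaster.petalsearch.com/site/petalbot)\r\n"
    b"Accept-Language: en,zh;q=0.1\r\nAccept-Encoding: gzip,deflate\r\n"
    b"Host: www.tecnicom.com\r\nCache-Control: max-age=0\r\n"
    b"Connection: keep-alive\r\n\r\n"
)

def hex_string_regex(hex_string: str) -> re.Pattern:
    """Model a Hex-String value: optional <nocase> prefix, '*' as a wildcard,
    everything else literal (assumed syntax, not the firewall's own parser)."""
    flags = re.DOTALL
    if hex_string.startswith("<nocase>"):
        hex_string = hex_string[len("<nocase>"):]
        flags |= re.IGNORECASE
    chunks = [re.escape(c.encode()) for c in hex_string.split("*")]
    return re.compile(b".*".join(chunks), flags)

def request_url(request: bytes) -> bytes:
    """Request-target from the request line: the only bytes Offset = URL looks at."""
    fields = request.split(b"\r\n", 1)[0].split(b" ")
    return fields[1] if len(fields) >= 3 else b""

def rule_fires(request: bytes, hex_string: str, depth=None, offset_url=False) -> bool:
    """Evaluate one rule's string match.  Assumption: Depth caps how many bytes
    from the start of the payload are scanned; Offset = URL scans only the URL."""
    haystack = request_url(request) if offset_url else request
    if depth is not None:
        haystack = haystack[:depth]
    return hex_string_regex(hex_string).search(haystack) is not None

def first_offset(request: bytes, literal: str) -> int:
    """Byte offset of the first case-insensitive occurrence of literal, -1 if absent."""
    return request.lower().find(literal.lower().encode())

if __name__ == "__main__":
    print("petalsearch first seen at byte", first_offset(REQUEST, "petalsearch"))
    print("PetalBot first seen at byte", first_offset(REQUEST, "PetalBot"))
    # string2: "<nocase>petalsearch", Depth = 200, whole payload scanned
    print("string2 fires:", rule_fires(REQUEST, "<nocase>petalsearch", depth=200))
    # string3: "*PetalBot*" with Offset = URL: the URL never contains PetalBot
    print("string3 fires:", rule_fires(REQUEST, "*PetalBot*", depth=200, offset_url=True))
```

Under these assumptions string3 can never fire, since neither PetalBot nor petalsearch appears in the request-target, and string2 misses only because both strings first appear in the User-Agent header past byte 200 of the request, which is the Depth the rule allows.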