Fake Bot plugin blocks valid bots and allows fake bots.
{
"transaction": {
"client_ip": "66.249.64.219",
"time_stamp": "Tue Jul 12 15:54:19 2022",
"server_id": "9e7bc6878f15155f664887f5952d257c0d032745",
"client_port": 61702,
"host_ip": "255.255.255.255",
"host_port": 443,
"unique_id": "1657641259",
"request": {
"method": "GET",
"http_version": 1.1,
"uri": "/",
"headers": {
"Host": "redacted.com",
"AMP-Cache-Transform": "google;v=\"1..8\"",
"Connection": "keep-alive",
"Accept": "text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8",
"User-Agent": "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"From": "googlebot(at)googlebot.com",
"Accept-Encoding": "gzip, deflate, br",
"If-Modified-Since": "Tue, 24 May 2022 23:58:16 GMT"
}
},
"response": {
"body": "",
"http_code": 403,
"headers": {}
},
"producer": {
"modsecurity": "ModSecurity v3.0.6 (FreeBSD)",
"connector": "ModSecurity-nginx v1.0.3",
"secrules_engine": "Enabled",
"components": [
"OWASP_CRS/4.0.0-rc1\""
]
},
"messages": [
{
"message": "Fake bot detected: ",
"details": {
"match": "Matched \"Operator `Pm' with parameter `applebot bingbot facebookbot facebookcatalog facebookexternalhit googlebot twitterbot' against variable `REQUEST_HEADERS:User-Agent' (Value: `Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chr (100 characters omitted)' )",
"reference": "o153,9v265,200",
"ruleId": "9504110",
"file": "/usr/local/share/modsecurity-crs/plugins/fake-bot-after.conf",
"lineNumber": "19",
"data": "Matched Data: if-modified-since found within REQUEST_HEADERS:User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"severity": "2",
"ver": "fake-bot-plugin/1.0.0",
"rev": "",
"tags": [
"application-multi",
"language-multi",
"platform-multi",
"attack-bot",
"capec/1000/225/22/77/13",
"PCI/6.5.10",
"paranoia-level/1"
],
"maturity": "0",
"accuracy": "0"
}
}
]
}
}
{
"transaction": {
"client_ip": "1.2.3.4",
"time_stamp": "Tue Jul 12 15:59:08 2022",
"server_id": "9e7bc6878f15155f664887f5952d257c0d032745",
"client_port": 64532,
"host_ip": "255.255.255.255",
"host_port": 443,
"unique_id": "1657641548",
"request": {
"method": "GET",
"http_version": 2,
"uri": "/",
"headers": {
"host": "redacted.com",
"accept": "*/*",
"user-agent": "asd googlebot asd"
}
},
"response": {
"body": "redacted",
"http_code": 200,
"headers": {}
},
"producer": {
"modsecurity": "ModSecurity v3.0.6 (FreeBSD)",
"connector": "ModSecurity-nginx v1.0.3",
"secrules_engine": "Enabled",
"components": [
"OWASP_CRS/4.0.0-rc1\""
]
},
"messages": [
{
"message": "Fake bot detected: Googlebot",
"details": {
"match": "Matched \"Operator `InspectFile' with parameter `fake-bot.lua' against variable `TX:0' (Value: `googlebot' )",
"reference": "o0,9v69,9",
"ruleId": "9504110",
"file": "/usr/local/share/modsecurity-crs/plugins/fake-bot-after.conf",
"lineNumber": "19",
"data": "Matched Data: googlebot found within REQUEST_HEADERS:User-Agent: Googlebot",
"severity": "2",
"ver": "fake-bot-plugin/1.0.0",
"rev": "",
"tags": [
"application-multi",
"language-multi",
"platform-multi",
"attack-bot",
"capec/1000/225/22/77/13",
"PCI/6.5.10",
"paranoia-level/1"
],
"maturity": "0",
"accuracy": "0"
}
}
]
}
}