Well, it's been trying to crawl us; after about the first week I decided to add a rule on the WAF to block it:
SecRule REQUEST_HEADERS:User-Agent "librabot" \ "log,deny,auditlog,phase:2,status:404,t:lowercase,\ t:replaceNulls,t:compressWhitespace,tag:'AUTOMATION/MALICIOUS',\ severity:2,msg:'librabot User Agent String Detected'" Can't say that I've actually seen anything outright malicious, but it sure looks like a duck... -- Shane Castle Data Security Mgr, Boulder County IT CISSP GSEC GCIH -----Original Message----- From: MARTIN, JASON (ATTSI) [mailto:[email protected]] Sent: Monday, January 03, 2011 15:54 To: Castle, Shane; [email protected] Subject: RE: [Owasp-modsecurity-core-rule-set] librabot: block or permit? Did librabot hit your site, and did it do anything unusual or abusive? -Jason Martin -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Castle, Shane Sent: Monday, January 03, 2011 12:35 PM To: [email protected] Subject: [Owasp-modsecurity-core-rule-set] librabot: block or permit? I've been blocking librabot if it appears in the user-agent. Info online is sketchy about whether or not librabot is bad; one person claimed that it did not honor robots.txt, and another at Microsoft said that it wasn't anything of theirs, in spite of the Microsoft reference (see request snippet below). The connecting addresses often don't resolve at all (i.e., no PTR records in DNS). So is there any consensus on whether or not it should be blocked? My conclusion so far is that I should continue to block it. Part of request: From: [email protected] User-Agent: librabot/2.0 (+http://academic.research.microsoft.com/) -- Shane Castle Data Security Mgr, Boulder County IT CISSP GSEC GCIH _______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set _______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
