File: //opt/bitninja-waf/etc/BitNinja/404-SCANNER-PROTECTION.conf
# Rule 404001 (phase 2, chained): request-side scanner detection.
# Link 1: REQUEST_URI contains a phrase listed in web-shell-uri.data
#         (@pmf is the short form of @pmFromFile).
# Link 2: a POST argument contains a phrase listed in botnet-post-request.data.
# Both links must match. Only then does the rule fire its `block` action and
# increment tx.bn_inbound_found, because the setvar sits on the last link.
# `block` defers to the disruptive action configured via SecDefaultAction.
# NOTE(review): ARGS_POST is only populated when request body inspection is
# enabled (SecRequestBodyAccess On) -- confirm in the main configuration.
# NOTE(review): %{TX.0} is filled only when the `capture` action is set, which
# this rule does not do, so the 'Matched Data' field will probably be empty in
# the log -- confirm.
SecRule REQUEST_URI "@pmf web-shell-uri.data" "chain,phase:2,id:404001,block,\
severity:CRITICAL,\
msg:'Scanner protection based on Hello Peppa botnet',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecRule ARGS_POST "@pmf botnet-post-request.data" "setvar:tx.bn_inbound_found=+1"
# Rule 404002 (phase 3, chained): response-side counterpart of the POST check.
# Link 1: the response status matches "404" (implicit @rx, unanchored).
# Link 2: a POST argument contains a phrase listed in botnet-post-request.data.
# When both match, tx.bn_outbound_found is incremented.
# No disruptive action and no severity are listed here, so the outcome follows
# the phase-3 SecDefaultAction; presumably the counter is evaluated by a rule
# outside this file -- TODO confirm.
# The msg text is identical to rule 404001, so log entries for the two rules
# can only be told apart by id.
# NOTE(review): %{TX.0} needs the `capture` action to be populated -- confirm
# the logdata is useful as written.
SecRule RESPONSE_STATUS "404" "phase:3,id:404002,chain,\
msg:'Scanner protection based on Hello Peppa botnet',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecRule ARGS_POST "@pmf botnet-post-request.data" "setvar:tx.bn_outbound_found=+1"
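# Rule 404003 (phase 3, three-link chain): scripting clients that hit a 404.
# Link 1: the response status matches "404" (implicit @rx, unanchored).
# Link 2: the requested file is not /robots.txt, so well-behaved crawlers
#         probing a missing robots.txt are not caught.
# Link 3: the User-Agent contains a phrase listed in
#         ../crs/rules/scripting-user-agents.data.
# When all three match, the rule blocks, writes an audit log entry and
# increments tx.bn_outbound_found.
# NOTE(review): %{TX.0} needs the `capture` action to be populated -- confirm
# the logdata is useful as written.
SecRule RESPONSE_STATUS "404" "block,auditlog,phase:3,id:404003,chain,\
severity:CRITICAL,\
msg:'Scripting user agent protection',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecRule REQUEST_FILENAME "!@endsWith /robots.txt" \
"t:none, chain"
SecRule REQUEST_HEADERS:User-Agent "@pmf ../crs/rules/scripting-user-agents.data" "setvar:tx.bn_outbound_found=+1"

# Rule 404004 (phase 2): User-Agent contains "Bytespider".
# This directive used to start on the same physical line as the last link of
# rule 404003; it is now on its own line so each SecRule parses separately.
# Only t:none is applied, so the match is case-sensitive, unlike rules that
# add t:lowercase.
# No disruptive action is listed: the rule increments tx.bn_inbound_found and
# otherwise follows SecDefaultAction -- TODO confirm where the counter is
# evaluated.
SecRule REQUEST_HEADERS:User-Agent "@rx Bytespider" \
"id:404004,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,\
setvar:'tx.bn_inbound_found=+1',\
msg:'WAF Rule against Bytespider User-Agent',\
logdata:'WAF Rule against Bytespider User-Agent'"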
# Rule 404005 (phase 2): User-Agent contains "claudebot".
# t:none clears inherited transformations and t:lowercase then lower-cases the
# header, so the lower-case pattern matches any capitalisation of the name.
# No disruptive action is listed: the rule increments tx.bn_inbound_found and
# otherwise follows SecDefaultAction -- TODO confirm where the counter is
# evaluated.
SecRule REQUEST_HEADERS:User-Agent "@rx claudebot" \
"id:404005,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,t:lowercase,\
setvar:'tx.bn_inbound_found=+1',\
msg:'WAF Rule against ClaudeBot User-Agent',\
logdata:'WAF Rule against ClaudeBot User-Agent'"
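# Rule 404006 (phase 2): User-Agent contains "scrapy".
# t:lowercase lower-cases the header before the operator runs, so the pattern
# must be lower-case too. The previous pattern "Scrapy" (capital S) could never
# match the transformed value, which left this rule inert.
# No disruptive action is listed: the rule increments tx.bn_inbound_found and
# otherwise follows SecDefaultAction -- TODO confirm where the counter is
# evaluated.
SecRule REQUEST_HEADERS:User-Agent "@rx scrapy" \
"id:404006,\
phase:2,\
rev:'1',\
severity:critical,\
t:none,t:lowercase,\
setvar:'tx.bn_inbound_found=+1',\
msg:'WAF Rule against Scrapy User-Agent',\
logdata:'WAF Rule against Scrapy User-Agent'"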