How to add a new user-agent to blocking?

Modsecurity detected a scan with a ‘User-Agent: Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0;’ header due to wrong ‘Accept-Charset’ header …

Seeing this I wonder

  • what I need to do to detect this with Crowdsec directly? Any scenario for this or can I add this string easily to an existing scenario?

  • how can I order the detection? So that Crowdsec scenarios for this come first and modsecurity as last in chain?


are you talking about the " http-bad-user-agent" scenario?

There is a list that the scenario refers to:

So I think your input should be placed there or you modify the scenario to a local list.

Basically neither option really suits what I would expect which is

  • get an updated list of user-agents when I update the software/packages/scenarios
  • be able to add a bad user agent for my local installation

Maybe supporting two lists by default, one unmodifyable/retrieved from the scenario and an optional local list for this would be a solution?

Hello !

It is something we’re working on. Currently data-files are not updated when you update the hub :frowning: