mikeshinn wrote:
(As always, make sure you are running the latest rules)
Nothing normal should trigger this rule. That rule looks for this:
User-Agent: whatever User-Agent something else
Real clients don't do that. They have a single header like this:
User-Agent: whatever
So if you see two in a row, it's a fake UA.
Thank you Mike.
The problem that I have is that a lot of real customers are getting blocked by this rule. Even this morning I had a chat with a customer who couldn't enter his own site because his Internet Explorer was triggering this rule.
I asked him to install Firefox and try it again, and with Firefox everything worked fine. I asked him which IE he was using and it was IE 6, so I asked him to upgrade to IE 8. For now he is using Firefox, as he is not getting any errors at all.
He asked me how his IE can be blocked if a few days ago it was working OK. I really don't know how, or whether it is spyware or adware, but I told him that something inside his IE was wrong. He ran an AV and AntiSpyware scan and there was nothing unusual on his computer. So, what could be the cause of IE triggering this rule?
My next question to you is, what happens if I suspend this rule in particular? I assume that all the other rules will be working and will be blocking any type of attack. Am I right?
Best Regards,
Sergio
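
One way to see which clients would trip this kind of check before deciding whether to disable the rule, as an added example that is not part of the thread or of the rule set itself: it scans combined-format access-log lines for a User-Agent value that contains the header name again. The match pattern is an assumption based on the description above, not the actual rule; the function name and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" log format: the last quoted field is the User-Agent value.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: the check fires when the header name appears again inside the value,
# as in "User-Agent: whatever User-Agent something else". The real rule may differ.
EMBEDDED_UA = re.compile(r'user-agent', re.IGNORECASE)


def embedded_ua_hits(lines):
    """Return {client_ip: [ua_value, ...]} for requests whose UA repeats the header name."""
    hits = defaultdict(list)
    for line in lines:
        m = COMBINED.match(line.strip())
        if m is None:
            continue  # not a combined-format line; skip rather than guess
        if EMBEDDED_UA.search(m.group("ua")):
            hits[m.group("ip")].append(m.group("ua"))
    return dict(hits)


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"',
    '198.51.100.7 - - [01/Jan/2010:10:00:05 +0000] "GET / HTTP/1.1" 403 199 "-" '
    '"whatever User-Agent something else"',
    '198.51.100.7 - - [01/Jan/2010:10:00:09 +0000] "GET /login HTTP/1.1" 403 199 "-" '
    '"whatever User-Agent something else"',
    '203.0.113.4 - - [01/Jan/2010:10:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    for ip, agents in embedded_ua_hits(SAMPLE_LOG).items():
        print(f"{ip}: {len(agents)} request(s), e.g. {agents[0]!r}")
```

Run against the real access log, the per-client grouping shows exactly what string an affected browser is sending, which is the first thing to check when a legitimate customer is blocked.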