owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

350001 rule blocks the Facebook Sharing Debugger bot #3179

Open MariuszMilka opened 3 months ago

MariuszMilka commented 3 months ago

I have ModSecurity installed and configured by my hosting provider. Today I tried to refresh the blank preview image of a link I posted on Facebook, but the Facebook Sharing Debugger kept giving me a 403 response code. Then I found a ModSecurity log entry saying the request was blocked by rule 350001. I temporarily switched off the rule and everything works. But I guess the same rule blocks many other bots that are actually bad, so please fix it so I can re-activate it.

```json
        "accept": "*/*",
        "user-agent": "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
      }
    },
    "response": {
      "http_code": 403
    },
    "messages": [
      {
        "message": "BAD BOT - Detected and Blocked. ",
        "details": {
          "match": "Matched Operator '@pmFromFile /etc/modsecurity.d/badbots.txt' against variable 'REQUEST_HEADERS:User-Agent'",
          "ruleId": 350001,
          "file": "/etc/modsecurity.d/badbots.conf",
          "lineNumber": 1,
          "data": "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)",
          "rev": 1,
          "msg": "BAD BOT - Detected and Blocked. ",
          "severity": "CRITICAL"
```
airween commented 3 months ago

Hi @MariuszMilka,

I think that's normal behavior.

ModSecurity is a WAF engine: it splits the request into several parts. The decision is in the hands of the rule set.

The expected action in this case is to create an exclusion against the rule, something like this:

```apache
# Exclusion: for requests under the given URI prefix, stop rule 350001 from
# inspecting the User-Agent header (its only target), so the bad-bot check
# no longer fires there. Must be evaluated before rule 350001 itself.
SecRule REQUEST_URI "@beginsWith /your/uri/which/not/seems/here" \
    "id:10000,\
    phase:1,\
    t:none,\
    pass,\
    ctl:ruleRemoveTargetById=350001;REQUEST_HEADERS:User-Agent"
```

Put this rule before your rule set; I hope this will solve your problem.
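A tighter variant of the exclusion above, added here as an example and not part of the thread or of the ModSecurity project: instead of keying on a URI, it skips rule 350001 only when the User-Agent is Facebook's crawler and the client address is on a locally maintained allow-list. Assumptions: rule 350001 keeps its id and targets only REQUEST_HEADERS:User-Agent, rule id 10000 is unused locally, and /etc/modsecurity.d/facebook-crawler-cidrs.txt is a file you create and maintain yourself (the path and the example CIDR in it are placeholders).

```apache
# Added example, not from the thread or the ModSecurity project.
#
# Load this file BEFORE badbots.conf: ctl:ruleRemoveById only affects rules
# that have not yet been evaluated in the transaction, and both this rule and
# rule 350001 run in phase 1, so configuration order decides whether it works.
#
# The User-Agent header is client-controlled: a bare UA match would let anyone
# bypass rule 350001 by claiming to be facebookexternalhit. The chained
# REMOTE_ADDR check requires the request to also come from an address in the
# allow-list file (one CIDR per line, e.g. 203.0.113.0/24 as a placeholder).
#
# Rule id 10000 and the CIDR file path are assumptions for this example.
SecRule REQUEST_HEADERS:User-Agent "@beginsWith facebookexternalhit/" \
    "id:10000,\
    phase:1,\
    t:none,\
    pass,\
    nolog,\
    chain"
    SecRule REMOTE_ADDR "@ipMatchFromFile /etc/modsecurity.d/facebook-crawler-cidrs.txt" \
        "ctl:ruleRemoveById=350001"
```

The ctl action sits in the last rule of the chain so it only runs when both the User-Agent and the address matched. After adding the file, check the syntax with `apachectl -t` (or your connector's equivalent) before reloading. Facebook publishes the crawler's address ranges as the route objects of AS32934 (`whois -h whois.radb.net -- '-i origin AS32934'`); regenerate the allow-list from that periodically, because a stale list silently makes the exclusion stop matching and the 403s come back. Compared with the URI-scoped exclusion in the reply, this one removes the whole rule rather than one target, but only for verified crawler traffic, so rule 350001 keeps blocking everything else on every path.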