Forum Discussion

Mick39_201768's avatar
Mick39_201768
Icon for Nimbostratus rankNimbostratus
May 27, 2015

Block HTTP access from specific user agent(2)

Dear community,

 

I want to arrange iRule which I learned in following URL.

 

https://devcentral.f5.com/questions/block-https-access-from-specific-user-agentanswer118447

 

Can I use iRule like this? My client doesn't want to show even 404.

 

when HTTP_REQUEST { log local0. "User-Agent:[HTTP::header "User-Agent"]" if { ([regexp sqlmap|havij|nmap|nessus|absinthe|nikto|w3af|pangolin|bsqlbf|prog.customcrawler|sql\ power\ injector|mysqloit|netsparker [string tolower [HTTP::header "User-Agent"]]]) && !([IP::addr [IP::client_addr] equals 192.168.115.100]) } { discard log local0. "[HTTP::header "User-Agent"] discarding." } }

 

application delivery
devops
ibm
iRules
LTM
management
security

1 Reply

Sort By
  • Michael_Jenkins's avatar
    Michael_Jenkins
    Icon for Cirrostratus rankCirrostratus
    May 27, 2015

    I'd suggest using a 

    switch -glob
    instead of regex, because the performance will be better (and I find it simpler to read too)

    when HTTP_REQUEST {
    log local0. "User-Agent:[HTTP::header "User-Agent"]"
    switch -glob [string tolower [HTTP::header "User-Agent"]] {
        "*sqlmap*" -
        "*havij*" -
        "*nmap*" -
        "*nessus*" -
        "*absinthe*" -
        "*nikto*" -
        "*w3af*" -
        "*pangolin*" -
        "*bsqlbf*" -
        "*prog.customcrawler*" -
        "*sql power injector*" -
        "*mysqloit*" -
        "*netsparker*" {
            if { !([IP::addr [IP::client_addr] equals 192.168.115.100]) } {
                discard
                log local0. "[HTTP::header "User-Agent"] discarding."
            }
    }
}