Forum Discussion

Patti_G_72768
Oct 08, 2013

regex to iRule conversion - 2

Hi again, I have another rule I would like to get some feedback on please. Here is an abbreviation of the rule:


  404
  Request Indicates a Security Scanner Scanned the Site
  AUTOMATION/SECURITY_SCANNER
  %(_DENY)

Here is what I wrote as the iRule that would try to do the same thing:

when HTTP_REQUEST {
  # Lowercase the User-Agent header, then check whether it contains any
  # entry of the _my_rule_dg data group as a substring.
  if { [class match [string tolower [HTTP::header User-Agent]] contains _my_rule_dg] } {
    log local0. "Security Scanner scanned the site."
    # Answer with a 404 from the BIG-IP instead of forwarding the request.
    HTTP::respond 404 content "If you have reached this page in error, please try again."
    # Stop processing HTTP_REQUEST for the remainder of this connection.
    event disable
  }
}

I created the data group _my_rule_dg and entered the security scanners we want to search for. Will the iRule above satisfy what the regex rule is doing? If not, where am I going wrong? Thanks!

5 Replies

  • I may be missing some context somewhere, but are you expecting the client to send a specific User-Agent header that indicates some form of scanning process?


  • regex flags="sdeo" regex="(?:\b(?:m(?:ozilla\/4.0 (compatible)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|webinspect|.nasl)" select="REQUEST_HEADERS:User-Agent" transform="lowercase"


    404 "Request Indicates a Security Scanner Scanned the Site"


  • Hi, sorry it looks like I wasn't able to post some of the necessary info. I just posted the abbreviated rule.


    Thanks!


  • I'm sure it'll need some tweaking, but it looks about right. I'm assuming your data group looks something like this:

    nessus
    n-stealth
    metis
    pmafind
    nsauditor
    nikto
    black widow
    brutus
    bilbo
    jaascois
    paros
    webinspect
    .nasl
    
  • Hi Kevin, yes my data group has those items listed.


    thanks for your help!!!!
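To check whether the data-group version really behaves like the regex rule, the two match semantics can be compared offline. The following is an added example, not code from the thread or from F5: it takes the regex exactly as quoted in the reply above, the data group entries as Kevin listed them (assumed to be the contents of _my_rule_dg), and runs both over constructed User-Agent strings to find where they disagree.

```python
import re

# Regex rule quoted in the thread, used verbatim. transform="lowercase" means the
# header is lowercased before matching, so the pattern itself is all lowercase.
SCANNER_REGEX = re.compile(
    r"(?:\b(?:m(?:ozilla\/4.0 (compatible)|etis)|webtrends security analyzer|pmafind)\b"
    r"|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)"
    r"|(?:jaascoi|paro)s|webinspect|.nasl)"
)

# Data group entries as listed in Kevin's reply (assumed contents of _my_rule_dg).
DATA_GROUP = [
    "nessus", "n-stealth", "metis", "pmafind", "nsauditor", "nikto",
    "black widow", "brutus", "bilbo", "jaascois", "paros", "webinspect", ".nasl",
]


def regex_matches(user_agent: str) -> bool:
    """Mirror of the regex rule: lowercase the header, then search."""
    return SCANNER_REGEX.search(user_agent.lower()) is not None


def datagroup_matches(user_agent: str) -> bool:
    """Mirror of `class match [string tolower ...] contains _my_rule_dg`:
    true when the lowercased header contains any entry as a literal substring."""
    ua = user_agent.lower()
    return any(entry in ua for entry in DATA_GROUP)


def compare(user_agents):
    """Return {ua: (regex_result, datagroup_result)} for inputs where they disagree."""
    return {ua: (regex_matches(ua), datagroup_matches(ua))
            for ua in user_agents
            if regex_matches(ua) != datagroup_matches(ua)}


# Constructed sample User-Agent values (not captured traffic).
SAMPLES = [
    "Nikto/2.1.5",                  # both match
    "Mozilla/5.0 (Windows NT 6.1)", # neither matches
    "BlackWidow/6.0",               # regex 'lack ?widow' allows no space; data group needs "black widow"
    "scanner-nasl",                 # regex '.nasl' is any char + "nasl"; data group needs a literal "."
    "WebTrends Security Analyzer",  # in the regex, absent from the data group
    "metisoft-agent",               # regex needs a word boundary after "metis"; 'contains' does not
]

if __name__ == "__main__":
    for ua, (rx, dg) in compare(SAMPLES).items():
        print(f"{ua!r}: regex={rx} datagroup={dg}")
```

Each disagreement is either a scanner string the data group misses (a gap to add an entry for) or a substring match the regex would not have made (a possible false positive to review).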