Block a User-Agent with an iRule
Dear Community,
We have received some suspicious requests with a customized User-Agent in the HTTP header. Now the idea is to temporarily block those Agents with an iRule to do some further investigations.
Now I've written an iRule like this:
when HTTP_REQUEST {
    log local0. "User-Agent:[HTTP::header "User-Agent"]"
    if { [string tolower [HTTP::header "User-Agent"]] == "Mozilla/4.0"} {
        drop
        log local0. "Rejected request: [IP::remote_addr] User-Agent:[string tolower [HTTP::header "User-Agent"]] requested [HTTP::host][HTTP::uri]"
    }
}
I can see the User-Agents from the first log line, but no connections with the Agent "Mozilla/4.0" are dropped (the second log line also never matches). Can anyone explain why this is the case? I want to block only exactly this expression, not something like User-Agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0 bla bla because someone uses an old browser.
Furthermore, I'd like to know if "drop" is the correct statement for this, or whether I should rather use an HTTP response code like 403 or a "sorry page".
Thanks in advance for your help, Manuel
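
Why the comparison in the posted iRule never matches, shown as an added example that is not part of the original post. It is plain Tcl runnable with tclsh, and the proc names and sample User-Agent values are constructed for illustration.

```tcl
# Added example, not the poster's code. Proc names and sample header
# values below are constructed for illustration.

# The comparison as posted: the left-hand side is lower-cased first, the
# literal on the right still contains an upper-case "M", so the two strings
# can never be equal and the branch is never taken.
proc ua_match_as_posted {ua} {
    return [expr {[string tolower $ua] == "Mozilla/4.0"}]
}

# Exact match on the whole header value, ignoring case. A longer value such
# as a full MSIE 8 User-Agent is a different string and is not matched.
proc ua_match_exact {ua} {
    return [string equal -nocase $ua "Mozilla/4.0"]
}

# Constructed sample User-Agent header values.
set samples {
    "Mozilla/4.0"
    "mozilla/4.0"
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
    "Mozilla/5.0 (X11; Linux x86_64)"
    ""
}

# Print both results side by side for each sample value.
foreach ua $samples {
    puts [format "%-66s as_posted=%d exact=%d" \
        "\"$ua\"" [ua_match_as_posted $ua] [ua_match_exact $ua]]
}
```

In the iRule, the `string equal -nocase` test would take the place of the `==` comparison in the `if` condition.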