Manuel_60430
Mar 24, 2014

Block a User-Agent with an iRule

Dear Community,

 

We have received some suspicious requests with a customized User-Agent in the HTTP header. Now the idea is to temporarily block those agents with an iRule to do some further investigation.

 

Now I've written an iRule like this:

 

when HTTP_REQUEST {
    log local0. "User-Agent:[HTTP::header "User-Agent"]"
    if { [string tolower [HTTP::header "User-Agent"]] == "Mozilla/4.0"} {
        drop
        log local0. "Rejected request: [IP::remote_addr] User-Agent:[string tolower [HTTP::header "User-Agent"]] requested [HTTP::host][HTTP::uri]"
    }
}

 

I can see the User-Agents from the first log line, but no connections with the agent "Mozilla/4.0" are dropped (the second log line also never matches). Can anyone explain why this is the case? I want to block only exactly this expression, not something like User-Agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0 bla bla because someone uses an old browser.

 

Furthermore, I'd like to know if "drop" is the correct statement for this, or whether I should rather use an HTTP response code like 403 or a "sorry page".

 

Thanks in advance for your help, Manuel

 

6 Replies

  • nathe

    Manuel,

     

    The problem is line "if { [string tolower [HTTP::header "User-Agent"]] == "Mozilla/4.0"} { "

     

    This will never match as you're doing a string tolower but looking for Mozilla with a capital M.

     

    Try that.

     

    N

     

  • Hi!

     

    You convert your user agent header to lower case and match it against a string containing upper case. Change Mozilla/4.0 to mozilla/4.0 and you should be ok.

     

    /Patrik

     

  • Can you try below:

    when HTTP_REQUEST {
        if { [string tolower [HTTP::header User-Agent]] contains "name_of_user_agent"} {
            drop
            log local0. "Client IP:[IP::client_addr] has been blocked with user agent :[HTTP::header User-Agent]"
        }
    }

  • Pascal_Tene_910
    Historic F5 Account

    when HTTP_REQUEST {
        log local0. "User-Agent:[HTTP::header "User-Agent"]"
        if { [HTTP::header "User-Agent"] contains "Mozilla"} {
            drop
            log local0. "Rejected request: [IP::remote_addr] User-Agent:[string tolower [HTTP::header "User-Agent"]] requested [HTTP::host][HTTP::uri]"
        }
    }

     

    Above irule works (tested on 11.4.0)

     

    Mar 24 05:57:07 B7200-R3-S22 info tmm5[11470]: Rule /Common/jt-useragent-drop : Rejected request: 10.12.0.25 User-Agent:mozilla/5.0 (x11; linux x86_64; rv:10.0.12) gecko/20130109 firefox/10.0.12 requested 10.12.0.110/
    Mar 24 05:57:49 B7200-R3-S22 info tmm6[11470]: Rule /Common/jt-useragent-drop : User-Agent:Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20130109 Firefox/10.0.12
    Mar 24 05:57:49 B7200-R3-S22 info tmm6[11470]: Rule /Common/jt-useragent-drop : Rejected request: 10.12.0.25 User-Agent:mozilla/5.0 (x11; linux x86_64; rv:10.0.12) gecko/20130109 firefox/10.0.12 requested 10.12.0.110/

     

  • Thanks for the help! It was the upper case letter from "Mozilla/4.0", sorry for my noobish question :-)

     

    Thanks F5 Rocks, with the first log line I just wanted to make sure that the rule hits at all (or maybe a previous match prevents this from hitting).

     

    Pascal, I guess that would be fine too - I just don't want to block every agent which "contains" Mozilla or Mozilla/4.0, but exactly the expression "Mozilla/4.0"

     

    • Patrik_Jonsson
      Good to hear the problem is solved. We all have some face-palm moments sometimes. :)
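
Added example (editor's illustration, not code posted by anyone in this thread): an iRule that blocks only the exact User-Agent value from the question, compared case-insensitively, and shows the two responses the question asks about side by side. The choice of a 403 with a plain-text body and a Connection: close header is an assumption made for the example.

```tcl
when HTTP_REQUEST {
    # Normalise once: lower-case the header and strip surrounding whitespace,
    # so the comparison literal below must also be lower-case.
    set ua [string trim [string tolower [HTTP::header "User-Agent"]]]

    # "eq" is an exact string comparison. Unlike "contains", it does not
    # match longer values such as "mozilla/4.0 (compatible; msie 8.0; ...)".
    if { $ua eq "mozilla/4.0" } {
        # Log before acting so the record exists whichever response is used.
        log local0. "Rejected request: [IP::client_addr] User-Agent:$ua requested [HTTP::host][HTTP::uri]"

        # Option 1: explicit HTTP answer. The client sees a 403 and the
        # request never reaches the pool.
        HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain" "Connection" "close"

        # Option 2 (use instead of HTTP::respond): discard silently.
        # The client gets no reply and waits for its own timeout.
        # drop

        # Stop processing this event in this iRule.
        return
    }
}
```

With `drop` the sender gets no signal that it was filtered, while the 403 gives an unambiguous answer that also appears in any client-side or proxy logs collected during the investigation.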