Custom Attack Signature to block request with No UA or Referer

Yea, I am not sure that will accomplish what I am looking for. Which is to check if both Headers are missing. If a UA is present but the referer isn't I will still want to allow the traffic. Also I may need the ability to whitelist the signature for certain traffic.

It would be nice if in policy there was a way to attach mandatory header conditions per URL.

Hi Mike,

I'm not sure if it's possible to attach mandatory header conditions per URL. But you can whitelist if an URI is blocked because of MISSING MANDATORY HEADER. You can use below irule. Make sure Trigger ASM iRule Events is enabled in Policy.

1) create a DG for hosts that need to whitelist 2) create a DG for URI that need to whitelist

    when ASM_REQUEST_DONE {

if { [ class match [HTTP::host] equals host_dg ] and [string tolower [HTTP::uri]] contains "uri_dg" and ([ASM::violation_data] contains "VIOLATION_MISSING_MANDATORY_HEADER" ) } { ASM::unblock } }

Thanks for the suggestion, I had not thought about that and it is an interesting solution. The site I am working with is very dynamic and that list may be difficult to maintain. I do appreciate the feed back though, and I am going to keep that iRule idea in my back pocket as it may work well for other solutions in the future.