Mike_Maher
Dec 21, 2012 (Nimbostratus)
iRule or Custom Attack Signature??
I am wanting to configure something to look for the following patterns that pertain to recent DDoS attacks that have been going around and log the event.
· UDP packets containing this RegEx: "\x2e{250}" or "\x2e{250,}"
· TCP and UDP packets containing this RegEx: "\x41{250}" or "\x41{250,}"
· TCP packets containing this RegEx: "(?i)User-Agent[^\r\n]+curl\x2f\d\x3e"
· TCP packets containing this RegEx: "User-Agent[^\r\n]+PHP\x2f"
I am pretty sure I can do this with an iRule; it has also been suggested by a colleague that it may be better to do a custom attack signature within ASM. I wanted to get some opinions on which one would be the better way to accomplish this.
I have written a few iRules nothing, but have not attempted to do a custom attack signature yet. Any thoughts or guidance on this is appreciated.
Mike
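Whichever mechanism ends up carrying these patterns, it helps to check what each one fires on before deploying it. The sketch below is an added example, not part of the original post and not F5 code: it runs the four regexes from the post over constructed payloads, restricted to the transport the post assigns to each. The signature names, the `match_signatures` helper and the sample payloads are hypothetical, and Python's `re` stands in for whatever regex engine the device uses.

```python
import re

# Regexes copied from the post; names and protocol sets are labels added for this example.
# For an unanchored search, "{250}" and "{250,}" flag exactly the same payloads,
# so only one form of each run-length pattern is compiled.
SIGNATURES = [
    ("dot-run", {"udp"},        re.compile(rb"\x2e{250}")),
    ("A-run",   {"tcp", "udp"}, re.compile(rb"\x41{250}")),
    # \x3e is the byte '>', so as written this needs '>' right after the digit.
    ("ua-curl", {"tcp"},        re.compile(rb"(?i)User-Agent[^\r\n]+curl\x2f\d\x3e")),
    # No (?i) here, so this one is case-sensitive.
    ("ua-php",  {"tcp"},        re.compile(rb"User-Agent[^\r\n]+PHP\x2f")),
]


def match_signatures(proto: str, payload: bytes) -> list[str]:
    """Return the names of all signatures that apply to proto and hit payload."""
    proto = proto.lower()
    return [name for name, protos, rx in SIGNATURES
            if proto in protos and rx.search(payload)]


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    ("udp", b"." * 300),                                      # long dot run over UDP
    ("tcp", b"." * 300),                                      # same bytes, wrong transport
    ("tcp", b"A" * 249),                                      # one byte short of the threshold
    ("udp", b"A" * 250),                                      # exactly at the threshold
    ("tcp", b"GET / HTTP/1.1\r\nUser-Agent: PHP/5.3.10\r\n\r\n"),
    ("tcp", b"GET / HTTP/1.1\r\nUser-Agent: curl/7.26.0\r\n\r\n"),
    ("tcp", b"GET / HTTP/1.1\r\nuser-agent: x CURL/7>\r\n\r\n"),
    # "PHP/" on a different header line: [^\r\n]+ keeps the match on one line.
    ("tcp", b"GET / HTTP/1.1\r\nUser-Agent: Mozilla\r\nX-Powered-By: PHP/5\r\n\r\n"),
]

if __name__ == "__main__":
    for proto, payload in SAMPLES:
        hits = match_signatures(proto, payload)
        print(f"{proto} len={len(payload)} hits={hits or 'none'}")
```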