Forum Discussion

Mike_Maher
Nimbostratus
Dec 21, 2012

iRule or Custom Attack Signature??

I am wanting to configure something to look for the following patterns that pertain to recent DDoS attacks that have been going around and log the event.

· UDP packets containing this RegEx: "\x2e{250}" or "\x2e{250,}"
· TCP and UDP packets containing this RegEx: "\x41{250}" or "\x41{250,}"
· TCP packets containing this RegEx: "(?i)User-Agent[^\r\n]+curl\x2f\d\x3e"
· TCP packets containing this RegEx: "User-Agent[^\r\n]+PHP\x2f"

I am pretty sure I can do this with an iRule; it has also been suggested by a colleague that it may be better to do a custom attack signature within ASM. I wanted to get some opinions on which one would be the better way to accomplish this.

I have written a few iRules nothing, but have not attempted to do a custom attack signature yet. Any thoughts or guidance on this is appreciated.

Mike
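
An offline check of the four patterns listed in the post, useful before committing them to an iRule or an ASM signature. This is an added example, not part of the original post; the signature names and the sample payloads are constructed, and it assumes Python's `re` engine, which may differ in details from the regex engine on the BIG-IP.

```python
import re

# The four patterns from the post, as bytes regexes, each scoped to the
# transport protocols the post lists for it. Names are made up for this example.
# In an unanchored search "{250}" and "{250,}" flag the same payloads,
# so one form per byte value is enough.
SIGNATURES = [
    ("dot-run", {"udp"}, re.compile(rb"\x2e{250,}")),
    ("a-run", {"tcp", "udp"}, re.compile(rb"\x41{250,}")),
    ("ua-curl", {"tcp"}, re.compile(rb"(?i)User-Agent[^\r\n]+curl\x2f\d\x3e")),
    ("ua-php", {"tcp"}, re.compile(rb"User-Agent[^\r\n]+PHP\x2f")),
]

def match_signatures(proto, payload):
    """Return the names of all signatures that fire for this payload."""
    proto = proto.lower()
    return [name for name, protos, rx in SIGNATURES
            if proto in protos and rx.search(payload)]

# Constructed payloads (not captured traffic) exercising hits and near misses.
SAMPLES = [
    ("udp", b"." * 300),
    ("tcp", b"." * 300),   # dot pattern is UDP-only in the post
    ("udp", b"A" * 249),   # one byte short of the threshold
    ("tcp", b"A" * 250),
    ("tcp", b"GET / HTTP/1.1\r\nUser-Agent: PHP/5.3.10\r\n\r\n"),
    ("tcp", b"GET / HTTP/1.1\r\nuser-agent: php/5.3.10\r\n\r\n"),  # PHP pattern is case-sensitive
    ("tcp", b"GET / HTTP/1.1\r\nuser-agent: curl/7>\r\n\r\n"),
    ("tcp", b"GET / HTTP/1.1\r\nUser-Agent: curl/7.28.1\r\n\r\n"),  # \x3e is '>', so no match
]

def run_samples():
    """Evaluate every constructed sample and return the list of hit lists."""
    return [match_signatures(proto, data) for proto, data in SAMPLES]

if __name__ == "__main__":
    for (proto, data), hits in zip(SAMPLES, run_samples()):
        print(proto, len(data), hits or "no match")
```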

3 Replies

  • Ido_Breger_3805
    Historic F5 Account
    Hi Mike,

    ASM signatures can detect that within HTTP requests; however, from what you describe (especially the need for UDP), it seems that this isn't part of HTTP.

    The general advice is to use ASM for anything that is HTTP related (ASM sigs are faster than iRules) and iRules for anything else.
  • Ido,

    Thanks for the advice. Is there any documentation/wiki on writing custom attack signatures like what is out there for iRules?