Forum Discussion

Wackitron_36350's avatar
Wackitron_36350
Icon for Altocumulus rankAltocumulus
Nov 01, 2018

Bad User-Agent Header to be blocked via ASM

Hi All,   I saw some weird User-Agent on the payloads for requests coming in for one of our Virtual Server.   User-Agent: lge/judyln_lao_com/judyln:8.0.0/OPR1.170623.032/182571210dda2:user/rele...
ASM Advanced WAF
cloud
security
Ivan_Chernenkii's avatar
Ivan_Chernenkii
Icon for Employee rankEmployee
Jan 16, 2020

You can create attack signature for User-Agent header if you know the pattern

iRule's avatar
iRule
Icon for Cirrus rankCirrus
Jul 07, 2020

I need to block requests containing user agent Test Certificate Info

 

While creating custom attack signature which option will work better from the attached snapshot.

 

 

 

  • Ivan_Chernenkii's avatar
    Ivan_Chernenkii
    Icon for Employee rankEmployee
    Jul 07, 2020

    I think it would be better to create appropriate Bot Signature (related to Bot Profile) and not Attack Signature (related to ASM policy), because in Bot Signature we have rule like "User Agent Contains ..."

    In case of Attack Signature - IMO, "Header" matched element is preferred, but also you can make it more detailed by using regex or string with "Request Content" matched element, like "User-Agent: *Test Certificate Info*" or "User-Agent: Test Certificate Info"

     

    Thanks, Ivan