Forum Discussion
Block a User-Agent with an iRule
Dear Community,
we have received some suspicious requests with a customized User-Agent in the HTTP header. Now the idea is to temporarily block those Agents with an iRule to do some further investigations.
Now I've written an iRule like this:
    when HTTP_REQUEST {
        log local0. "User-Agent:[HTTP::header "User-Agent"]"
        if { [string tolower [HTTP::header "User-Agent"]] == "Mozilla/4.0"} {
            drop
            log local0. "Rejected request: [IP::remote_addr] User-Agent:[string tolower [HTTP::header "User-Agent"]] requested [HTTP::host][HTTP::uri]"
        }
    }
I can see the User-Agents from the first log line, but no connections with the Agent "Mozilla/4.0" are dropped (and the second log line never matches). Can anyone explain why this is the case? I want to block only exactly this expression, not something like User-Agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0 bla bla because someone uses an old browser.
Furthermore, I'd like to know if "drop" is the correct statement for this, or whether I should rather use an HTTP response code like 403 or a "sorry page".
Thanks in advance for your help, Manuel
6 Replies
- nathe
Cirrocumulus
Manuel,
The problem is line "if { [string tolower [HTTP::header "User-Agent"]] == "Mozilla/4.0"} { "
This will never match as you're doing a string tolower but looking for Mozilla with a capital M.
Try that.
N
Hi!
You convert your user agent header to lower case and match it against a string containing upper case. Change Mozilla/4.0 to mozilla/4.0 and you should be ok.
/Patrik
- spalande
Nacreous
Can you try below

    when HTTP_REQUEST {
        if { [ string tolower [HTTP::header User-Agent]] contains "name_of_user_agent"} {
            drop
            log local0. "Client IP:[IP::client_addr] has been blocked with user agent :[HTTP::header User-Agent]"
        }
    }

- Pascal_Tene_910
Historic F5 Account
    when HTTP_REQUEST {
        log local0. "User-Agent:[HTTP::header "User-Agent"]"
        if { [HTTP::header "User-Agent"] contains "Mozilla"} {
            drop
            log local0. "Rejected request: [IP::remote_addr] User-Agent:[string tolower [HTTP::header "User-Agent"]] requested [HTTP::host][HTTP::uri]"
        }
    }
Above irule works (tested on 11.4.0)
    Mar 24 05:57:07 B7200-R3-S22 info tmm5[11470]: Rule /Common/jt-useragent-drop : Rejected request: 10.12.0.25 User-Agent:mozilla/5.0 (x11; linux x86_64; rv:10.0.12) gecko/20130109 firefox/10.0.12 requested 10.12.0.110/
    Mar 24 05:57:49 B7200-R3-S22 info tmm6[11470]: Rule /Common/jt-useragent-drop : User-Agent:Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20130109 Firefox/10.0.12
    Mar 24 05:57:49 B7200-R3-S22 info tmm6[11470]: Rule /Common/jt-useragent-drop : Rejected request: 10.12.0.25 User-Agent:mozilla/5.0 (x11; linux x86_64; rv:10.0.12) gecko/20130109 firefox/10.0.12 requested 10.12.0.110/
- Manuel_60430
Nimbostratus
Thanks for the help! It was the upper case letter from "Mozilla/4.0", sorry for my noobish question :-)
Thanks F5 Rocks, with the first log line I just wanted to make sure that the rule hits at all (or maybe a previous match prevents this from hitting).
Pascal, I guess that would be fine too - I just don't want to block every agent which "contains" Mozilla or Mozilla/4.0, but exactly the expression "Mozilla/4.0".
- Good to hear the problem is solved. We all have some face-palm moments sometimes. :)
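
Added example, not part of any post in this thread: one way to block only the exact User-Agent value from the question, by lower-casing the header once and comparing it against lower-case literals. The `static::blocked_agents` list and its single entry are constructed for illustration; the `HTTP::respond` line is a commented alternative to `drop`.

```tcl
when RULE_INIT {
    # Constructed blocklist (assumption): exact User-Agent values, stored
    # in lower case so they compare correctly against a lower-cased header.
    set static::blocked_agents [list "mozilla/4.0"]
}

when HTTP_REQUEST {
    # Normalise the header once. Comparing this against a literal that
    # contains upper-case letters can never match.
    set ua [string tolower [HTTP::header "User-Agent"]]

    # lsearch -exact matches the whole string, so a longer value such as
    # "mozilla/4.0 (compatible; msie 8.0; ...)" is not blocked, unlike
    # a "contains" test.
    if { [lsearch -exact $static::blocked_agents $ua] >= 0 } {
        log local0. "Rejected request: [IP::client_addr] User-Agent:$ua requested [HTTP::host][HTTP::uri]"

        # Silently discard the connection; the client receives no response.
        drop

        # Alternative: answer with an HTTP status instead of dropping.
        # HTTP::respond 403 content "Forbidden"

        return
    }
}
```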