Forum Discussion
Mick39_201768
Nimbostratus
NimbostratusBlock HTTP access from specific user agent(2)
Dear community,
I want to arrange iRule which I learned in following URL.
https://devcentral.f5.com/questions/block-https-access-from-specific-user-agentanswer118447
Can I use iRule like this? My client doesn't want to show even 404.
when HTTP_REQUEST { log local0. "User-Agent:[HTTP::header "User-Agent"]" if { ([regexp sqlmap|havij|nmap|nessus|absinthe|nikto|w3af|pangolin|bsqlbf|prog.customcrawler|sql\ power\ injector|mysqloit|netsparker [string tolower [HTTP::header "User-Agent"]]]) && !([IP::addr [IP::client_addr] equals 192.168.115.100]) } { discard log local0. "[HTTP::header "User-Agent"] discarding." } }
Michael_JenkinsCirrostratus
I'd suggest using a
instead of regex, because the performance will be better (and I find it simpler to read too)switch -globwhen HTTP_REQUEST { log local0. "User-Agent:[HTTP::header "User-Agent"]" switch -glob [string tolower [HTTP::header "User-Agent"]] { "*sqlmap*" - "*havij*" - "*nmap*" - "*nessus*" - "*absinthe*" - "*nikto*" - "*w3af*" - "*pangolin*" - "*bsqlbf*" - "*prog.customcrawler*" - "*sql power injector*" - "*mysqloit*" - "*netsparker*" { if { !([IP::addr [IP::client_addr] equals 192.168.115.100]) } { discard log local0. "[HTTP::header "User-Agent"] discarding." } } }