Forum Discussion

Mick39_201768's avatar
Mick39_201768
Icon for Nimbostratus rankNimbostratus
May 27, 2015

Block HTTP access from specific user agent(2)

Dear community,

 

I want to arrange iRule which I learned in following URL.

 

https://devcentral.f5.com/questions/block-https-access-from-specific-user-agentanswer118447

 

Can I use iRule like this? My client doesn't want to show even 404.

 

when HTTP_REQUEST { log local0. "User-Agent:[HTTP::header "User-Agent"]" if { ([regexp sqlmap|havij|nmap|nessus|absinthe|nikto|w3af|pangolin|bsqlbf|prog.customcrawler|sql\ power\ injector|mysqloit|netsparker [string tolower [HTTP::header "User-Agent"]]]) && !([IP::addr [IP::client_addr] equals 192.168.115.100]) } { discard log local0. "[HTTP::header "User-Agent"] discarding." } }

 

  • I'd suggest using a

    switch -glob
    instead of regex, because the performance will be better (and I find it simpler to read too)

    when HTTP_REQUEST {
        log local0. "User-Agent:[HTTP::header "User-Agent"]"
        switch -glob [string tolower [HTTP::header "User-Agent"]] {
            "*sqlmap*" -
            "*havij*" -
            "*nmap*" -
            "*nessus*" -
            "*absinthe*" -
            "*nikto*" -
            "*w3af*" -
            "*pangolin*" -
            "*bsqlbf*" -
            "*prog.customcrawler*" -
            "*sql power injector*" -
            "*mysqloit*" -
            "*netsparker*" {
                if { !([IP::addr [IP::client_addr] equals 192.168.115.100]) } {
                    discard
                    log local0. "[HTTP::header "User-Agent"] discarding."
                }
        }
    }