For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mick39_201768's avatar
Mick39_201768
Icon for Nimbostratus rankNimbostratus
May 27, 2015

Block HTTP access from specific user agent(2)

Dear community,   I want to arrange iRule which I learned in following URL.   https://devcentral.f5.com/questions/block-https-access-from-specific-user-agentanswer118447   Can I use iRule li...
application delivery
devops
ibm
iRules
LTM
management
security
Michael_Jenkins's avatar
Michael_Jenkins
Icon for Cirrostratus rankCirrostratus
May 27, 2015

I'd suggest using a 

switch -glob
instead of regex, because the performance will be better (and I find it simpler to read too)

when HTTP_REQUEST {
    log local0. "User-Agent:[HTTP::header "User-Agent"]"
    switch -glob [string tolower [HTTP::header "User-Agent"]] {
        "*sqlmap*" -
        "*havij*" -
        "*nmap*" -
        "*nessus*" -
        "*absinthe*" -
        "*nikto*" -
        "*w3af*" -
        "*pangolin*" -
        "*bsqlbf*" -
        "*prog.customcrawler*" -
        "*sql power injector*" -
        "*mysqloit*" -
        "*netsparker*" {
            if { !([IP::addr [IP::client_addr] equals 192.168.115.100]) } {
                discard
                log local0. "[HTTP::header "User-Agent"] discarding."
            }
    }
}