Forum Discussion
BoT Defense Profile, Signature Enforcement
Recently, I implemented a BoT Defense/logging profile in transparent mode, expecting the profile to "learn" from the traffic generated by bots. During the initial "learning mode period," I hoped the profile to perform the following tasks:
- Check for mouse movement and keystrokes to detect human-like behavior.
- Track requests that deviate from the expected sequence or fail to request objects in a manner consistent with human browsing patterns.
- Utilize JavaScript to fingerprint browser characteristics and assign an internal score to evaluate if a browser meets the expected features. (I see that blocking for this setting would be a must, however)
Due to the presence of numerous performance testing and stress testing tools that use outdated browsers, we are unable to enable Browser Verification. Will it affect the bullet points above?
When I created the profile, I noticed that it came preloaded with 950 attack signatures specifically to bots. However, after a month of continuous traffic, I observed that there were no signatures ready to be enforced, and there were no signatures waiting for traffic samples. Could browser verification settings set to none also be the reason for no signature learning, for we have disabled that feature completely.
I believe this could be because bot signatures are generally static and not as diverse as the advanced (OWASP/MITRE) threats covered by Security Learning and Blocking Settings for polices in F5 and that the actual mitigation comes from Bot Mitigation Settings (Trusted Bot, Untrusted Bot, Suspicious Browser, Malicious Bot, Rate Limiting)
My question is: If I enable CAPTCHA for malicious bots, will the signatures from F5 950 intellectual property be utilized? Is it possible that true learning for these settings only starts when actual blocking is enabled? Or will it be utilized based as soon as Bot Mitigation Settings are set to block or challenge at least known signatures?
Thank you everyone for your input, the issue seems to have resolved itself, the signagures must not have been staged long enough I suppose.
You can sign up to revieve email alerts when new bot signatures are available. You can also set to auto-update (or not). Please see the following:
That would at least help validate the frequency of updates, and if you are missing one.
By default, signatures are staged and log a match. You would need to set them to enforce to actually block.
Hope this helps a bit.
Don't forget to add a security log profile that has the bot logs enabled to the virtual server.
- dbaimakovAltocumulus
Thank you everyone for your input, the issue seems to have resolved itself, the signagures must not have been staged long enough I suppose.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com