Forum Discussion

marta_sl's avatar
marta_sl
Icon for Nimbostratus rankNimbostratus
Sep 12, 2023

Bot Signature based on the referer header

Hi,

Can we create a bot signature based on the "referer" header? Many requests that we receive in a Virtual Server (VS) are legitimate, but they are categorized as "Suspicious Browser." We would like to distinguish them if they have a specific referer.

Thanks!

 

  • Better try irule to change the action as ASM WAFsignatures can use any header/cookie or body but not BOT signatures that are only based on User-Agent.

     

    Example:

    when BOTDEFENSE_ACTION {
         if {[HTTP::header value Referer] contains "www.example.com"} {
             log local0. "bypassing enforcement for [HTTP::header value Referer]"
             set res [BOTDEFENSE::action allow]
             log local0. "set action to allow, result \"$res\""
             log local0. "resulting action [BOTDEFENSE::action] reason \"[BOTDEFENSE::reason]\""
         }
     }

    https://clouddocs.f5.com/api/irules/BOTDEFENSE_ACTION.html 

     

     

    You can add if statement to trigger the allow only for a specific bot name https://clouddocs.f5.com/api/irules/BOTDEFENSE__bot_name.html

     

     

     

    Example:

    when BOTDEFENSE_ACTION {
         if {([HTTP::header value Referer] contains "www.example.com") && ([BOTDEFENSE::bot_name] contains "Bad Bot")} {
             log local0. "bypassing enforcement for [HTTP::header value Referer]"
             set res [BOTDEFENSE::action allow]
             log local0. "set action to allow, result \"$res\""
             log local0. "resulting action [BOTDEFENSE::action] reason \"[BOTDEFENSE::reason]\""
         }
     }

     

     

    Edit:

     

    The example shows  set res [BOTDEFENSE::action allow] but maybe it is wrong and you need just to do the command [BOTDEFENSE::action allow]

2 Replies

  • Better try irule to change the action as ASM WAFsignatures can use any header/cookie or body but not BOT signatures that are only based on User-Agent.

     

    Example:

    when BOTDEFENSE_ACTION {
         if {[HTTP::header value Referer] contains "www.example.com"} {
             log local0. "bypassing enforcement for [HTTP::header value Referer]"
             set res [BOTDEFENSE::action allow]
             log local0. "set action to allow, result \"$res\""
             log local0. "resulting action [BOTDEFENSE::action] reason \"[BOTDEFENSE::reason]\""
         }
     }

    https://clouddocs.f5.com/api/irules/BOTDEFENSE_ACTION.html 

     

     

    You can add if statement to trigger the allow only for a specific bot name https://clouddocs.f5.com/api/irules/BOTDEFENSE__bot_name.html

     

     

     

    Example:

    when BOTDEFENSE_ACTION {
         if {([HTTP::header value Referer] contains "www.example.com") && ([BOTDEFENSE::bot_name] contains "Bad Bot")} {
             log local0. "bypassing enforcement for [HTTP::header value Referer]"
             set res [BOTDEFENSE::action allow]
             log local0. "set action to allow, result \"$res\""
             log local0. "resulting action [BOTDEFENSE::action] reason \"[BOTDEFENSE::reason]\""
         }
     }

     

     

    Edit:

     

    The example shows  set res [BOTDEFENSE::action allow] but maybe it is wrong and you need just to do the command [BOTDEFENSE::action allow]