Forum Discussion
Bot Signature based on the referer header
Hi,
Can we create a bot signature based on the "referer" header? Many requests that we receive in a Virtual Server (VS) are legitimate, but they are categorized as "Suspicious Browser." We would like to distinguish them if they have a specific referer.
Thanks!
Better try irule to change the action as ASM WAFsignatures can use any header/cookie or body but not BOT signatures that are only based on User-Agent.
Example:
when BOTDEFENSE_ACTION { if {[HTTP::header value Referer] contains "www.example.com"} { log local0. "bypassing enforcement for [HTTP::header value Referer]" set res [BOTDEFENSE::action allow] log local0. "set action to allow, result \"$res\"" log local0. "resulting action [BOTDEFENSE::action] reason \"[BOTDEFENSE::reason]\"" } }
https://clouddocs.f5.com/api/irules/BOTDEFENSE_ACTION.html
You can add if statement to trigger the allow only for a specific bot name https://clouddocs.f5.com/api/irules/BOTDEFENSE__bot_name.html
Example:
when BOTDEFENSE_ACTION { if {([HTTP::header value Referer] contains "www.example.com") && ([BOTDEFENSE::bot_name] contains "Bad Bot")} { log local0. "bypassing enforcement for [HTTP::header value Referer]" set res [BOTDEFENSE::action allow] log local0. "set action to allow, result \"$res\"" log local0. "resulting action [BOTDEFENSE::action] reason \"[BOTDEFENSE::reason]\"" } }
Edit:
The example shows set res [BOTDEFENSE::action allow] but maybe it is wrong and you need just to do the command [BOTDEFENSE::action allow]
Better try irule to change the action as ASM WAFsignatures can use any header/cookie or body but not BOT signatures that are only based on User-Agent.
Example:
when BOTDEFENSE_ACTION { if {[HTTP::header value Referer] contains "www.example.com"} { log local0. "bypassing enforcement for [HTTP::header value Referer]" set res [BOTDEFENSE::action allow] log local0. "set action to allow, result \"$res\"" log local0. "resulting action [BOTDEFENSE::action] reason \"[BOTDEFENSE::reason]\"" } }
https://clouddocs.f5.com/api/irules/BOTDEFENSE_ACTION.html
You can add if statement to trigger the allow only for a specific bot name https://clouddocs.f5.com/api/irules/BOTDEFENSE__bot_name.html
Example:
when BOTDEFENSE_ACTION { if {([HTTP::header value Referer] contains "www.example.com") && ([BOTDEFENSE::bot_name] contains "Bad Bot")} { log local0. "bypassing enforcement for [HTTP::header value Referer]" set res [BOTDEFENSE::action allow] log local0. "set action to allow, result \"$res\"" log local0. "resulting action [BOTDEFENSE::action] reason \"[BOTDEFENSE::reason]\"" } }
Edit:
The example shows set res [BOTDEFENSE::action allow] but maybe it is wrong and you need just to do the command [BOTDEFENSE::action allow]
- marta_slNimbostratus
Thank you very much! it works!
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com