Custom Attack Signature to block request with No UA or Referer

Question

I want to be able to check and see if the request is missing both the User-Agent String and the Referer, and possibly block the request. So I know I can do this with an iRule, but I am wanting to try and perform this check with an Attack Signature. Reason being, that I would like to put the Signature in staging to see how much traffic is getting logged against it before I move it to blocking. I am running 12.1.1 HF1 currently.

nag_54823 · Answer

Hi Mike,&nbsp;
I think configuring  mandatory headers will be help. Please find the below link.&nbsp;
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/29.htmlunique_2103859402&nbsp;

mike_maher · Answer

Yea, I am not sure that will accomplish what I am looking for.  Which is to check if both Headers are missing.  If a UA is present but the referer isn't I will still want to allow the traffic.  Also I may need the ability to whitelist the signature for certain traffic.  
&nbsp;
It would be nice if in policy there was a way to attach mandatory header conditions per URL.  &nbsp;

nag_54823 · Answer

Hi Mike,
I'm not sure if it's possible to attach mandatory header conditions per URL. But you can whitelist if an URI is blocked because of MISSING MANDATORY HEADER. You can use below irule. Make sure Trigger ASM iRule Events is enabled in Policy.
1) create a DG for hosts that need to whitelist
2) create a DG for URI that need to whitelist
    when ASM_REQUEST_DONE {

if { [ class match [HTTP::host] equals host_dg ] and [string tolower [HTTP::uri]] contains "uri_dg" and ([ASM::violation_data] contains "VIOLATION_MISSING_MANDATORY_HEADER" ) } {
             ASM::unblock
}
}

mike_maher · Answer

Thanks for the suggestion, I had not thought about that and it is an interesting solution. The site I am working with is very dynamic and that list may be difficult to maintain. I do appreciate the feed back though, and I am going to keep that iRule idea in my back pocket as it may work well for other solutions in the future.

richard_karon · Answer

Another way to say this is that you want the header to be mandatory.  There is a setting under &nbsp;
Security  ››  Application Security : Headers : HTTP Headers  ››  Edit Header&nbsp;
Mandatory to Enabled will say the header must appear in the request&nbsp;

Forum Discussion

Custom Attack Signature to block request with No UA or Referer

Recent Discussions

Client SSL Profile set to Require Client Certificate breaks RDP in APM

TS Declarations for DNS

APM file and registry key date check 8 days old

SSL bridging without SSL proxy forward

Should config via cli rather than gui?

Related Content

Deploy the NGINX Modern Apps Reference Architecture locally

F5 Rules for AWS WAF - Rule ID to Attack Type Reference

attack Signature detected but i can not find keyword inside request

Customized Bot Signature not working

Default Attack Signature Sets

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS