Forum Discussion

Nikoolayy1's avatar
Jan 25, 2022

Do F5 Shape security instert HTTP header showing the Bot name, category etc. of the HTTP traffic?

I want to be able to use the F5 Splunk logging irule to also send an HTTP header containing Bot name, bot category etc.  that Shape thinks it is the bot generating the traffic, if that is possible.

 

https://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup

  • So a basic answer would be, no - since Shape isn't primarily based on Bot Signatures but rather, looking for behaviors, it does not return that information. That said, there is a header labelled "Inference" that will provide the following:

    - Token Missing (JavaScript didn't execute) - the Shape headers aren't present, likely because of scripted attempts / non-browser environment
    - Invalid Token / AI Payload Missing / AI Payload Invalid - (Shape headers were removed, or manipulated) - indicates tampering
    - Rate Limit Exceeded / Token Denylisted - Transactions with same Shape header(s) being replayed
    - Attack Inference - Spoofing or automated tools
    - Threat Intelligence - Rules based on TACTICS threat package that are firing. Most often, they are 'control-block' (read: advanced rate limiting usually based on a combination of Layer 7 things)

    If the traffic was definitely something like a known QA, it would fall under Threat Intelligence but wouldn't have much further than that detail.

    These are just some general details, however. Depending on more implementation information, there could be different ways to go about this so it might be best to get with your local F5 Shape SE and see if this is the best way to approach your desired outcome.

  • So a basic answer would be, no - since Shape isn't primarily based on Bot Signatures but rather, looking for behaviors, it does not return that information. That said, there is a header labelled "Inference" that will provide the following:

    - Token Missing (JavaScript didn't execute) - the Shape headers aren't present, likely because of scripted attempts / non-browser environment
    - Invalid Token / AI Payload Missing / AI Payload Invalid - (Shape headers were removed, or manipulated) - indicates tampering
    - Rate Limit Exceeded / Token Denylisted - Transactions with same Shape header(s) being replayed
    - Attack Inference - Spoofing or automated tools
    - Threat Intelligence - Rules based on TACTICS threat package that are firing. Most often, they are 'control-block' (read: advanced rate limiting usually based on a combination of Layer 7 things)

    If the traffic was definitely something like a known QA, it would fall under Threat Intelligence but wouldn't have much further than that detail.

    These are just some general details, however. Depending on more implementation information, there could be different ways to go about this so it might be best to get with your local F5 Shape SE and see if this is the best way to approach your desired outcome.