F5 ASM | Bot Signature

Question

Hi!I need to create a signature based in more than one header in the request payload. I see some articles about the bot signatures and if i understand correctly the signature only work for the User-agent header... this is correct?&nbsp;My signature need to be created based in other headers regarding the User-agent.ThanksTP

jeffrey_granier · Answer

Hi TP,
&nbsp;
Yes you are correct the limitation is stated in the KB article below:
Bot signatures are developed using Snort syntax to search for bots in either the User-Agent field of the header or the URL, or both.&nbsp;
Writing Custom Bot Signatures,Writing Custom Bot Signatures,Writing Custom Bot Signatures,Writing Custom Bot Signatures (f5.com)

daniel_wolf · Answer

Hi&nbsp;tpimpao,
seems you are right. Testing with 16.1 and 17.1 the "Advanced Mode" only allows the following tags:

headercontent (cannot be used without useragentonly)
uricontent

Other options and modifiers (as documented in&nbsp;https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-attack-and-bot-signatures-14-1-0/signature-syntax.html) do not work.Please read also:&nbsp;BIG-IP Application Security Manager: Attack and Bot Signatures &gt; Writing Custom Bot Signatures&nbsp;
You could write an iRule, that will check for multiple headers or others attributes of the HTTP request and then block the request.
KR,Daniel&nbsp;

tpimpao · Answer

Thanks!&nbsp;

Forum Discussion

F5 ASM | Bot Signature

Recent Discussions

MAC address of deleted VS IP address still responsive

Different common name ssl acces 403 forbiddent

dynamic signature detection

DNS HM Probe issue

F5 looses the token for the first call

Related Content

BoT Defense Profile, Signature Enforcement

Bot Management Strategy - Defense against malicious bots with F5 Distributed Cloud Bot Defense

Customized Bot Signature not working

Proactive Bot Defense Bypass by Bot Signature

F5 AWAF/ASM Bot protection custom signature does not allow the traffic

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS