Forum Discussion
Need to convert a Pandora rule to an iRule
Hi again, I need to convert a rule that is looking to block Pandora/Dirt Jumper attack in ASM. The rule is looking to block the Pandora GET flood attack. So it is looking for the GET method, HTTP/1.0 protocol, a missing Accept header, a user-agent keyword Mozilla and a randomized referer. This is what I came up with:
when HTTP_REQUEST { if {not ([HTTP::header exists Accept]) and ([HTTP::version] equals "1.0") and ([HTTP::header "method"] equals "GET") and ([string tolower [HTTP::header User-Agent]] contains "Mozilla*") and not ([HTTP::header Referer] equals "")} { log local0. "Pandora/Dirt Jumper type 0 1 2 attack." reject } } Would someone be able to take a look at what I tried to write and tell me where I'm going wrong please?
Thank you!
3 Replies
- Kevin_Stewart
Employee
Is this in lieu of ASM?
when HTTP_REQUEST { if { ( [HTTP::method] equals "GET" ) and ( [HTTP::version] equals "1.0" ) and not ( [HTTP::header exists Accept] ) and ( [HTTP::header User-Agent] contains "Mozilla" ) and ( [HTTP::header exists Referer] ) } { log local0. "Possible Pandora/Dirt Jumper type 0 1 2 attack." reject } }The following also suggests a randomized Referer header:
- Patti_G_72768
Nimbostratus
Hi Kevin, thank you very much again!
It is in lieu of ASM actually. Sorry for my mis-statement above. I wasn't able to find where in ASM that I could achieve the same thing.
Do you know if this type of attack is possible to stop in ASM?
Thanks again,
Patti
- Kevin_Stewart
Employee
I don't see anything specific to Pandora/Dirt Jumper in the ASM signatures, but 1) I could be wrong, and 2) it might be listed under something more generic like HTTP Flood, etc.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com