Forum Discussion
regex to iRule conversion - 2
Hi again, I have another rule I would like to get some feedback on please. Here is an abbreviation of the rule:
404
Request Indicates a Security Scanner Scanned the Site
AUTOMATION/SECURITY_SCANNER
%(_DENY)
Here is what I wrote as the iRule that would try to do the same thing:
when HTTP_REQUEST {
    if { ([class match [string tolower [HTTP::header User-Agent]] contains _my_rule_dg])} {
        log local0. "Security Scanner scanned the site."
        HTTP::respond 404 content "If you have reached this page in error, please try again."
        event disable
    }
}
I created the data group _my_rule_dg and entered the security scanners we want to search for. Will the iRule above satisfy what the regex rule is doing? If not, where am I going wrong? Thanks!
5 Replies
- Kevin_Stewart
Employee
I may be missing some context somewhere, but are you expecting the client to send a specific User-Agent header that indicates some form of scanning process?
- Patti_G_72768
Nimbostratus
regex flags="sdeo" regex="(?:\b(?:m(?:ozilla\/4.0 (compatible)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|webinspect|.nasl)" select="REQUEST_HEADERS:User-Agent" transform="lowercase"
404 "Request Indicates a Security Scanner Scanned the Site"
- Patti_G_72768
Nimbostratus
Hi, sorry it looks like I wasn't able to post some of the necessary info. I just posted the abbreviated rule.
Thanks!
- Kevin_Stewart
Employee
I'm sure it'll need some tweaking, but it looks about right. I'm assuming your data group looks something like this:
nessus n-stealth metis pmafind nsauditor nikto black widow brutus bilbo jaascois paros webinspect .nasl
- Patti_G_72768
Nimbostratus
Hi Kevin, yes my data group has those items listed.
thanks for your help!!!!
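
A coverage check for the conversion discussed in this thread, as an added example that is not part of any post: a Python model that runs the posted regex and a substring version of `class match ... contains` over constructed User-Agent strings. The data group entries come from the list in the reply above; treating "black widow" as a single entry, the function names and the sample values are assumptions.

```python
import re

# Pattern as posted in the thread; the rule lowercases the header first.
RULE_REGEX = re.compile(
    r"(?:\b(?:m(?:ozilla\/4.0 (compatible)|etis)|webtrends security analyzer|pmafind)\b"
    r"|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)"
    r"|(?:jaascoi|paro)s|webinspect|.nasl)"
)

# Entries from the data group list in the thread.
# Assumption: "black widow" is one entry, not two.
DATA_GROUP = [
    "nessus", "n-stealth", "metis", "pmafind", "nsauditor", "nikto",
    "black widow", "brutus", "bilbo", "jaascois", "paros", "webinspect", ".nasl",
]

# Constructed User-Agent values, not taken from real traffic.
SAMPLES = [
    "Mozilla/5.0 (Nikto/2.1.6)",
    "BlackWidow",
    "KometIS-Reader/2.0",
    "WebTrends Security Analyzer",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
]


def regex_hit(user_agent):
    """True if the posted regex matches the lowercased header."""
    return RULE_REGEX.search(user_agent.lower()) is not None


def datagroup_hit(user_agent):
    """Model of `class match <lowercased UA> contains <data group>`:
    true if any data group entry is a substring of the header."""
    lowered = user_agent.lower()
    return any(entry in lowered for entry in DATA_GROUP)


def compare(user_agents):
    """Return {user_agent: (regex_hit, datagroup_hit)}."""
    return {ua: (regex_hit(ua), datagroup_hit(ua)) for ua in user_agents}


def disagreements(user_agents):
    """User-Agents on which the two matching methods differ."""
    return [ua for ua, (r, d) in compare(user_agents).items() if r != d]


if __name__ == "__main__":
    for ua, (r, d) in compare(SAMPLES).items():
        print(f"{ua!r:45} regex={r!s:5} datagroup={d!s:5}")
```

The rows that disagree are the ones to review when tuning the data group: the regex's word boundaries and optional space are not expressed by a plain `contains` match, and `webtrends security analyzer` is a regex alternative that is not in the listed entries.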