terri8502
Mar 08, 2022

Requesting Assist with iRule Please

Hi All,

I have F5 LTM version 16.1.2. I need to make an iRule to stop NetSparker from scanning our web servers. I can identify them with the x_scanner variable in the header. I followed K31914583, which pretty much told me exactly how to make the rule, except it was for user-agent. So, I replaced user-agent with X-Scanner and am hoping it will work. I don't really have a way to test it (no test device and have to wait for them to hit us again). I was wondering if anyone could just peek at this iRule and see if they think it is OK? Any help is appreciated!

when HTTP_REQUEST {
    if { [class match [HTTP::header "X-SCANNER"] contains Netsparker] } {
        drop
    }
}

  • Hi there,

    The K31914583 article assumes that you have created a data group. In your example above, that data group would be called Netsparker. Also, is the header name x-scanner or x_scanner?

    Seeing as you are only after one value, I would not use the data group.

    You can use an iRule to do this for you, such as below:

    when HTTP_REQUEST {
        if { string tolower [HTTP::header "X-Scanner"]] contains "netsparker"] } {
            drop
        }
    }

    Or you may want to look at using a traffic policy to do this for you, something like this. You can also include additional actions such as logging to the policy.

    Don't forget to apply the iRule and/or policy to your VS, and make sure you test this before applying to production traffic.

    Good luck

    Mark

    • CA_Valli

      Hello, this is good info -- be careful with iRule syntax, your IF statement has the wrong number of brackets.

      Correct syntax below.

      when HTTP_REQUEST {
          if { [string tolower [HTTP::header "X-Scanner"]] contains "netsparker" } { drop }
      }

       

    • terri8502

      Thank you so much! I appreciate the review and new info.
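
Added example, not part of the original thread or of K31914583: an iRule that combines the two approaches discussed above (a data group when one exists, otherwise the single literal value) and logs each blocked request. The data group name `scanner_block_dg`, the log wording and the test address in the comments are assumptions for illustration.

```tcl
# Added example (not from the thread). Assumptions: the header is sent as
# "X-Scanner" (hyphen), and scanner_block_dg is a hypothetical string data
# group whose entries are lowercase substrings such as "netsparker".
when HTTP_REQUEST {
    # Normalise the value once so matching is case-insensitive.
    # A missing header yields an empty string.
    set scanner [string tolower [HTTP::header value "X-Scanner"]]
    if { $scanner eq "" } {
        return
    }

    set blocked 0
    if { [class exists scanner_block_dg] } {
        # Data group form: true when the header value contains any entry.
        if { [class match $scanner contains scanner_block_dg] } {
            set blocked 1
        }
    } elseif { $scanner contains "netsparker" } {
        # Single-value form, as in the corrected iRule in the thread.
        set blocked 1
    }

    if { $blocked } {
        # Log before discarding so there is a record of what was blocked.
        # On a busy virtual server, consider rate-limiting this log line.
        log local0.notice "X-Scanner block: client=[IP::client_addr] host=[HTTP::host] uri=[HTTP::uri]"
        # drop discards the connection silently; reject would send a TCP reset.
        drop
    }
}

# To check the rule without waiting for a real scan, send a request that
# carries the header to a test virtual server (address is a placeholder):
#   curl -sk -H 'X-Scanner: Netsparker' https://<test-vs-address>/
# The request should get no response and one log line should appear in
# /var/log/ltm; the same request without the header should pass normally.
```

The header is set by the scanning client, so this rule only stops scans that announce themselves with it.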