
terri8502
Mar 08, 2022
Solved

Requesting Assist with iRule Please

Hi All,

I have F5 LTM version 16.1.2. I need to make an iRule to stop Netsparker from scanning our web servers. I can identify them with the x_scanner variable in the header. I followed K31914583, which pretty much told me exactly how to make the rule, except it was for User-Agent. So, I replaced User-Agent with X-Scanner and am hoping it will work. I don't really have a way to test it (no test device, and I have to wait for them to hit us again). I was wondering if anyone could just peek at this iRule and see if they think it is OK? Any help is appreciated!

when HTTP_REQUEST {
    if { [class match [HTTP::header "X-SCANNER"] contains Netsparker] } {
        drop
    }
}

4 Replies

  • Hi there,

    The K31914583 article assumes that you have created a data group. In your example above, that data group would be called Netsparker. Also, is the header name x-scanner or x_scanner?

    Seeing as you are only after one value, I would not use the data group.

    You can use an iRule to do this for you, such as the one below:

    when HTTP_REQUEST {
        if { string tolower [HTTP::header "X-Scanner"]] contains "netsparker"] } {
            drop
        }
    }

    Or you may want to look at using a traffic policy to do this for you, something like this. You can also include additional actions, such as logging, in the policy.

    Don't forget to apply the iRule and/or policy to your VS, and make sure you test this before applying it to production traffic.

    Good luck

    Mark

    • CA_Valli

      Hello, this is good info. Be careful with iRule syntax: your IF statement has the wrong number of brackets.

      Correct syntax below. 

      when HTTP_REQUEST {
          if { [string tolower [HTTP::header "X-Scanner"]] contains "netsparker" } { drop }
      }


    • terri8502

      Thank you so much! I appreciate the review and new info.
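The following is an added example, not code posted by anyone in the thread: it takes the corrected IF statement from CA_Valli's reply and adds the pieces Mark mentions but does not show, an existence check on the header, a log line so the rule's firing can be confirmed in /var/log/ltm, and a choice between reject and drop. The header name X-Scanner and the log message wording are assumptions; if the scanner really sends x_scanner (underscore), change the name in both HTTP::header calls.

```tcl
when HTTP_REQUEST {
    # HTTP header names are case-insensitive and so is the HTTP::header lookup,
    # so "X-Scanner" also matches "x-scanner". An underscore ("x_scanner") is a
    # different header name entirely (assumption: the scanner sends X-Scanner).
    if { [HTTP::header exists "X-Scanner"] } {
        # Lowercase the value once so "Netsparker", "NETSPARKER", etc. all match.
        set scanner [string tolower [HTTP::header value "X-Scanner"]]
        if { $scanner contains "netsparker" } {
            # Log the client address and URI so the block can be correlated
            # with the scanner's own report. Message text is an assumption.
            log local0. "Blocked scanner request from [IP::client_addr]: X-Scanner=[HTTP::header value X-Scanner] uri=[HTTP::uri]"
            # reject resets the TCP connection so the scanner sees a fast failure;
            # drop discards the packets silently and the scanner waits for a timeout.
            reject
            return
        }
    }
}
```

To test without waiting for the scanner, attach the iRule to a non-production virtual server and send one request that carries the header, for example `curl -k -o /dev/null -w "%{http_code}\n" -H "X-Scanner: Netsparker" https://<vs-ip>/`, then watch `tail -f /var/log/ltm` for the log line; a request without the header should still reach the pool unchanged. If more than one scanner string is ever needed, the lowercased `$scanner` value can be fed to `class match` against a data group, which is the approach K31914583 describes.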