Requesting Assist with iRule Please
Hi All,
I have F5LTM version 16.1.2. I need to make an irule to stop NetSparker from scanning our web servers. I can identify them with the x_scanner variable in the header. I followed K31914583 which pretty much told me exactly how to make the rule except it was for user-agent. So, I replaced user-agent with X-Scanner and am hoping it will work. I don't really have a way to test it (no test device and have to wait for them to hit us again) . I was wondering if anyone could just peek at this iRule and see if they think it is ok? Any help is appreciated!
when HTTP_REQUEST {
if { [class match [HTTP::header "X-SCANNER"] contains Netsparker] } {
drop
}
}
Hi there,
The K31914583 article assumes that you have created a data group. In your example above that data group would be called Netsparker. Also is the header name x-scanner or x_scanner?
Seeing as you are only after one value I would not use the data group.
You can use an irule to do this for you such as below,
when HTTP_REQUEST { if { string tolower [HTTP::header "X-Scanner"]] contains "netsparker"] } { drop } }
or you may want to look at using a traffic policy to do this for you, something like this. You can also include additional actions such as logging to the policy.
Don't forget to apply the irule and/or policy to your VS, make sure you test this before applying to production traffic.
Good luck
Mark