Proactive Bot Defense Bypass by Bot Signature

Problem this snippet solves:

This code enables you to bypass Proactive Bot Defense for a specific bot signature.

Caution: If the signature is simple, an attacker may easily guess it and craft a request that matches it, bypassing Proactive Bot Defense while this iRule is in place. For this reason, another bypass solution is recommended where possible. You can bypass Proactive Bot Defense without this iRule by setting a benign category to "Report" and ensuring that the signature has a reverse DNS lookup in place. This validates the source in addition to other factors such as the User-Agent.

How to use this snippet:

Add this iRule to the virtual server that is protected by Proactive Bot Defense and Bot Signatures. Replace the example "curl" in the code with the signature you want to bypass. The signature's category must be set to report or block for this to take effect. Tested on v13.1.

Code:

when BOTDEFENSE_ACTION {
  #log local0. "signature: [BOTDEFENSE::bot_signature]"
  if { [BOTDEFENSE::bot_signature] ends_with "curl"} {
    BOTDEFENSE::action allow
  }
}
Published May 30, 2018
Version 1.0
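
Following the caution above, a variant of the iRule that also checks the client address, so that a request which only imitates the signature does not get the bypass. This is an added example, not part of the original snippet; the data group name trusted_curl_sources is hypothetical, and the example assumes IP::client_addr can be read in the BOTDEFENSE_ACTION event.

```tcl
# Added example: hardened variant of the bypass iRule.
# Assumption: "trusted_curl_sources" is a hypothetical address-type data group
# that you create and populate with the IPs/subnets allowed to use the bypass.
when BOTDEFENSE_ACTION {
  if { [BOTDEFENSE::bot_signature] ends_with "curl" } {
    if { [class match [IP::client_addr] equals trusted_curl_sources] } {
      # Signature and source address both match: skip Proactive Bot Defense.
      BOTDEFENSE::action allow
    } else {
      # Signature matched from an unlisted source: keep the configured
      # action (report or block) and record the request for review.
      log local0. "bypass refused: signature=[BOTDEFENSE::bot_signature] src=[IP::client_addr]"
    }
  }
}
```

The log line gives you a record of requests that present the bypassed signature from an address outside the data group.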


1 Comment

  • Great article! It seems that making a custom category in the Trusted Bot Class and making a custom signature for a specific URL to allow curl still I am being blocked for example when using curl, so your code seems the only way forward except for stopping (setting it to Alarm or None with exception) the "curl" signature for the entire bot protection.