Bad User-Agent Header to be blocked via ASM

Wackitron_36350 · ‎01-Nov-2018

Hi All,

I saw some weird User-Agent on the payloads for requests coming in for one of our Virtual Server.

User-Agent: lge/judyln_lao_com/judyln:8.0.0/OPR1.170623.032/182571210dda2:user/release-keys

We have ASM module in place. Wondering how to block requests that have bad User Agent Header. I know there is a bunch of ways to do it, one is via Irule,and the others via ASM, I am not sure how to achieve it. Enabling Bot Protection might not take care of it, I believe. Could you please suggest the best approach to care of this.

Goal: To block User-Agents like the above one and other bad ones to be blocked.

Thanks in advance

Richard_Karon · ‎30-Dec-2019

K31914583: Blocking HTTP requests with unwanted User-Agent header using an iRule

Ivan_Chernenkii · ‎15-Jan-2020

You can create attack signature for User-Agent header if you know the pattern

iRule · ‎07-Jul-2020

I need to block requests containing user agent Test Certificate Info

While creating custom attack signature which option will work better from the attached snapshot.

Ivan_Chernenkii · ‎07-Jul-2020

I think it would be better to create appropriate Bot Signature (related to Bot Profile) and not Attack Signature (related to ASM policy), because in Bot Signature we have rule like "User Agent Contains ..."

In case of Attack Signature - IMO, "Header" matched element is preferred, but also you can make it more detailed by using regex or string with "Request Content" matched element, like "User-Agent: *Test Certificate Info*" or "User-Agent: Test Certificate Info"

Thanks, Ivan

DevCentral

Bad User-Agent Header to be blocked via ASM

Register For AppWorld 2024

F5 Receives Six Trust Radius
Best of 2023 Awards

F5 XC WAF

F5 BIG-IP

DevCentral

Bad User-Agent Header to be blocked via ASM

Register For AppWorld 2024

F5 Receives Six Trust Radius Best of 2023 Awards

F5 XC WAF

F5 BIG-IP

F5 Receives Six Trust Radius
Best of 2023 Awards