Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Block dirb scanner

Hamid20n
Altocumulus
Altocumulus

‎03-Apr-2022 12:48

how can i block Dirb scan( web contetnt scanner) in ASM or LTM ?!

Labels:
0 Kudos
5 REPLIES 5

Lidev
MVP
MVP

‎04-Apr-2022 01:24

Hi Hamid,
On ASM,  have you try to enforce all the Attack Signatures Type "Vulnerability Scan"  ?
Regards

0 Kudos

Hamid20n
Altocumulus
Altocumulus
In response to Lidev

‎04-Apr-2022 02:18

i have enforce all Attack Signatures in Learning and Blocking Settings .

0 Kudos

Lidev
MVP
MVP
In response to Hamid20n

‎04-Apr-2022 02:55

Does F5 BIG-P now block the Dirb scan ?

0 Kudos

Hamid20n
Altocumulus
Altocumulus
In response to Lidev

‎05-Apr-2022 13:23

Unfortunately No!!!!!!

0 Kudos

Ismael_Goncalves
F5 Employee
F5 Employee

‎05-Apr-2022 16:45

Hi @Hamid20n ,

Dirb Scan, according to its manual page is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analizing the response.

There are a couple of options to deal with this:

1) It's default User-Agent is "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1". This looks like an IE 6 User-Agent. Of course, this is easily bypassed by an attacker by just changing the UA. However, you could quickly craft a custom signature to match that like the following (watch out for false positives):

Ismael_Goncalves_0-1649201683569.png

2) This scanner will brute-force for files and directories. You configure allowed URLs and allowed File Types as well as Disallowed File Types. This would reduce the activity of the scanner.  

3) Configure Bot Defense Protection . This would be a more compreensive approach and would catch other bots as well (at the end, Dirb is a bot :))

4) Configure Session Tracking per IP, this way once an attack IP hits X violations during a certain time frame WAF will block the attack IP for a desired amount of time. 

My 2 cents.

 

Copyright © 2023 Khoros, LLC