Forum Discussion

Hamid20n
Apr 03, 2022

Block dirb scanner

How can I block Dirb scan (web content scanner) in ASM or LTM?!

5 Replies

  • Hi Hamid20n ,

    Dirb Scan, according to its manual page, is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary-based attack against a web server and analyzing the response.

    There are a couple of options to deal with this:

    1) Its default User-Agent is "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1". This looks like an IE 6 User-Agent. Of course, this is easily bypassed by an attacker by just changing the UA. However, you could quickly craft a custom signature to match that like the following (watch out for false positives):

    2) This scanner will brute-force for files and directories. You configure allowed URLs and allowed File Types as well as Disallowed File Types. This would reduce the activity of the scanner.  

    3) Configure Bot Defense Protection. This would be a more comprehensive approach and would catch other bots as well (at the end, Dirb is a bot :))

    4) Configure Session Tracking per IP, this way once an attack IP hits X violations during a certain time frame WAF will block the attack IP for a desired amount of time. 

    My 2 cents.
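
An added example (not part of the reply above and not F5-supplied code) of how options 1 and 4 could be approximated on LTM with an iRule: it logs the default User-Agent quoted above and temporarily blocks a client IP that draws too many 404 responses in a short window. The thresholds, the subtable names `scan_404` and `scan_blocked`, and the 403 response are assumptions to tune per application.

```tcl
# Added example: thresholds and subtable names are assumptions, tune per application.
when RULE_INIT {
    set static::dirb_ua  "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
    set static::max_404  20    ;# 404 responses tolerated per window
    set static::window   10    ;# counting window in seconds
    set static::block    600   ;# block duration in seconds
}

when HTTP_REQUEST {
    set client [IP::client_addr]

    # Option 4: refuse clients that already crossed the threshold.
    if { [table lookup -notouch -subtable scan_blocked $client] ne "" } {
        HTTP::respond 403 content "Forbidden"
        return
    }

    # Option 1: default Dirb User-Agent. It is trivially changed by the client
    # and may match legacy browsers, so log first and block only after review.
    if { [HTTP::header value "User-Agent"] starts_with $static::dirb_ua } {
        log local0.warning "Dirb default UA from ${client}, URI [HTTP::uri]"
    }
}

when HTTP_RESPONSE {
    # A dictionary-based scan shows up as a burst of 404s from one source.
    if { [HTTP::status] == 404 } {
        set hits [table incr -subtable scan_404 $client]
        if { $hits == 1 } {
            # Bound the counter to one window measured from the first 404.
            table timeout  -subtable scan_404 $client $static::window
            table lifetime -subtable scan_404 $client $static::window
        }
        if { $hits > $static::max_404 } {
            # Block entry expires on its own after static::block seconds.
            table set -subtable scan_blocked $client 1 $static::block $static::block
            table delete -subtable scan_404 $client
            log local0.warning "Blocked ${client}: ${hits} 404s within ${static::window}s"
        }
    }
}
```

Clients behind a shared NAT or proxy share one counter, so review the 404 rate of normal traffic before choosing the threshold.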

     

  • Hi Hamid,
    On ASM, have you tried to enforce all the Attack Signatures Type "Vulnerability Scan"?
    Regards

    • Hamid20n

      I have enforced all Attack Signatures in Learning and Blocking Settings.