Block dirb scanner

Hamid20n
Altocumulus

How can I block Dirb scan (web content scanner) in ASM or LTM?!

5 REPLIES

Lidev
MVP

Hi Hamid,
On ASM, have you tried to enforce all the Attack Signatures of type "Vulnerability Scan"?
Regards

I have enforced all Attack Signatures in Learning and Blocking Settings.

Does F5 BIG-IP now block the Dirb scan?

Unfortunately No!!!!!!

Ismael_Goncalves
F5 Employee

Hi @Hamid20n ,

Dirb Scan, according to its manual page, is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary-based attack against a web server and analyzing the response.

There are a couple of options to deal with this:

1) Its default User-Agent is "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1". This looks like an IE 6 User-Agent. Of course, this is easily bypassed by an attacker by just changing the UA. However, you could quickly craft a custom signature to match that like the following (watch out for false positives):

[Screenshot of the custom signature: Ismael_Goncalves_0-1649201683569.png]

2) This scanner will brute-force for files and directories. You configure allowed URLs and allowed File Types as well as Disallowed File Types. This would reduce the activity of the scanner.  

3) Configure Bot Defense Protection. This would be a more comprehensive approach and would catch other bots as well (at the end, Dirb is a bot :))

4) Configure Session Tracking per IP, this way once an attack IP hits X violations during a certain time frame WAF will block the attack IP for a desired amount of time. 

My 2 cents.
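
The per-IP violation tracking described in option 4, modelled as an added Python example that is not part of the thread and is not F5 configuration or code. The class name, the thresholds, and the choice to count a 404 or the quoted default Dirb User-Agent as a violation are assumptions made for illustration; the sample traffic is constructed.

```python
from collections import defaultdict, deque

# Default Dirb User-Agent as quoted in the post; an attacker can change it.
DIRB_DEFAULT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"

class ViolationTracker:
    """Block an IP for block_s seconds after max_violations within window_s seconds."""

    def __init__(self, max_violations=5, window_s=60, block_s=600):
        self.max_violations = max_violations
        self.window_s = window_s
        self.block_s = block_s
        self.hits = defaultdict(deque)   # ip -> timestamps of recent violations
        self.blocked_until = {}          # ip -> time at which the block expires

    def is_violation(self, status, user_agent):
        # Assumed policy: a 404 (dictionary miss) or the default Dirb UA counts.
        return status == 404 or user_agent.startswith(DIRB_DEFAULT_UA)

    def observe(self, ts, ip, status, user_agent):
        """Return 'blocked' or 'allowed' for one request seen at time ts."""
        if self.blocked_until.get(ip, 0) > ts:
            return "blocked"
        self.blocked_until.pop(ip, None)              # any earlier block has expired
        if self.is_violation(status, user_agent):
            window = self.hits[ip]
            window.append(ts)
            while window and window[0] <= ts - self.window_s:
                window.popleft()                      # drop violations outside the window
            if len(window) >= self.max_violations:
                self.blocked_until[ip] = ts + self.block_s
                window.clear()
                return "blocked"                      # the request that hits the limit is blocked too
        return "allowed"

def replay(events, **settings):
    tracker = ViolationTracker(**settings)
    return [tracker.observe(*event) for event in events]

# Constructed sample traffic: (seconds, client IP, HTTP status, User-Agent)
SAMPLE = [
    (0, "203.0.113.7", 404, "ExampleScanner/1.0"),
    (1, "203.0.113.7", 404, "ExampleScanner/1.0"),
    (2, "198.51.100.4", 200, "Mozilla/5.0 (X11; Linux x86_64)"),
    (3, "203.0.113.7", 404, "ExampleScanner/1.0"),   # third violation in 10 s
    (4, "203.0.113.7", 200, "ExampleScanner/1.0"),   # still inside the block period
    (5, "198.51.100.4", 404, "Mozilla/5.0 (X11; Linux x86_64)"),
    (40, "203.0.113.7", 200, "ExampleScanner/1.0"),  # block has expired
]
```

Counting 404s per source catches the scanner even after it changes its User-Agent, while a single mistyped URL from a normal client stays well under the threshold.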