Recently, I implemented a Bot Defense/logging profile in transparent mode, expecting the profile to "learn" from the traffic generated by bots. During the initial "learning mode period," I hoped the profile would perform the following tasks:
Due to the presence of numerous performance testing and stress testing tools that use outdated browsers, we are unable to enable Browser Verification. Will it affect the bullet points above?
When I created the profile, I noticed that it came preloaded with 950 attack signatures specific to bots. However, after a month of continuous traffic, I observed that there were no signatures ready to be enforced, and there were no signatures waiting for traffic samples. Could browser verification settings set to none also be the reason for no signature learning, for we have disabled that feature completely?
I believe this could be because bot signatures are generally static and not as diverse as the advanced (OWASP/MITRE) threats covered by Security Learning and Blocking Settings for policies in F5, and that the actual mitigation comes from Bot Mitigation Settings (Trusted Bot, Untrusted Bot, Suspicious Browser, Malicious Bot, Rate Limiting).
My question is: If I enable CAPTCHA for malicious bots, will the signatures from F5 950 intellectual property be utilized? Is it possible that true learning for these settings only starts when actual blocking is enabled? Or will it be utilized as soon as Bot Mitigation Settings are set to block or challenge at least known signatures?
You can sign up to receive email alerts when new bot signatures are available. You can also set to auto-update (or not). Please see the following:
That would at least help validate the frequency of updates, and if you are missing one.
By default, signatures are staged and log a match. You would need to set them to enforce to actually block.
Hope this helps a bit.