Patti_G_72768
Oct 29, 2013

Need to convert a Pandora rule to an iRule

Hi again, I need to convert a rule that is looking to block Pandora/Dirt Jumper attack in ASM. The rule is looking to block the Pandora GET flood attack. So it is looking for the GET method, HTTP/1.0 protocol, a missing Accept header, a user-agent keyword Mozilla and a randomized referer. This is what I came up with:

    when HTTP_REQUEST {
        if { not ([HTTP::header exists Accept]) and ([HTTP::version] equals "1.0") and ([HTTP::header "method"] equals "GET") and ([string tolower [HTTP::header User-Agent]] contains "Mozilla*") and not ([HTTP::header Referer] equals "") } {
            log local0. "Pandora/Dirt Jumper type 0 1 2 attack."
            reject
        }
    }

Would someone be able to take a look at what I tried to write and tell me where I'm going wrong please?

Thank you!


  • Is this in lieu of ASM?

    when HTTP_REQUEST {
        if { ( [HTTP::method] equals "GET" ) and ( [HTTP::version] equals "1.0" ) and not ( [HTTP::header exists Accept] ) and ( [HTTP::header User-Agent] contains "Mozilla" ) and ( [HTTP::header exists Referer] ) } {
            log local0. "Possible Pandora/Dirt Jumper type 0 1 2 attack."
            reject
        }
    }
    

    The following also suggests a randomized Referer header:

    http://www.prolexic.com/kcresources/prolexic-threat-advisories/Prolexic-Threat-Advisory-PANDORA_08.08.12/threat-advisory-pandora_i.html
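To see the corrected conditions operate on concrete traffic, here is an added example in Python that is not part of this thread and not F5 code (the real check runs as a Tcl iRule on the BIG-IP). It parses a raw request head and applies the same five tests Kevin's iRule uses (GET, HTTP/1.0, no Accept header, "Mozilla" in the User-Agent, a Referer present) to three constructed request samples. It also reproduces the User-Agent test from the original post to show why it can never match: `string tolower` lower-cases the header and `contains` is a plain substring test, so the literal "Mozilla*" (capital M plus an asterisk) is never found. The request heads, hostnames and User-Agent strings are constructed for the example, not captured traffic.

```python
"""Model of the Pandora/Dirt Jumper GET-flood fingerprint discussed in the thread.

Added example, not code from the thread or from F5: the real check runs as an
iRule (Tcl) on the BIG-IP; this reproduces the same decision logic in Python so
it can be exercised against sample request heads offline.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str                     # "1.0" / "1.1", like [HTTP::version]
    headers: Dict[str, str] = field(default_factory=dict)  # names lower-cased

    def header(self, name: str) -> Optional[str]:
        """Return a header value, or None when absent ([HTTP::header exists] false)."""
        return self.headers.get(name.lower())


def parse_request(raw: bytes) -> HttpRequest:
    """Parse the request line and headers of a raw HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, proto = request_line.split(" ", 2)
    if not proto.startswith("HTTP/"):
        raise ValueError("not an HTTP/1.x request line: %r" % request_line)
    headers: Dict[str, str] = {}
    for line in header_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, proto[len("HTTP/"):], headers)


def matches_pandora_fingerprint(req: HttpRequest) -> bool:
    """The five conditions of the corrected iRule, evaluated together."""
    user_agent = req.header("User-Agent") or ""
    return (
        req.method == "GET"
        and req.version == "1.0"
        and req.header("Accept") is None          # not [HTTP::header exists Accept]
        and "Mozilla" in user_agent               # contains "Mozilla" (case-sensitive)
        and req.header("Referer") is not None     # [HTTP::header exists Referer]
    )


def ua_check_as_posted(user_agent: str) -> bool:
    """The User-Agent test from the original post: lower-case the header, then
    look for the literal substring "Mozilla*". Because 'contains' is a plain
    substring test and the header has been lower-cased, this is never true."""
    return "Mozilla*" in user_agent.lower()


def decide(raw: bytes) -> str:
    """Map the fingerprint onto the iRule's action: 'reject' or 'allow'."""
    return "reject" if matches_pandora_fingerprint(parse_request(raw)) else "allow"


# Constructed sample request heads (not captured traffic).
PANDORA_LIKE = (
    b"GET / HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Referer: http://www.example.com/x7Qk2pL\r\n"      # randomized path
    b"\r\n"
)
BROWSER = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/24.0\r\n"
    b"Accept: text/html,application/xhtml+xml\r\n"
    b"Referer: http://www.example.com/\r\n"
    b"\r\n"
)
OLD_CLIENT = (                       # legitimate HTTP/1.0 client that sends Accept
    b"GET /robots.txt HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/3.0 (compatible; oldfetch/1.2)\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in [("pandora-like", PANDORA_LIKE), ("browser", BROWSER), ("old-client", OLD_CLIENT)]:
        print(f"{label:13s} -> {decide(raw)}")
    print("posted UA test on a Mozilla UA:", ua_check_as_posted("Mozilla/4.0 (compatible; MSIE 6.0)"))
```

The third sample shows why the conditions are combined rather than used singly: an old but legitimate HTTP/1.0 client that sends an Accept header is allowed, while only the request that satisfies all five tests is rejected. Logging before rejecting, as both iRule versions do, is what lets you review hits before trusting the fingerprint.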

  • Hi Kevin, thank you very much again!

    It is in lieu of ASM actually. Sorry for my misstatement above. I wasn't able to find where in ASM I could achieve the same thing.

    Do you know if this type of attack is possible to stop in ASM?

    Thanks again,

    Patti


    • Kevin_Stewart
      I don't see anything specific to Pandora/Dirt Jumper in the ASM signatures, but 1) I could be wrong, and 2) it might be listed under something more generic like HTTP Flood, etc.