cancel
Showing results for 
Search instead for 
Did you mean: 

Requesting Assist with iRule Please

terri8502
Nimbostratus
Nimbostratus

Hi All,

I have F5LTM version 16.1.2.  I need to make an irule to stop NetSparker from scanning our web servers. I can identify them with the x_scanner variable in the header.  I followed K31914583 which pretty much told me exactly how to make the rule except it was for user-agent. So, I replaced user-agent with X-Scanner and am hoping it will work.  I don't really have a way to test it (no test device and have to wait for them to hit us again) .  I was wondering if anyone could just peek at this iRule and see if they think it is ok? Any help is appreciated!

when HTTP_REQUEST {
if { [class match [HTTP::header "X-SCANNER"] contains Netsparker] } {
drop
}
}

1 ACCEPTED SOLUTION

Mark_van_D
Cirrostratus
Cirrostratus

Hi there,

The K31914583 article assumes that you have created a data group.  In your example above that data group would be called Netsparker.  Also is the header name x-scanner or x_scanner?

Seeing as you are only after one value I would not use the data group.

You can use an irule to do this for you such as below,

when HTTP_REQUEST {
    if { string tolower [HTTP::header "X-Scanner"]] contains "netsparker"] } {
drop
}
}

or you may want to look at using a traffic policy to do this for you, something like this.  You can also include additional actions such as logging to the policy.

Mark_van_D_0-1646785499493.png

Don't forget to apply the irule and/or policy to your VS, make sure you test this before applying to production traffic.

Good luck

Mark

View solution in original post

4 REPLIES 4

Mark_van_D
Cirrostratus
Cirrostratus

Hi there,

The K31914583 article assumes that you have created a data group.  In your example above that data group would be called Netsparker.  Also is the header name x-scanner or x_scanner?

Seeing as you are only after one value I would not use the data group.

You can use an irule to do this for you such as below,

when HTTP_REQUEST {
    if { string tolower [HTTP::header "X-Scanner"]] contains "netsparker"] } {
drop
}
}

or you may want to look at using a traffic policy to do this for you, something like this.  You can also include additional actions such as logging to the policy.

Mark_van_D_0-1646785499493.png

Don't forget to apply the irule and/or policy to your VS, make sure you test this before applying to production traffic.

Good luck

Mark

Hello, this is good info -- be careful with iRule syntax, your IF statement has wrong number of brackets. 

Correct syntax below. 

when HTTP_REQUEST {
    if { [string tolower [HTTP::header "X-Scanner"]] contains "netsparker" } { drop }
}

 

Thank you too! I appreciate your time and review.

Thank you so much! I appreciate the review and new info.