Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Bot Signature based on the referer header

Go to solution
marta_sl
Nimbostratus
Nimbostratus

‎12-Sep-2023 01:35 - edited ‎12-Sep-2023 01:36

Hi,

Can we create a bot signature based on the "referer" header? Many requests that we receive in a Virtual Server (VS) are legitimate, but they are categorized as "Suspicious Browser." We would like to distinguish them if they have a specific referer.

Thanks!

 

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Nikoolayy1
MVP
MVP

‎12-Sep-2023 05:25 - edited ‎12-Sep-2023 05:53

Better try irule to change the action as ASM WAFsignatures can use any header/cookie or body but not BOT signatures that are only based on User-Agent.

 

Example:

when BOTDEFENSE_ACTION {
     if {[HTTP::header value Referer] contains "www.example.com"} {
         log local0. "bypassing enforcement for [HTTP::header value Referer]"
         set res [BOTDEFENSE::action allow]
         log local0. "set action to allow, result \"$res\""
         log local0. "resulting action [BOTDEFENSE::action] reason \"[BOTDEFENSE::reason]\""
     }
 }

https://clouddocs.f5.com/api/irules/BOTDEFENSE_ACTION.html 

 

 

You can add if statement to trigger the allow only for a specific bot name https://clouddocs.f5.com/api/irules/BOTDEFENSE__bot_name.html

 

 

 

Example:

when BOTDEFENSE_ACTION {
     if {([HTTP::header value Referer] contains "www.example.com") && ([BOTDEFENSE::bot_name] contains "Bad Bot")} {
         log local0. "bypassing enforcement for [HTTP::header value Referer]"
         set res [BOTDEFENSE::action allow]
         log local0. "set action to allow, result \"$res\""
         log local0. "resulting action [BOTDEFENSE::action] reason \"[BOTDEFENSE::reason]\""
     }
 }

 

 

Edit:

 

The example shows  set res [BOTDEFENSE::action allow] but maybe it is wrong and you need just to do the command [BOTDEFENSE::action allow]

View solution in original post

0 Kudos
2 REPLIES 2

Go to solution
Nikoolayy1
MVP
MVP

‎12-Sep-2023 05:25 - edited ‎12-Sep-2023 05:53

Better try irule to change the action as ASM WAFsignatures can use any header/cookie or body but not BOT signatures that are only based on User-Agent.

 

Example:

when BOTDEFENSE_ACTION {
     if {[HTTP::header value Referer] contains "www.example.com"} {
         log local0. "bypassing enforcement for [HTTP::header value Referer]"
         set res [BOTDEFENSE::action allow]
         log local0. "set action to allow, result \"$res\""
         log local0. "resulting action [BOTDEFENSE::action] reason \"[BOTDEFENSE::reason]\""
     }
 }

https://clouddocs.f5.com/api/irules/BOTDEFENSE_ACTION.html 

 

 

You can add if statement to trigger the allow only for a specific bot name https://clouddocs.f5.com/api/irules/BOTDEFENSE__bot_name.html

 

 

 

Example:

when BOTDEFENSE_ACTION {
     if {([HTTP::header value Referer] contains "www.example.com") && ([BOTDEFENSE::bot_name] contains "Bad Bot")} {
         log local0. "bypassing enforcement for [HTTP::header value Referer]"
         set res [BOTDEFENSE::action allow]
         log local0. "set action to allow, result \"$res\""
         log local0. "resulting action [BOTDEFENSE::action] reason \"[BOTDEFENSE::reason]\""
     }
 }

 

 

Edit:

 

The example shows  set res [BOTDEFENSE::action allow] but maybe it is wrong and you need just to do the command [BOTDEFENSE::action allow]

0 Kudos

Go to solution
marta_sl
Nimbostratus
Nimbostratus

‎13-Sep-2023 06:45

Thank you very much! it works!

0 Kudos
Copyright © 2023 Khoros, LLC