12-11-2012 11:10 PM
I'm getting a lot of bots hitting my site.
Log entries are very similar (except for the source IP):
1.247.32.58 - - [11/Dec/2012:22:57:03 -0800] "POST /?ptrxcz_Ah5qDayLi6TrEbzVtPwSqMtGmJgDa7 HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Can someone give me an example of how I can filter these out based on the "/?ptrxcz..." part? Most of these requests
have this string in them.
100 match http cookie testcookie1 cookie-value ptrxcz?
Do I need a secondary name? I don't quite understand the syntax.
Thanks!
12-12-2012 11:35 AM
class-map type http loadbalance match-all BotMatches
2 match http cookie secondary ptrxcz.* cookie-value ".*" (look for anything preceding a ? in a url that starts with ptrxcz. If it has an =, match any value that follows it.)
policy-map type loadbalance first-match Policy_80
class BotMatches
drop (Send a reset if we match this class)
class class-default
serverfarm Servers
policy-map multi-match Vips
class Vip_80
loadbalance vip inservice
loadbalance policy Policy_80
12-12-2012 02:55 PM
Thanks, Christopher. That doesn't seem to work though.
Does it matter that this is a POST request?
Does the secondary name argument (ptrxcz.*) accept regex? This bot seems to generate random strings that begin with "ptrxcz".
Thanks!
12-12-2012 03:00 PM
Can I get a capture file and the configuration you applied?
Chris
12-12-2012 03:33 PM
Here you go:
policy-map type loadbalance first-match abc.ca.prod.http-l7slb
class abc.ca.http-l7class
drop
class class-default
serverfarm SF_nocms.prod
policy-map multi-match int194-webhosting
class abc.ca.prod.http
loadbalance vip inservice
loadbalance policy abc.ca.prod.http-l7slb
class-map match-all abc.ca.prod.http
2 match virtual-address 111.111.111.167 tcp eq www
class-map type http loadbalance match-all abc.ca.http-l7class
10 match http cookie secondary ptrxcz.* cookie-value ".*"
Here's a bigger snippet of what I see in the logs:
187.244.110.209 - - [12/Dec/2012:15:31:35 -0800] "POST /?ptrxcz_uCVmQegPo4Y4Y3YYoCqB0mj5Ptk8ev HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
87.69.255.148 - - [12/Dec/2012:15:31:35 -0800] "POST /?ptrxcz_MMMMMMMMMMMMMNNNNNNNNNNNNNNNNN HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
180.246.22.189 - - [12/Dec/2012:15:31:36 -0800] "POST /?ptrxcz_555555566666666666667777777777 HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.137.39.236 - - [12/Dec/2012:15:31:36 -0800] "POST /?ptrxcz_pppqqqqqqqrrrrrrrssssssstttttu HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.127.8.98 - - [12/Dec/2012:15:31:36 -0800] "POST /?ptrxcz_WXXXXXXXYYYYYYYYYYYZZZZZZZZZZZ HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Thanks again.
12-13-2012 03:31 PM
Ok... Apparently, I unknowingly lied.
You can put a wildcard match in the cookie value like this:
ACE4710-ESC1/Admin(config-cmap-http-lb)# match http cookie secondary xyz cookie-value .*
Which will match /index.html?xyz=
However... if you try this:
ACE4710-ESC1/Admin(config-cmap-http-lb)# match http cookie secondary xyz.* cookie-value .*
We will match /index.html?xyz.*=
The .* is a literal. I poked around in the bug database and found CSCsu67264 which was an enhancement request to allow wildcard names for secondary cookies (filed on A3(1.0) code.) It is still in a "New" state, with no updates which means there were not enough customers that required the feature to code it. We are out of luck....
Chris
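The following Python script is an added example, not code from this thread or from Cisco. It models two things the thread discusses: how a "secondary cookie" match reads the query string (the token before "=" is the name, the token after it is the value) and Chris's finding that the secondary cookie name is compared literally while only the cookie-value is a regex. It then runs the check the original poster actually wanted (a regex on the parameter name) over constructed log lines in the same combined-log shape as the ones posted, so you can see why `ptrxcz.*` as a name matches nothing and how a name-prefix check flags the bot requests per source IP. The emulation of the load balancer's matching is an assumption based on Chris's description, not a reproduction of the device's code.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in the combined-log shape of the thread's entries.
# Source addresses are from documentation ranges; the query strings mirror the posted ones.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2012:15:31:35 -0800] "POST /?ptrxcz_uCVmQegPo4Y4Y3YYoCqB0mj5Ptk8ev HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.11 - - [12/Dec/2012:15:31:35 -0800] "POST /?ptrxcz_MMMMMMMMMMMMMNNNNNNNNNNNNNNNNN HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.12 - - [12/Dec/2012:15:31:36 -0800] "GET /index.html?xyz=1 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Dec/2012:15:31:36 -0800] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Dec/2012:15:31:37 -0800] "POST /?ptrxcz_555555566666666666667777777777 HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

# Combined log format: ip ident user [timestamp] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-log lines into dicts; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def query_params(target):
    """Split the request target's query string into (name, value) pairs the way a
    secondary cookie is read: the token before '=' is the name, the token after it
    the value; a token with no '=' at all is a name with an empty value."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def secondary_cookie_matches(target, name, value_regex):
    """Emulate 'match http cookie secondary <name> cookie-value <regex>' as the thread
    found it to behave (assumption): the name is compared literally, the value is a regex."""
    return any(k == name and re.fullmatch(value_regex, v) is not None
               for k, v in query_params(target))


def query_name_matches(target, name_regex):
    """The check the poster wanted: a regex applied to the parameter name itself."""
    return any(re.fullmatch(name_regex, k) is not None for k, _ in query_params(target))


def flag_bot_requests(text, name_regex=r"ptrxcz_.*"):
    """Return (flagged records, hits per source IP) for lines whose query name matches."""
    flagged = [r for r in parse_log(text) if query_name_matches(r["target"], name_regex)]
    return flagged, Counter(r["ip"] for r in flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # The literal-name behaviour: 'ptrxcz.*' never equals a real parameter name.
    literal_hits = sum(secondary_cookie_matches(r["target"], "ptrxcz.*", ".*") for r in recs)
    flagged, by_ip = flag_bot_requests(SAMPLE_LOG)
    print(f"{len(recs)} lines parsed; literal-name hits: {literal_hits}; name-regex hits: {len(flagged)}")
    for ip, n in by_ip.most_common():
        print(f"{ip}\t{n}")
```

Run it as a script against a saved access log (replace `SAMPLE_LOG` with the file contents) to count how many requests carry a `ptrxcz_` parameter name and which sources send them; the per-IP counter is what you would feed into a blocklist or alert, whatever device ends up doing the filtering.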