
How to create Responder to drop request if header contains a specific browser version



Running VPX NS13.0 61.48.nc

 

We have been getting a large amount of malicious attempts originating from random IPs. The one thing they all have in common is "Chrome/86.0.4240.198". Below is a sample from SysLog.

Looking to add a responder to drop any authentication attempt that contains "Chrome/86.0.4240.198".

All actual users are running Chrome 89 or higher so this will not affect them.

 

.......- Client_ip xxx.xxx.xxx.xxx - Failure_reason "External authentication server denied access" - Browser Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36

 

Please help with the correct expression to drop those attempts. 


add responder policy rs_pol_drop_badbrowser 'http.req.header("user-agent").set_text_mode(ignorecase).contains("Chrome/86.0.4240.198")' DROP

 

Or you can use a responder action to redirect if you want an error message other than drop.

 

And to make responder process before AAA, the authentication vserver should have an AAA bind point (I can't find the reference right now and can get details later, if someone doesn't beat me to it) so it will run before the authentication attempt (otherwise responder is after).

 

Are you using a vpn vserver, vpn + AAA, or LB + AAA?

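A way to check, before binding the policy, what the suggested expression would match among logged failures, as an added example that is not part of the original posts. The log lines are constructed from the three fields visible in the question's sample, and the function names are hypothetical.

```python
import re
from collections import Counter

# Substring used by the responder policy in the answer above.
BLOCKED = "Chrome/86.0.4240.198"

# Constructed sample lines: only the Client_ip, Failure_reason and Browser
# fields shown in the question are modelled (documentation IP ranges).
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) {} Safari/537.36"
REASON = '"External authentication server denied access"'
SAMPLE_LINES = [
    f"- Client_ip {ip} - Failure_reason {REASON} - Browser " + UA.format(chrome)
    for ip, chrome in [
        ("203.0.113.10", "Chrome/86.0.4240.198"),
        ("198.51.100.7", "Chrome/86.0.4240.198"),
        ("203.0.113.10", "chrome/86.0.4240.198"),  # case variant
        ("192.0.2.44", "Chrome/89.0.4389.90"),     # newer Chrome, failed login
        ("192.0.2.45", "Chrome/86.0.4240.75"),     # same major, other build
    ]
]

LINE_RE = re.compile(r"Client_ip (?P<ip>\S+) .*? - Browser (?P<ua>.+)$")
CHROME_RE = re.compile(r"Chrome/([\d.]+)", re.IGNORECASE)


def policy_matches(user_agent: str) -> bool:
    """Mirror set_text_mode(ignorecase).contains(...) from the policy."""
    return BLOCKED.lower() in user_agent.lower()


def summarize(lines):
    """Split logged failures into those the policy would drop and the rest."""
    dropped_ips, kept_versions, skipped = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            skipped += 1  # line lacks the fields modelled here
            continue
        if policy_matches(m["ua"]):
            dropped_ips[m["ip"]] += 1
        else:
            v = CHROME_RE.search(m["ua"])
            kept_versions[v.group(1) if v else "non-Chrome"] += 1
    return dropped_ips, kept_versions, skipped


if __name__ == "__main__":
    dropped, kept, skipped = summarize(SAMPLE_LINES)
    print("would be dropped, by source IP:", dict(dropped))
    print("not matched, by Chrome version:", dict(kept))
    print("unparsed lines:", skipped)
```

The "not matched" tally is the part to review: it shows which Chrome builds still reach authentication, so a different 86.x build or a failing legitimate client is visible before the policy goes live.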
