I'm not sure if this is possible, but I have a situation where I'm trying to identify an attacker who is constantly screen scraping my website. The challenge is that the attacker's traffic is first sent to a CDM so the source IP is modified before it gets to me. The CDM inserts a response header (X-Client-IP) into the HTTP request containg the the source address of the attacker.
attacker <-> CDM <-> my web server
How would I (or is it even possible) create a custom sig to look at the incoming response header "X-Client-IP" to identify 20 hits from the same attacker in 1 minute? The attackers address could change at any time, so I can't hard code his IP in the signature's "request regex" variable. I need the system to keep track of all incoming request headers and identify anyone who trips the 20 hit limit.
To answer your first question, you could create a service-http signature on header-regex of:
(with perhaps [0-9]+\x2e[0-9]+\x2e[0-9]+\x2e[0-9] for IPv4 addresses).
As for the changing IP addresses, I don't know of any way to handle that within the regex. However, if the X-Client-IP address is within a certain range (ie, class C/B), you could include that in the regex above).
You might be able to do a suitable alert with event management software, however, I don't know of any way of doing exactly what you want with a single signature (though I may be wrong and it may be possible).
I have some questions which may help with writing a suitable signature though:
How different is the IP addresses used in X-Client-IP?
Have you tested if the CDM passes on the clients X-Client-IP header (if specified), or if it replaces the header completely (or possibly inserts an additional header).
If the client's X-Client-IP header is honoured, then the client might be inserting random IP addresses to try and trick software using X-Client-IP.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...