Bot signatures identify web robots by looking for specific patterns in the headers of incoming HTTP requests. DoS Layer 7 bot detection includes many signatures that identify bots, and you can also write your own for customized bot defense.
Bot signatures carefully identify bots and have a low rate of producing false positive results. The signatures identify the type of bot for classification and investigative purposes, and can distinguish between benign and malicious bots.
Benign bots provide useful Internet services; examples are search engine bots, index crawlers, site monitors, and bots used to establish availability and response time. Some environments may not want to block benign bot traffic. Attackers, however, use malicious bots for harmful purposes such as harvesting email addresses, producing spam, and developing exploitation tools. You may want to block malicious bots because they can orchestrate DoS attacks, waste Internet resources, and search for vulnerabilities to exploit in your application.
Being able to classify bots allows you to treat them differently. You can report, block, or do nothing when a signature matches a malicious or benign bot. Further, malicious and benign bots fall into more specific bot signature categories that can be handled as needed. You can create new categories if needed for custom bot signatures.
Bot signatures are developed using Snort syntax to search for bots in either the User-Agent field of the header or the URL, or both. The User-Agent field is examined to identify the browser and operating system. The URL is searched to locate bots that access specific peculiar URLs within a site, regardless of whether the site has such a URL (in most cases it does not).
The syntax of bot signatures is similar to that of attack signatures using the general format keyword: "value"; modifier; but bot signatures can include only the following attributes:
The following are not allowed in bot signatures:
Refer to the Signature Options, Signature Syntax, and examples for additional details on the syntax used in bot signatures.
To develop more complex bot signatures, use the Advanced Edit Mode to type expressions using Snort control. Refer to the Signature Options and Signature Syntax sections for details. Refer to Bot signature syntax for special limitations when writing bot signatures.
As an example, this signature searches the User-Agent header for three terms: FOO, BAR, and a specific hexadecimal value.
headercontent:"FOO"; useragentonly; nocase; headercontent:"BAR"; useragentonly; nocase; headercontent:"0x31303235343830303522"; useragentonly; nocase;
In this example, the bot signature searches both User-Agent and the URL:
headercontent: "MaliciousBot/0.1"; useragentonly; uricontent: "/settings.php";
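The sketch below is an added example, not product code: it parses only the keywords and modifiers that appear in the two signatures above and evaluates them against constructed requests, so you can check a custom signature for misses and false positives before deploying it. It assumes that all terms are ANDed, that headercontent is a substring match on the User-Agent value, that uricontent is a substring match on the URL, and that matching is case-sensitive unless nocase is given.

```python
import re

# One term of a signature: either  keyword: "value";  or a bare  modifier;
TERM = re.compile(r'\s*(\w+)\s*(?::\s*"([^"]*)")?\s*;')
KEYWORDS = {"headercontent", "uricontent"}
MODIFIERS = {"useragentonly", "nocase"}

def parse_signature(text):
    """Parse a signature into a list of (keyword, value, modifiers) rules."""
    rules, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TERM.match(text, pos)
        if not m:
            raise ValueError(f"syntax error at offset {pos}")
        name, value = m.groups()
        if value is not None and name in KEYWORDS:
            rules.append((name, value, set()))
        elif value is None and name in MODIFIERS and rules:
            rules[-1][2].add(name)   # a modifier applies to the preceding keyword
        else:
            raise ValueError(f"unexpected term: {name}")
        pos = m.end()
    return rules

def matches(rules, user_agent, url):
    """True when every rule matches; rules are ANDed (assumption)."""
    for keyword, value, modifiers in rules:
        # Assumption: headercontent is checked against User-Agent only,
        # uricontent against the request URL.
        haystack = url if keyword == "uricontent" else user_agent
        if "nocase" in modifiers:
            haystack, value = haystack.lower(), value.lower()
        if value not in haystack:
            return False
    return bool(rules)

# Signature taken from the page; the requests below are constructed samples.
SIG = parse_signature('headercontent: "MaliciousBot/0.1"; useragentonly; uricontent: "/settings.php";')
SAMPLES = [
    ("MaliciousBot/0.1 (+http://bot.example)", "/settings.php"),   # both terms present
    ("MaliciousBot/0.1 (+http://bot.example)", "/index.html"),     # URL term missing
    ("Mozilla/5.0 (X11; Linux x86_64)", "/settings.php"),          # User-Agent term missing
    ("maliciousbot/0.1", "/settings.php"),                         # case differs, no nocase
]

def evaluate(rules, samples):
    return [matches(rules, ua, url) for ua, url in samples]

if __name__ == "__main__":
    for (ua, url), hit in zip(SAMPLES, evaluate(SIG, SAMPLES)):
        print(f"{'MATCH' if hit else 'miss ':5}  UA={ua!r}  URL={url!r}")
```

The last sample shows why the first signature on the page carries nocase on every term: without it, a bot that changes the letter case of its User-Agent is not matched under these assumptions.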