If your organization has additional needs for bot defense, you can write a custom bot signature to identify web robots by looking for specific patterns in the headers of incoming HTTP requests.
Bot signatures are similar to attack signatures; they are written using a limited subset of allowed keywords. You can design custom bot signatures to handle emergency situations, to support security policy enforcement unique to your networking environment, or to provide an analysis of specific activity on the network.
Being able to classify bots into different categories allows you to treat each category differently. You can report, block, or do nothing when a signature matches a malicious or benign bot. Further, malicious and benign bots fall into more specific bot signature categories that can be handled as needed. You can create new categories if they are needed to classify custom bot signatures.
Bot signatures are developed using Snort syntax to search for bots in either the User-Agent field of the header or the URL, or both. The User-Agent field is examined to identify the browser and operating system. The URL is searched to locate bots that access specific peculiar URLs within a site, regardless of whether the site has such a URL (in most cases it does not).
The syntax of bot signatures is similar to that of attack signatures using the general format keyword: "value"; modifier; but bot signatures can include only the following attributes:
The following are not allowed in bot signatures:
Refer to the Signature Options, Signature Syntax, and examples for additional details on the syntax used in bot signatures.
To develop more complex bot signatures, use the Advanced Edit Mode to type expressions using Snort control. Refer to the Signature Options and Signature Syntax sections for details. Refer to Bot signature syntax for special limitations when writing bot signatures.
As an example, this signature searches the header for three terms: SODA, BAR, and for a specific hexadecimal value.
headercontent:\"SODA\"; useragentonly; nocase; headercontent:\"BAR\"; useragentonly; nocase; headercontent:\"0x31303235343830303522\"; useragentonly; nocase;
In this example, the bot signature searches both User-Agent and the URL:
headercontent: "MaliciousBot/0.1"; useragentonly; uricontent: "/settings.php";