Imperva Cyber Community

  • 1.  Zgrab Scanner Mitigation Policy

    Posted 04-17-2023 13:40

    Dear all,

    Hope you're all doing great!!!

    We have observed HTTP traffic initiated by the zgrab scanner, and we didn't find a relevant policy for this.

    User-agent: Mozilla/5.0 zgrab/0.x


    #CloudWAF(formerlyIncapsula)
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Jagadesh Kumar R
    Information Security Group, Assistant Manager
    The Karur Vysya Bank Limited
    Karur
    ------------------------------


  • 2.  RE: Zgrab Scanner Mitigation Policy

    Posted 04-20-2023 13:00

    Hi! You could create an incap rule to block that User Agent; it would look a bit like this



    ------------------------------
    Alden Chevez Gomez
    Imperva Employee
    ------------------------------



  • 3.  RE: Zgrab Scanner Mitigation Policy

    Posted 04-21-2023 08:03

    Hello Alden,

    Thanks for the information,

    It would be appreciated if there's a policy for On-Premise WAF, and how to block "User agents" in On-Premise WAF.



    ------------------------------
    Jagadesh Kumar R
    Information Security Group, Assistant Manager
    The Karur Vysya Bank Limited
    Karur
    ------------------------------



  • 4.  RE: Zgrab Scanner Mitigation Policy
    Best Answer

    Posted 04-21-2023 10:02

    Hi Jagadesh,

    There is a policy for "automated vulnerability scanning" under "Web Service Custom". (Main > Policies > Security)

    By default, this policy has an action of "none" and is not applied. Click the Apply To tab to apply it to your applicable server groups.

    If you are satisfied with the results, you can change the action to "block".

    Alternatively, you can create a custom policy to block the specific user agent, similar to what Alden mentioned above for CWAF.

    Within the Security Policies screen, click the green + icon and select "Web Service". Give the policy a name and select "Web Service Custom" for type and click Create.



    Look within the list of Match Criteria until you find "HTTP Request User-Agent (Header)".

    Click the green up arrow to move it up. (It will then turn into a blue down arrow.)


    Click the green + next to the operation value and enter "Mozilla/5.0 zgrab/0.x" for the value.

    You may want to leave the action as "None" during initial testing. Remember to click the Apply To tab and apply to applicable server groups, and finally click Save.



    ------------------------------
    Jaired Anderson
    Imperva
    ------------------------------
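
Added example, not part of any post in this thread and not Imperva code: a way to measure what a zgrab User-Agent rule would match while the policy action is still "None", by counting hits per source IP in web server access logs. It assumes logs in Combined Log Format; the function name `zgrab_hits` is hypothetical and the sample log lines are constructed.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Product token from the thread ("Mozilla/5.0 zgrab/0.x"), any version, any case.
ZGRAB_RE = re.compile(r'\bzgrab/\S+', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """
192.0.2.10 - - [17/Apr/2023:13:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 zgrab/0.x"
192.0.2.10 - - [17/Apr/2023:13:01:03 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.7 - - [17/Apr/2023:13:05:40 +0000] "GET / HTTP/1.1" 200 512 "-" "mozilla/5.0 ZGrab/0.x"
203.0.113.5 - - [17/Apr/2023:13:06:11 +0000] "GET /search?q=zgrab HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/112.0"
truncated line without quotes
"""


def zgrab_hits(log_text):
    """Return (Counter of zgrab requests per source IP, list of unparsable lines)."""
    hits = Counter()
    skipped = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            # Keep unparsable lines visible instead of silently dropping them.
            skipped.append(line)
            continue
        # Match only the User-Agent field, so "zgrab" in a URL or referer
        # (the 203.0.113.5 line) is not counted as scanner traffic.
        if ZGRAB_RE.search(m.group("ua")):
            hits[m.group("ip")] += 1
    return hits, skipped


if __name__ == "__main__":
    hits, skipped = zgrab_hits(SAMPLE_LOG)
    for ip, count in hits.most_common():
        print(f"{ip}\t{count} request(s) with a zgrab User-Agent")
    print(f"{len(skipped)} line(s) could not be parsed")
```

A rule keyed on this header only catches scanners that keep the default User-Agent, so the counts are a lower bound on scanning activity.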