Block one type request

Dear All,

I would like to block one attack signature if it contains a unique request type on F5-ASM, without any traffic learning.

For example: I have a request from multi-type IPs. I would like to block this when the request contains a unique URL.

Are there any solutions for this problem?

Comments on this Question
Comment made 07-Jan-2018 by kolom 286

Try the iRule below; you can also change drop to return another response code if you want.

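when HTTP_REQUEST {
    # Drop the request when the URI contains "/example" and the client
    # address is inside the listed subnet (x.x.x.0/24 is a placeholder).
    if { ([string tolower [HTTP::uri]] contains "/example")
         && ([IP::addr [IP::client_addr] equals x.x.x.0/24]) } {
        drop
    }
}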
Comment made 07-Jan-2018 by gh0st 62

Thanks for your help :)

Comment made 07-Jan-2018 by kolom 286

URW Szrusko :)


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You can define an ASM user-defined violation and raise it if the condition is met.

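when HTTP_REQUEST {
  # Flag the request here; the violation is raised after ASM has processed it.
  set reqBlock 0
  if { ([string tolower [HTTP::uri]] contains "/example")
     && ([IP::addr [IP::client_addr] equals x.x.x.0/24]) } {
    set reqBlock 1
  }
}
when ASM_REQUEST_DONE {
  # Raise the user-defined violation for flagged requests.
  if { $reqBlock == 1 } {
    ASM::raise VIOLATION_FORBIDDEN_URL
  }
}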
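A variant of the accepted answer's iRule, added here as an example and not code from the thread: it matches on the decoded request path instead of the raw URI, and reads the paths and client networks from data groups so the rule does not need editing when the list changes. The data group names `blocked_paths_dg` and `blocked_clients_dg` are hypothetical and must exist on the BIG-IP; it also assumes `VIOLATION_FORBIDDEN_URL` has been created as a user-defined violation and that ASM iRule events are enabled in the security policy.

```tcl
# Added example (not from the thread).
# Assumptions:
#   blocked_paths_dg   - hypothetical string data group, e.g. "/example"
#   blocked_clients_dg - hypothetical address data group, e.g. a /24 network
#   VIOLATION_FORBIDDEN_URL - user-defined ASM violation, as in the answer
when HTTP_REQUEST {
    # Reset per request: variables persist across requests on a
    # keep-alive connection.
    set reqBlock 0

    # Use the path only, so "/example" appearing in a query string does
    # not match. Decode percent-encoding once before lowercasing so that
    # "/%45xample" is treated the same as "/example". Double-encoded
    # input is not handled here.
    set reqPath [string tolower [URI::decode [HTTP::path]]]

    if { [class match $reqPath starts_with blocked_paths_dg] &&
         [class match [IP::client_addr] equals blocked_clients_dg] } {
        set reqBlock 1
        # Leave a trace for later review of what was flagged and why.
        log local0.notice "flagged [IP::client_addr] path=$reqPath"
    }
}

when ASM_REQUEST_DONE {
    # ASM has finished its own checks; add the custom violation so the
    # request is handled according to the policy's blocking settings and
    # appears in the ASM request log.
    if { $reqBlock == 1 } {
        ASM::raise VIOLATION_FORBIDDEN_URL
    }
}
```

Whether a flagged request is blocked or only logged depends on the Learn/Alarm/Block settings of the violation in the policy.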