Block one type request

Question

Dear All,&nbsp;
I would like to block one attack signature if it contains uniq request type on F5-ASM, without any traffic learning.&nbsp;
For example: I have a request from multi type IPs. I would like to block this when the request contains a uniq URL.&nbsp;
Is there any solutions for this problem?&nbsp;

kolom · Answer

Try the below iRule , you can also change drop to return other response code if you want.&nbsp;when HTTP_REQUEST {
if { ([string tolower [HTTP::uri]] contains "/example" ) 
     &amp;&amp; ( [IP::addr [IP::client_addr] equals x.x.x.0/24] ) } {
drop
}
}

gh0st_325958 · Answer

Thanks for your help :)&nbsp;

kolom · Answer

URW Szrusko :)&nbsp;

stanislas_piro2 · Answer

You can define an ASM user defined violation and raise it if condition meet.
when HTTP_REQUEST {
  set reqBlock 0
  if { ([string tolower [HTTP::uri]] contains "/example" ) 
     &amp;&amp; ( [IP::addr [IP::client_addr] equals x.x.x.0/24] ) } {
    set reqBlock 1
  }
}   
when ASM_REQUEST_DONE {
  if { $reqBlock == 1} {
    ASM::raise VIOLATION_FORBIDDEN_URL
  }
}

Forum Discussion

Block one type request

4 Replies

Recent Discussions

F5Access | MacOS Sonoma

Active- Active HA setup

syslog server connection

Cannot see floating MAC address outside of ESXi

Rewrite uri translation not working

Related Content

Application Programming Interface (API) Authentication types simplified

Beware, your logs - how blocked log4shell, Spring4Shell etc requests can still lead to compromise

ASM blocked request contains & (ampersand) symbol in parameter value

BIG-IP Advanced Firewall Manager (AFM) DNS NXDOMAIN Query Attack Type Walkthrough - part two

Distributed caching of authentication requests with NGINX Ingress Controller