Custom Attack Signature for blocking XFF IPs

Question

Hello,&nbsp;
Could you help me with writing a regular expression for custom attack signature that will check the XFF header for specific IP address and if there is a match block it.&nbsp;
Thank you in advance. &nbsp;

daniel_varela · Answer

What version are you using? In version 13.x you can block IP addresses. First you need to trust the X-Forwarded-For header as the origin of you IP address in your security policy. Then in the IP Address section of you policy add the IP you need to block and set Always Block this IP.&nbsp;
Other option is an irule, there is a bunch of ASM commands to extend ASM functionalities, this is better in my opinion that a custom signature. You will probably will need to add more IPs to the blocking, datagroups will help you with that much more easy than a signature.&nbsp;

daniel_varela · Answer

Didn't have time to tested, the rule should look like:&nbsp;
re2:"/X-Forwarded-For:\s(84\.138\.39\.100|66\.55\.33\.64)/Hi";&nbsp;
You can add as many IPs as you need.&nbsp;
Update to escape dots :)&nbsp;

Forum Discussion

Custom Attack Signature for blocking XFF IPs

2 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

SSL Orchestrator Advanced Use Cases: Custom Blocking Pages

Blocking Spam with Custom Attack Signatures

Customized Bot Signature not working

Mitigating log4j (CVE-2021-44228) with AFM Protocol Inspection Custom Signatures

Using Perl Compatible Regular Expressions (PCRE) in Protocol Inspection Custom Signatures