Forum Discussion

Chen_Zhe's avatar
Chen_Zhe
Icon for Altostratus rankAltostratus
Jul 09, 2020

base on HTTP header irules to blocked request

Hi, Demand background: Each request must contain at least one of the four header (has configed at Application Security : Headers : HTTP Headers) access-token authentication authorization ...
ASM Advanced WAF
iRules
security
Ivan_Chernenkii's avatar
Ivan_Chernenkii
Icon for Employee rankEmployee

Hello Chen Zhe,

 

What are you trying to achieve? If you want to block all requests which don't contains any of these 4 headers, then it would be better just create such rule in iRule or you can create attack signature with such rule (e.g content:!"access-token"; nocase; content:!"authentication"; nocase;....)

 

Thanks, Ivan

Chen_Zhe's avatar
Chen_Zhe
Icon for Altostratus rankAltostratus
Jul 13, 2020

Hi Ivan,

thank you!

Achieve you guess is right,detail: block all request which don't contains any of these 4 headers,unless shome HOST or host+uri .

but,rules didn't work as I expected。

when hit whilelist fist,at the end rules it hit discard again.​

 

when HTTP_REQUEST {

 if {[HTTP::header exists token] or [HTTP::header exists access-token] or [HTTP::header exists authentication] or [HTTP::header exists authorization]}{

   ASM::enable "/Common/base-on-header-string"

 }

#following all fuction is whitelist.

if { [class match [HTTP::host] contains domain_whiltlist] } {

 ASM::enable "/Common/base-on-header-string"

 }

 if { [HTTP::host] == "meetingroomip-uat.bba-app.com" || [HTTP::host] == "meeting-inspection.bba-app.biz" } {

   if {[class match [HTTP::uri] contains meeting] } {

   ASM::enable "/Common/base-on-header-string"

  }

 }

 if { [HTTP::host] == "bestyou-uat.bba-app.com" || [HTTP::host] == "bestyou.bba-app.biz" } {

   if { [class match [HTTP::uri] contains bestyou] } {

   ASM::enable "/Common/base-on-header-string"

  }

 }

else{

discard

}

  • Ivan_Chernenkii's avatar
    Ivan_Chernenkii
    Icon for Employee rankEmployee
    Jul 13, 2020

    I didn't get your further "whitelist" part...

    Do you want not enforce in case of whitelist?.. then you need ASM: disable.

    Also, you have

    when HTTP_REQUEST {

     if {[HTTP::header exists token] or [HTTP::header exists access-token] or [HTTP::header exists authentication] or [HTTP::header exists authorization]}{

       ASM::enable "/Common/base-on-header-string"

     }

    which means apply ASM policy in case of at least one header exists... While AFAIU you didn't want to block it. Please, clarify.

  • Chen_Zhe's avatar
    Chen_Zhe
    Icon for Altostratus rankAltostratus
    Jul 14, 2020

    thank you for your reply, forgot it.

    I changed irules to meet the requirements, but I encountered problems related to if, elseif, else. and i asked new question.