Block one type request

Question

Dear All,&nbsp;
I would like to block one attack signature if it contains uniq request type on F5-ASM, without any traffic learning.&nbsp;
For example: I have a request from multi type IPs. I would like to block this when the request contains a uniq URL.&nbsp;
Is there any solutions for this problem?&nbsp;

kolom · Answer

Try the below iRule , you can also change drop to return other response code if you want.&nbsp;when HTTP_REQUEST {
if { ([string tolower [HTTP::uri]] contains "/example" ) 
     &amp;&amp; ( [IP::addr [IP::client_addr] equals x.x.x.0/24] ) } {
drop
}
}

gh0st_325958 · Answer

Thanks for your help :)&nbsp;

kolom · Answer

URW Szrusko :)&nbsp;

stanislas_piro2 · Answer

You can define an ASM user defined violation and raise it if condition meet.
when HTTP_REQUEST {
  set reqBlock 0
  if { ([string tolower [HTTP::uri]] contains "/example" ) 
     &amp;&amp; ( [IP::addr [IP::client_addr] equals x.x.x.0/24] ) } {
    set reqBlock 1
  }
}   
when ASM_REQUEST_DONE {
  if { $reqBlock == 1} {
    ASM::raise VIOLATION_FORBIDDEN_URL
  }
}

Forum Discussion

Block one type request

Recent Discussions

XC Bot defense question

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

NetScaler to F5 Migration

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Related Content

Application Programming Interface (API) Authentication types simplified

Beware, your logs - how blocked log4shell, Spring4Shell etc requests can still lead to compromise

Block requests by reverse DNS record

Block Referral Requests

Block IP after a number of ASM Blocks

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS