Forum Discussion
Blocking a single IP in ASM - send to the blocking page
I can't for the life of me work out what I would have thought would be a simple thing to do in ASM.
What we would like to do is blacklist a single IP address (or potentially multiple) and send them to the blocking page when they create a violation (or even just block them straight away even if it's a good request, if that is easier).
I am aware I could write an iRule to drop the request or send back a specific response, but we'd like to send them to the configured blocking page we have already made (along with a support ID being shown if they generate a violation). Is this possible? I can find places to whitelist IPs, but nowhere to blacklist them!
Thanks in advance
James
7 Replies
- JamesS_40157
Nimbostratus
Would something like this work in the meantime? I realise it will basically allow anything through that isn't in the block list:
when HTTP_REQUEST {
    # Only enforce ASM for addresses listed in the data group; everyone else bypasses it
    if { [matchclass [IP::remote_addr] equals /Common/asmblockips] } {
        ASM::enable
    } else {
        ASM::disable
    }
}
- JamesS_40157
Nimbostratus
A slightly revised version, would this be OK? (more specific to web scraping now)
when ASM_REQUEST_VIOLATION {
    set x [ASM::violation_data]
    # Only act on web-scraping violations
    if { ([lindex $x 0] contains "VIOLATION_WEB_SCRAPING_DETECTED") } {
        # Addresses not in the block list are let through
        if { ! [matchclass [IP::remote_addr] equals /Common/asmblockips] } {
            ASM::disable
        }
    }
}
However, I have just read that the ASM::enable and ASM::disable functions only work within HTTP_CLASS_SELECTED. If this is the case, I guess I can't be specific down to the attack type?
- nitass
Employee
Just curious: why do you need a support ID while blocking them right away?
"I can find places to whitelist IPs"
Where is the whitelist? Is it at Anomaly Detection > DoS Attack Prevention and Web Scraping? Isn't it only meant for DoS attack and web scraping?
sol10479: Bypassing the BIG-IP ASM with an iRule in version 10.x
http://support.f5.com/kb/en-us/solutions/public/10000/400/sol10479.html
- JamesS_40157
Nimbostratus
Hi Nitass, good point regarding the support ID. We just want to display the same blocking page, which includes the <%TS.request.ID()%> code. If this particular IP wants to appeal against the block then it would look a bit strange to them if they don't have the support ID listed.
The whitelist is indeed where you say it is, but there is also an "ignored IP addresses" section which I would assume just disables ASM for that particular IP.
- nitass
Employee
"The whitelist is indeed where you say it is, but there is also an "ignored IP addresses" section which I would assume just disables ASM for that particular IP."
I never tested it, but I think it is for learning suggestions only.
Ignored IP addresses
You can now configure IP addresses that the system should ignore. The system ignores traffic sent from these IP addresses, and does not generate Learning suggestions from traffic sent from these IP addresses. Configuring ignored IP addresses is especially useful when performing penetration testing on the web application. To add an ignored IP address, from the Configuration utility, navigate to Application Security » Manual Policy Building » Ignored IPs.
Release Note: BIG-IP ASM version 10.2.0
http://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnotes_asm_10_2_0.html
- JamesS_40157
Nimbostratus
Ah, I see, that makes sense. Well, I'm only concerned with web scraping at the moment so that's OK as far as a whitelist goes.
I'll continue to test my iRule and post back here if it works, thanks.
- reseob_90588
Nimbostratus
Is there any update on this? The initial iRule solution wasn't really a functional solution for us as it simply disables ASM for IPs that aren't in the list.
Basically, the situation I have is that I'm learning on web scraping, and have seen a few addresses I want to block, but I don't know if I've got appropriate thresholds, so I don't want to block scraping, since I don't want to block valid traffic. So in the interim, I'd like to be able to simply block all traffic from a specific IP. All the traffic not from these specific IPs should STILL be passed through ASM.
Any other thoughts? I was thinking this may be done on LTM also with the appropriate iRule.
Thanks!
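One way to do what reseob describes, blocking the listed addresses at the LTM layer while every other request still goes through the ASM policy, as an added example that is not from the thread or from F5's own documentation; it assumes an address data group named /Common/asmblockips (the name James used above) and BIG-IP 10.x iRule syntax:

```tcl
# Added example (not the thread's or F5's code). Assumes the data group
# /Common/asmblockips holds the addresses to block.
when HTTP_REQUEST {
    if { [matchclass [IP::client_addr] equals /Common/asmblockips] } {
        # Record the block so the denied requests show up in /var/log/ltm
        log local0. "asmblockips: rejected [IP::client_addr] for [HTTP::host][HTTP::uri]"
        # Answer with a static 403 page and close the connection; the request
        # never reaches the ASM policy
        HTTP::respond 403 content "<html><body>The requested URL was rejected.</body></html>" \
            "Content-Type" "text/html" "Connection" "close"
        return
    }
    # No ASM::disable here: requests from every other address continue on the
    # normal path and are inspected by the security policy as before
}
```

This returns a static page rather than the ASM blocking page, so no support ID is shown; the original question about reaching the ASM page itself stays open.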