Forum Discussion
Custom Attack Signature for blocking XFF IPs
Hello,
Could you help me with writing a regular expression for custom attack signature that will check the XFF header for specific IP address and if there is a match block it.
Thank you in advance.
- Daniel_VarelaEmployee
What version are you using? In version 13.x you can block IP addresses. First you need to trust the X-Forwarded-For header as the origin of you IP address in your security policy. Then in the IP Address section of you policy add the IP you need to block and set Always Block this IP.
Other option is an irule, there is a bunch of ASM commands to extend ASM functionalities, this is better in my opinion that a custom signature. You will probably will need to add more IPs to the blocking, datagroups will help you with that much more easy than a signature.
- Daniel_VarelaEmployee
Didn't have time to tested, the rule should look like:
re2:"/X-Forwarded-For:\s(84\.138\.39\.100|66\.55\.33\.64)/Hi";
You can add as many IPs as you need.
Update to escape dots :)
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com