Custom Attack Signature for blocking XFF IPs

Question

Hello,&nbsp;
Could you help me with writing a regular expression for custom attack signature that will check the XFF header for specific IP address and if there is a match block it.&nbsp;
Thank you in advance. &nbsp;

daniel_varela · Answer

What version are you using? In version 13.x you can block IP addresses. First you need to trust the X-Forwarded-For header as the origin of you IP address in your security policy. Then in the IP Address section of you policy add the IP you need to block and set Always Block this IP.&nbsp;
Other option is an irule, there is a bunch of ASM commands to extend ASM functionalities, this is better in my opinion that a custom signature. You will probably will need to add more IPs to the blocking, datagroups will help you with that much more easy than a signature.&nbsp;

daniel_varela · Answer

Didn't have time to tested, the rule should look like:&nbsp;
re2:"/X-Forwarded-For:\s(84\.138\.39\.100|66\.55\.33\.64)/Hi";&nbsp;
You can add as many IPs as you need.&nbsp;
Update to escape dots :)&nbsp;

Forum Discussion

Custom Attack Signature for blocking XFF IPs

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

SSL Orchestrator Advanced Use Cases: Custom Blocking Pages

Blocking Spam with Custom Attack Signatures

Customized Bot Signature not working

Mitigating log4j (CVE-2021-44228) with AFM Protocol Inspection Custom Signatures

Using Perl Compatible Regular Expressions (PCRE) in Protocol Inspection Custom Signatures

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS