Drop request by body message
Hi,
How can I block requests for a specific policy, filtered by a specific body message?
For example, this is the body message (URL decoded):
{"messageType":"Erro","messageVersion":"2.1.0","threeDSServerTransID":"<REDUCTED>","acsTransID":"<Reducted>","sdkTransID":"<Reducted>","sdkCounterStoA":"7394","errorCode":"101","errorComponent":"C","errorDescription":"MessageReceivedInvalid.","errorMessageType":"<Reducted>","errorDetail":"InvalidJSON.Valuenulloftypeorg.json.JSONObject$1cannotbeconvertedtoJSONObject"}",response="Loggingratelimitreached"
Is it possible to filter by keywords such as:
Message Received Invalid
or Invalid JSON. Value null of type org.json.JSONObject$1 cannot be converted to JSONObject
Thank you in advance.
Kind Regards,
Tomislav
- samstep (Cirrocumulus)
You can achieve this in ASM by writing a custom Attack signature to look for whichever keywords you want and then set it to Block in your ASM policy.
- Tomislav (Nimbostratus)
Hi,
I have created a new signature but requests are still passing. Do you have any idea what I have configured wrong?
Kind Regards,
Tomislav Nagy
- Tomislav (Nimbostratus)
Hi, thank you very much, this was helpful!
Kind Regards,
Tomislav
- Tomislav (Nimbostratus)
I have created a new attack signature.
I have set the type as request, added system technologies, attack type.
Under rule Matched Element is Request Content, Contains String, under Keyword.... valuecontent:"Invalid JSON. Value null of type org.json.JSONObject$1 cannot be converted to JSONObject"; jsononly;
Match case is checked and Accuracy and Risk are set to Low.
This attack signature is added to a signature set which is bound to the policy. Policy changes are applied.
Yet it does not seem to drop the request; in the SIEM tool we can see the request:
request_status="passed",response_code="200"
- Tomislav (Nimbostratus)
Maybe the signature option and syntax are not correct.
I was following this link:
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/big-ip-asm-attack-and-bot-signatures-14-1-0/06.html