Forum Discussion

chiznitz_15400's avatar
chiznitz_15400
Icon for Nimbostratus rankNimbostratus
Mar 07, 2014

iRule - Don't show 403 forbidden alert when from whitelisted IP

Hi all,

 

Our website doesn't allow users to backspace the URL and press enter, this triggers a 403 forbidden alert. Many of our customers are doing this on accident and it gives us a lot of noise in our appliance. Is there a way I could write an iRule that says if it's a 403Forbidden of this type and from this IP please do not log it?

 

We do not want to completely white list the IP as our customers could have malicious software that is sending traffic are way.

 

thanks!

 

application delivery
ASM Advanced WAF
devops
iRules
security

4 Replies

Sort By
  • Patrik_Jonsson's avatar
    Patrik_Jonsson
    Icon for MVP rankMVP
    Mar 07, 2014
    What kind of noise are you referring to? The LTM would not log the 403 by default, but perhaps you're using another module? /Patrik
  • chiznitz_15400's avatar
    chiznitz_15400
    Icon for Nimbostratus rankNimbostratus
    Mar 07, 2014

    This would be for our ASM. When you click Reporting you can see the requests etc, we don't want to turn off 403 for every IP, only for the ones that we have researched as being one of our actual customers. We still want to see 403s during driveby scans etc from attackers.

     

  • chiznitz_15400's avatar
    chiznitz_15400
    Icon for Nimbostratus rankNimbostratus
    Mar 10, 2014

    This is what I have so far, the question is will this already have logged the violation? I'm trying to say that if this violation happens we don't want to see it in the logs.

     

    when ASM_RESPONSE_VIOLATION { set x [ASM::violation_data] set y [ASM::client_ip] if {([lindex $x 0] contains "VIOLATION_HTTP_STATUS_IN_RESPONSE") and $y equals x.x.x.x } ASM::disable

     

    } else { ASM::enable /Common/myasmpol

     

    }}