Forum Discussion

JWhitesPro_1928's avatar
JWhitesPro_1928
Icon for Cirrostratus rankCirrostratus
Dec 20, 2017

Useful 13.1 addition to ASM/AFM

In 13.1 it seems we have more signature/ips like functionality but one thing I think the system really lacks is more actions that can be taken on hits for those signatures.   IE:   If someone t...
AFM
ASM Advanced WAF
security
Patrik_Jonsson's avatar
Patrik_Jonsson
Icon for MVP rankMVP
Dec 21, 2017

If you want to block across all sites you could add the IP to a tables blacklist:

when HTTP_REQUEST {

    if { [class match [string tolower [HTTP::uri]] starts_with admin_uris] } {
         User tried to access blocked uri, adding to black list and dropping it
         This example will block the user for 10 seconds
        table add blacklist_[IP::client_addr] 1 10
        drop
    } elseif { [table lookup -notouch blacklist_[IP::client_addr]] != "" } {
         Previously blocked address, dropping.
        -notouch means that the timeout won't be reset 
        drop
    }

}

This is just a simple example. You could also add logic on how many attempts, increase the timeout if the user keeps it up etc. Tables are global so just add the rule to any virtual server you want to enforce the blacklist on.

/Patrik