Forum Discussion

Mike_Maher's avatar
Mike_Maher
Icon for Nimbostratus rankNimbostratus
Nov 10, 2011

White List IP address for an Attack Signature

Does anyone know if there is a way to white list an IP or list of IP addresses for Attack Signatures.

 

 

Basically I am seeing a couple signatures get tripped but it is mostly my IP space which we found is a false positive. So I wanted to keep the signature enabled but just white list some of my IP space.

 

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Mike

     

     

    AFAIK you can't - just checked to see if this feature is available in v11.x but doesn't seem to. Perhaps an iRule will help you here to bypass the ASM altogether for certain IP addresses. I've seen these 2 docs for v9.x and v10.x:

     

     

    http://support.f5.com/kb/en-us/solutions/public/10000/400/sol10479.html?sr=17615809

     

    http://support.f5.com/kb/en-us/solutions/public/7000/900/sol7920.html

     

     

    Whether you can get more granular in regards to specific Attack Sigs then perhaps someone else can advise as I'm not sure.

     

     

    Now my iRuling days have only just started but from the doc above and if you've got v10 I wonder if you could create a class group of your internal IP addresses and use this iRule to bypass the ASM module?

     

     

    when HTTP_CLASS_SELECTED {

     

    ASM::enable

     

    if { matchclass [IP::client_addr] equals $::ip_white_list } {

     

    ASM::disable

     

    }

     

    }

     

     

    Haven't got my test box available to me today so hopefully someone could verify this info.

     

     

    Rgds

     

    N