Mike_Maher
Nov 10, 2011 | Nimbostratus
White List IP address for an Attack Signature
Does anyone know if there is a way to white list an IP or list of IP addresses for Attack Signatures?
Basically I am seeing a couple signatures get tripped but it is mostly my IP space whi...
nathe
Nov 10, 2011 | Cirrocumulus
Mike
AFAIK you can't - just checked to see if this feature is available in v11.x but doesn't seem to. Perhaps an iRule will help you here to bypass the ASM altogether for certain IP addresses. I've seen these 2 docs for v9.x and v10.x:
http://support.f5.com/kb/en-us/solutions/public/10000/400/sol10479.html?sr=17615809
http://support.f5.com/kb/en-us/solutions/public/7000/900/sol7920.html
Whether you can get more granular in regards to specific Attack Sigs then perhaps someone else can advise as I'm not sure.
Now my iRuling days have only just started but from the doc above and if you've got v10 I wonder if you could create a class group of your internal IP addresses and use this iRule to bypass the ASM module?
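when HTTP_CLASS_SELECTED {
    # Default: let ASM inspect the request
    ASM::enable
    # Skip ASM when the client address is in the ip_white_list class
    if { [matchclass [IP::client_addr] equals $::ip_white_list] } {
        ASM::disable
    }
}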
Haven't got my test box available to me today so hopefully someone could verify this info.
Rgds
N