ASM/WAF rate limit and block clients by source ip (or device_id fingerprint) if there are too many violations

Problem this snippet solves: For attackers that cause too many violations it is better to block them at the start of the HTTP_REQUEST or CLIENT_ACCEPTED events as the ASM/WAF processing causes too ...
Updated Jan 31, 2023
Version 3.0
ASM Advanced WAF
devops
fingerprint
iRules
Security
Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Jul 15, 2021

For you to share ASM violation data between F5 devices you will need Splunk or other SIEM that will make a list that can be used as AFM custom feed list or exter data group. For more about that see my comments under:

 

 

https://devcentral.f5.com/s/question/0D51T00006aFjFF/managing-datagroups-from-bigiq

 

 

https://support.f5.com/csp/article/K17523

 

 

 

 

As external data group enties don't time out like the table command you can feed the extarnal list using sideband function to load the external cvs list by HTTP command in the F5 device table:

 

https://devcentral.f5.com/s/articles/populating-tables-with-csv-data-via-sideband-connections

 

 

Another solution is to add the data group entries like:

1.1.1.1 2016-05-30

2.2.2.2 2016-06-01

3.3.3.3 2016-07-20

 

 

 

And use a bash script that may be triggered with cronjob on the server that feeds the F5 to check every day if there is an old entry:

 

 

cutoff=$(date -d 'now - 30 days' '+%Y-%m-%d')

awk -v cutoff="$cutoff" '$2 >= cutoff { print }' <in.txt >out.txt && mv out.txt in.txt

 

 

https://stackoverflow.com/questions/38571524/remove-line-in-text-file-with-bash-if-the-date-is-older-than-30-days