base on HTTP header irules to blocked request

Question

Hi,

Demand background：

Each request must contain at least one of the four header （has configed at Application Security : Headers : HTTP Headers）

access-token

authentication

authorization

token

my bad rules:

if { [HTTP::host] == "abc.com" || [HTTP::host] == "123.biz" } {

if {[class match [HTTP::uri] contains meeting] and [ASM::violation names] eq "VIOLATION_MISSING_MANDATORY_HEADER" and [llength [ASM::violation details]] < 12} {

ASM::unblock

log local0.info "[HTTP::host] [HTTP::uri] and [llength [ASM::violation details]] and [ASM::violation details] and [ASM::violation names]"

}

log output:

Rule /Common/authentication_header_url_check <ASM_REQUEST_DONE>:

abc.biz

/dealerUser/auth/login and 5 and {viol_index 64} {viol_name VIOL_MANDATORY_HEADER} {header_data.header_name access-token} {header_data.header_name authentication}

{header_data.header_name token} and

VIOLATION_MISSING_MANDATORY_HEADER

It based on violation names number,Cannot match actual demand。 who has good idea,thanks a lot.

ivan_chernenkii · Answer

Hello Chen Zhe,&nbsp;What are you trying to achieve? If you want to block all requests which don't contains any of these 4 headers, then it would be better just create such rule in iRule or you can create attack signature with such rule (e.g content:!"access-token"; nocase; content:!"authentication"; nocase;....)&nbsp;Thanks, Ivan

chen_zhe · Answer

Hi Ivan,thank you!Achieve you guess is right,detail: block all request which don't contains any of these 4 headers,unless shome HOST or host+uri .but,rules didn't work as I expected。when hit whilelist fist,at the end rules it hit discard again.​&nbsp;when HTTP_REQUEST {&nbsp;if {[HTTP::header exists token] or [HTTP::header exists access-token] or [HTTP::header exists authentication] or [HTTP::header exists authorization]}{&nbsp;&nbsp;&nbsp;ASM::enable "/Common/base-on-header-string"&nbsp;}#following all  fuction is whitelist. if { [class match [HTTP::host] contains domain_whiltlist] } {&nbsp;ASM::enable "/Common/base-on-header-string"&nbsp;}&nbsp;if { [HTTP::host] == "meetingroomip-uat.bba-app.com" || [HTTP::host] == "meeting-inspection.bba-app.biz" } {&nbsp;&nbsp;&nbsp;if {[class match [HTTP::uri] contains meeting] } {&nbsp;&nbsp;&nbsp;ASM::enable "/Common/base-on-header-string"&nbsp;&nbsp;}&nbsp;}&nbsp;if { [HTTP::host] == "bestyou-uat.bba-app.com" || [HTTP::host] == "bestyou.bba-app.biz" } {&nbsp;&nbsp;&nbsp;if { [class match [HTTP::uri] contains bestyou] } {&nbsp;&nbsp;&nbsp;ASM::enable "/Common/base-on-header-string"&nbsp;&nbsp;}&nbsp;}else{discard}​

ivan_chernenkii · Answer

I didn't get your further "whitelist" part...

Do you want not enforce in case of whitelist?.. then you need ASM: disable.

Also, you have

when HTTP_REQUEST {

if {[HTTP::header exists token] or [HTTP::header exists access-token] or [HTTP::header exists authentication] or [HTTP::header exists authorization]}{

ASM::enable "/Common/base-on-header-string"

}

which means apply ASM policy in case of at least one header exists... While AFAIU you didn't want to block it. Please, clarify.

chen_zhe · Answer

thank you for your reply, forgot it.I changed irules to meet the requirements, but I encountered problems related to if, elseif, else. and i asked new question.

Forum Discussion

base on HTTP header irules to blocked request

4 Replies

Recent Discussions

F5Access | MacOS Sonoma

Active- Active HA setup

syslog server connection

Cannot see floating MAC address outside of ESXi

Rewrite uri translation not working

Related Content

Revocation Status in HTTP Request Header

F5 AWAF - bypass request based on the pressence of a request header - value

Beware, your logs - how blocked log4shell, Spring4Shell etc requests can still lead to compromise

ASM blocked request contains & (ampersand) symbol in parameter value

Routing HTTP by request headers