Forum Discussion

Tomislav's avatar
Tomislav
Icon for Nimbostratus rankNimbostratus
Sep 14, 2021

Drop request by body message

Hi,

 

how can I block request for specific policy filtered by specific body message.

 

For example this is body message (URL decoded):

 

{"messageType":"Erro","messageVersion":"2.1.0","threeDSServerTransID":"<REDUCTED>","acsTransID":"<Reducted>","sdkTransID":"<Reducted>","sdkCounterStoA":"7394","errorCode":"101","errorComponent":"C","errorDescription":"MessageReceivedInvalid.","errorMessageType":"<Reducted>","errorDetail":"InvalidJSON.Valuenulloftypeorg.json.JSONObject$1cannotbeconvertedtoJSONObject"}",response="Loggingratelimitreached"

 

Is it possible to filter by keywords such as:

Message Received Invalid

or Invalid JSON. Value null of type org.json.JSONObject$1 cannot be converted to JSONObject

 

Thank you in advance.

 

Kind Regards,

Tomislav

5 Replies

    • Tomislav's avatar
      Tomislav
      Icon for Nimbostratus rankNimbostratus

      Hi,

      I have created new signature but requests are still passing. Do you have any idea what I have configured wrong?

       

      Kind Regards,

      Tomislav Nagy

  • Hi thank you very much, this was helpful!

     

    Kind Regards,

    Tomislav

  • I have created new attack signature.

     

    I have set type as request, added system technologies, attack type.

    Under rule Matched Element is Request Content, Contains String, under Keyword.... valuecontent:"Invalid JSON. Value null of type org.json.JSONObject$1 cannot be converted to JSONObject"; jsononly;

    Match case is checked and Accuracy and Risk is set to Low,

     

    This attack signature is added to signature set which is bind to policy. Policy changes are applied.

     

    Yet it does not seem to drop the request, in SIEM tool we can see request:

    request_status="passed",response_code="200"

     

     

     

  • Maybe signature option and syntax is not correct.

    I was following this link:

    https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/big-ip-asm-attack-and-bot-signatures-14-1-0/06.html