14-Sep-2021 06:29
Hi,
How can I block requests for a specific policy, filtered by a specific body message?
For example, this is the body message (URL decoded):
{"messageType":"Erro","messageVersion":"2.1.0","threeDSServerTransID":"<REDUCTED>","acsTransID":"<Reducted>","sdkTransID":"<Reducted>","sdkCounterStoA":"7394","errorCode":"101","errorComponent":"C","errorDescription":"MessageReceivedInvalid.","errorMessageType":"<Reducted>","errorDetail":"InvalidJSON.Valuenulloftypeorg.json.JSONObject$1cannotbeconvertedtoJSONObject"}",response="Loggingratelimitreached"
Is it possible to filter by keywords such as:
Message Received Invalid
or Invalid JSON. Value null of type org.json.JSONObject$1 cannot be converted to JSONObject
Thank you in advance.
Kind Regards,
Tomislav
14-Sep-2021 14:54
You can achieve this in ASM by writing a custom Attack signature to look for whichever keywords you want and then set it to Block in your ASM policy.
22-Sep-2021 03:54
Hi,
I have created a new signature, but requests are still passing. Do you have any idea what I have configured wrong?
Kind Regards,
Tomislav Nagy
15-Sep-2021 05:14
I have created a new attack signature.
I have set the type as request and added system technologies and attack type.
Under rule, Matched Element is Request Content, Contains String, under Keyword.... valuecontent:"Invalid JSON. Value null of type org.json.JSONObject$1 cannot be converted to JSONObject"; jsononly;
Match case is checked, and Accuracy and Risk are set to Low.
This attack signature is added to a signature set which is bound to the policy. Policy changes are applied.
Yet it does not seem to drop the request; in the SIEM tool we can see the request:
request_status="passed",response_code="200"
15-Sep-2021 05:17
Maybe the signature option and syntax are not correct.
I was following this link:
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/big-ip-asm-attack-and-bot-signatures-14-1-0/06.html
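An added diagnostic, not part of any post in this thread and not F5 code: a plain-Python comparison of the keywords quoted above against the body as it was posted, showing that the posted body carries no spaces in `errorDescription` or `errorDetail`, so a literal, case-sensitive match on the spaced keyword finds nothing. It assumes the posted body reflects what the request actually carries (the SIEM or the forum may have stripped whitespace), and the helper names and shortened sample are constructed for illustration.

```python
import json
import re

# Constructed from the body posted in the thread; redacted fields omitted.
SAMPLE_BODY = (
    '{"messageType":"Erro","messageVersion":"2.1.0","errorCode":"101",'
    '"errorComponent":"C","errorDescription":"MessageReceivedInvalid.",'
    '"errorDetail":"InvalidJSON.Valuenulloftypeorg.json.JSONObject$1'
    'cannotbeconvertedtoJSONObject"}'
)

# Keywords quoted in the thread, with spaces as the poster typed them.
KEYWORDS = [
    "Message Received Invalid",
    "Invalid JSON. Value null of type org.json.JSONObject$1 "
    "cannot be converted to JSONObject",
]

def squash(text):
    """Remove all whitespace so spacing differences do not affect matching."""
    return re.sub(r"\s+", "", text)

def check_keywords(body, keywords):
    """Return {keyword: (literal_hit, whitespace_insensitive_hit)}."""
    return {kw: (kw in body, squash(kw) in squash(body)) for kw in keywords}

def matching_fields(body, keywords):
    """Parse the JSON body and list (field, keyword) pairs that match
    once whitespace is ignored on both sides."""
    hits = []
    for name, value in json.loads(body).items():
        if not isinstance(value, str):
            continue
        for kw in keywords:
            if squash(kw) in squash(value):
                hits.append((name, kw))
    return hits

if __name__ == "__main__":
    for kw, (literal, relaxed) in check_keywords(SAMPLE_BODY, KEYWORDS).items():
        print(f"literal={literal!s:5} relaxed={relaxed!s:5} {kw[:40]}")
    for field, kw in matching_fields(SAMPLE_BODY, KEYWORDS):
        print(f"{field}: {kw[:40]}")
```

Running the same comparison against a raw capture of the request body (rather than the SIEM rendering) shows which exact byte string a keyword has to contain.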