
Useful 13.1 addition to ASM/AFM


In 13.1 it seems we have more signature/IPS-like functionality, but one thing I think the system really lacks is more actions that can be taken on hits for those signatures.




If someone trips a signature looking for /admin on your external site that doesn't contain a /admin directory--this user is obviously up to no good. Beyond just blocking that request, it would be nice to have, either through an iRule or built-in functionality, the ability to add that client's IP address to the shun list so that it could be blocked from everything for a specified period of time. I don't see a great way to do this at the moment without creating my own external program to read logs, keep track of IP addresses and add/remove on time intervals... think snortsam for snort...



If you want to block across all sites you could add the IP to a tables blacklist:


    when HTTP_REQUEST {
        if { [class match [string tolower [HTTP::uri]] starts_with admin_uris] } {
            # User tried to access blocked uri, adding to black list and dropping it
            # This example will block the user for 10 seconds
            table add blacklist_[IP::client_addr] 1 10
            drop
        } elseif { [table lookup -notouch blacklist_[IP::client_addr]] != "" } {
            # Previously blocked address, dropping.
            # -notouch means that the timeout won't be reset
            drop
        }
    }


This is just a simple example. You could also add logic on how many attempts, increase the timeout if the user keeps it up etc. Tables are global so just add the rule to any virtual server you want to enforce the blacklist on.
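
The attempt counting and growing timeout suggested above could look like the following iRule. It is an added example, not part of the original post; the `strikes` and `blacklist` subtable names and the `static::` tuning values are assumptions, while `admin_uris` is the data group from the post.

```tcl
when RULE_INIT {
    # Assumed tuning values, not from the thread
    set static::base_block 10        ;# seconds for the first block (the post's value)
    set static::max_block 3600       ;# ceiling for any single block
    set static::strike_memory 86400  ;# idle seconds before strikes are forgotten
}

when HTTP_REQUEST {
    set ip [IP::client_addr]

    # Already blocked: drop without extending the block (-notouch).
    if { [table lookup -notouch -subtable blacklist $ip] ne "" } {
        drop
        return
    }

    if { [class match [string tolower [HTTP::uri]] starts_with admin_uris] } {
        # Count this hit; the counter outlives the block so repeat offenders escalate.
        set strikes [table incr -subtable strikes $ip]
        table timeout -subtable strikes $ip $static::strike_memory

        # Double the block per strike: 10, 20, 40 ... capped at max_block.
        set shift [expr {$strikes - 1}]
        if { $shift > 16 } { set shift 16 }
        set block [expr {$static::base_block << $shift}]
        if { $block > $static::max_block } { set block $static::max_block }

        table set -subtable blacklist $ip $strikes $block
        log local0. "blacklist: $ip strike $strikes, blocked for ${block}s"
        drop
    }
}
```

Because the key is the client address, every user behind a shared NAT or proxy address is blocked together, which is a reason to keep the ceiling modest on public sites.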


F5 Employee

Great idea! Integrating Protocol Inspection with IP Intelligence makes sense. I logged a feature enhancement request.

(Sorry I didn't see this sooner)