Useful 13.1 addition to ASM/AFM

JWhitesPro_1928
Cirrostratus

In 13.1 it seems we have more signature/IPS-like functionality, but one thing I think the system really lacks is more actions that can be taken on hits for those signatures.

I.e.:

If someone trips a signature looking for /admin on your external site that doesn't contain a /admin directory, this user is obviously up to no good. Beyond just blocking that request, it would be nice to have, either through an iRule or built-in functionality, the ability to add that client's IP address to the shun list so that it could be blocked from everything for a specified period of time. I don't see a great way to do this at the moment without creating my own external program to read logs, keep track of IP addresses and add/remove them on time intervals... think SnortSam for Snort...


2 REPLIES

If you want to block across all sites you could add the IP to a table-based blacklist:


    when HTTP_REQUEST {
        if { [class match [string tolower [HTTP::uri]] starts_with admin_uris] } {
            # User tried to access blocked uri, adding to black list and dropping it
            # This example will block the user for 10 seconds
            table add blacklist_[IP::client_addr] 1 10
            drop
        } elseif { [table lookup -notouch blacklist_[IP::client_addr]] != "" } {
            # Previously blocked address, dropping. -notouch means that the timeout won't be reset
            drop
        }
    }

This is just a simple example. You could also add logic on how many attempts, increase the timeout if the user keeps it up, etc. Tables are global, so just add the rule to any virtual server you want to enforce the blacklist on.


/Patrik
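The "how many attempts / increase the timeout" variant Patrik mentions, written out as an added example (not Patrik's rule and not F5-supplied code). It reuses the admin_uris data group from the rule above; the 10 s base block, the doubling, the one-hour cap and the one-hour counter lifetime are assumed values to tune for your environment.

```tcl
# Added example: per-client attempt counter with an escalating block time.
# Assumes a data group named admin_uris (as in the rule above).
# The 10s base, 1h cap and 1h counter lifetime are assumed values.
when HTTP_REQUEST {
    set client [IP::client_addr]

    if { [table lookup -notouch "blacklist_$client"] != "" } {
        # Already blacklisted: drop without refreshing the block timer
        drop
    } elseif { [class match [string tolower [HTTP::uri]] starts_with admin_uris] } {
        # Count probes per client. The counter idles out 3600s after the
        # last hit, so a client that stays quiet for an hour starts over.
        set hits [table incr "hits_$client"]
        table timeout "hits_$client" 3600

        # Escalate: 10s on the first hit, doubling each repeat, capped at 1 hour
        # (10 << 8 = 2560s is the last step under the cap, so hit 9+ gets 3600s)
        if { $hits >= 9 } {
            set block 3600
        } else {
            set block [expr {10 << ($hits - 1)}]
        }

        # Value is the hit count (useful in logs); entry expires after $block seconds
        table set "blacklist_$client" $hits $block
        log local0. "Blacklisted $client for ${block}s after $hits admin probe(s): [HTTP::uri]"
        drop
    }
}
```

Because tables are global, attaching this rule to every virtual server makes a probe against one site block that client on all of them for the escalated period.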


James_Affeld
F5 Employee

Great idea! Integrating Protocol Inspection with IP Intelligence makes sense. I logged a feature enhancement request.

(Sorry I didn't see this sooner)