base on HTTP header irules to blocked request
Hi,
Demand background:
Each request must contain at least one of the four header (has configed at Application Security : Headers : HTTP Headers)
access-token
authentication
authorization
token
my bad rules:
if { [HTTP::host] == "abc.com" || [HTTP::host] == "123.biz" } {
if {[class match [HTTP::uri] contains meeting] and [ASM::violation names] eq "VIOLATION_MISSING_MANDATORY_HEADER" and [llength [ASM::violation details]] < 12} {
ASM::unblock
log local0.info "[HTTP::host] [HTTP::uri] and [llength [ASM::violation details]] and [ASM::violation details] and [ASM::violation names]"
}
}
log output:
Rule /Common/authentication_header_url_check <ASM_REQUEST_DONE>:
abc.biz
/dealerUser/auth/login and 5 and {viol_index 64} {viol_name VIOL_MANDATORY_HEADER} {header_data.header_name access-token} {header_data.header_name authentication}
{header_data.header_name token} and
VIOLATION_MISSING_MANDATORY_HEADER
It based on violation names number,Cannot match actual demand。 who has good idea,thanks a lot.