Forum Discussion
youssef1
Aug 06, 2018 | Cumulonimbus
Hi Nor,
You can try this:
when HTTP_REQUEST {
    # Walk the "temp_blocage" subtable; if the requesting client is listed, refuse the request
    foreach client_addr [table keys -subtable "temp_blocage"] {
        set violation [table lookup -notouch -subtable temp_blocage $client_addr]
        if { [IP::addr [IP::client_addr] equals $client_addr] } {
            HTTP::respond 200 content "you are temporarily blocked"
            log local0. "user with IP : $client_addr was blocked because it was previously blocked for the following reason: $violation"
            return
        }
    }
}
when ASM_REQUEST_BLOCKING {
    # ASM::violation_data returns a 7-element list; log each field by name
    set violation [ASM::violation_data]
    set client_addr [IP::client_addr]
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
            0 { log local0. "violation=[lindex $violation $i]" }
            1 { log local0. "support_id=[lindex $violation $i]" }
            2 { log local0. "web_application=[lindex $violation $i]" }
            3 { log local0. "severity=[lindex $violation $i]" }
            4 { log local0. "source_ip=[lindex $violation $i]" }
            5 { log local0. "attack_type=[lindex $violation $i]" }
            6 { log local0. "request_status=[lindex $violation $i]" }
        }
    }
    # Record the offending client with its violation data; the entry expires after 300s
    table delete -subtable temp_blocage $client_addr
    table set -subtable temp_blocage $client_addr $violation 300
}
For information, I haven't tested this iRule, but it will work. Maybe you have to fine-tune it.
So this iRule blocks your access to the application for 300s if you triggered a violation before. You can update this iRule by adding an additional condition for a specific violation, for example.
Keep me in touch if you need more details or help to update this iRule.
Regards,
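As an added example (not part of the reply above, written here to illustrate the "additional condition for a specific violation" idea), this variant looks the client up directly instead of scanning the whole subtable, only blocks for attack types listed in a datagroup, and lengthens the block on repeat offences. It assumes a string datagroup named asm_block_attack_types (hypothetical name) and an ASM policy with "Trigger ASM iRule Event" enabled so that ASM_REQUEST_BLOCKING fires.

```tcl
# Added example, not the original poster's code.
# Assumes: string datagroup "asm_block_attack_types" (hypothetical name) listing the
# attack types that should lead to a temporary block, and an ASM policy with
# "Trigger ASM iRule Event" enabled. Written for the Tcl 8.4-based iRule interpreter
# (no lassign, no expr min/max).

when HTTP_REQUEST {
    # Direct keyed lookup: O(1) instead of iterating every key on every request
    set reason [table lookup -notouch -subtable temp_blocage [IP::client_addr]]
    if { $reason ne "" } {
        HTTP::respond 403 content "you are temporarily blocked" "Connection" "close"
        log local0. "blocked [IP::client_addr] (earlier violation: $reason)"
        return
    }
}

when ASM_REQUEST_BLOCKING {
    # ASM::violation_data fields, in the order listed in the reply above
    foreach {violation support_id web_application severity source_ip attack_type request_status} \
        [ASM::violation_data] break
    set client_addr [IP::client_addr]

    # Condition for specific violations: only attack types present in the datagroup block
    if { ![class match $attack_type equals asm_block_attack_types] } {
        log local0. "ASM blocked $client_addr for $attack_type, no temporary block applied"
        return
    }

    # Count offences per client in a second subtable (counter lives for one hour)
    set count [table incr -subtable temp_blocage_count $client_addr]
    table timeout -subtable temp_blocage_count $client_addr 3600

    # Escalate: 300s, 600s, 1200s, 2400s, capped at 3600s
    if { $count > 4 } { set count 4 }
    set block_time [expr {300 * (1 << ($count - 1))}]
    if { $block_time > 3600 } { set block_time 3600 }

    table set -subtable temp_blocage $client_addr "$attack_type (support_id $support_id)" $block_time
    log local0. "temporary block for $client_addr: attack_type=$attack_type severity=$severity support_id=$support_id duration=${block_time}s offence=$count"
}
```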