Forum Discussion

JWhitesPro_1928's avatar
JWhitesPro_1928
Icon for Cirrostratus rankCirrostratus
Dec 20, 2017

Useful 13.1 addition to ASM/AFM

In 13.1 it seems we have more signature/ips like functionality but one thing I think the system really lacks is more actions that can be taken on hits for those signatures.

 

IE:

 

If someone trips a signature looking for /admin on your external site that doesn't contain a /admin directory--this user is obviously up to no good. Beyond just blocking that request it would be nice to have either through and irule or built-in functionality the ability to add that client's IP address to the shun list so that it could be blocked from everything for a specified period of time. I don't see a great way to do this at the moment without creating my own external program to read logs, keep track of ip addresses and add/remove on time intervals....think snortsam for snort...

 

2 Replies

  • If you want to block across all sites you could add the IP to a tables blacklist:

    when HTTP_REQUEST {
    
        if { [class match [string tolower [HTTP::uri]] starts_with admin_uris] } {
             User tried to access blocked uri, adding to black list and dropping it
             This example will block the user for 10 seconds
            table add blacklist_[IP::client_addr] 1 10
            drop
        } elseif { [table lookup -notouch blacklist_[IP::client_addr]] != "" } {
             Previously blocked address, dropping.
            -notouch means that the timeout won't be reset 
            drop
        }
    
    }
    

    This is just a simple example. You could also add logic on how many attempts, increase the timeout if the user keeps it up etc. Tables are global so just add the rule to any virtual server you want to enforce the blacklist on.

    /Patrik

  • Great idea! Integrating Protocol Inspection with IP Intelligence makes sense. I logged a feature enhancement request.

    (Sorry I didn't see this sooner)