auto block ip if detected by waf

Hi guys,

Is there a way to have the WAF automatically put an "offending"/detected WAF rule source IP on the blacklist?

Right now we get notifications, but I could not find a way to automatically put it on the blacklist, either permanently or temporarily.

I know there are WAF rules you can write, but that doesn't help much in these cases.

brgds

Angelos

Booker EVail

Hello,

I understand that you want to have WAF automatically put an offending or detected WAF rule source IP to the blacklist. There are different ways to do this depending on the WAF provider or platform that you are using. Here are some possible solutions that you can try:

  • Using AWS WAF: If you are using AWS WAF, you can use the AWS WAF Rate Based Rule feature to automatically block IP addresses that exceed a specified request rate threshold. You can also use the AWS WAF IP Reputation Lists feature to automatically block IP addresses that are known to be malicious or compromised. You can configure these features using the AWS WAF console, API, or CLI. You can also use the AWS WAF Security Automations solution to deploy a set of preconfigured rules and actions that can automatically respond to common web attacks.
  • Using Cloudflare WAF: If you are using Cloudflare WAF, you can use the Cloudflare Firewall Rules feature to create custom rules that can automatically block IP addresses based on various criteria, such as the WAF rule ID, the request method, the URI path, or the user agent. You can also use the Cloudflare Managed Rules feature to enable predefined rules that can automatically block IP addresses that are part of the Cloudflare IP Reputation Database or the Project Honeypot Database.
  • Using Kemp WAF: If you are using Kemp WAF, you can use the Kemp WAF Custom Rules feature to create custom rules that can automatically block IP addresses based on various conditions, such as the source IP address, the cookie, or the parameter. You can also use the Kemp WAF Known Attack Source Rules feature to automatically block IP addresses that are known to be attack sources for a specified period.

I hope this helps you find a way to have WAF automatically put an offending or detected WAF rule source IP to the blacklist. If you have any other questions or feedback, please let me know. I’m always happy to help.

Best regards,
Booker EVail

Intership Navigation IT dept

Hi Booker, thanks for the above reply.

Using Kemp WAF, but I had asked Kemp techs and they said there is no possibility to make such rules. Any insider info (or method to make them) would be nice.

I assume banning to the blocklist on a single attack would be a bad idea, so I'm not sure if there is any threshold that could be met with such a rule.

Thanks

Angelos
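
The threshold idea raised in the last comment, sketched as an added example that is not part of the original thread and is not Kemp code: an IP is banned temporarily only after several WAF detections inside a short window, and the ban expires on its own. The log line layout, rule IDs, threshold, window, ban time and allowlist are all assumptions; the script only computes the blocklist and calls no WAF API.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not a real WAF log format): "timestamp source-ip rule-id"
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 1001
2024-05-01T10:00:20 203.0.113.7 1002
2024-05-01T10:00:30 198.51.100.4 1003
2024-05-01T10:00:45 203.0.113.7 1001
2024-05-01T10:20:00 198.51.100.4 1003
2024-05-01T10:40:00 198.51.100.4 1003
"""

THRESHOLD = 3                    # detections needed before a ban (assumed value)
WINDOW = timedelta(minutes=5)    # look-back window for counting (assumed value)
BAN_TIME = timedelta(hours=1)    # temporary ban duration (assumed value)
ALLOWLIST = {"192.0.2.10"}       # hosts that must never be banned (assumed)


def compute_bans(lines):
    """Return {ip: ban_expiry} for IPs with >= THRESHOLD detections within WINDOW."""
    recent = defaultdict(deque)  # ip -> detection timestamps still inside the window
    bans = {}
    for line in lines:
        ts_text, ip, _rule = line.split()
        ts = datetime.fromisoformat(ts_text)
        if ip in ALLOWLIST or bans.get(ip, ts) > ts:
            continue             # skip allowlisted IPs and IPs whose ban is still active
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > WINDOW:
            hits.popleft()       # forget detections older than the window
        if len(hits) >= THRESHOLD:
            bans[ip] = ts + BAN_TIME
            hits.clear()         # start counting afresh once the ban expires
    return bans


def active_bans(bans, now):
    """Blocklist entries still in force at `now`; expired bans drop off."""
    return sorted(ip for ip, expiry in bans.items() if expiry > now)


if __name__ == "__main__":
    bans = compute_bans(SAMPLE_LOG.splitlines())
    for ip, expiry in bans.items():
        print(f"block {ip} until {expiry.isoformat()}")
```

In the sample, 198.51.100.4 triggers three detections spread over 40 minutes and is never banned, which is the false-positive case a single-hit ban would get wrong.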
