Forum Discussion

ErkkiS_295148's avatar
Apr 03, 2018

asm irule to unblock upon violation based on type

Hello,

 

I created a custom attack signature to block access to WSDL and sets Attack Type to "Information Leakage". Works fine and blocks stuff. blabla.com/ws/test?wsdl gets blocked.

 

Now I needed it unblocked for certain destinations. I added an iRule to unblock it in case it is a destination in the list datagroup_webservice-prod for example entry from the datagroup is /ws/test2

 

Checked the trigger iRule box in ASM under proper policy. iRule has been attached to the service.

 

What it should do: Someone accesses a wsdl, gets blocked, iRule is activated and checks if url violation is "Information Leakage" and if the destination is in the datagroup, if yes, then unblocks the access and lets the user through.

 

blabla.com/ws/test = ok blabla.com/ws/test?wsdl = blocked Accessing /ws/test2?wsdl = blocked though it should be unblocked.

 

Can someone check if the iRule looks OK?

 

 

  • Solved! YESSS!

    First clue: https://devcentral.f5.com/Wiki/iRules.ASM__violation_data.ashx

    Position   Field   Description
    **0 Violation** string that contains list of comma separated violations, see below the rquest side and response side violations for value options
    1   support_id  Unique id given for a transaction
    2   web_application ASM Web application name
    3   Severity    it will be the most critical severity of all the transaction violations, possible values: Emergency, Alert, Critical, Error, Warning, Notice and Informational
    4   source_ip   Client IP. (in case trust xff option is enabled on the policy, this will be the xff ip
    **5 attack_type**   string that contains list of comma separated attack types, see below for value options
    6   request_status  Can be “blocked” or “alarmed”
    

    Second clue: ATTACK_TYPE_INFORMATION_LEAKAGEInformation Leakage

    So I am browsing the wrong hole which is 0 for matches instead of the correct one which is 5.

    Third clue: Note: Starting version 11.5.0 this command is replaced by the commands ASM::violation, ASM::support_id, ASM::severity and ASM::client_ip which have more convenient syntax and enhanced options. It is kept for backward compatibility.

    Also had to enable compatibility mode for Trigger iRule upon ASM event.

  • Solved! YESSS!

    First clue: https://devcentral.f5.com/Wiki/iRules.ASM__violation_data.ashx

    Position   Field   Description
    **0 Violation** string that contains list of comma separated violations, see below the rquest side and response side violations for value options
    1   support_id  Unique id given for a transaction
    2   web_application ASM Web application name
    3   Severity    it will be the most critical severity of all the transaction violations, possible values: Emergency, Alert, Critical, Error, Warning, Notice and Informational
    4   source_ip   Client IP. (in case trust xff option is enabled on the policy, this will be the xff ip
    **5 attack_type**   string that contains list of comma separated attack types, see below for value options
    6   request_status  Can be “blocked” or “alarmed”
    

    Second clue: ATTACK_TYPE_INFORMATION_LEAKAGEInformation Leakage

    So I am browsing the wrong hole which is 0 for matches instead of the correct one which is 5.

    Third clue: Note: Starting version 11.5.0 this command is replaced by the commands ASM::violation, ASM::support_id, ASM::severity and ASM::client_ip which have more convenient syntax and enhanced options. It is kept for backward compatibility.

    Also had to enable compatibility mode for Trigger iRule upon ASM event.