Forum Discussion
Allow blocked content for a specific uri
I have pools of virtual servers and ASM policies associated with each. I have a wiki we use for documentation that is served by a virtual server that also serves other non-wiki sites. When a user is documenting scripts in the wiki, ASM blocks the post because the post contains "!/bin/bash" or "!/bin/perl", etc. I would like to create an iRule that would allow the post to go through, but only for a specific site, or at minimum be able to rewrite the data in the post to remove the "!/bin..." etc. and replace it with different text. I do not want to create individual ASM profiles for all of my sites that I would need to allow this behavior. Is something like this possible?
18 Replies
- Thomas_Gobet_91
Cirrostratus
Hi,
You have 2 options:
- Create an iRule which deactivates ASM on a specific URI
- Create an iRule to replace the data inspected by your ASM
Can you tell me what you want? I'll give you an example.
- John_131301
Nimbostratus
We have a wiki where a person is trying to document the scripts used. They paste their script as input and ASM disallows it because it contains the sha-bang, i.e. !/bin/bash or !/bin/perl. I would like to allow the sha-bangs in instances like this.
- Thomas_Gobet
Nimbostratus
Can you tell us what is blocking your request in ASM? I think it's an attack signature, but can you check it in your event logs?
- John_131301
Nimbostratus
Yes, it is an attack signature. ASM blocks it because it thinks malicious code or a script is being submitted. It keys off the fact that the post contains !/bin/perl or !/bin/bash, etc.
- Kevin_Stewart
Employee
If you're running 11.4, you can also use a rewrite profile (and/or the POLICY command) to enable/disable ASM processing. Before that you'd use ASM::disable in the HTTP_CLASS_SELECTED event. But it's also equally important to know that the request you're disabling ASM for is actually from a legitimate user, and that depends on how you're doing authentication.
- Thomas_Gobet
Nimbostratus
Don't worry, we're not talking about rewrite policy but rewrite profile.
Can you tell us which version you have on your BIG-IP, then we will choose the best thing for you ;)
- John_131301
Nimbostratus
We are using 11.3.0 (Build 3131.0)
- Kevin_Stewart
Employee
I actually am talking about an 11.4 "policy". I misspoke before when I mentioned a rewrite profile - a completely different thing. A policy can be used to enable/disable ASM (among many other things) based on some inline criteria. That said, a policy can only act on the request URI and headers, and not payload. So to do what you're asking, to disable ASM processing for specific content, you may necessarily have to use the ASM::disable command inside an iRule that inspects (at least the beginning) payload of each request.
- Thomas_Gobet
Nimbostratus
With this iRule you should have what you want:
    when ASM_REQUEST_BLOCKING {
        # ASM::violation_data returns a list; element 0 holds the violation name(s)
        set x [ASM::violation_data]
        if { [lindex $x 0] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED" } {
            # your_IP: the client that is allowed to post scripts (replace with a real address)
            if { [IP::client_addr] equals "your_IP" } {
                # your_expression: the text that trips the signature, e.g. the sha-bang
                if { [ASM::payload] contains "your_expression" } {
                    # ASM::disable is only valid in HTTP_REQUEST / HTTP_CLASS_SELECTED;
                    # inside ASM_REQUEST_BLOCKING the block decision is reversed with ASM::unblock
                    ASM::unblock
                }
            }
        }
    }
- John_131301
Nimbostratus
Thanks. I will give this a try.
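The "specific site" scoping asked for at the top of the thread, as an added example that is not Thomas's or Kevin's own iRule: instead of keying on a client IP and a payload string, it reverses the block only for attack-signature violations on POSTs to the wiki's edit URI, leaves every other violation and every other site blocked, and logs each unblock so the exception stays visible in the event log. The host wiki.example.com and the path /wiki/edit are assumed placeholders; it also assumes the ASM_REQUEST_BLOCKING event and ASM::unblock are available on the running version.

```tcl
# Added example (not from the thread). Assumed placeholders:
#   wiki.example.com  - the Host header the wiki answers to
#   /wiki/edit        - the URI prefix that receives pasted script text
when ASM_REQUEST_BLOCKING {
    # ASM::violation_data returns a list; element 0 holds the violation name(s)
    set vio  [lindex [ASM::violation_data] 0]
    set host [string tolower [HTTP::host]]
    set path [HTTP::path]

    # Narrow the exception as far as possible: one method, one host, one URI
    # prefix, one violation type. Anything else keeps ASM's normal verdict.
    if { [HTTP::method] equals "POST" \
         && $host equals "wiki.example.com" \
         && $path starts_with "/wiki/edit" \
         && $vio contains "VIOLATION_ATTACK_SIGNATURE_DETECTED" } {
        # Record every unblock so the exception is auditable in /var/log/ltm
        log local0. "ASM unblock: attack signature allowed for [IP::client_addr] on $host$path"
        ASM::unblock
    }
}
```

Because the other signatures and violation classes (for example parameter or file-type violations) are not in the condition, a pasted script still fails the policy on anything other than the signature match this thread is about.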