Forum Discussion
ASM - Block GET requests on a specific URL
Hello,
I'm trying hard to block GET requests on a specific URL with the ASM module. This URL has to allow only POST requests, and I saw that GET/POST requests are allowed by default in the Methods section, without the ability to modify this behaviour.
Do you have an idea how I could perform that? (through ASM or an iRule?)
Thanks a lot for your help.
17 Replies
- Hannes_Rapp
Nimbostratus
The "Allowed Methods" entity covers the policy as a whole. As far as I'm aware, no such granularity exists to have exceptions per Path, or per URI. This alone is a show-stopper, not to mention the hacks you need to implement to prohibit GET method in ASM. To achieve what you requested, your best bet is to use an iRule.
It would be the easiest solution to drop or reject a request in LTM. A slightly harder solution would be raising a user-defined violation that you define in ASM. This way your users will see the typical ASM blocking page in response. You will still need to use an iRule to raise the violation itself.
Let us know if any help with iRule is needed.
- 0veracl0ud
Nimbostratus
Thank you for your answer !
I assume that with LTM the iRule will look like this:

```tcl
when HTTP_REQUEST {
    # Note: HTTP::uri includes the query string, so "/mypath/index.aspx?x=1" would not match this exact comparison
    if { ([HTTP::method] equals "GET") and ([HTTP::uri] equals "/mypath/index.aspx") } {
        drop
    }
}
```

But I'm new to the ASM module. I'm not sure how to implement the iRule to get an ASM blocking response page...
- Hannes_Rapp
Nimbostratus
1 - Creating a new User-defined ASM violation
Security > Options > Application Security > Advanced Configuration > Violations List > User Defined Violations (tab); Select "Create New User-Defined Violation"
Sample Field Values (adjust as needed):
Name "VIOLATION_FORBIDDEN_GET_PATH"
Title "GET Request to a restricted path"
Type "Access Violation"
Severity "Alert"
Attack Type "Abuse of Functionality"
Description (leave empty)
2 - Go to Blocking Settings
Select Block for your new custom violation (or Alarm, if you want to transparently test)
3 - Creating an iRule
The sample below covers the simplest use-case, a single path. In case of 10 or more paths, using an LTM data group entry match, or a switch statement, would be a better option.

```tcl
when HTTP_REQUEST {
    # Flag the request here; HTTP::method / HTTP::path are evaluated in HTTP_REQUEST
    set reqBlock 0
    if { ([HTTP::method] equals "GET") and ([string tolower [HTTP::path]] equals "/mypath/index.aspx") } {
        set reqBlock 1
    }
}
when ASM_REQUEST_DONE {
    # Raise the user-defined violation so ASM serves its blocking page
    if { $reqBlock == 1 } {
        ASM::raise VIOLATION_FORBIDDEN_GET_PATH
    }
}
```

- Stanislas_Piro2
Cumulonimbus
Hi, nice solution! Is it possible to check the HTTP method and HTTP path in the ASM_REQUEST_DONE event?
- Hannes_Rapp
Nimbostratus
Worth a try, but I'd expect a TCL error to occur. At least in case of 11.3, this was not possible. Perhaps a newer version already supports common HTTP_REQUEST functions to be called in ASM_REQUEST_DONE event.
- Bharat_Merja_24
Historic F5 Account
Hi, I used the same context in my iRule as follows, but I'm not able to get the ASM_REQUEST_DONE event triggered.

```tcl
when HTTP_REQUEST {
    set reqBlock 0
    if { ([HTTP::method] equals "GET") and ([string tolower [HTTP::path]] starts_with "/home/") } {
        set reqBlock 1
        log local0. "now reqBlock = $reqBlock"
    }
}
when ASM_REQUEST_DONE {
    log local0. "ASM_REQUEST_DONE triggered"
    if { $reqBlock == 1 } {
        ASM::raise BLOCK_PATH_ACCESS
        log local0. "ASM have raised BLOCK_PATH_ACCESS"
    }
}
```

I don't know the reason. I have tried the same on 11.6.x and 12.1.1 with the same results: not able to get the log "ASM_REQUEST_DONE triggered".
- 0veracl0ud
Nimbostratus
Thanks a lot! I understand the iRule and the way you create the User-defined violation. It could be helpful for my next ASM deployment.
Currently, I don't understand why I don't see the ASM violation when I make a GET request on the URI. I'm troubleshooting that. I didn't forget to enable BLOCK mode for this new violation...
- 0veracl0ud
Nimbostratus
Hello,
I'm trying to make this iRule work, but I saw in the stats that there are no executions for the ASM_REQUEST_DONE part:

```
ASM_POST Maquette ASM_REQUEST_DONE 0 0 0
ASM_POST Maquette HTTP_REQUEST 78 0 0
```

What's wrong?
Thank you for your help.
- 0veracl0ud
Nimbostratus
I can answer myself, after troubleshooting with several "log local0." statements in the iRule :)
The ASM part didn't work simply because I didn't enable the "Trigger ASM iRule Events" option in my ASM Policy --> https://devcentral.f5.com/questions/where-in-f5-asm-do-i-enable-the-trigger-asm-irule-event-setting
Thanks for your help.
See you soon.
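Putting the thread's pieces together, here is an added example (not code from the original posts or from F5) that extends Hannes_Rapp's single-path iRule to several POST-only paths with a switch statement, as his note about 10 or more paths suggests. The path list and the data-group name dg_post_only_paths mentioned in the comments are assumptions; the violation name is the one defined in step 1 of his answer. Like the original, it only works with "Trigger ASM iRule Events" enabled on the policy (0veracl0ud's finding); without it ASM_REQUEST_DONE never fires and the flagged request is silently allowed through, which is worth checking in the iRule stats before assuming the block is in place.

```tcl
# Added example, not from the original posts: block GET on several POST-only
# paths by raising the user-defined ASM violation created in step 1.
# Assumptions: VIOLATION_FORBIDDEN_GET_PATH exists and is set to Block (or Alarm
# while testing), and "Trigger ASM iRule Events" is enabled on the ASM policy.

when HTTP_REQUEST {
    # Reset on every request; the flag is consumed later in ASM_REQUEST_DONE,
    # where HTTP::method / HTTP::path may not be usable (see the thread).
    set reqBlock 0

    # HTTP::path excludes the query string, so "/mypath/index.aspx?x=1" still
    # matches; HTTP::uri would not. Lower-casing gives case-insensitive matching.
    set path [string tolower [HTTP::path]]

    if { [HTTP::method] equals "GET" } {
        # Hypothetical POST-only paths; a trailing "-" makes a pattern share
        # the body of the next one, and -glob allows prefix matches like "/upload/*".
        switch -glob -- $path {
            "/mypath/index.aspx" -
            "/account/password" -
            "/upload/*" {
                set reqBlock 1
            }
        }

        # Data-group alternative for long lists (uncomment after creating the
        # string data group dg_post_only_paths with the path prefixes as keys):
        # if { [class match $path starts_with dg_post_only_paths] } { set reqBlock 1 }
    }
}

when ASM_REQUEST_DONE {
    # Raising here, rather than dropping in HTTP_REQUEST, means the client
    # receives the policy's blocking page and the event shows in the ASM request log.
    if { $reqBlock == 1 } {
        ASM::raise VIOLATION_FORBIDDEN_GET_PATH
        log local0. "Raised VIOLATION_FORBIDDEN_GET_PATH for GET $path"
    }
}
```

Set the new violation to Alarm first and watch the ASM request log for a few GETs against the listed paths; once the expected events appear, switch it to Block. If no ASM_REQUEST_DONE executions show up in the iRule stats, the policy's "Trigger ASM iRule Events" setting is the first thing to verify.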
