Forum Discussion
F5Team
Cirrus
CirrusASM - Disable violation for a specific URI
Below is the violation detected for a certain URI. We are looking to disable only for this specific URI
Evasion technique detected [1]
Detected Evasion Technique Bad unescape
Parameter Value
"1.0"?<UserName>xxxxxxx</UserName><UserPassword>Hello123%</UserPassword><CurrentDateTime>2023-05-29</CurrentDateTime><UserType>U
ssword>Hello123%</UserPassword><
(Password contains the character '%')
1. Would the following iRule help? Can we also include character of the parameter value to the iRule to be more specific (ASM::violation details, parameter_data.value)
when ASM_REQUEST_DONE {
if {[ASM::violation names] contains "Evasion technique detected" and [string tolower [HTTP::uri]] contains "URI"}
{
ASM::unblock
log local0. "ASM unblocking [HTTP::uri]"
}
}
2. Would adding a return carriage or a space to the html code before the </UserPassword> work?
Hi F5Team ,
you can use irule like you wrote above also see these Article about 1-ASM irules , 2- how to get the correct name of the violation to specifiy it in the iRule:
> https://my.f5.com/manage/s/article/K15573541
> https://my.f5.com/manage/s/article/K37744422But what if another violation under ( Evasion Technique Detection ) other than Badunescape one.
I would recommend to adjust the system variable attribute "ecard_max_http_req_uri_len" to higher value but you need to do that in a maintenance window because you need to restard asm deamon service for the changes to take effect , to do that please refer to this article :
https://my.f5.com/manage/s/article/K000092642
you will find within it another article with the steps.
I hope that helps you
F5TeamThanks
We've used another option "Security Policy Microservices", which can be applied to more specific traffic.This unblocked 'Bad unescape' only for that specific URI.
1) Go to Security ›› Application Security : Security Policies : Policies List ›› Policy name
2) Select Microservices --> Create --> as shown in the screenshot.
