ASM Api Rest $filter question

Question

Hi,
version 12.1.2, ASM module.
I need to use $filter together with option "contains", not "eq" as commonly used.
According to this article it should be possible, but it looks it is not as I've been getting only parsing errors.
Example:
From list of ASM policy signatures I need to find signature using ID given by GUI.
Looks like it is possible only by looping through all signatures within policy (/asm/policies//signatures) and trying to match against signature ID which I got when asking /asm/signatures?$filter=signatureId eq &amp;$select=id.
In practise I need to filter signature which signatureReference contains specific ID o4C6lMG4tza8YX-85RRKFA:
{   u'items': [{  u'enabled': True,
                  u'id': u'K4k2wNgjBwH6B81hkIIDwg',
                  u'kind': u'tm:asm:policies:signatures:signaturestate',
                  u'lastUpdateMicros': 1521786878000000.0,
                  u'performStaging': True,
                  u'selfLink': u'https://localhost/mgmt/tm/asm/policies/9gV6OhNsX7jnw9sPSfRGmQ/signatures/K4k2wNgjBwH6B81hkIIDwg?ver=12.1.2',
                  u'signatureReference': {   u'link': u'https://localhost/mgmt/tm/asm/signatures/o4C6lMG4tza8YX-85RRKFA?ver=12.1.2'}}],
    u'kind': u'tm:asm:policies:signatures:signaturecollectionstate',

When trying this GET request:
/asm/policies/9gV6OhNsX7jnw9sPSfRGmQ/signatures?$filter=signatureReference contains o4C6lMG4tza8YX-85RRKFA'
I get error:
Can not parse $filter: \'signatureReference contains o4C6lMG4tza8YX-85RRKFA\'
Question is, is really using "contains" supported when using $filter in Rest API?
Thanks,
Zdenek

abdessamad_851 · Answer

It looks like only basic operators are supported in version 12:¬†
eq - equalne - not equallt - less thanle - less than or equalgt - greater thange - greater than or equalLogical Operators:- and- or- not
https://devcentral.f5.com/s/articles/demystifying-icontrol-rest-part-3-how-to-pass-query-parameters-and-tmsh-options¬†
You need to go for version 13 to be able to use the "contains" command¬†
https://clouddocs.f5.com/api/icontrol-rest/¬†

suttonsc · Answer

The syntax can be a bit tricky, for curl there is the added escaping that is not needed if using Postman. The following was tested using curl against BIG-IP v12.1.3.4:&nbsp;Simple filter using contains:&nbsp;$ curl -sku admin:admin https://155.121.lab.es.f5net.com/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures?\$filter=contains$id,\'_zZQ8rpWoL9mFeg8MZqIIg\'$ | jq .
{
  "kind": "tm:asm:policies:signatures:signaturecollectionstate",
  "selfLink": "https://localhost/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures?ver=12.1.3&amp;$filter=contains(id%2C'_zZQ8rpWoL9mFeg8MZqIIg')",
  "totalItems": 1,
  "items": [
    {
      "kind": "tm:asm:policies:signatures:signaturestate",
      "selfLink": "https://localhost/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures/_zZQ8rpWoL9mFeg8MZqIIg?ver=12.1.3",
      "signatureReference": {
        "link": "https://localhost/mgmt/tm/asm/signatures/3lXrJ-kq-EnlidWPaM32Ug?ver=12.1.3"
      },
      "lastUpdateMicros": 1464814636000000,
      "id": "_zZQ8rpWoL9mFeg8MZqIIg",
      "performStaging": true,
      "enabled": true
    }
  ]
}
`
When trying to parse the 'signatureReference' there is a invalid reference issue unless you expand and then filter:
`$ curl -sku admin:admin https://155.121.lab.es.f5net.com/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures?\$expand=signatureReference$signature/id,\'3lXrJ-kq-EnlidWPaM32Ug\'$ | jq .
{
  "kind": "tm:asm:policies:signatures:signaturecollectionstate",
  "selfLink": "https://localhost/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures?$expand=signatureReference&amp;ver=12.1.3&amp;$filter=contains(signature%2Fid%2C'3lXrJ-kq-EnlidWPaM32Ug')",
  "totalItems": 1,
  "items": [
    {
      "kind": "tm:asm:policies:signatures:signaturestate",
      "selfLink": "https://localhost/mgmt/tm/asm/policies/Fqpvw5rn1SzYqgrCR9CA1Q/signatures/_zZQ8rpWoL9mFeg8MZqIIg?ver=12.1.3",
      "signature": {
        "matchesWithinGwt": true,
        "isUserDefined": false,
        "matchesWithinCookie": true,
        "selfLink": "https://localhost/mgmt/tm/asm/signatures/3lXrJ-kq-EnlidWPaM32Ug?ver=12.1.3",
        "matchesWithinParameter": true,
        "systems": [
          {
            "systemReference": {
              "link": "https://localhost/mgmt/tm/asm/signature-systems/b9hI1sIulARJ09bbdy0VQw?ver=12.1.3"
            }
          }
        ],
        "matchesWithinXml": true,
        "id": "3lXrJ-kq-EnlidWPaM32Ug",
        "matchesWithinHeader": false,
        "signatureId": 200000128,
        "matchesWithinJson": true,
        "name": "img tag: src/dynsrc/lowsrc (Parameter)",
        "lastUpdateMicros": 1525137548000000,
        "description": "Summary:\nThis event is generated when an attempt is made to exploit a Cross Site Scripting (XSS) vulnerability. This is a general attack detection signature (i.e. it is not specific to any web application).\n\n--\nImpact:\nSuccessful exploitation will result in information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application can result. Possible execution of arbitrary code of the attacker's choosing can result.\n\n--\nDetailed Information:\nThis event indicates that an attempt has been made to exploit a Cross Site Scripting vulnerability in an application running on a webserver.\nCross Site Scripting (XSS) occurs when a web application doesn't sanitize user-supplied input and places it directly into the page returned to the user. Usually the attacker will submit malicious JavaScript, VBScript, ActiveX, HTML, or Flash code to the vulnerable web site.\n\n--\nAffected Systems:\nAll systems that accept user input are potentially affected.\n\n--\nAttack Scenarios:\nAn attacker can supply a malicious link designed to steal information from a user clicking on that link.\n\n--\nEase of Attack:\nVary from simple to medium.\n\n--\nFalse Positives:\nSome applications send various script code to the web server as legitimate input.\nSome free-text user input may match Cross Site Scripting signatures.\n\n--\nFalse Negatives:\nNone known.\n\n--\nCorrective Action:\nEnsure the system is using an up to date version of the software and has had all vendor supplied patches applied.\nUtilize \"Positive Security Model\" by accepting only known types of input in web application.\n\n--\nAdditional References:\n\nThe Cross Site Scripting (XSS) FAQ\nhttp://www.cgisecurity.com/articles/xss-faq.shtml\n\nCross-site scripting\nhttp://en.wikipedia.org/wiki/Cross_site_scripting\n\n--\n",
        "revision": "3",
        "attackTypeReference": {
          "link": "https://localhost/mgmt/tm/asm/attack-types/MFsWvSAV_Z5j1vSkR0hnXg?ver=12.1.3"
        },
        "matchesWithinResponse": false,
        "matchesWithinRequest": false,
        "matchesWithinUri": false,
        "accuracy": "low",
        "risk": "low",
        "signatureType": "request"
      },
      "lastUpdateMicros": 1464814636000000,
      "id": "_zZQ8rpWoL9mFeg8MZqIIg",
      "performStaging": true,
      "enabled": true
    }
  ]
}Let me know if this answers your question.&nbsp;

Forum Discussion

ASM Api Rest $filter question

Recent Discussions

AS3 Limitations

Unable to install firmware OS and drop at 10%

Statistics ›› Analytics : HTTP : Overview

How to Renew F5 Device Certificate

F5 ASM CEF Sending Logs in Specific TimeZone

Related Content

Updating SSL Certificates on BIG-IP using REST API

Beyond REST: Protecting GraphQL

List of F5 iControl REST API Endpoints

iControl REST 101: What is iControl REST?

iControl REST Fine-Grained Role Based Access Control

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS