Forum Discussion
Brad_53264
Nimbostratus
Nov 01, 2008
ASM custom blocking response & iRules
I am trying to write an iRule to do search and replace logic on the body of a custom blocking response.
When I add headers to the custom blocking response within ASM I do not see them when logging the headers within a "when HTTP_RESPONSE" iRule.
Can this be done, or is the ASM blocking response mechanism disconnected from iRules present on the VIP?
I am running 9.4.3.
11 Replies
- hoolio
Cirrostratus
Hi there,
Out of curiosity, why are you trying to do this?
Testing with a simple iRule on 9.4.5HF2, I see HTTP_RESPONSE being triggered when a request is blocked. None of the headers are logged as they would be in a normal response from the pool.
I'd suggest opening a case with F5 and asking them why this is and whether there are any plans for supporting modification of the headers and/or body for ASM blocking responses.
Also, I'd strongly suggest upgrading to 9.4.5HF2 as there have been a lot of major issues fixed in the latest version and hotfix.
Aaron
- Brad_53264
Nimbostratus
I have multiple VIPs protected by 1 ASM policy. I am trying to configure the ASM blocking response page using SOL7825: Redirecting a blocking response support ID to an external error page.
The site I am redirecting to will be different for each VIP. My iRule would do search and replace logic on the response to set the site.
- AaronJB
Ret. Employee
Unfortunately the HTTP_RESPONSE event fires before ASM has made any modifications to (or replacement of) the response received from the node, and the same is true for the blocking response page. In essence you are seeing the embryonic blocking page before it has actually been constructed by the ASM.
At present there are no plans to extend the iRules functionality - for example adding an HTTP_RESPONSE_SEND event to allow manipulation of the response before it leaves TMM (after it has passed through ASM) - but as Aaron says above, you can use v9.4's VIP-targeting-VIP functionality to achieve the same aim.
Thanks,
Aaron
- AaronJB
Ret. Employee
I agree it would be good Aaron, indeed I attempted to get an RFE CR for this particular use case recently - unfortunately the message in return was that this enhancement would not be considered.
However, as this request would be coming from an end customer rather than internal I would agree with your recommendation to create a case requesting the feature so that we can track the use-cases in the field and attempt to push this forward somehow.
Aaron
- hoolio
Cirrostratus
Hi Aaron, thanks for the tip. It's there now:
SOL9388: Using an iRule to parse post-ASM responses
It's novel but still seems like a hack--it would be great if F5 would support additional iRule events to provide a simpler method for handling illegal requests from an iRule.
Aaron
- brad_11480
Nimbostratus
If a couple of variables were available in the ASM response page in addition to TS.session.ID, this could be easily done without the complications and 'wizardry' described in SOL9388 and iRules and all. Perhaps a TS.vs.name could be available.
Is this perhaps provided? I might open a case to find out since I couldn't see anything in the knowledgebase.
Thanks for your help.
- hoolio
Cirrostratus
Hi Brad,
I don't think any new functionality in this area has been added to the product. But it might make sense to add more variables like requested host header value, VS name, etc. The best way to pursue this is by opening a case with F5 Support and asking them to create a request for enhancement change request for you.
Aaron
- brad_11480
Nimbostratus
And Version 10 has added some iRule events that can be set.
ASM_REQUEST_BLOCKING
ASM_REQUEST_VIOLATION
ASM_RESPONSE_VIOLATION
So I'm looking at the information on these (wiki/default.aspxiRules.ASM) and finding that either I don't understand it or it isn't working as the examples show.
The example in http://devcentral.f5.com/wiki/default.aspx/iRules/ASM__violation_data.html
seems to indicate that you can redirect the URI, but trying to do this doesn't seem to change the fact that it issues the canned block page. I would MUCH prefer to handle the response pages by returning static pages from the various applications. The canned messages are plain text and (1) the business doesn't like the look, and (2) any changes to the information require an update to the policy. Let the business do this.
So I would like to replace the response page, basically cancel the canned response and either issue a redirect (which causes another error--011f0007:3: http_process_state_prepend - Invalid action EV_SINK_HEADER during ST_HTTP_PREPEND_HEADERS ) or a http::uri substitution (which doesn't seem to occur).
Looks like some progress, but information and examples are sketchy.... THANKS SO MUCH.
- hoolio
Cirrostratus
Hi Brad,
Can you check your other post for a reply?
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/afv/topic/aft/1166838/aff/5/showtab/groupforums/Default.aspx
Aaron
- Mike_Nepomny
Nimbostratus
Hi
I am using iRule ASM_REQUEST_BLOCKING event and I have access to violation, attack_type and webapp. How can I fetch HTTP request and response (or response code) for this violation with this iRule?
Thank you.
Mike