ASM iRule events not working
Hi all,
I activated this iRule in my Virtual Server:
when HTTP_REQUEST {
    set redirect 0
    set requri [HTTP::uri]
}
when ASM_REQUEST_BLOCKING {
    set redirect 1
}
when HTTP_RESPONSE {
    if { $redirect } {
        switch -glob $requri {
            /url1* { HTTP::redirect "https://url1/index" }
            /url2* { HTTP::redirect "https://url2/index" }
            /url3* { HTTP::redirect "https://url3/index" }
            default { }
        }
    }
}
I also enabled the "Trigger ASM iRule Events" option on my ASM security Policy which is in Blocking Mode. But, even so, redirections don't work after a violation is triggered.
Any ideas?
- Albert_252822Nimbostratus
The iRule doesn't work, neither using HTTP::redirect nor using HTTP::respond 302 Location.
- Hannes_RappNimbostratus
Have not tested, but in theory, this should do what you want:
when ASM_REQUEST_DONE {
    if { [ASM::status] equals "blocked" } {
        switch -glob [string tolower [HTTP::path]] {
            "/url1*" {
                ASM::unblock
                HTTP::respond 302 Location "https://url1/index" Connection Close
            }
            "/url2*" {
                ASM::unblock
                HTTP::respond 302 Location "https://url2/index" Connection Close
            }
            "/url3*" {
                ASM::unblock
                HTTP::respond 302 Location "https://url3/index" Connection Close
            }
            default { }
        }
    }
}
- Albert_252822Nimbostratus
Hi Hannes, thanks for your help.
I tested this iRule, replacing my whole iRule, and it doesn't work. I have the same result: after a violation I see the ASM Default Response Page.
I'm sure I'm missing something but I can't find it. My ASM Security Policy has "Trigger ASM iRule Events" enabled and "ASM iRules Event Mode" in Normal Mode. I also have the Default Response Page configured (code 200 - OK)
- Hannes_RappNimbostratus
I can only recommend checking /var/log/ltm - are there any iRule processing Tcl errors? Make sure this iRule has priority by moving it first in the list order, or use the 'priority' function.
Also note that if it is possible to invoke a redirect from the ASM_REQUEST_BLOCKING event, rather use the sample Stanislas posted. This possibility varies across BigIP versions.
- Albert_252822Nimbostratus
My original iRule is not showing any errors in the logs. Although it is not working properly, there aren't syntax errors:
info: ASM blocking
- Stanislas_Piro2Cumulonimbus
Hi,
You can use HTTP::redirect inside ASM_REQUEST_BLOCKING:
when ASM_REQUEST_BLOCKING {
    switch -glob [HTTP::path] {
        /url1* { HTTP::redirect "https://url1/index" }
        /url2* { HTTP::redirect "https://url2/index" }
        /url3* { HTTP::redirect "https://url3/index" }
        default { }
    }
}
Two others provided some specific iRule assistance; I can only add that you should add logging to determine whether the events get hit at all.
- Albert_252822Nimbostratus
I had this line in my ASM_REQUEST_BLOCKING block but I didn't include it in my post:
log local0. "ASM blocking"
Where should I see this message in case violations are triggered? ASM Event Logs only shows the violations. Maybe system logs?
- Stanislas_Piro2Cumulonimbus
local0. events are written to the /var/log/ltm file.
You can see these logs in System / Logs / local traffic.
- Stanislas_Piro2Cumulonimbus
Hi,
After some tests, the solution is to use your first iRule, but replace the event HTTP_RESPONSE with HTTP_RESPONSE_RELEASE.
It works in my lab with version 12.1.
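The change described in the post above, written out as an added example (not code from any poster in this thread): the original iRule with HTTP_RESPONSE replaced by HTTP_RESPONSE_RELEASE, plus the log local0. lines suggested earlier so that each event can be confirmed in /var/log/ltm. The /url1*, /url2* and /url3* mappings are the placeholders from the original post; the log message wording is an assumption.

```tcl
# Added example, not from the thread's authors.
# Requires "Trigger ASM iRule Events" enabled on the ASM policy.

when HTTP_REQUEST {
    # Reset per-request state: one connection can carry several requests.
    set redirect 0
    set requri [HTTP::uri]
}

when ASM_REQUEST_BLOCKING {
    # ASM decided to block this request: flag it for the release event.
    set redirect 1
    log local0. "ASM blocking: $requri"
}

when HTTP_RESPONSE_RELEASE {
    # HTTP_RESPONSE is replaced by HTTP_RESPONSE_RELEASE, as the post
    # above reports working on version 12.1.
    if { $redirect } {
        set redirect 0
        switch -glob $requri {
            "/url1*" {
                log local0. "Redirecting blocked request $requri to url1"
                HTTP::redirect "https://url1/index"
            }
            "/url2*" {
                log local0. "Redirecting blocked request $requri to url2"
                HTTP::redirect "https://url2/index"
            }
            "/url3*" {
                log local0. "Redirecting blocked request $requri to url3"
                HTTP::redirect "https://url3/index"
            }
            default {
                # No mapping: the ASM response page is sent unchanged.
                log local0. "Blocked request $requri has no redirect mapping"
            }
        }
    }
}
```

If "ASM blocking" appears in /var/log/ltm but no "Redirecting" line follows, the release event is not firing for blocked requests on that version.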
- JinshuCirrus
Why can't we use when ASM_REQUEST_DONE rather than using when ASM_REQUEST_BLOCKING?
-Jinshu
Hi Folks,
in the past I've experienced some major issues using the regular ASM redirect responses pointing to an ASM enabled default/error page.
The problem was that a poorly written Bot/Crawler/VA-Scanner was getting blocked because of its User-Agent information. The client was able to follow the ASM redirects, resulting in another blocked request, and then just ended up in an endless redirect loop, which had consumed lots of system resources over hours.
I've analysed the possibilities to manipulate the default blocking page behavior and ended up with a solution which detects HTTP::redirect loops and retrieves the [ASM::support_id] during ASM_REQUEST_DONE and then manipulates the regular ASM violation page response, to become either a JScript redirect page or a static 200 OK error page, using the [ASM::payload] command during the ASM_REQUEST_BLOCKING event.
Note: The iRule passes the RequestID to the redirected site as a B64encoded query string. The query string is then used to detect the redirect loop and send the 200OK response displaying the RequestID of the initial violation.
Integration iRule event:
when HTTP_REQUEST {
    if { [HTTP::host] eq "www.site.de" } then {
        set ASM_Policy_Violation_Page_URL "/default.aspx"
    } elseif { [HTTP::host] eq "www2.site.de" } then {
        set ASM_Policy_Violation_Page_URL "/sites/default.aspx"
    }
}
ASM iRule Events:
when ASM_REQUEST_DONE {

    # Purpose      : The GLOBAL_ASM_ViolationPage_Selector file is responsible for controling redirects to different ASM errorpages.
    # Author       : Kai Wilke (kw@itacs.de)
    # Date         : 16.01.2015
    # Version      : v3.1 (Build 3100.0)
    # Dependencies : Enable "Trigger ASM iRule Events"
    #                Enable "Normal" ASM iRules Event mode
    #                Set Violation Page response to "Default Response"

    set debug 0
    set log_prefix "Debug: \"[HTTP::uri]\" >"

    if { $debug } { log -noname local0. "$log_prefix --- Entering \"ASM_Selector\" ASM_REQUEST_DONE iRule ---" }

    if { [ASM::status] eq "blocked" } then {

        # Handler for ASM Policy Violations

        if { $debug } { log -noname local0. "$log_prefix +++ Entering \"ASM_Policy_Violation\" Handler +++" }
        if { $debug } { log -noname local0. "$log_prefix An ASM Policy Violation ocoured. Evalutating error page settings for this request and preparing the response." }

        if { [info exist ASM_Policy_Violation_Page_URL] } then {

            # Handler for ASM Violation Custom Error Pages

            if { [URI::query [HTTP::uri] RequestID] eq "" } then {

                # Handler for ASM Violation Custom ErrorPage redirects

                if { $debug } { log -noname local0. "$log_prefix The HTTP-Request does not contain a \"RequestID\" query string. Preparing redirect to \"$ASM_Policy_Violation_Page_URL\" handler." }
                set asm_policy_violation_response "$ASM_Policy_Violation_Page_URL?RequestID= [b64encode "SupportID: [ASM::support_id]"]"

            } else {

                # Handler for ASM Violation Redirect Loop Detection

                if { $debug } { log -noname local0. "$log_prefix HTTP-Request contains a \"RequestID\" query string. Disabling the custom page redirects to avoid loops." }
                if { $debug } { log -noname local0. "$log_prefix Enumerating the existing ASM Violation ID and setting up the static violation error page." }

                catch { b64encode [b64decode [URI::query [HTTP::uri] RequestID]] } asm_policy_violation_existing_id

                if { $asm_policy_violation_existing_id eq "" } then {
                    if { $debug } { log -noname local0. "$log_prefix Existing ASM Violation ID couldnt be retrieved. Generating empty session id within custom response." }
                    set asm_policy_violation_response "200ok U3VwcG9ydElEOiBNYWxmb3JtZWQgU3VwcG9ydElEIHJlY2VpdmVk"
                } else {
                    if { $debug } { log -noname local0. "$log_prefix Existing ASM Violation ID retrieved successfully. Using existing session id within custom response." }
                    set asm_policy_violation_response "200ok $asm_policy_violation_existing_id"
                }

                unset -nocomplain asm_policy_violation_existing_id

            }

            if { $debug } { log -noname local0. "$log_prefix +++ Leaving \"ASM_Policy_Violation_Custom_ErrorPages\" Handler +++" }

            unset -nocomplain ASM_Policy_Violation_Page_URL

        } else {

            # Handler for ASM Violation Static Error Page

            if { $debug } { log -noname local0. "$log_prefix +++ Entering \"ASM_Policy_Violation_Static_ErrorPage\" Handler +++" }
            if { $debug } { log -noname local0. "$log_prefix Setting up the static violation error page and sending page to the client." }

            set asm_policy_violation_response "200ok [b64encode "SupportID: [ASM::support_id]"]"

            if { $debug } { log -noname local0. "$log_prefix +++ Leaving \"ASM_Policy_Violation_Static_ErrorPage\" Handler +++" }

        }
    }

    if { $debug } { log -noname local0. "$log_prefix --- Leaving \"ASM_Selector\" ASM_REQUEST_DONE iRule ---" }

}
when ASM_REQUEST_BLOCKING {

    set debug 0
    set log_prefix "Debug: \"[HTTP::uri]\" >"

    # Handler for ASM Violation Blocking Page Overwrite

    if { $debug } { log -noname local0. "$log_prefix --- Entering \"ASM_Selector\" ASM_REQUEST_BLOCKING iRule ---" }
    if { $debug } { log -noname local0. "$log_prefix Evaluate \"asm_policy_violation_response\" parameter to decide if client side redirect code are required." }

    if { $asm_policy_violation_response starts_with "200ok " } then {

        # Handler for ASM Violation Static Error Page

        if { $debug } { log -noname local0. "$log_prefix +++ Entering \"ASM_Policy_Violation_Static_ErrorPage\" Handler +++" }
        if { $debug } { log -noname local0. "$log_prefix Setting up the violation error page without client side redirect code." }

        set response " Illegal Request StatusAn illegal request was received. SupportID[lindex $asm_policy_violation_response 1] "

        if { $debug } { log -noname local0. "$log_prefix +++ Leaving \"ASM_Policy_Violation_Static_ErrorPage\" Handler +++" }

    } else {

        # Handler for ASM Violation Custom Error Page Redirect

        if { $debug } { log -noname local0. "$log_prefix +++ Entering \"ASM_Policy_Violation_Custom_ErrorPage_Redirect\" Handler +++" }
        if { $debug } { log -noname local0. "$log_prefix Setting up the violation error page with client side redirect code." }

        set response " Illegal Request StatusAn illegal request was received. SupportID[lindex $asm_policy_violation_response 1] "

        if { $debug } { log -noname local0. "$log_prefix +++ Leaving \"ASM_Policy_Violation_Custom_ErrorPage_Redirect\" Handler +++" }

    }

    unset -nocomplain asm_policy_violation_response

    # Handler for ASM Violation Custom Error Page replacement

    if { $debug } { log -noname local0. "$log_prefix +++ Entering \"ASM_Policy_Violation_Custom_ErrorPage_Replacement\" Handler +++" }
    if { $debug } { log -noname local0. "$log_prefix Erasing the global definied ASM blocking page." }

    ASM::payload replace 0 [ASM::payload length] ""

    if { $debug } { log -noname local0. "$log_prefix Setting the custom ASM blocking page." }

    ASM::payload replace 0 0 $response
    unset -nocomplain response

    if { $debug } { log -noname local0. "$log_prefix Adjusting the \"Content-Length\" to reflect new \"ASM_Payload_Length\"." }

    HTTP::header remove Content-Length
    HTTP::header insert Content-Length [ASM::payload length]

    if { $debug } { log -noname local0. "$log_prefix +++ Leaving \"ASM_Policy_Violation_Custom_ErrorPage_Replacement\" Handler +++" }
    if { $debug } { log -noname local0. "$log_prefix --- Leaving \"ASM_Selector\" ASM_REQUEST_BLOCKING iRule ---" }

}
Cheers, Kai