Forum Discussion
ASM irule to disable attack signature authorization header with specific value
- Apr 10, 2023
Hi f5learner,
Can you try this iRule?
when ASM_REQUEST_DONE { if { [ASM::violation names] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED" && [HTTP::header Authorization] starts_with "Bearer" } { ASM::unblock } }
Trigger ASM iRule Events Mode should be set Normal on the WAF policy.
Note that if the request has any violations other than "attack signature detected", the request will be completely unblocked.
- Apr 20, 2023
Hi,
When more than one violation occurs, if "Block" is active in one violation, but not in the other violation, the request_status for ASM::violation_data does not occur individually. It is defined as "block".
A separate control is required for violations that are not in the block. I think, rather than using such an iRule, a simple policy should be preferred.
https://clouddocs.f5.com/api/irules/ASM__violation_data.html
Hi,
Can you test this iRule?
when ASM_REQUEST_DONE {
if { [ASM::violation names] eq "VIOLATION_ATTACK_SIGNATURE_DETECTED" && [b64decode [llookup [ASM::violation details] "header.header_name"]] eq "Authorization" && [HTTP::header Authorization] starts_with "Bearer" } {
log local0. "Request unblocked - URI: [HTTP::uri] - ClientIP: [IP::client_addr] - Authorization: [HTTP::header Authorization]"
ASM::unblock
}
}
With this iRule, the request will be unblocked only if occurs following conditions:
- Only Attack signature violation occurs
- Attack signature is in the Authorization header
- Authorization header starts with Bearer
In all other cases, the blocking will continue.
You can view the logs in the /var/log/ltm.
- f5learnerApr 12, 2023Nimbostratus
thank you so much, looks like we are almost there but still not working. is it because above provided irule ONLY expecting attack signature violation but there is also "Modified domain cookie" detection. However modified cookie is in ALARM mode. so should further modification needed? please see below screenshots
- f5learnerApr 14, 2023Nimbostratus
please let me know if you need furhter inforamtion, thank you so much for your assistance
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com