Forum Discussion

f5learner's avatar
f5learner
Icon for Nimbostratus rankNimbostratus
Apr 10, 2023

ASM irule to disable attack signature authorization header with specific value

hello is there an irule to DISABLE ASM attack signature on the Authorization header if value contains "Bearer" but still check attack signature on rest of the payload
devops
security
  • Enes_Afsin_Al's avatar
    Enes_Afsin_Al
    Apr 10, 2023

    Hi f5learner,

    Can you try this iRule?

    when ASM_REQUEST_DONE {
    if { [ASM::violation names] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED" && [HTTP::header Authorization] starts_with "Bearer" } {
        ASM::unblock
    }
}

    Trigger ASM iRule Events Mode should be set Normal on the WAF policy.

    Note that if the request has any violations other than "attack signature detected", the request will be completely unblocked.

  • Enes_Afsin_Al's avatar
    Enes_Afsin_Al
    Apr 20, 2023

    Hi,

    When more than one violation occurs, if "Block" is active in one violation, but not in the other violation, the request_status for ASM::violation_data does not occur individually. It is defined as "block".

    A separate control is required for violations that are not in the block. I think, rather than using such an iRule, a simple policy should be preferred.

    https://clouddocs.f5.com/api/irules/ASM__violation_data.html

Enes_Afsin_Al's avatar
Enes_Afsin_Al
Icon for MVP rankMVP
Apr 20, 2023

Hi,

When more than one violation occurs, if "Block" is active in one violation, but not in the other violation, the request_status for ASM::violation_data does not occur individually. It is defined as "block".

A separate control is required for violations that are not in the block. I think, rather than using such an iRule, a simple policy should be preferred.

https://clouddocs.f5.com/api/irules/ASM__violation_data.html

  • f5learner's avatar
    f5learner
    Icon for Nimbostratus rankNimbostratus
    Apr 25, 2023

    thank you so much for all the help