Forum Discussion

David_M
Sep 03, 2019

ASM iRule use cases and doubts

As I am prepping for the 303 ASM exam I see asm has its own irule events.


I have used the unblock one in the past, however what are the use cases for the others?


I see one for creating a custom blocking page.


Also how are the normal and compatible modes to be used and what's the real difference. It seems they just control the moment when certain events are executed but how exactly is that useful in a real scenario?


Thanks.

ASM-related events let you interact with and potentially change application security policy behavior using an iRule. Three common events are ASM_REQUEST_DONE, ASM_REQUEST_BLOCKING, and ASM_RESPONSE_VIOLATION. Any of these three need to be triggered before the iRule will fire, and the additional commands below give you more leverage over the event.

Here are some commands and example usage:

ASM::captcha -- Sends a CAPTCHA challenge to the client
ASM::captcha_age -- Returns the age of the sent CAPTCHA challenge
ASM::captcha_status -- Returns the status of the user's answer to the CAPTCHA challenge
ASM::client_ip -- Returns the IP address of the client that sent the request
ASM::disable -- Disables ASM processing on the request
ASM::enable -- Enables ASM processing on the request
ASM::fingerprint -- Returns the device ID of the client (if you have Device ID enabled)
ASM::microservice -- Returns the microservice matched for the request
ASM::payload -- Retrieves or replaces the payload collected by the system
ASM::policy -- Returns the name of the application security policy that applies to this request
ASM::raise -- Issues a user-defined violation on the current request (you must create the violation)
ASM::severity -- Returns the overall severity of violations found in the request
ASM::signature -- Returns a list of enforced or staged attack signatures detected in the request
ASM::support_id -- Returns the support ID of the current request
ASM::threat_campaigns -- Returns a list of threat campaigns detected in the request
ASM::unblock -- Unblocks a blocked request (perhaps you are blocking all clients from a disallowed geolocation, but you wish to allow a single IP address from that geolocation)
ASM::uncaptcha -- Overrides the CAPTCHA action for a request mitigated during a brute-force attack
ASM::violation -- Disables F5 Advanced WAF processing on the connection
ASM::violation_data -- Enables F5 Advanced WAF processing on the connection


Normal mode instructs ASM to invoke the event ASM_REQUEST_DONE after processing each request, regardless of whether the request triggered any violations. This gives you the opportunity to perform actions after ASM handles requests whether they trigger, or do not trigger, violations.

Compatibility mode instructs ASM to invoke the event ASM_REQUEST_VIOLATION after processing each request that triggered a violation. This gives you the opportunity to perform actions after ASM handles only requests which trigger violations. This was the only option available in versions prior to BIG-IP version 11.5.0.
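The ASM::unblock use case described in the reply (a blanket geolocation block with a narrow exception), written out as an added example iRule that is not part of the original thread. It assumes an address-type data group named asm_geo_unblock_allowlist (hypothetical name) holding the permitted client IPs, and uses ASM::violation names to make sure the geolocation violation is the only one present before lifting the block; verify the violation name against your own policy's violation list.

```tcl
# Added example, not from the original post.
# Assumes an address data group "asm_geo_unblock_allowlist" (hypothetical name).
# Runs in ASM_REQUEST_BLOCKING, the only event in which ASM::unblock is valid.
when ASM_REQUEST_BLOCKING {
    set client     [ASM::client_ip]
    set sid        [ASM::support_id]
    set violations [ASM::violation names]

    # Anyone not on the allowlist keeps the block decided by the policy.
    if { ![class match $client equals asm_geo_unblock_allowlist] } {
        log local0. "ASM block kept: client=$client support_id=$sid violations=$violations"
        return
    }

    # Lift the block only when the geolocation violation is the sole violation.
    # A request that also carries an attack signature or other violation stays
    # blocked, so the allowlist never becomes a general bypass of the policy.
    # "VIOLATION_GEOLOCATION" is the assumed internal name; confirm it in your policy.
    if { [llength $violations] == 1 && [lindex $violations 0] eq "VIOLATION_GEOLOCATION" } {
        ASM::unblock
        log local0. "ASM geolocation block lifted: client=$client support_id=$sid"
    } else {
        log local0. "ASM block kept for allowlisted client=$client support_id=$sid violations=$violations"
    }
}
```

Every branch logs the support ID, so each exception can be tied back to the matching ASM request log entry during review.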