Forum Discussion
ASM length of Illegal URL
I'm new to working with ASM. I have a policy in blocking mode in our test environment, and the error I'm researching is:
Request blocked, violations: Illegal URL length
My questions are: where is this length defined?
The developer doesn't think it is a significant risk.
The length of one of the URLs posted is 3848 characters.
I'm assuming this length is adjustable; if so, a pointer to some docs would be a great help.
Thanks
5 Replies
- nathe
Cirrocumulus
Steve
I think this setting is located under Application Security - Options - Advanced Configuration - ecard_max_http_req_uri_len.
If you go to Application Security - Policy - select your Policy - Blocking - Settings, you should be able to configure the Illegal URL Length triggers there. I take it Block is enabled? If Learn is, then you can use it to reconfigure your policy.
Hope this helps
N

- Mike_Maher
Nimbostratus
Steve,
There is actually a much easier way to find what you are looking for and make the change. The URL Length is something that is defined under File Types. So you go to Application Security > File Types > Allowed file types and you will see the column for URL Length. You will need to know what the file extension is on the end of the URL being blocked and adjust the appropriate one.
Nathan was correct, though, in saying that if you have learning turned on for Illegal URL length, you can go to Manual Policy Building > Traffic Learning, and there you should see a violation for Length Errors; click on that and you should be able to find the block from there.
Mike

- Steve_88099
Nimbostratus
Thanks for the replies, below is the added detail on my Blocked transaction.
If I understand Nathan's post, under Options - Advanced Configuration - ecard_max_http_req_uri_len the default is set to 2048.
I'm guessing changing this would affect all application URLs.
I would like to adjust the length to be longer than the default for ONLY the relative starting URI /AdminCategories.do.......
How do I do that?
Thanks.
From Export Security Events Report:
Requested URL: [HTTPS]
Web Application: my.company.com_asm
Source IP Address: xx.xx.177.200:24454
Destination IP Address: xx.xx.5.62:443
Country: United States
Time: 2011-11-09 14:37:55
Request Status: Illegal, Blocked
Severity: Warning
Response Status Code: N/A
Potential Attacks: N/A
Detected Violations:
Violation            Severity   Learn   Alarm   Block
Illegal URL length   Warning    Yes     Yes     Yes
Request:
GET /AdminCategories.do?method=Save&selectedCategories (Thousands of characters...)

- Mike_Maher
Nimbostratus
Hmmmm..... I am not sure you can do that, because the URL length control is under the File Type, not the specific URL, so you would be adjusting the entire .do file type category. The only way I could think of to do what you are asking is to create another HTTP Class/Policy for just that URL. You can go and create an HTTP Class, then check the box that says URI Paths, select Match Only in the drop-down box and put in /AdminCategories.do. Then you can configure the URL length specifically for that URL. Obviously this is a bit messy in that you now have a separate policy for just the one URL, but you keep an edge on the security. Honestly, though, I would probably just adjust the URL Length for .do in the main policy and call it a day; as long as your back-end server/application is configured well and can handle other .do URLs of the same length, there is really not much of a concern.
Mike

- Steve_88099
Nimbostratus
For those who may stumble upon this thread, there are ASM features in addition to what Mike is referring to regarding file types.
The gory details are in the Configuration Guide for BIG-IP Application Security Manager, spread out over chapter 6, Manually Configuring a Security Policy, and chapter 10, Working with Parameters.
ASM has a very configurable and fine-grained model to interrogate traffic before it gets to the application server.
The issue I ran into is that my application created a relative URI that was longer than the default allowed, and it was blocked.
Customizing a rule that will allow a longer URI is a 2-step process:
1. Define an explicit URL.
2. Define a parameter linked to your URL with the length allowed.
Of course there are a couple more details, but that's what manuals are for ;-)
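Whichever route is taken (Mike's file-type URL Length adjustment, or the explicit URL plus parameter length that Steve describes), the first step is to measure the blocked request so the new limit is set to what the application actually sends rather than guessed at. The script below is an added example for that triage step; it is not code from this thread or from F5. It takes the request line as it appears in an ASM security event export and reports the path length (the part keyed by file type extension), the query string length, the whole request target length against the 2048 default quoted above for ecard_max_http_req_uri_len, and the longest value and occurrence count per parameter name (what an explicit parameter's length setting has to admit). The sample request is constructed to resemble the blocked /AdminCategories.do request; the 2048 threshold and which of these lengths your ASM version compares to which setting are assumptions to confirm against your own policy.

```python
"""Triage helper for an ASM "Illegal URL length" block.

Added example, not code from the thread or from F5. Feed it the request
line from the security event export and it reports the lengths a policy
editor needs before raising a file type URL Length or adding an explicit
URL with a parameter length. The 2048 default is the value quoted in the
thread for ecard_max_http_req_uri_len and is an assumption here.
"""
from urllib.parse import urlsplit, parse_qsl
import posixpath

DEFAULT_MAX_REQ_URI_LEN = 2048  # quoted in the thread; check your own policy


def build_sample_request_line(n_values=150):
    """Constructed sample modelled on the blocked request in the thread:
    GET /AdminCategories.do?method=Save&selectedCategories=... repeated."""
    pairs = ["method=Save"] + [f"selectedCategories={i:05d}" for i in range(n_values)]
    return "GET /AdminCategories.do?" + "&".join(pairs) + " HTTP/1.1"


def triage_request_line(request_line, max_uri_len=DEFAULT_MAX_REQ_URI_LEN):
    """Measure the request target and return the figures needed to decide
    which ASM setting has to change and by how much."""
    method, target, *_ = request_line.split(" ", 2)   # "GET /path?q HTTP/1.1"
    parts = urlsplit(target)
    path, query = parts.path, parts.query
    # ASM file types are keyed by the extension of the path ("do" here)
    ext = posixpath.splitext(path)[1].lstrip(".")

    # Longest value and occurrence count per parameter name; the longest
    # value is what an explicit parameter's maximum length must admit.
    longest, count = {}, {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        longest[name] = max(longest.get(name, 0), len(value))
        count[name] = count.get(name, 0) + 1

    return {
        "method": method,
        "path": path,
        "file_type": ext or "no_ext",
        "path_length": len(path),
        "query_length": len(query),
        "uri_length": len(target),
        "max_uri_len": max_uri_len,
        "over_limit": len(target) > max_uri_len,
        "excess": max(0, len(target) - max_uri_len),
        "longest_param_value": longest,
        "param_count": count,
    }


def print_report(report):
    """Human-readable summary for the ticket back to the developer."""
    print(f"{report['method']} {report['path']} (file type: {report['file_type']})")
    print(f"  path {report['path_length']}, query {report['query_length']}, "
          f"request target {report['uri_length']} chars")
    if report["over_limit"]:
        print(f"  exceeds the {report['max_uri_len']} limit by {report['excess']} chars")
    for name, n in sorted(report["param_count"].items(), key=lambda kv: -kv[1]):
        print(f"  {name}: {n} occurrence(s), longest value "
              f"{report['longest_param_value'][name]} chars")


if __name__ == "__main__":
    print_report(triage_request_line(build_sample_request_line()))
```

Run it against the real request line copied from the export (not the constructed sample) and the "excess" figure tells you how far past the default the application goes; the per-parameter figures tell you whether one repeated parameter (selectedCategories in the thread's case) is responsible, which is the case where an explicit URL with a parameter length entry is the tighter fix than raising the limit for every .do URL.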