Forum Discussion
ASM_REQUEST_BLOCKING not being triggered in iRule
Has anyone here faced the issue of "ASM_REQUEST_BLOCKING" not being triggered in an LTM iRule?
The "Trigger ASM iRule Events Mode" is set to normal in ASM policy
Running v15.1.0.5
New setup, never tried this before.
Thanks
To be sure, you are creating violations, right?
Different types?
- Abed_AL-R (Cirrostratus)
Yes
I mean I do get the access rejected page, but I get the default page, and I need to customize it.
As described here: https://support.f5.com/csp/article/K22017023
And you have the iRule associated with the virtual server that also has the ASM profile, with "Trigger ASM iRule Events Mode" enabled?
Can you add some log statements to your iRule events to see if they get triggered at all?
Does the LTM log show something related at the moment?
- Abed_AL-R (Cirrostratus)
Does anyone have any idea how to solve this?
The only thing I saw in previous questions is that it didn't trigger for all types of violations; the example there was Data Guard, which didn't trigger it. You might try a couple of different violation types to rule that out.
But if that is OK and you have the configuration set up correctly (which you seem to have) and it still doesn't work, then it could be a bug; best to have F5 support look at your configuration and determine whether it is a bug.
- Abed_AL-R (Cirrostratus)
The thing with F5 technical support is they do not support iRules.
Only in rare cases, or if you have some sort of support level contract ...
- crodriguez (Ret. Employee)
Have you tried using ASM_REQUEST_DONE instead of ASM_REQUEST_VIOLATION? ASM_REQUEST_VIOLATION was deprecated in v11.5 and replaced with ASM_REQUEST_DONE.
- Abed_AL-R (Cirrostratus)
If I do that then my website will not be reached and I'll get this browser error message:
This page isn’t working my.domain.com didn’t send any data. ERR_EMPTY_RESPONSE
I see the iRule triggered, but with errors in /var/log/ltm:
Oct 12 07:30:07 My-F5 info tmm5[14584]: Rule /Common/ASM_custom_block_page_v3 <ASM_REQUEST_DONE>: hello world
Oct 12 07:30:08 My-F5 err tmm5[14584]: 011f0016:3: http_process_state_prepend - Invalid action:0x10a010 Server sends too much data. serverside (172.26.137.34:443 -> 172.26.137.46:6759) clientside (1.2.3.4:62170 -> 172.26.137.41:443) (Server side: vip=/Common/myserver_test profile=http pool=/Common/srv-myserver server_ip=172.26.137.34)
How is your full iRule looking now?
If you only test with the example from https://clouddocs.f5.com/api/irules/ASM_REQUEST_DONE.html, what happens?
- Abed_AL-R (Cirrostratus)
Hi
I launched this iRule and tried to create a violation; the ASM blocked me, but the LTM log doesn't show anything related to the "req block" log. Here is the output:
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563438358212
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Informational
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=clear
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563489517902
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Informational
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=clear
Because you didn't trigger a violation, according to the output. The violation is empty and it shouldn't be.
Yours:
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
Test from me:
Oct 22 13:40:01 bigip-01 info tmm2[20840]: Rule /Common/irule-asm_blockpage <ASM_REQUEST_DONE>: violation=VIOLATION_REQ_LEN,VIOLATION_OBJ_LEN,VIOLATION_OBJ_TYPE
There is no violation information in yours, and there should be.
So you have to check if everything is set up correctly: perhaps multiple ASM policies and not having the right one here, or ... it is difficult to determine what it could be from a distance.
Reaching out to F5 support would be a good idea if you don't see an issue; it might be a bug. I'm running 14.1 and don't have 15.1 quickly available.
- Abed_AL-R (Cirrostratus)
But I did trigger a violation.
I also received a support ID, and ASM blocked my request.
I will try to reach out to support soon.
Thanks :)
Can you look up that support ID and share the output (redacted where needed)?
- Abed_AL-R (Cirrostratus)
Sure
Attached
Ah interesting, a redirect violation, that might be the reason, as it is in the response.
Can you try with another kind of violation?
I believe that found the issue. As this is a response violation (it is not something bad sent by the client, but the response the web server sends that should be blocked), it should be handled in the ASM_RESPONSE_VIOLATION event.
This iRule both logs the violation and allows me to rewrite the block page:
    when ASM_RESPONSE_VIOLATION {
        log local0. "response violation"
        # ASM::violation_data returns a seven-element list in this fixed order
        set x [ASM::violation_data]
        for {set i 0} { $i < 7 } {incr i} {
            switch $i {
                0 { log local0. "violation=[lindex $x $i]" }
                1 { log local0. "support_id=[lindex $x $i]" }
                2 { log local0. "web_application=[lindex $x $i]" }
                3 { log local0. "severity=[lindex $x $i]" }
                4 { log local0. "source_ip=[lindex $x $i]" }
                5 { log local0. "attack_type=[lindex $x $i]" }
                6 { log local0. "request_status=[lindex $x $i]" }
            }
        }
        # Replace the default block page body and correct Content-Length to match
        ASM::payload replace 0 [ASM::payload length] ""
        ASM::payload replace 0 0 "12345607890"
        HTTP::header replace Content-Length [ASM::payload length]
    }
Logs:
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: response violation
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: violation=VIOLATION_REDIRECT
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: support_id=5611810483771277404
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: web_application=/Common/asm-1
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: severity=Error
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: attack_type=ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: request_status=blocked
Once you can confirm, I'll try to get the cloud docs updated. These things can be made a lot easier with a couple of extra lines explaining the different types of events.
- Abed_AL-R (Cirrostratus)
Hi
I tried a different violation (illegal file type) and now I can see the req block:
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563816978112
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Informational
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=clear
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=VIOLATION_OBJ_TYPE
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563816985952
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Critical
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=ATTACK_TYPE_FORCEFUL_BROWSING
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=blocked
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_BLOCKING>: req block
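The diagnosis in this thread comes down to reading the seven ASM::violation_data fields that the test iRule logs one per line: an empty violation= with request_status=clear means ASM_REQUEST_BLOCKING can never fire for that request, while a VIOLATION_REDIRECT only ever surfaces in ASM_RESPONSE_VIOLATION. As an added example (not code from the thread or from F5), the Python script below groups such /var/log/ltm lines into one record per transaction and states which event is expected to act on it. The sample log is constructed from the excerpts posted above; the line regex assumes the tmm syslog layout shown in those excerpts.

```python
import re

# One /var/log/ltm line: "<timestamp> <host> <level> tmmN[pid]: Rule <rule> <EVENT>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\S+) "
    r"(?P<tmm>tmm\d*)\[\d+\]: Rule (?P<rule>\S+) <(?P<event>[A-Z_]+)>: (?P<msg>.*)$"
)
FIELD_RE = re.compile(r"^(?P<key>[a-z_]+)=(?P<value>.*)$")

# The seven elements ASM::violation_data returns, in order; the iRules in the
# thread log them one per line under these names.
FIELDS = ("violation", "support_id", "web_application", "severity",
          "source_ip", "attack_type", "request_status")

# Constructed sample, modelled on the log excerpts posted in the thread
# (a clear request, a request-side block, and a response-side redirect violation).
SAMPLE_LOG = """\
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563438358212
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Informational
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=clear
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=VIOLATION_OBJ_TYPE
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563816985952
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Critical
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=ATTACK_TYPE_FORCEFUL_BROWSING
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=blocked
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_BLOCKING>: req block
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: response violation
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: violation=VIOLATION_REDIRECT
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: support_id=5611810483771277404
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: web_application=/Common/asm-1
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: severity=Error
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: attack_type=ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: request_status=blocked
"""


def parse_ltm_log(text):
    """Group the per-field log lines into one record per ASM transaction.

    Grouping is per TMM: the seven field lines of one transaction are emitted back
    to back by the same tmm process, and the ASM_REQUEST_BLOCKING line, when it
    fires, follows the ASM_REQUEST_DONE fields of the same request.
    """
    records = []
    open_rec = {}  # tmm name -> record currently being filled
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tmm, event, msg = m.group("tmm"), m.group("event"), m.group("msg")
        f = FIELD_RE.match(msg)
        key = f.group("key") if f and f.group("key") in FIELDS else None
        rec = open_rec.get(tmm)
        finished = rec is not None and "request_status" in rec
        # A new record starts when nothing is open for this tmm, when the open one is
        # complete (and this is not its trailing blocking line), or when a second
        # "violation=" line appears, which is always the first field logged.
        if (rec is None
                or (finished and event != "ASM_REQUEST_BLOCKING")
                or (key == "violation" and "violation" in rec)):
            rec = {"tmm": tmm, "rule": m.group("rule"), "events": []}
            open_rec[tmm] = rec
            records.append(rec)
        if event not in rec["events"]:
            rec["events"].append(event)
        if key is not None:
            rec[key] = f.group("value")
    return records


def classify(rec):
    """Say which ASM event is expected to act on this transaction, from the logged fields."""
    violation = rec.get("violation", "")
    status = rec.get("request_status", "")
    events = rec["events"]
    if not violation:
        return f"no violation recorded (request_status={status or '?'}): ASM_REQUEST_BLOCKING cannot fire"
    if "ASM_RESPONSE_VIOLATION" in events:
        return f"response-side violation {violation}: handle it in ASM_RESPONSE_VIOLATION"
    if "ASM_REQUEST_BLOCKING" in events:
        return f"request-side violation {violation} blocked in ASM_REQUEST_BLOCKING"
    if status == "blocked":
        return f"blocked for {violation} but no blocking event logged: check that the iRule and ASM profile are on the same virtual server"
    return f"violation {violation} logged but request_status={status}: request was not blocked"


def summarize(text):
    """Return [(support_id, verdict)] for every transaction found in the log text."""
    return [(r.get("support_id", "?"), classify(r)) for r in parse_ltm_log(text)]


if __name__ == "__main__":
    for support_id, verdict in summarize(SAMPLE_LOG):
        print(f"{support_id}: {verdict}")
```

Run it against a copy of /var/log/ltm taken while reproducing the violation; a transaction whose verdict is "no violation recorded" is the case boneyard points out above, and one whose violation only appears under ASM_RESPONSE_VIOLATION is the redirect case that made the original iRule look broken.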
- Abed_AL-R (Cirrostratus)
Thank you boneyard.
This iRule is working fine.
I just had to add an "if support ID exists" condition in the "ASM_REQUEST_DONE" section:
    when HTTP_REQUEST {
        # Host and URI are client-controlled; HTML-escape them so the block page
        # cannot reflect markup or script back into the browser
        set requri [string map [list "&" "&amp;" "<" "&lt;" ">" "&gt;" "\"" "&quot;" "'" "&#39;"] "https://[HTTP::host][HTTP::uri]"]
    }
    when ASM_RESPONSE_VIOLATION {
        log local0. "hello world1"
        #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
        set asm_support_id1 [ASM::support_id]
        HTTP::header remove Content-Length
        HTTP::header insert header_1 value_1
        set client_ip1 [IP::client_addr]
        set response1 "<html><head><title>Request Rejected</title></head><body> The requested URL was rejected. Please consult with your administrator.<br><br> Your support ID is: $asm_support_id1<br><br><a href='javascript:history.back();'>Go Back</a><br><br> Your URL is: $requri <br><br> Your client IP is: $client_ip1 </body></html>"
        log local0. "req block1"
        ASM::payload replace 0 [ASM::payload length] ""
        ASM::payload replace 0 0 $response1
        HTTP::header replace Content-Length [ASM::payload length]
    }
    when ASM_REQUEST_DONE {
        log local0. "hello world2"
        #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
        set asm_support_id2 [ASM::support_id]
        # Only build the page when ASM returned a support ID. (The original
        # "info exists $asm_support_id2" looked for a variable named after the
        # ID's value, which never exists, so response2 was never set.)
        if { $asm_support_id2 ne "" } {
            HTTP::header remove Content-Length
            HTTP::header insert header_1 value_1
            set client_ip2 [IP::client_addr]
            set response2 "<html><head><title>Request Rejected</title></head><body> The requested URL was rejected. Please consult with your administrator.<br><br> Your support ID is: $asm_support_id2<br><br><a href='javascript:history.back();'>Go Back</a><br><br> Your URL is: $requri <br><br> Your client IP is: $client_ip2 </body></html>"
        }
    }
    when ASM_REQUEST_BLOCKING {
        log local0. "req block2"
        ASM::payload replace 0 [ASM::payload length] ""
        ASM::payload replace 0 0 $response2
        HTTP::header replace Content-Length [ASM::payload length]
    }
This is the iRule I took to the next level with an iFile and custom HTML/JavaScript code:
    #Created by: AbedB 04-11-2020
    #Do not edit this iRule without AbedB permission
    when HTTP_REQUEST {
        # Host and URI are client-controlled; HTML-escape them so the block page
        # cannot reflect markup or script back into the browser
        set requri [string map [list "&" "&amp;" "<" "&lt;" ">" "&gt;" "\"" "&quot;" "'" "&#39;"] "https://[HTTP::host][HTTP::uri]"]
    }
    when ASM_RESPONSE_VIOLATION {
        log local0. "hello world1"
        #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
        set asm_support_id1 [ASM::support_id]
        HTTP::header remove Content-Length
        HTTP::header insert header_1 value_1
        set client_ip1 [IP::client_addr]
        # subst fills in the $asm_support_id1, $requri and $client_ip1 references in
        # the iFile; -nocommands/-nobackslashes keep everything else literal. (The
        # original wrapped this in a literal "HTTP::respond 200 content ..." string,
        # which would have been sent to the browser as page text.)
        set response1 [subst -nocommands -nobackslashes [ifile get "blockpage1.html"]]
        log local0. "req block1 and support id is: $asm_support_id1"
        ASM::payload replace 0 [ASM::payload length] ""
        ASM::payload replace 0 0 $response1
        HTTP::header replace Content-Length [ASM::payload length]
    }
    when ASM_REQUEST_DONE {
        log local0. "hello world2"
        #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
        set asm_support_id2 [ASM::support_id]
        # Only build the page when ASM returned a support ID (the original
        # "info exists $asm_support_id2" tested a variable named after the value)
        if { $asm_support_id2 ne "" } {
            HTTP::header remove Content-Length
            HTTP::header insert header_1 value_1
            set client_ip2 [IP::client_addr]
            set response2 [subst -nocommands -nobackslashes [ifile get "blockpage2.html"]]
        }
    }
    when ASM_REQUEST_BLOCKING {
        log local0. "req block2"
        ASM::payload replace 0 [ASM::payload length] ""
        ASM::payload replace 0 0 $response2
        HTTP::header replace Content-Length [ASM::payload length]
    }