Forum Discussion

Abed_AL-R's avatar
Abed_AL-R
Icon for Cirrostratus rankCirrostratus
Oct 03, 2020

ASM_REQUEST_BLOCKING not being triggered in iRule

Anyone here faced the issue that "ASM_REQUEST_BLOCKING" not being triggered in LTM iRule ? The "Trigger ASM iRule Events Mode" is set to normal in ASM policy Running v15.1.0.5 New setup, never tri...
ASM Advanced WAF
iRules
LTM
security
  • boneyard's avatar
    boneyard
    Oct 26, 2020

    I believe it found the issue, as this is a response violation (it is not something bad send by the client, but the response the webserver sends is what should be blocked) it should be handled in the ASM_RESPONSE_VIOLATION event.

    this iRule both logs the violation and allows me to rewrite the block page.

    when ASM_RESPONSE_VIOLATION {
 
  log local0. "response violation"
 
  set x [ASM::violation_data]
 
  for {set i 0} { $i < 7 } {incr i} {
      switch $i {
      0         { log local0. "violation=[lindex $x $i]" }
      1         { log local0. "support_id=[lindex $x $i]" }
      2         { log local0. "web_application=[lindex $x $i]" }
      3         { log local0. "severity=[lindex $x $i]" }
      4         { log local0. "source_ip=[lindex $x $i]" }
      5         { log local0. "attack_type=[lindex $x $i]" }
      6         { log local0. "request_status=[lindex $x $i]" }
 
   }}
   
  ASM::payload replace 0 [ASM::payload length] ""
  ASM::payload replace 0 0 "12345607890"
  HTTP::header replace Content-Length [ASM::payload length]
  
}

    logs

    Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: response violation
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: violation=VIOLATION_REDIRECT
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: support_id=5611810483771277404
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: web_application=/Common/asm-1
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: severity=Error
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: attack_type=ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: request_status=blocked

     once you can confirm ill try to get the cloud docs updated. these things can be made a lot easier when a couple of extra lines explaining the different types of events.

boneyard's avatar
boneyard
Icon for MVP rankMVP
Oct 04, 2020

to be sure you are creating violations right?

 

different types?

  • Abed_AL-R's avatar
    Abed_AL-R
    Icon for Cirrostratus rankCirrostratus
    Oct 04, 2020

    Yes

    I mean I do get the access rejected page, but I get the default page, and I need to customize it.

    like described here: https://support.f5.com/csp/article/K22017023

     

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP
      Oct 04, 2020

      and you have the irule associated with the virtual server that also has the ASM profile with the "Trigger ASM iRule Events Mode" enabled?

       

      can you add some log statements to your iRule events to see if they get triggered at all?

       

      does the ltm log show something related at the moment?

    • Abed_AL-R's avatar
      Abed_AL-R
      Icon for Cirrostratus rankCirrostratus
      Oct 04, 2020

      Yes It is the same VS.

      And yes I tried to add log.local to the iRule but nothing detected at the section of "ASM_REQUEST_BLOCKING"..