Forum Discussion
ASM_REQUEST_BLOCKING not being triggered in iRule
- Oct 26, 2020
I believe it found the issue, as this is a response violation (it is not something bad send by the client, but the response the webserver sends is what should be blocked) it should be handled in the ASM_RESPONSE_VIOLATION event.
this iRule both logs the violation and allows me to rewrite the block page.
when ASM_RESPONSE_VIOLATION { log local0. "response violation" set x [ASM::violation_data] for {set i 0} { $i < 7 } {incr i} { switch $i { 0 { log local0. "violation=[lindex $x $i]" } 1 { log local0. "support_id=[lindex $x $i]" } 2 { log local0. "web_application=[lindex $x $i]" } 3 { log local0. "severity=[lindex $x $i]" } 4 { log local0. "source_ip=[lindex $x $i]" } 5 { log local0. "attack_type=[lindex $x $i]" } 6 { log local0. "request_status=[lindex $x $i]" } }} ASM::payload replace 0 [ASM::payload length] "" ASM::payload replace 0 0 "12345607890" HTTP::header replace Content-Length [ASM::payload length] }
logs
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: response violation Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: violation=VIOLATION_REDIRECT Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: support_id=5611810483771277404 Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: web_application=/Common/asm-1 Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: severity=Error Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: attack_type=ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: request_status=blocked
once you can confirm ill try to get the cloud docs updated. these things can be made a lot easier when a couple of extra lines explaining the different types of events.
to be sure you are creating violations right?
different types?
Yes
I mean I do get the access rejected page, but I get the default page, and I need to customize it.
like described here: https://support.f5.com/csp/article/K22017023
- boneyardOct 04, 2020MVP
and you have the irule associated with the virtual server that also has the ASM profile with the "Trigger ASM iRule Events Mode" enabled?
can you add some log statements to your iRule events to see if they get triggered at all?
does the ltm log show something related at the moment?
- Abed_AL-ROct 04, 2020Cirrostratus
Yes It is the same VS.
And yes I tried to add log.local to the iRule but nothing detected at the section of "ASM_REQUEST_BLOCKING"..
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com