Forum Discussion

Abed_AL-R's avatar
Abed_AL-R
Icon for Cirrostratus rankCirrostratus
Oct 03, 2020

ASM_REQUEST_BLOCKING not being triggered in iRule

Anyone here faced the issue that "ASM_REQUEST_BLOCKING" not being triggered in LTM iRule ? The "Trigger ASM iRule Events Mode" is set to normal in ASM policy Running v15.1.0.5 New setup, never tri...
ASM Advanced WAF
iRules
LTM
security
  • boneyard's avatar
    boneyard
    Oct 26, 2020

    I believe it found the issue, as this is a response violation (it is not something bad send by the client, but the response the webserver sends is what should be blocked) it should be handled in the ASM_RESPONSE_VIOLATION event.

    this iRule both logs the violation and allows me to rewrite the block page.

    when ASM_RESPONSE_VIOLATION {
 
  log local0. "response violation"
 
  set x [ASM::violation_data]
 
  for {set i 0} { $i < 7 } {incr i} {
      switch $i {
      0         { log local0. "violation=[lindex $x $i]" }
      1         { log local0. "support_id=[lindex $x $i]" }
      2         { log local0. "web_application=[lindex $x $i]" }
      3         { log local0. "severity=[lindex $x $i]" }
      4         { log local0. "source_ip=[lindex $x $i]" }
      5         { log local0. "attack_type=[lindex $x $i]" }
      6         { log local0. "request_status=[lindex $x $i]" }
 
   }}
   
  ASM::payload replace 0 [ASM::payload length] ""
  ASM::payload replace 0 0 "12345607890"
  HTTP::header replace Content-Length [ASM::payload length]
  
}

    logs

    Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: response violation
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: violation=VIOLATION_REDIRECT
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: support_id=5611810483771277404
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: web_application=/Common/asm-1
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: severity=Error
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: attack_type=ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: request_status=blocked

     once you can confirm ill try to get the cloud docs updated. these things can be made a lot easier when a couple of extra lines explaining the different types of events.

Abed_AL-R's avatar
Abed_AL-R
Icon for Cirrostratus rankCirrostratus
Oct 09, 2020

Does anyone has any idea on how to solve this?

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Oct 10, 2020

    only thing i saw in previous questions is that it didn't trigger for all types of violations, the example there was data guard which didnt trigger it. you might try a couple of different violation types to rule that out.

     

    but if that is ok and if you got a the configuration setup correctly (which you seem to have) and it still doesnt work then it could be a bug, best to have F5 support have a look at your configuration and determine if it is a bug.

    • Abed_AL-R's avatar
      Abed_AL-R
      Icon for Cirrostratus rankCirrostratus
      Oct 10, 2020

      The thing with F5 technical support is tey do not support iRules.

      Only in rare cases. or if you have some sort of support level contract ....

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP
      Oct 10, 2020

      they don't support full debugging / writing of iRules, but they will in my experience assist in something like this or if something clearly fails. specially when you are just following F5 articles and do something relatively simple as this. i would certainly try them.