Forum Discussion
ASM_REQUEST_BLOCKING not being triggered in iRule
- Oct 26, 2020
I believe it found the issue, as this is a response violation (it is not something bad send by the client, but the response the webserver sends is what should be blocked) it should be handled in the ASM_RESPONSE_VIOLATION event.
this iRule both logs the violation and allows me to rewrite the block page.
when ASM_RESPONSE_VIOLATION { log local0. "response violation" set x [ASM::violation_data] for {set i 0} { $i < 7 } {incr i} { switch $i { 0 { log local0. "violation=[lindex $x $i]" } 1 { log local0. "support_id=[lindex $x $i]" } 2 { log local0. "web_application=[lindex $x $i]" } 3 { log local0. "severity=[lindex $x $i]" } 4 { log local0. "source_ip=[lindex $x $i]" } 5 { log local0. "attack_type=[lindex $x $i]" } 6 { log local0. "request_status=[lindex $x $i]" } }} ASM::payload replace 0 [ASM::payload length] "" ASM::payload replace 0 0 "12345607890" HTTP::header replace Content-Length [ASM::payload length] }
logs
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: response violation Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: violation=VIOLATION_REDIRECT Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: support_id=5611810483771277404 Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: web_application=/Common/asm-1 Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: severity=Error Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: attack_type=ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: request_status=blocked
once you can confirm ill try to get the cloud docs updated. these things can be made a lot easier when a couple of extra lines explaining the different types of events.
Hi
I launched this iRule and tried to create violation, the ASM blocked me , but the ltm log doesn't show anything related to "req block" log. Here is the output:
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563438358212
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Informational
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=clear
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563489517902
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Informational
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=clear
- boneyardOct 26, 2020MVP
because you didnt trigger a violation according to the output. violation is empty and it shouldn't be
yours:
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
test from me:
Oct 22 13:40:01 bigip-01 info tmm2[20840]: Rule /Common/irule-asm_blockpage <ASM_REQUEST_DONE>: violation=VIOLATION_REQ_LEN,VIOLATION_OBJ_LEN,VIOLATION_OBJ_TYPE
there is no violation information at yours and there should be.
so you have to check if everything is setup correctly, perhaps multiple ASM policies and not having the right one here or ... it is difficult to determine what it could be from a distance.
reaching out to f5 support would be a good idea if you don't see an issue, it might be a bug. im running 14.1 and don't have 15.1 quickly available.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com