ASM_REQUEST_BLOCKING not being triggered in iRule
- Oct 26, 2020
I believe I found the issue: as this is a response violation (it is not something bad sent by the client, but the response the webserver sends is what should be blocked), it should be handled in the ASM_RESPONSE_VIOLATION event.
This iRule both logs the violation and allows me to rewrite the block page.
when ASM_RESPONSE_VIOLATION {
    log local0. "response violation"
    # ASM::violation_data returns a 7-element list; the index-to-field mapping is the one logged below.
    set x [ASM::violation_data]
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
            0 { log local0. "violation=[lindex $x $i]" }
            1 { log local0. "support_id=[lindex $x $i]" }
            2 { log local0. "web_application=[lindex $x $i]" }
            3 { log local0. "severity=[lindex $x $i]" }
            4 { log local0. "source_ip=[lindex $x $i]" }
            5 { log local0. "attack_type=[lindex $x $i]" }
            6 { log local0. "request_status=[lindex $x $i]" }
        }
    }
    # Replace the whole block page body with placeholder content and fix up Content-Length to match.
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 "12345607890"
    HTTP::header replace Content-Length [ASM::payload length]
}
Logs:
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: response violation
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: violation=VIOLATION_REDIRECT
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: support_id=5611810483771277404
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: web_application=/Common/asm-1
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: severity=Error
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: attack_type=ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: request_status=blocked
Once you can confirm, I'll try to get the cloud docs updated. These things can be made a lot easier with a couple of extra lines explaining the different types of events.
Hi,
I tried a different violation (illegal file type) and now I can see the req block:
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563816978112
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Informational
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=clear
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=VIOLATION_OBJ_TYPE
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563816985952
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Critical
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=ATTACK_TYPE_FORCEFUL_BROWSING
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=blocked
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_BLOCKING>: req block
Thank you boneyard.
This iRule is working fine.
I just had to add an "if support id exists" condition in the "ASM_REQUEST_DONE" section:
when HTTP_REQUEST {
    # Capture the request URL for the block page. Host and URI are client-controlled,
    # so escape HTML metacharacters before the value is ever embedded in a page.
    set requri [string map {& &amp; < &lt; > &gt; \" &quot; ' &#39;} "https://[HTTP::host][HTTP::uri]"]
}
when ASM_RESPONSE_VIOLATION {
    # Response-side violations (e.g. an illegal redirect) only reach this event,
    # never ASM_REQUEST_BLOCKING, so the block page is rewritten here.
    log local0. "hello world1"
    #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
    set asm_support_id1 [ASM::support_id]
    HTTP::header remove Content-Length
    HTTP::header insert header_1 value_1
    set client_ip1 [IP::client_addr]
    set response1 "<html><head><title>Request Rejected</title></head><body>
The requested URL was rejected. Please consult with your administrator.<br><br>
Your support ID is: $asm_support_id1<br><br><a href='javascript:history.back();'>Go Back</a><br><br>
Your URL is: $requri <br><br>
Your client IP is: $client_ip1
</body></html>"
    log local0. "req block1"
    # Replace the whole ASM block page body and fix up Content-Length to match.
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $response1
    HTTP::header replace Content-Length [ASM::payload length]
}
when ASM_REQUEST_DONE {
    log local0. "hello world2"
    #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
    set asm_support_id2 [ASM::support_id]
    # [info exists $asm_support_id2] would test for a variable *named* after the ID value
    # and is always false; the intended "support id exists" check is a non-empty ID.
    if { $asm_support_id2 ne "" } {
        HTTP::header remove Content-Length
        HTTP::header insert header_1 value_1
        set client_ip2 [IP::client_addr]
        set response2 "<html><head><title>Request Rejected</title></head><body>
The requested URL was rejected. Please consult with your administrator.<br><br>
Your support ID is: $asm_support_id2<br><br><a href='javascript:history.back();'>Go Back</a><br><br>
Your URL is: $requri <br><br>
Your client IP is: $client_ip2
</body></html>"
    }
}
when ASM_REQUEST_BLOCKING {
    log local0. "req block2"
    # Only rewrite when ASM_REQUEST_DONE actually prepared a page; otherwise $response2 is unset.
    if { [info exists response2] } {
        ASM::payload replace 0 [ASM::payload length] ""
        ASM::payload replace 0 0 $response2
        HTTP::header replace Content-Length [ASM::payload length]
    }
}
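Those ASM_REQUEST_DONE / ASM_REQUEST_BLOCKING log lines are what an operator ends up searching when a user reports the support ID printed on the block page. The following is an added Python example, not code from the thread or from F5: it parses log lines in exactly the format the iRule above emits (the sample input is the lines posted earlier in this thread), groups the key=value lines under each "req done" marker, records whether ASM_REQUEST_BLOCKING fired for that request, and flags blocked requests for which it did not, which is the response-violation case discussed at the top of the thread. The regex, record layout and function names are the example's own assumptions.

```python
import re

# Sample input: the ASM_REQUEST_DONE / ASM_REQUEST_BLOCKING lines posted in this
# thread, as written to /var/log/ltm by the iRule above.
SAMPLE_LOG = """\
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563816978112
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Informational
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=clear
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=VIOLATION_OBJ_TYPE
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563816985952
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Critical
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=ATTACK_TYPE_FORCEFUL_BROWSING
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=blocked
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_BLOCKING>: req block
"""

# Assumed line shape: "<syslog ts> <host> <level> tmmN[pid]: Rule <name> <EVENT>: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \w+ (?P<proc>tmm\d*\[\d+\]): "
    r"Rule (?P<rule>\S+) <(?P<event>\w+)>: (?P<msg>.*)$"
)

# Fields of ASM::violation_data in index order, i.e. the order the first iRule
# in the thread logs them under.
VIOLATION_FIELDS = ("violation", "support_id", "web_application", "severity",
                    "source_ip", "attack_type", "request_status")


def parse_asm_log(text):
    """Turn the per-request burst of log lines into one dict per request."""
    records, current = [], None
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # not one of our iRule's lines
        event, msg = m.group("event"), m.group("msg")
        if event == "ASM_REQUEST_DONE" and msg == "req done":
            # "req done" marks the start of a new request's field dump
            current = {f: "" for f in VIOLATION_FIELDS}
            current.update(timestamp=m.group("ts"), rule=m.group("rule"),
                           blocking_event_fired=False)
            records.append(current)
        elif event == "ASM_REQUEST_DONE" and "=" in msg and current is not None:
            key, _, value = msg.partition("=")
            current[key] = value          # empty value stays "" (e.g. "violation=")
        elif event == "ASM_REQUEST_BLOCKING" and current is not None:
            current["blocking_event_fired"] = True
    return records


def find_by_support_id(records, support_id):
    """Look up the request a user reported from the block page; None if absent."""
    return next((r for r in records if r["support_id"] == str(support_id)), None)


def blocked_without_blocking_event(records):
    """Requests ASM reports as blocked for which ASM_REQUEST_BLOCKING never fired.

    That is the gap the thread is about: a response-side violation only raises
    ASM_RESPONSE_VIOLATION, so a block-page rewrite that lives solely in
    ASM_REQUEST_BLOCKING never runs for it."""
    return [r for r in records
            if r["request_status"] == "blocked" and not r["blocking_event_fired"]]


if __name__ == "__main__":
    for r in parse_asm_log(SAMPLE_LOG):
        print(r["timestamp"], r["support_id"], r["request_status"],
              r["violation"] or "-", "blocking_event" if r["blocking_event_fired"] else "no_blocking_event")
```

Feed it the tmm lines from /var/log/ltm; the second record resolves support ID 9864890563816985952 to a blocked VIOLATION_OBJ_TYPE request, and the first shows that ASM::support_id is populated even for a request whose status is clear, which is why a "support id exists" test alone does not identify a block.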
This is the iRule I took to the next level with an iFile and custom HTML/JavaScript code:
#Created by: AbedB 04-11-2020
#Do not edit this iRule without AbedB permission
when HTTP_REQUEST {
    # Capture the request URL for the block page. Host and URI are client-controlled,
    # so escape HTML metacharacters before the value is substituted into the iFile.
    set requri [string map {& &amp; < &lt; > &gt; \" &quot; ' &#39;} "https://[HTTP::host][HTTP::uri]"]
}
when ASM_RESPONSE_VIOLATION {
    # Response-side violations only reach this event, never ASM_REQUEST_BLOCKING.
    log local0. "hello world1"
    #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
    set asm_support_id1 [ASM::support_id]
    HTTP::header remove Content-Length
    HTTP::header insert header_1 value_1
    set client_ip1 [IP::client_addr]
    # Load the page from the iFile; subst fills $asm_support_id1, $requri and $client_ip1
    # inside the HTML. Wrapping this in "HTTP::respond 200 content ..." as a string would
    # send that literal text as part of the page, so the body is the substituted file alone.
    set response1 [subst -nocommands -nobackslashes [ifile get "blockpage1.html"]]
    log local0. "req block1 and support id is: $asm_support_id1"
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $response1
    HTTP::header replace Content-Length [ASM::payload length]
}
when ASM_REQUEST_DONE {
    log local0. "hello world2"
    #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
    set asm_support_id2 [ASM::support_id]
    # [info exists $asm_support_id2] would look for a variable named after the ID value;
    # the intended "support id exists" check is a non-empty ID.
    if { $asm_support_id2 ne "" } {
        HTTP::header remove Content-Length
        HTTP::header insert header_1 value_1
        set client_ip2 [IP::client_addr]
        set response2 [subst -nocommands -nobackslashes [ifile get "blockpage2.html"]]
    }
}
when ASM_REQUEST_BLOCKING {
    log local0. "req block2"
    # Only rewrite when ASM_REQUEST_DONE actually prepared a page; otherwise $response2 is unset.
    if { [info exists response2] } {
        ASM::payload replace 0 [ASM::payload length] ""
        ASM::payload replace 0 0 $response2
        HTTP::header replace Content-Length [ASM::payload length]
    }
}
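The block pages in this thread splice [HTTP::host][HTTP::uri] and the client IP straight into HTML and then recompute Content-Length from the payload. This added Python example (not from the thread or from F5) shows the same two steps done off-box: rendering a $variable template the way subst fills the iFile, with every client-controlled value HTML-escaped, and computing Content-Length from the encoded byte length rather than the character count. The template text, function names and sample values are constructed for the example.

```python
import html
import string

# Constructed template in the style of the thread's block page. The $names are
# filled the same way "subst -nocommands -nobackslashes" fills Tcl variables
# in the iFile.
BLOCK_PAGE_TEMPLATE = """<html><head><title>Request Rejected</title></head><body>
The requested URL was rejected. Please consult with your administrator.<br><br>
Your support ID is: $support_id<br><br><a href='javascript:history.back();'>Go Back</a><br><br>
Your URL is: $requri <br><br>
Your client IP is: $client_ip
</body></html>"""


def render_block_page(template, support_id, requri, client_ip):
    """Fill the template, HTML-escaping every value that originates from the client.

    The request URL (host + URI) and, behind a proxy, even the client IP are
    attacker-influenced, so they must not reach the page as raw markup."""
    values = {
        "support_id": html.escape(str(support_id), quote=True),
        "requri": html.escape(requri, quote=True),
        "client_ip": html.escape(client_ip, quote=True),
    }
    # substitute() raises KeyError if the template references a name we did not
    # supply, which is preferable to silently shipping a half-filled page.
    return string.Template(template).substitute(values)


def response_headers(body, charset="utf-8"):
    """Headers the iRule sets after replacing the ASM payload.

    Content-Length must be the byte length of the encoded body; a character
    count is wrong as soon as the page contains non-ASCII text."""
    return {
        "Content-Type": f"text/html; charset={charset}",
        "Content-Length": str(len(body.encode(charset))),
    }


if __name__ == "__main__":
    page = render_block_page(BLOCK_PAGE_TEMPLATE, 5611810483771277404,
                             "https://example.test/a?q=<script>alert(1)</script>", "1.2.3.4")
    print(response_headers(page))
    print(page)
```

A URI containing `<script>` comes out as `&lt;script&gt;` in the rendered page, and the Content-Length for a body containing one two-byte UTF-8 character is one more than its character count.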