Forum Discussion
ASM::unblock not working for specific violation
Hello there,
I set an iRule for ASM that should unblock a specific violation:
    when ASM_REQUEST_DONE {
        set asm_support_id [ASM::support_id]
        if { $uri starts_with "/my/uri" and [ASM::violation names] contains "VIOL_ENCODING" } then {
            ASM::unblock
        }
    }
This rule is not triggered for that specific violation. What am I missing?
I would also like to point out that if I remove the second part of the IF and leave just the uri match, the rule triggers just fine.
I am 100% sure the violation I am targeting is correct.
Any clues on what is wrong with it?
Thank you!
Add logging and check it.
log local0. [ASM::violation names]
You are right as there are subviolations so the real name could be different. Still can't remember where I saw the real name with ASM::violation details or ASM::violation_data or the command you shared.
- T-TrustCirrostratus
Please log the following to confirm:
    when ASM_REQUEST_DONE {
        log local0. "HTTP URI: $uri VIOLATION: [ASM::violation names]"
        set asm_support_id [ASM::support_id]
        if { $uri starts_with "/my/uri" and [ASM::violation names] contains "VIOL_ENCODING" } then {
            ASM::unblock
        }
    }
Have you set the variable $uri value before checking its content?
    set uri [string tolower [HTTP::uri]]
As Juergen_Mang mentioned, logging both [HTTP::uri] and [ASM::violation names] can help a lot
- F5AudiolombAltostratus
Yes I did.
I just pasted the snippet I am interested in. Please assume that the rest is in place.
Thank you for helping with this!
- F5AudiolombAltostratus
Well... thank you all for your inputs. I logged the violation, and it turns out the violation name is "VIOLATION_CHAR_CONV".
Where is that name coming from, I wonder? If I go to options->application security->advanced configuration->violation list, the violation name I see is the one I specified in my code above.
So, at this point I am completely confused. The violation names in the GUI all start with VIOL_, while the violation names logged via the iRule start with VIOLATION_, hence why my iRule was not working. Why this discrepancy? All this does not make any sense to me.
If the violation names in the GUI don't match with what I need to use in the iRules, how the heck am I supposed to find what names to use?
BTW, I am on version 15.1.10.2.
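Added example, not part of the thread and not F5's own code: an iRule that logs the names ASM reports at runtime and calls ASM::unblock only when every reported violation is on an allow-list, because ASM::unblock lifts blocking for the whole request and not for a single violation. The URI prefix and the violation name come from the posts above; the static:: variable names are assumptions made for this example.

```tcl
when RULE_INIT {
    # Names as returned by [ASM::violation names] in the log, not as shown in the GUI.
    # "VIOLATION_CHAR_CONV" is the value logged in this thread; confirm it in your own log.
    set static::allowed_violations [list "VIOLATION_CHAR_CONV"]
    # URI prefix from the original post (compared against the lower-cased URI).
    set static::allowed_prefix "/my/uri"
}

when ASM_REQUEST_DONE {
    set uri [string tolower [HTTP::uri]]
    set names [ASM::violation names]

    # Nothing was flagged on this request: nothing to log or override.
    if { [llength $names] == 0 } { return }

    # Log the runtime names with the support ID so the entry can be matched
    # against the corresponding request in the ASM event log.
    log local0. "support_id=[ASM::support_id] uri=$uri violations=$names"

    if { $uri starts_with $static::allowed_prefix } {
        # Exact list membership instead of a substring match on the joined list,
        # and every reported violation must be allow-listed. Otherwise an
        # unrelated violation on the same request would be unblocked too.
        set unexpected 0
        foreach v $names {
            if { [lsearch -exact $static::allowed_violations $v] == -1 } {
                set unexpected 1
                break
            }
        }
        if { !$unexpected } {
            ASM::unblock
        }
    }
}
```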