

F5Audiolomb
Oct 27, 2023

ASM::unblock not working for specific violation

Hello there,
I set an iRule for ASM that should unblock a specific violation:

 

when ASM_REQUEST_DONE {
    set asm_support_id [ASM::support_id]
    if { $uri starts_with "/my/uri" and [ASM::violation names] contains "VIOL_ENCODING" } then {
        ASM::unblock
    }
}

 

This rule is not triggered for that specific violation. What am I missing?
I would also like to point out that if I remove the second part of the IF and leave just the uri match, the rule triggers just fine.

I am 100% sure the violation I am targeting is correct.

Any clues on what is wrong with it?

Thank you!

6 Replies

  • Well... thank you all for your inputs. I logged the violation, and it turns out the violation name is "VIOLATION_CHAR_CONV".

    Where is that name coming from, I wonder? If I go to options->application security->advanced configuration->violation list, the violation name I see is the one I specified in my code above.

    So, at this point I am completely confused. The violation names in the GUI all start with VIOL_, while the violation names logged via the iRule start with VIOLATION_, hence why my iRule was not working.

    Why this discrepancy? All this does not make any sense to me.
    If the violation names in the GUI don't match with what I need to use in the iRules, how the heck am I supposed to find what names to use?
    BTW, I am on version 15.1.10.2.

  • Please log the following to confirm:

    when ASM_REQUEST_DONE {
        log local0. "HTTP URI: $uri VIOLATION: [ASM::violation names]"
        set asm_support_id [ASM::support_id]
        if { $uri starts_with "/my/uri" and [ASM::violation names] contains "VIOL_ENCODING" } then {
            ASM::unblock
        }
    }

  • Have you set the variable $uri value before checking its content?

    set uri [string tolower [HTTP::uri]] 

    As Juergen_Mang mentioned, logging both [HTTP::uri] and [ASM::violation names] can help a lot.

    • F5Audiolomb

      Yes I did.

      I just pasted the snippet I am interested in. Please assume that the rest is in place.

      Thank you for helping with this!

    • Nikoolayy1

      You are right as there are subviolations so the real name could be different. Still can't remember where I saw the real name with ASM::violation details or ASM::violation_data or the command you shared.
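
The rule from the question, reworked around the name that was actually logged in this thread; this is an added example, not code from any of the posters or from F5. It assumes the policy has iRule event triggering enabled and that VIOLATION_CHAR_CONV is the name your system logs for this violation (confirm it in the log line first); `/my/uri` is the placeholder path from the question.

```tcl
# Added example (not from the thread). The violation name is the one the
# original poster saw in the log on 15.1.10.2; verify it on your own system.
when HTTP_REQUEST {
    # Capture the URI once per request, as suggested in the replies.
    set uri [string tolower [HTTP::uri]]
}

when ASM_REQUEST_DONE {
    set target "VIOLATION_CHAR_CONV"
    set names [ASM::violation names]

    # Log what ASM reports so the iRule-side names can be compared with the
    # VIOL_* names shown in the GUI violation list.
    log local0. "support_id=[ASM::support_id] uri=$uri violations=$names"

    # Treat the result as a list and compare each name exactly, instead of a
    # substring "contains" test on the whole string.
    set only_target [expr {[llength $names] > 0}]
    foreach name $names {
        if { $name ne $target } {
            set only_target 0
        }
    }

    # Unblock only when the targeted violation is the sole one raised, so a
    # request that also carries other violations stays blocked.
    if { $uri starts_with "/my/uri" && $only_target } {
        ASM::unblock
    }
}
```

With the original `contains` test, a request to `/my/uri` that triggers the targeted violation together with any other violation would also be unblocked; the exact-match loop avoids that.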