Forum Discussion

kcb263
Mar 02, 2012

Block all "HTTP Protocol Compliance - Unparsable request content" EXCEPT a Specific URL?

Is it possible to allow a specific URL to bypass a block of "Unparsable Request Content"?



When I went to Manual Policy Building > Traffic Learning > RFC Violations > HTTP Protocol compliance failed > Unparsable Request Content I was presented with: (Cancel), (Clear), (Accept). If I choose one of these, it will affect that violation as a whole.




If I click on the details and bring up a list of all of the violations that were triggered, I see that I am given the option to "LEARN". Is this what I need to allow a specific URL to be allowed? If so, where is that reflected once I click learn? I.e., where can I go to see what other URLs have been allowed?







1 Reply

  • You might be able to use an iRule to selectively block for this type of violation if the requested URI is not in a string data group of URIs to allow the violation on. The general idea is that you'd disable blocking for the violation but leave alarm enabled and then check the [ASM::violation_data] array in the ASM_REQUEST_VIOLATION event. I'm not sure whether the subviolation for unparsable request content has been added for ASM::violation_data though. Can you try testing this on a non-production virtual server?



    First though, why is a client sending unparsable request content? Generally this means that the client is sending an improperly formatted request which breaks the HTTP RFCs. Are you able to change either the application or the client to fix this? That would be the ideal solution.
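
The approach described in the reply, sketched as an added iRule example that is not part of the original thread and is not F5's own code: blocking for the violation is disabled in the ASM policy with alarm left enabled, and the iRule rejects the request unless its path is in an allow-list string data group. The data group name `unparsable_allow_uris`, the violation-name string `VIOLATION_HTTP_SANITY_CHECK_FAILED`, and the use of `reject` inside this event are assumptions to confirm on a non-production virtual server.

```tcl
# Added example. Assumed names: unparsable_allow_uris (string data group
# holding the exact paths that may trigger the violation) and the
# violation-name string below; check both against your ASM version.

when HTTP_REQUEST {
    # Record the path while the HTTP filter has it, so the ASM event
    # does not depend on HTTP:: commands being available later.
    set req_path [HTTP::path]
}

when ASM_REQUEST_VIOLATION {
    # ASM::violation_data returns a list; element 0 carries the violation
    # name(s) and element 1 the support ID shown in the ASM request log.
    set vdata      [ASM::violation_data]
    set violations [lindex $vdata 0]
    set support_id [lindex $vdata 1]

    # This is the parent "HTTP protocol compliance failed" violation.
    # It does not tell the "Unparsable request content" sub-check apart
    # from the other compliance sub-checks (the caveat raised in the reply).
    if { !($violations contains "VIOLATION_HTTP_SANITY_CHECK_FAILED") } {
        return
    }

    # Fail closed: if the path was never captured, treat it as not allowed.
    if { ![info exists req_path] } {
        log local0.warning "ASM $support_id: compliance violation, no path captured, rejecting"
        reject
        return
    }

    if { [class match $req_path equals unparsable_allow_uris] } {
        # Allow-listed path: let the request through but keep an audit trail.
        log local0.notice "ASM $support_id: compliance violation allowed for $req_path"
    } else {
        # Every other path: enforce in the iRule what the policy only alarms on.
        log local0.warning "ASM $support_id: compliance violation rejected for $req_path"
        reject
    }
}
```

Matching on the exact path with `equals` keeps the exception as narrow as possible; the allowed URLs are then visible in one place, the data group, and each allowed hit is logged with its support ID.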