Forum Discussion
Jesse_42915
Dec 27, 2011 | Nimbostratus
Disable specific ASM attack signatures on specific URL?
I'm trying to disable some ASM attack signatures on a specific URL only, and not for the entire policy. Is that possible? I'm running v 10.2.3
hooleylist
Dec 28, 2011 | Cirrostratus
Hi Jesse,
As Josh said, I don't think you can disable a header based attack signature for a specific URL. Here are a few options:
- open an RFE with F5 Support to request this functionality. This might be a good idea regardless of which option you select.
- disable the specific attack signature globally. This is the simplest option, but lowers the security of your policy somewhat.
- create a separate policy for the specific URL which is a copy of the original policy with the specific attack signature disabled. The downside to this is that you would need to manually maintain two policies.
- put the specific signature(s) in a separate attack signature set and put that signature set in transparent mode. Use an iRule to manually block any requests which trigger that attack sig which is not on the specific URL. I think this might be the closest way to do what you want. You'd basically create an iRule which checks the ASM::violation_data output in the ASM_REQUEST_VIOLATION event. See the wiki pages for details: http://devcentral.f5.com/wiki/iRules.asm.ashx
Aaron
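The last option in the reply above, sketched as an iRule. This is an added example, not code from the thread or from F5, and it has not been run against v10.2.3. Assumptions: the policy has "Trigger ASM iRule Events" enabled, the signature set is in transparent mode, the exempt path and the match string are placeholders, and the list positions follow the ASM::violation_data layout on the iRules wiki (violation names at index 0, support ID at 1, attack type at 5).

```tcl
when ASM_REQUEST_VIOLATION {
    # Placeholder: the one URL on which the signature should stay unenforced.
    set exempt_path "/example/exempt-url"
    # Placeholder: substring of the violation name ASM reports for an
    # attack-signature hit. Confirm it from the log line written below.
    set sig_violation "ATTACK_SIG"

    # ASM::violation_data returns a Tcl list describing the violation.
    set data        [ASM::violation_data]
    set violations  [lindex $data 0]
    set support_id  [lindex $data 1]
    set attack_type [lindex $data 5]

    # Compare the raw path exactly. Any case or encoding variant of the
    # exempt URL fails the comparison and is treated like every other URL.
    set path [HTTP::path]

    # Log every violation first, so the placeholders can be replaced with
    # the values this policy really emits.
    log local0. "ASM violation=$violations support_id=$support_id attack_type=$attack_type path=$path"

    # Not an attack-signature violation: leave the decision to ASM.
    if { !($violations contains $sig_violation) } {
        return
    }

    # Signature hit on the exempt URL: allow, but keep an audit trail.
    if { $path equals $exempt_path } {
        log local0. "ASM signature hit allowed on exempt path, support_id=$support_id"
        return
    }

    # Signature hit anywhere else: enforce here what the transparent
    # signature set no longer enforces.
    log local0. "ASM signature hit blocked by iRule, path=$path support_id=$support_id"
    reject
}
```

If the violation data does not identify which signature fired, this rule enforces every transparent-mode signature hit outside the exempt path; narrowing on `$attack_type` is one way to limit it to the signatures that were moved into the transparent set.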