Forum Discussion
Jesse_42915
Dec 27, 2011 Nimbostratus
Disable specific ASM attack signatures on specific URL?
I'm trying to disable some ASM attack signatures on a specific URL only, and not for the entire policy. Is that possible? I'm running v 10.2.3
Mandrake
Aug 28, 2012 Nimbostratus
Hi Experts,
I am just trying something like this:
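when ASM_REQUEST_VIOLATION {
    # ASM::violation_data returns a list; its fields are read by index below
    set x [ASM::violation_data]

    # Log each of the seven fields under its name
    for {set i 0} {$i < 7} {incr i} {
        switch $i {
            0 { log local0. "violation=[lindex $x $i]" }
            1 { log local0. "support_id=[lindex $x $i]" }
            2 { log local0. "web_application=[lindex $x $i]" }
            3 { log local0. "severity=[lindex $x $i]" }
            4 { log local0. "source_ip=[lindex $x $i]" }
            5 { log local0. "attack_type=[lindex $x $i]" }
            6 { log local0. "request_status=[lindex $x $i]" }
        }
    }

    # Respond only to an XSS attack-signature violation on this one URI.
    # The opening brace of each body must sit on the same line as its command.
    if { ([lindex $x 0] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED" and [lindex $x 5] contains "ATTACK_TYPE_CROSS_SITE_SCRIPTING")
         and ([HTTP::uri] contains "/x/y/z.js") } {
        # The braces pass this body literally (no Tcl substitution), so
        # <%TS.request.ID()%> is sent as-is; the support ID is [lindex $x 1]
        HTTP::respond 200 content {
Block Page
Your request has been blocked, please contact your systems administrator
Your support ID is: <%TS.request.ID()%>
}
    } else {
        return
    }
}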
For strange reasons it's just not triggering. Am I making any obvious mistake here?
Cheers
Jani