F5 AWAF/ASM ASM_RESPONSE_VIOLATION event seem to not trigger on 17.1.x

Hey Everyone,

 

The F5 AWAF/ASM ASM_RESPONSE_VIOLATION event seem to not trigger on 17.1.x.

 

I have enabled irules support the waf policy and I tested in Normal and Compatibility mode but no luck. The other events trigger without an issue.

 

I created 2 custom signatures for response and request match and request match one has no issues so it seems a bug to me.

 

This can be easily tested with the below irule that logs to /var/log/asm

 

when ASM_REQUEST_DONE {

log local3. "test request"

}

 

when ASM_RESPONSE_VIOLATION {

 

log local3. "test response"

 

}

 

The custom response signature is in the policy to just trigger alarm.

 

 

 

I tried string or regex match " (?i)failed " PCRE-style as F5 15.x and up are using this regex style.