Forum Discussion
How can I skip ONLY Geolocation within ASM_REQUEST_VIOLATION if there is more than one Violation?
So far, this WORKS:
when ASM_REQUEST_VIOLATION {
    if { [ASM::status] eq "blocked" } {
        if { [class match [IP::client_addr] equals WHITELIST] && [ASM::violation names] equals "VIOLATION_ILLEGAL_GEOLOCATION" } {
            log local0. "[ASM::violation_data]. [IP::client_addr] found in WHITELIST"
            log local0. "Violation count: [ASM::violation count] "
            log local0. "Violation names: [ASM::violation names] "
            log local0. "Violation attack types: [ASM::violation attack_types] "
            log local0. "Violation details: [ASM::violation details] "
            ASM::unblock
        } else {
            log local0. "[ASM::violation_data]. blocked for [IP::client_addr]"
        }
    }
}
However, I only want to skip the Geolocation violation. When watching the logs, I see the violation information; however, I want to continue ASM checking if the Geolocation is in my Datagroup named "WHITELIST". I do NOT want a golden ticket skipping over XSS, SQL Injection, etc. because I made a pinhole in my IP to allow access. When I add an IP to the IP Address Exceptions, it skips all ASM Rules. Is there an ASM::skip ability that I'm missing? GEOLOCATION::ALLOW?
UPDATE!!!!
when ASM_REQUEST_DONE {
    if { [ASM::status] eq "blocked" } {
        if { [class match [IP::client_addr] equals WHITELIST] && [ASM::violation names] equals "VIOLATION_ILLEGAL_GEOLOCATION" && [ASM::violation details] equals "" } {
            log local0. "[ASM::violation_data]. [IP::client_addr] found in WHITELIST"
            # log local0. "Violation count: [ASM::violation count] "
            # log local0. "Violation names: [ASM::violation names] "
            # log local0. "Violation attack types: [ASM::violation attack_types] "
            log local0. "Violation details: [ASM::violation details] "
            ASM::unblock
        } else {
            log local0. "[ASM::violation_data]. blocked for [IP::client_addr]"
        }
    }
}
If the ONLY violation is Geolocation, then I continue. If there's anything else, I want to skip it. So NORMAL input on a web form is fine from a specific geolocation. Try and slip XSS or SQL Injection in, and it returns a System ID error. How come [ASM::violation count] returns 1 all the time, even though I've slipped some other violation into the form?
PLEASE NOTE: ASM_REQUEST_DONE only works if the ASM iRule setting is set to NORMAL. It will not fire in compatibility mode.
- andrewbytes (Altocumulus)
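One way to express "unblock only when geolocation is the sole violation", written here as an added example and not the poster's iRule: it walks the [ASM::violation names] list element by element instead of comparing the whole list to one string, assumes the same WHITELIST data group and the Normal iRule setting the post describes, and leaves the request blocked whenever any other violation is present.

```tcl
# Added example (not the poster's iRule). Assumes: a WHITELIST address data
# group exists and the ASM iRule setting is Normal so ASM_REQUEST_DONE fires.
when ASM_REQUEST_DONE {
    # Nothing to decide unless ASM already blocked this request
    if { [ASM::status] ne "blocked" } {
        return
    }
    # Only clients deliberately placed in the data group are considered
    if { ![class match [IP::client_addr] equals WHITELIST] } {
        log local0. "blocked for [IP::client_addr]: [ASM::violation names]"
        return
    }
    set names [ASM::violation names]
    # Walk the list: a request carrying the geolocation violation PLUS any
    # other violation (XSS, SQLi, ...) must never be unblocked.
    set only_geo 1
    foreach v $names {
        if { $v ne "VIOLATION_ILLEGAL_GEOLOCATION" } {
            set only_geo 0
            break
        }
    }
    if { $only_geo && [llength $names] > 0 } {
        log local0. "[IP::client_addr] in WHITELIST, geolocation-only violation; unblocking"
        ASM::unblock
    } else {
        log local0. "[IP::client_addr] in WHITELIST but kept blocked: $names (count [ASM::violation count])"
    }
}
```

The else branch logs the full violation list and count for the whitelisted client, which is what you want to inspect when checking whether ASM actually reports more than one violation for a request that also contains XSS or SQL Injection input.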