andrewbytes
Aug 01, 2019

How can I skip ONLY Geolocation within ASM_REQUEST_VIOLATION if there is more than one Violation?

So far; This WORKS;   when ASM_REQUEST_VIOLATION {   if { [ASM::status] eq "blocked" } {     if { [class match [IP::client_addr] equals WHITELIST] && [ASM::violation names] equals "VIOLATION_I...
  • andrewbytes
    Aug 01, 2019

    UPDATE!!!!

    when ASM_REQUEST_DONE {
      # Only act on requests that ASM has decided to block
      if { [ASM::status] eq "blocked" } {
        # Unblock only when the client is in WHITELIST and geolocation is the sole violation, with no details
        if { [class match [IP::client_addr] equals WHITELIST] && [ASM::violation names] equals "VIOLATION_ILLEGAL_GEOLOCATION" && [ASM::violation details] equals "" } {
          log local0. "[ASM::violation_data]. [IP::client_addr] found in WHITELIST"
          # log local0. "Violation count: [ASM::violation count] "
          # log local0. "Violation names: [ASM::violation names] "
          # log local0. "Violation attack types: [ASM::violation attack_types] "
          log local0. "Violation details: [ASM::violation details] "
          ASM::unblock
        } else {
          # Any other combination stays blocked and is logged
          log local0. "[ASM::violation_data]. blocked for [IP::client_addr]"
        }
      }
    }

     

    If the ONLY Violation is Geolocation, then I continue. If there's anything else, I want to skip it. So NORMAL input on a web form is fine from a specific geolocation. Try and slip XSS, or SQL Injection, and it returns a System ID error. How can [ASM::violation count] return 1 all the time, even though I've slipped some other violation into the form?

     

    PLEASE NOTE; the ASM_REQUEST_DONE only works if ASM iRule setting is set to NORMAL. It will not fire in compatibility mode.
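
One way to write the "only geolocation" check described in the post above, as an added example that is not the poster's code: it treats `[ASM::violation names]` as a Tcl list, so a request carrying any second violation stays blocked and has every name logged. It assumes the post's `WHITELIST` data group, the Normal ASM iRule event mode, and that the command returns one list element per violation.

```tcl
# Added example, not the poster's code.
# Assumptions: WHITELIST is the address data group from the post, the ASM
# iRule event mode is Normal, and [ASM::violation names] returns one list
# element per violation found on the request.
when ASM_REQUEST_DONE {
    # Nothing to decide unless ASM is about to block the request.
    if { [ASM::status] ne "blocked" } { return }

    # Inspect the violations as a list instead of comparing one string.
    set names [ASM::violation names]
    set only_geo [expr {
        [llength $names] == 1 &&
        [lindex $names 0] eq "VIOLATION_ILLEGAL_GEOLOCATION"
    }]
    set listed [class match [IP::client_addr] equals WHITELIST]

    if { $only_geo && $listed } {
        # Geolocation is the sole violation and the client is allow-listed.
        log local0. "Unblocking [IP::client_addr]: geolocation was the only violation"
        ASM::unblock
    } else {
        # Fail closed: any extra violation (XSS, SQL injection, ...) keeps
        # the block in place, and the full list is logged for review.
        log local0. "Still blocked [IP::client_addr]: violations=$names"
    }
}
```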