Forum Discussion

andrewbytes
Aug 01, 2019
Solved

How can I skip ONLY Geolocation within ASM_REQUEST_VIOLATION if there is more than one Violation?

So far; This WORKS;   when ASM_REQUEST_VIOLATION {   if { [ASM::status] eq "blocked" } {     if { [class match [IP::client_addr] equals WHITELIST] && [ASM::violation names] equals "VIOLATION_I...
  • andrewbytes
    Aug 01, 2019

    UPDATE!!!!

    when ASM_REQUEST_DONE {
      if { [ASM::status] eq "blocked" } {
        # Unblock only when the client is in WHITELIST, the violation names string is
        # exactly VIOLATION_ILLEGAL_GEOLOCATION, and the violation details are empty.
        if { [class match [IP::client_addr] equals WHITELIST] && [ASM::violation names] equals "VIOLATION_ILLEGAL_GEOLOCATION" && [ASM::violation details] equals "" } {
          log local0. "[ASM::violation_data]. [IP::client_addr] found in WHITELIST"
          # log local0. "Violation count: [ASM::violation count] "
          # log local0. "Violation names: [ASM::violation names] "
          # log local0. "Violation attack types: [ASM::violation attack_types] "
          log local0. "Violation details: [ASM::violation details] "
          ASM::unblock
        } else {
          # Any other combination stays blocked and is logged.
          log local0. "[ASM::violation_data]. blocked for [IP::client_addr]"
        }
      }
    }

     

    If the ONLY violation is Geolocation, then I continue. If there's anything else, I want to skip it. So NORMAL input on a web form is fine from a specific geolocation. Try and slip XSS, or SQL Injection, and it returns a System ID error. How can [ASM::violation count] return 1 all the time, even though I've slipped some other violation into the form?

     

    PLEASE NOTE: ASM_REQUEST_DONE only works if the ASM iRule setting is set to NORMAL. It will not fire in compatibility mode.