Forum Discussion
How could I exclude Vulnerability scanners from Session Tracking?
- Jan 10, 2017
Is it bad form to answer my own question?
Anyhow, using logging I discovered that the violation name wasn't matching correctly. Here is a rule that I've now deployed and tested.
when ASM_REQUEST_DONE {
    if {([ASM::violation names] contains "SESSION_AWARENESS" && [ASM::violation count] < 2 && [IP::addr [IP::client_addr] equals n.n.n.n/m])} {
        ASM::unblock
    }
}
- cdjac0bsen (Nimbostratus), Feb 23, 2017
You're a genius, thanks so much. This is exactly the same issue we are having. If you don't mind, I'm going to submit this as a feature enhancement request to add this option to the IP address exception configuration. Seems like a no-brainer to me, I'm surprised it wasn't added already. You don't want legitimate vuln scanners to get blocked by session tracking, which makes the results invalid.
- uknoodler_23999 (Altostratus), Feb 23, 2017
No problem, thanks for putting in the feature request.
- cdjac0bsen (Nimbostratus), Mar 01, 2017
You're welcome. What would be the best syntax to add multiple IP addresses/subnets? We have about 15 we need to exclude. And I'm not keen on reading in a list of IPs from a separate file.
- sponge_13_16833 (Nimbostratus), Mar 09, 2017
I came up with a way for this to be done using a data list group. Create the data list group, call it "scanners" for example. Then, in the iRule, use a class match to evaluate the list.
To add new "scanners", just add the new IP or subnet to the data list group.
Here is the iRule, using class match against the list of "scanners":
when ASM_REQUEST_DONE {
    if {([class match [IP::client_addr] equals scanners] && [ASM::violation names] contains "SESSION_AWARENESS" && [ASM::violation count] < 2)} {
        ASM::unblock
    }
}
To create the data list group, using tmsh:
create ltm data-group internal scanners type ip records add {x.x.x.x/xx}
To modify the existing list (adding a host and a subnet to the list):
modify ltm data-group internal scanners records add {x.x.x.x/32 x.x.x.x/24}
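The decision the two iRules above make can be modelled outside the BIG-IP to check that it suppresses only the session-tracking false positive. The following Python is an added illustration, not F5 code and not anything posted in this thread; the data-group records, client addresses and the violation name SOME_OTHER_VIOLATION are constructed sample values. It mirrors the three conditions of the rule: the client is in the "scanners" data group (host or CIDR records), SESSION_AWARENESS is among the violation names, and fewer than two violations were raised, so a scanner that also trips any other violation stays blocked.

```python
"""Model of the ASM::unblock decision in the thread's iRule (added example, not F5 code)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for the tmsh data group:
#   create ltm data-group internal scanners type ip records add { ... }
SCANNERS = ["192.0.2.10/32", "198.51.100.0/24"]


def parse_scanner_group(records):
    """Turn data-group records into network objects; a bare host becomes /32 (or /128)."""
    return [ipaddress.ip_network(r, strict=False) for r in records]


def client_in_group(client_addr, networks):
    """Equivalent of [class match [IP::client_addr] equals scanners]."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in net for net in networks)


@dataclass
class AsmRequest:
    """What the iRule sees at ASM_REQUEST_DONE: client address and violation names."""
    client_addr: str
    violations: list = field(default_factory=list)  # like [ASM::violation names]


def should_unblock(req, networks):
    """True only when the scanner's sole violation is SESSION_AWARENESS.

    The `< 2` count check is the safety net: if session tracking fired alongside
    any other violation, the request is still blocked, so the exception only
    removes the session-tracking noise and never whitelists the scanner outright.
    """
    names = req.violations
    return (
        client_in_group(req.client_addr, networks)
        and "SESSION_AWARENESS" in names
        and len(names) < 2
    )


def evaluate(requests, records=SCANNERS):
    """Return [(client_addr, unblocked)] for a batch of constructed requests."""
    networks = parse_scanner_group(records)
    return [(r.client_addr, should_unblock(r, networks)) for r in requests]


if __name__ == "__main__":
    # Constructed sample traffic; SOME_OTHER_VIOLATION is a placeholder name.
    sample = [
        AsmRequest("192.0.2.10", ["SESSION_AWARENESS"]),                   # scanner, only tracking
        AsmRequest("192.0.2.11", ["SESSION_AWARENESS"]),                   # not in group
        AsmRequest("198.51.100.77", ["SESSION_AWARENESS", "SOME_OTHER_VIOLATION"]),  # keep blocked
        AsmRequest("198.51.100.77", []),                                   # nothing to unblock
    ]
    for addr, decision in evaluate(sample):
        print(f"{addr:>14}  unblock={decision}")
```

Keeping the count check is the important part of the design: widening the exception to "any violation from a scanner address" would turn session tracking's allow-list into a full bypass for whoever sits on those addresses.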
- cdjac0bsen (Nimbostratus), Mar 09, 2017
Brilliant!