Forum Discussion
AltostratusHTTP Compliance Exception
AltostratusWhat about 'Header 'If-None-Match' has no value'?
Something like this:
when ASM_REQUEST_DONE {
set uri [HTTP::uri]
foreach violation [ASM::violation names] {
if { $uri starts_with "/login.php" && [ASM::violation count] < 2 } {
foreach attack [ASM::violation attack_types] {
switch $attack {
"ATTACK_TYPE_HTTP_REQUEST_SMUGGLING_ATTACK" -
"ATTACK_TYPE_HTTP_PARSER_ATTACK" {
log local0. "Violation: $violation and attack: $attack detected for URI $uri, but allowed anyway."
ASM::unblock
}
}
}
} else {
# More than one violation, too dangerous to Unblock
return
}
}
}BTW, this is the way to test with curl if you want to send an empty HTTP header:
curl -v http://10.23.98.101/login.php -H "If-None-Match;"
- smalex
Thank you for providing so much details.
I created the irule and changed on the ' $uri starts_with' part to match my URL. Attached to the virtual server and tried the curl command. It was still blocked and when I go to irule statistics, I see executions as 0. What am I missing?
Did you enable the 'Trigger ASM iRule Events' in your security policy? It's in the advanced settings.
- smalex
That worked. Thank you so much for your patience and support.
This violations were not in the list you shared yesterday. Is there a more detailed list:
https://clouddocs.f5.com/api/irules/ASM__violation_data.html
There could be, but I don't know. I've been using extra logging rules to determine what attacks where hit. See the example below.
when ASM_REQUEST_DONE { log local0. "[ASM::violation names]" log local0. "[ASM::violation attack_types]" }
