Forum Discussion
HTTP Compliance Exception
What about 'Header 'If-None-Match' has no value'?
Something like this:
when ASM_REQUEST_DONE {
    set uri [HTTP::uri]
    foreach violation [ASM::violation names] {
        if { $uri starts_with "/login.php" && [ASM::violation count] < 2 } {
            foreach attack [ASM::violation attack_types] {
                switch $attack {
                    "ATTACK_TYPE_HTTP_REQUEST_SMUGGLING_ATTACK" -
                    "ATTACK_TYPE_HTTP_PARSER_ATTACK" {
                        log local0. "Violation: $violation and attack: $attack detected for URI $uri, but allowed anyway."
                        ASM::unblock
                    }
                }
            }
        } else {
            # More than one violation, too dangerous to Unblock
            return
        }
    }
}
BTW, this is the way to test with curl if you want to send an empty HTTP header:
curl -v http://10.23.98.101/login.php -H "If-None-Match;"
- Jun 13, 2019
Did you enable the 'Trigger ASM iRule Events' in your security policy? It's in the advanced settings.
- smalex, Jun 13, 2019, Altostratus
Thank you for providing so much detail.
I created the iRule and changed the '$uri starts_with' part to match my URL. I attached it to the virtual server and tried the curl command. It was still blocked, and when I go to the iRule statistics, I see executions as 0. What am I missing?
- smalex, Jun 13, 2019, Altostratus
That worked. Thank you so much for your patience and support.
These violations were not in the list you shared yesterday. Is there a more detailed list:
https://clouddocs.f5.com/api/irules/ASM__violation_data.html
- Jun 13, 2019
There could be, but I don't know. I've been using extra logging rules to determine what attacks were hit. See the example below.
when ASM_REQUEST_DONE {
    log local0. "[ASM::violation names]"
    log local0. "[ASM::violation attack_types]"
}
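An added example, not part of the thread and not F5 code: a Python audit of the log lines written by the unblock iRule earlier in the thread, counting what the exception let through and flagging paths that only matched because of the starts_with prefix test. The syslog prefix, the rule name and the VIOLATION_EXAMPLE_* names in the sample are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Attack types and URI prefix taken from the unblock iRule in the thread.
ALLOWED_ATTACKS = {
    "ATTACK_TYPE_HTTP_REQUEST_SMUGGLING_ATTACK",
    "ATTACK_TYPE_HTTP_PARSER_ATTACK",
}
ALLOWED_PATH = "/login.php"

# Matches the message produced by the iRule's `log local0.` statement.
LINE_RE = re.compile(
    r"Violation: (?P<violation>\S+) and attack: (?P<attack>\S+) "
    r"detected for URI (?P<uri>.*), but allowed anyway\.\s*$"
)

# Constructed sample log (placeholder host, rule name and violation names).
SAMPLE_LOG = """\
Jun 13 10:01:02 bigip1 info tmm[1234]: Rule /Common/asm_exception <ASM_REQUEST_DONE>: Violation: VIOLATION_EXAMPLE_A and attack: ATTACK_TYPE_HTTP_PARSER_ATTACK detected for URI /login.php, but allowed anyway.
Jun 13 10:01:09 bigip1 info tmm[1234]: Rule /Common/asm_exception <ASM_REQUEST_DONE>: Violation: VIOLATION_EXAMPLE_A and attack: ATTACK_TYPE_HTTP_PARSER_ATTACK detected for URI /login.php?next=/home, but allowed anyway.
Jun 13 10:02:30 bigip1 info tmm[1234]: Rule /Common/asm_exception <ASM_REQUEST_DONE>: Violation: VIOLATION_EXAMPLE_B and attack: ATTACK_TYPE_HTTP_REQUEST_SMUGGLING_ATTACK detected for URI /login.php.bak, but allowed anyway.
Jun 13 10:03:00 bigip1 info tmm[1234]: unrelated message
"""

def audit(log_text):
    """Return (Counter of (path, attack) pairs, list of findings)."""
    counts, findings = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line was not written by the exception iRule
        # HTTP::uri includes the query string, so compare on the path only.
        path = urlsplit(m["uri"]).path
        counts[(path, m["attack"])] += 1
        if path != ALLOWED_PATH:
            findings.append(f"prefix match let through unexpected path: {path}")
        if m["attack"] not in ALLOWED_ATTACKS:
            findings.append(f"unexpected attack type unblocked: {m['attack']}")
    return counts, findings

if __name__ == "__main__":
    counts, findings = audit(SAMPLE_LOG)
    for (path, attack), n in sorted(counts.items()):
        print(f"{n:3d}  {path}  {attack}")
    for finding in findings:
        print("REVIEW:", finding)
```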