For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

smalex's avatar
smalex
Icon for Altostratus rankAltostratus
Jun 11, 2019

HTTP Compliance Exception

We have implemented ASM recently and one request was blocked because of content length being 0. Checked with application team and as per them that shouldn't be blocked. Is there a way to exclude a UR...
application delivery
ASM Advanced WAF
security
Niels_van_Sluis's avatar
Niels_van_Sluis
Icon for MVP rankMVP
Jun 12, 2019

Something like this:

when ASM_REQUEST_DONE {
  set uri [HTTP::uri]
  foreach violation [ASM::violation names] {
      if { $uri starts_with "/login.php" && [ASM::violation count] < 2 } {
          foreach attack [ASM::violation attack_types] {
              switch $attack {
                  "ATTACK_TYPE_HTTP_REQUEST_SMUGGLING_ATTACK" -
                  "ATTACK_TYPE_HTTP_PARSER_ATTACK" {
                      log local0. "Violation: $violation and attack: $attack detected for URI $uri, but allowed anyway."
                      ASM::unblock
                  }
              }
          }
      } else {
          # More than one violation, too dangerous to Unblock
          return
      }
  }
}

BTW, this is the way to test with curl if you want to send an empty HTTP header:

curl -v http://10.23.98.101/login.php -H "If-None-Match;"

smalex's avatar
smalex
Icon for Altostratus rankAltostratus
Jun 12, 2019

Thank you for providing so much details.

 

I created the irule and changed on the ' $uri starts_with' part to match my URL. Attached to the virtual server and tried the curl command. It was still blocked and when I go to irule statistics, I see executions as 0. What am I missing?