
Forum Discussion

Grandiser
Feb 08, 2024

I need an ASM i-rule that drops the connection upon the occurrence of a violation.

Hi;

I need an ASM i-rule that drops the connection upon the occurrence of a violation. I don't want to present the default "Blocking response page" to the user, but rather drop the TCP connection.

I have tried

    when ASM_REQUEST_BLOCKING {
        drop
    }

and the response page still comes up.

I have also tried the following ASM i-rule in compatibility mode

    when ASM_REQUEST_VIOLATION {
        drop
    }

Still the response page is coming up.

Kindly

Wasfi

2 Replies

  • Something like this might work.

    when ASM_REQUEST_VIOLATION {
        # When a request violation occurs, drop the TCP connection
        drop
    }

    when ASM_RESPONSE_VIOLATION {
        # When a response violation occurs, drop the TCP connection
        drop
    }

  • Sometimes the handoffs between the primary proxy and plugin architecture clients like ASM are obscure. You might need to set a variable in the ASM event and then evaluate in the HTTP_RESPONSE_RELEASE event. Try something like this:

    when ASM_REQUEST_VIOLATION {
        set req_violation 1
    }
    when HTTP_RESPONSE_RELEASE {
        if { [info exists req_violation] } {
            drop
        }
    }